linux – Incoming packets are not hitting the iptables INPUT chain

I am running a VPN client inside a Docker container. I'm trying to connect from the host to a web server running in the container on port 8080. When I try to connect, I see my incoming packet on port 8080 via tcpdump, but the web server never sees it.
I added iptables '-j LOG' rules for every possible state transition of the packet, trying to trace it. The packets I see are:

> table 'raw', chain PREROUTING
> table 'mangle', chain PREROUTING
> table 'nat', chain PREROUTING

Then... nothing. After a short delay the packet is resent and I see the new packet pass through PREROUTING. Nothing ever shows up on the mangle INPUT or mangle FORWARD chains; as far as I know that is impossible, it has to hit one of them.
Is there any way for a packet to pass through PREROUTING but hit neither INPUT nor FORWARD?
My iptables are as follows:

  root@87ff7ad8e4f9:/# iptables -t raw -L
  Chain PREROUTING (policy ACCEPT)
  target prot opt source destination
  NFLOG tcp -- anywhere anywhere tcp spt:http-alt nflog-prefix "raw pre-route Src incoming packet"
  NFLOG tcp -- anywhere anywhere tcp dpt:http-alt nflog-prefix "raw pre-route Dest incoming packet"

  Chain OUTPUT (policy ACCEPT)
  target prot opt source destination
  NFLOG tcp -- anywhere anywhere tcp dpt:http-alt nflog-prefix "Dest outgoing packet"
  NFLOG tcp -- anywhere anywhere tcp spt:http-alt nflog-prefix "Src outgoing packet"
  root@87ff7ad8e4f9:/# iptables -t mangle -L
  Chain PREROUTING (policy ACCEPT)
  target prot opt source destination
  NFLOG tcp -- anywhere anywhere tcp dpt:http-alt nflog-prefix "mangle PREROUTING Dest incoming packet"

  Chain INPUT (policy ACCEPT)
  target prot opt source destination
  NFLOG all -- anywhere anywhere nflog-prefix "mangle INPUT Dest incoming packet any2"

  Chain FORWARD (policy ACCEPT)
  target prot opt source destination
  NFLOG all -- anywhere anywhere nflog-prefix "mangle FORWARD Dest incoming packet any"

  Chain OUTPUT (policy ACCEPT)
  target prot opt source destination
  MARK tcp -- anywhere anywhere tcp spt:http-alt MARK set 0x1
  MARK tcp -- anywhere anywhere tcp dpt:http-alt MARK set 0x1
  NFLOG tcp -- anywhere anywhere tcp spt:http-alt nflog-prefix "MARK set 0x1"
  NFLOG tcp -- anywhere anywhere tcp dpt:http-alt nflog-prefix "Dest MARK set 0x1"

  Chain POSTROUTING (policy ACCEPT)
  target prot opt source destination
  root@87ff7ad8e4f9:/# iptables -t nat -L
  Chain PREROUTING (policy ACCEPT)
  target prot opt source destination
  NFLOG tcp -- anywhere anywhere tcp dpt:http-alt nflog-prefix "nat PREROUTING Dest incoming packet"

  Chain INPUT (policy ACCEPT)
  target prot opt source destination
  NFLOG tcp -- anywhere anywhere tcp dpt:http-alt nflog-prefix "nat INPUT Dest incoming packet"

  Chain OUTPUT (policy ACCEPT)
  target prot opt source destination

  Chain POSTROUTING (policy ACCEPT)
  target prot opt source destination
  root@87ff7ad8e4f9:/# iptables -t filter -L
  Chain INPUT (policy ACCEPT)
  target prot opt source destination
  NFLOG tcp -- anywhere anywhere nflog-prefix "connection made"
  NFLOG tcp -- anywhere anywhere tcp dpt:http-alt nflog-prefix "filter INPUT Dest incoming packet"

  Chain FORWARD (policy ACCEPT)
  target prot opt source destination

  Chain OUTPUT (policy ACCEPT)
  target prot opt source destination
  ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
  ACCEPT all -- anywhere anywhere
  ACCEPT all -- anywhere anywhere
  ACCEPT all -- anywhere anywhere
  ACCEPT all -- anywhere 172.17.0.0/16
  ACCEPT udp -- anywhere anywhere udp dpt:domain
  ACCEPT tcp -- anywhere anywhere owner GID match vpn
  ACCEPT udp -- anywhere anywhere owner GID match vpn
  DROP all -- anywhere anywhere

My syslog shows

  Oct 4 07:22:56 87ff7ad8e4f9 raw pre-route Dest incoming packet IN=eth0 OUT= MAC=02:42:ac:11:00:02:02:42:2e:2c:fd:2e:08:00 SRC=76.167.254.196 DST=172.17.0.2 LEN=60 TOS=00 PREC=0x00 TTL=63 ID=39119 DF PROTO=TCP SPT=46644 DPT=8080 SEQ=4027056663 ACK=0 WINDOW=29200 SYN URGP=0 MARK=0
  Oct 4 07:22:56 87ff7ad8e4f9 mangle PREROUTING Dest incoming packet IN=eth0 OUT= MAC=02:42:ac:11:00:02:02:42:2e:2c:fd:2e:08:00 SRC=76.167.254.196 DST=172.17.0.2 LEN=60 TOS=00 PREC=0x00 TTL=63 ID=39119 DF PROTO=TCP SPT=46644 DPT=8080 SEQ=4027056663 ACK=0 WINDOW=29200 SYN URGP=0 MARK=0
  Oct 4 07:22:56 87ff7ad8e4f9 nat PREROUTING Dest incoming packet IN=eth0 OUT= MAC=02:42:ac:11:00:02:02:42:2e:2c:fd:2e:08:00 SRC=76.167.254.196 DST=172.17.0.2 LEN=60 TOS=00 PREC=0x00 TTL=63 ID=39119 DF PROTO=TCP SPT=46644 DPT=8080 SEQ=4027056663 ACK=0 WINDOW=29200 SYN URGP=0 MARK=0
  Oct 4 07:22:57 87ff7ad8e4f9 raw pre-route Dest incoming packet IN=eth0 OUT= MAC=02:42:ac:11:00:02:02:42:2e:2c:fd:2e:08:00 SRC=76.167.254.196 DST=172.17.0.2 LEN=60 TOS=00 PREC=0x00 TTL=63 ID=39120 DF PROTO=TCP SPT=46644 DPT=8080 SEQ=4027056663 ACK=0 WINDOW=29200 SYN URGP=0 MARK=0
  Oct 4 07:22:57 87ff7ad8e4f9 mangle PREROUTING Dest incoming packet IN=eth0 OUT= MAC=02:42:ac:11:00:02:02:42:2e:2c:fd:2e:08:00 SRC=76.167.254.196 DST=172.17.0.2 LEN=60 TOS=00 PREC=0x00 TTL=63 ID=39120 DF PROTO=TCP SPT=46644 DPT=8080 SEQ=4027056663 ACK=0 WINDOW=29200 SYN URGP=0 MARK=0
  Oct 4 07:22:57 87ff7ad8e4f9 nat PREROUTING Dest incoming packet IN=eth0 OUT= MAC=02:42:ac:11:00:02:02:42:2e:2c:fd:2e:08:00 SRC=76.167.254.196 DST=172.17.0.2 LEN=60 TOS=00 PREC=0x00 TTL=63 ID=39120 DF PROTO=TCP SPT=46644 DPT=8080 SEQ=4027056663 ACK=0 WINDOW=29200 SYN URGP=0 MARK=0

Solution

I think I've got it.
What sits between PREROUTING and INPUT / FORWARD? Look at the map: the routing decision.

From your log: SRC=76.167.254.196 DST=172.17.0.2.
Without DNAT you cannot route a public address to a private IP address. Try adding

  iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 8080 -j DNAT --to-destination 172.17.0.2

Or you can set up the VPN so that it has a private IP.
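The way the question was diagnosed, logging at every hook and looking for the hook that never fires, can be scripted. The following is an added example, not code from the question or the answer: it reads NFLOG/syslog lines of the form shown above, correlates them by the IP `ID=` field, and reports which hooks each packet was logged at, so a packet that appears at the PREROUTING hooks but never at INPUT or FORWARD is flagged. The sample input is constructed: the first two packets are abridged copies of the question's log lines, and the third packet (ID=40001, from 172.17.0.1) is invented so that a packet which does reach INPUT is shown for contrast. The function names `trace_packets` and `lost_packet_ids` are this example's own.

```shell
#!/bin/sh
# Added example (not from the question or the answer): correlate NFLOG/syslog
# lines by IP ID and report which netfilter hooks each packet was logged at.
# Constructed sample input: ID 39119 and 39120 are abridged copies of the
# question's log lines, ID 40001 is an invented packet that does reach INPUT.
SAMPLE_LOG='Oct 4 07:22:56 87ff7ad8e4f9 raw pre-route Dest incoming packet IN=eth0 OUT= SRC=76.167.254.196 DST=172.17.0.2 ID=39119 DF PROTO=TCP SPT=46644 DPT=8080 SYN
Oct 4 07:22:56 87ff7ad8e4f9 mangle PREROUTING Dest incoming packet IN=eth0 OUT= SRC=76.167.254.196 DST=172.17.0.2 ID=39119 DF PROTO=TCP SPT=46644 DPT=8080 SYN
Oct 4 07:22:56 87ff7ad8e4f9 nat PREROUTING Dest incoming packet IN=eth0 OUT= SRC=76.167.254.196 DST=172.17.0.2 ID=39119 DF PROTO=TCP SPT=46644 DPT=8080 SYN
Oct 4 07:22:57 87ff7ad8e4f9 raw pre-route Dest incoming packet IN=eth0 OUT= SRC=76.167.254.196 DST=172.17.0.2 ID=39120 DF PROTO=TCP SPT=46644 DPT=8080 SYN
Oct 4 07:22:57 87ff7ad8e4f9 mangle PREROUTING Dest incoming packet IN=eth0 OUT= SRC=76.167.254.196 DST=172.17.0.2 ID=39120 DF PROTO=TCP SPT=46644 DPT=8080 SYN
Oct 4 07:22:57 87ff7ad8e4f9 nat PREROUTING Dest incoming packet IN=eth0 OUT= SRC=76.167.254.196 DST=172.17.0.2 ID=39120 DF PROTO=TCP SPT=46644 DPT=8080 SYN
Oct 4 07:23:10 87ff7ad8e4f9 raw pre-route Dest incoming packet IN=eth0 OUT= SRC=172.17.0.1 DST=172.17.0.2 ID=40001 DF PROTO=TCP SPT=51000 DPT=8080 SYN
Oct 4 07:23:10 87ff7ad8e4f9 mangle PREROUTING Dest incoming packet IN=eth0 OUT= SRC=172.17.0.1 DST=172.17.0.2 ID=40001 DF PROTO=TCP SPT=51000 DPT=8080 SYN
Oct 4 07:23:10 87ff7ad8e4f9 nat PREROUTING Dest incoming packet IN=eth0 OUT= SRC=172.17.0.1 DST=172.17.0.2 ID=40001 DF PROTO=TCP SPT=51000 DPT=8080 SYN
Oct 4 07:23:10 87ff7ad8e4f9 mangle INPUT Dest incoming packet any2 IN=eth0 OUT= SRC=172.17.0.1 DST=172.17.0.2 ID=40001 DF PROTO=TCP SPT=51000 DPT=8080 SYN
Oct 4 07:23:10 87ff7ad8e4f9 filter INPUT Dest incoming packet IN=eth0 OUT= SRC=172.17.0.1 DST=172.17.0.2 ID=40001 DF PROTO=TCP SPT=51000 DPT=8080 SYN'

# Read log lines on stdin; print one line per IP ID: source->destination,
# the distinct hooks the packet was logged at (in order of first sighting),
# and a verdict. Prefixes that name no hook (e.g. "connection made") show as OTHER.
trace_packets() {
    awk '
    {
        id = ""; src = ""; dst = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^ID=/)  id  = substr($i, 4)
            if ($i ~ /^SRC=/) src = substr($i, 5)
            if ($i ~ /^DST=/) dst = substr($i, 5)
        }
        if (id == "") next
        # Map the nflog-prefix wording used in the question onto a hook name.
        hook = "OTHER"
        if ($0 ~ /pre-route|PREROUTING/) hook = "PREROUTING"
        if ($0 ~ / INPUT /)             hook = "INPUT"
        if ($0 ~ / FORWARD /)           hook = "FORWARD"
        if (!(id in meta)) { ids[++n] = id; meta[id] = src "->" dst }
        if (!((id, hook) in seen)) {
            seen[id, hook] = 1
            hooks[id] = (hooks[id] == "") ? hook : hooks[id] "," hook
        }
    }
    END {
        for (k = 1; k <= n; k++) {
            id = ids[k]
            if ((id, "INPUT") in seen)        verdict = "reached-INPUT"
            else if ((id, "FORWARD") in seen) verdict = "reached-FORWARD"
            else                              verdict = "never-reached-INPUT-or-FORWARD"
            printf "ID=%s %s hooks=%s %s\n", id, meta[id], hooks[id], verdict
        }
    }'
}

# Only the IDs that vanished between the PREROUTING hooks and INPUT/FORWARD.
lost_packet_ids() {
    trace_packets | awk '/never-reached/ { sub(/^ID=/, "", $1); print $1 }'
}

printf '%s\n' "$SAMPLE_LOG" | trace_packets
```

Run against the constructed sample, the two packets from 76.167.254.196 are reported as `hooks=PREROUTING never-reached-INPUT-or-FORWARD` and the invented local packet as `hooks=PREROUTING,INPUT reached-INPUT`; feed it real lines with `grep 'incoming packet' /var/log/syslog | sh trace.sh` style piping by replacing the final `printf`. The only thing between those hooks is the routing decision, and a packet the kernel discards there, for example by the reverse-path filter (`net.ipv4.conf.*.rp_filter`) when the route back to SRC would leave through a different interface than the one the packet arrived on, such as a VPN tunnel, is never seen by any later iptables chain. `ip route get 172.17.0.2 from 76.167.254.196 iif eth0` reproduces that decision from inside the container, `nstat -az TcpExtIPReversePathFilter` counts packets dropped by it, and `net.ipv4.conf.all.log_martians=1` makes such drops visible in the kernel log.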
