Netfilter框架:
测试环境:
准备netfilter 环境:测试STA—>AP的流量
firewall-rules stop
iptables -t mangle -A PREROUTING -s 192.168.1.131 -p icmp -j LOG --log-prefix="IPT_MANGLE_PRER_131_ICMP: " iptables -t nat -A PREROUTING -s 192.168.1.131 -p icmp -j LOG --log-prefix="IPT_NAT_PRER_131_ICMP: " iptables -t mangle -A POSTROUTING -s 192.168.1.131 -p icmp -j LOG --log-prefix="IPT_MANGLE_POSTR_131_ICMP: " iptables -t nat -A POSTROUTING -s 192.168.1.131 -p icmp -j LOG --log-prefix="IPT_NAT_POSTR_131_ICMP: " iptables -t filter -A INPUT -s 192.168.1.131 -p icmp -j LOG --log-prefix="IPT_FILTER_INPUT_131_ICMP: " iptables -t filter -A OUTPUT -s 192.168.1.131 -p icmp -j LOG --log-prefix="IPT_FILTER_OUTPUT_131_ICMP: " iptables -t filter -A FORWARD -s 192.168.1.131 -p icmp -j LOG --log-prefix="IPT_FILTER_FORWARD_131_ICMP: " iptables -t nat -A OUTPUT -s 192.168.1.131 -p icmp -j LOG --log-prefix="IPT_NAT_OUTPUT_131_ICMP: " iptables -t mangle -A INPUT -s 192.168.1.131 -p icmp -j LOG --log-prefix="IPT_mangle_INPUT_131_ICMP: " iptables -t mangle -A OUTPUT -s 192.168.1.131 -p icmp -j LOG --log-prefix="IPT_mangle_OUTPUT_131_ICMP: " iptables -t mangle -A FORWARD -s 192.168.1.131 -p icmp -j LOG --log-prefix="IPT_mangle_FORWARD_131_ICMP: "
iptables -t mangle -I PREROUTING -m mark --mark 0x5a -j LOG --log-prefix="IPT_MANGLE_PRER_EBT_INPUTMARK"
ebtables -t broute -I BROUTING -p ipv4 --ip-proto ICMP --ip-src 192.168.1.131 --log-level info --log-ip --log-prefix "EBT_BROUTING_131_ICMP: " ebtables -t nat -I PREROUTING -p ipv4 --ip-proto ICMP --ip-src 192.168.1.131 --log-level info --log-ip --log-prefix "EBT_PREROUTING_131_ICMP: " ebtables -t nat -I POSTROUTING -p ipv4 --ip-proto ICMP --ip-src 192.168.1.131 --log-level info --log-ip --log-prefix "EBT_POSTROUTING_131_ICMP: " ebtables -t nat -I OUTPUT -p ipv4 --ip-proto ICMP --ip-src 192.168.1.131 --log-level info --log-ip --log-prefix "EBT_OUTPUT_131_ICMP: "
ebtables -I FORWARD -p ipv4 --ip-proto ICMP --ip-src 192.168.1.131 --log-level info --log-ip --log-prefix "EBT_FORWARD_131_ICMP: " ebtables -I INPUT -p ipv4 --ip-proto ICMP --ip-src 192.168.1.131 --log-level info --log-ip --log-prefix "EBT_INPUT_131_ICMP: " ebtables -I OUTPUT -p ipv4 --ip-proto ICMP --ip-src 192.168.1.131 --log-level info --log-ip --log-prefix "EBT_OUTPUT_131_ICMP: "
ebtables -I INPUT -p IPv4 --ip-src 192.168.1.131 --ip-proto icmp --log-level info --log-prefix "" -j mark --mark-set 0x5a --mark-target CONTINUE
iptables -t mangle -L iptables -t nat -L iptables -t filter -L
ebtables -t broute -L ebtables -t filter -L ebtables -t nat -L |
sysctl -w net.bridge.bridge-nf-call-iptables=0
如果没有连接跟踪表记录该流时,log如下: EBT_BROUTING_131_ICMP: IN=ath0.0 OUT= MAC source = 3c:a9:f4:b5:0d:cc MAC dest = 00:21:29:b6:b9:65 proto = 0x0800 IP SRC=192.168.1.131 IP DST=192.168.1.1, IP tos=0x00, IP proto=1 EBT_PREROUTING_131_ICMP: IN=ath0.0 OUT= MAC source = 3c:a9:f4:b5:0d:cc MAC dest = 00:21:29:b6:b9:65 proto = 0x0800 IP SRC=192.168.1.131 IP DST=192.168.1.1, IP tos=0x00, IP proto=1 EBT_FORWARD_131_ICMP: IN=ath0.0 OUT=eth0.0 MAC source = 3c:a9:f4:b5:0d:cc MAC dest = 00:21:29:b6:b9:65 proto = 0x0800 IP SRC=192.168.1.131 IP DST=192.168.1.1, IP tos=0x00, IP proto=1 EBT_POSTROUTING_131_ICMP: IN= OUT=eth0.0 MAC source = 3c:a9:f4:b5:0d:cc MAC dest = 00:21:29:b6:b9:65 proto = 0x0800 IP SRC=192.168.1.131 IP DST=192.168.1.1, IP tos=0x00, IP proto=1
如果有连接跟踪表记录该流时,log如下: 相同 EBT_BROUTING_131_ICMP: IN=ath1.0 OUT= MAC source = 3c:a9:f4:b5:0d:cc MAC dest = 00:21:29:b6:b9:65 proto = 0x0800 IP SRC=192.168.1.131 IP DST=192.168.1.1, IP tos=0x00, IP proto=1 EBT_PREROUTING_131_ICMP: IN=ath1.0 OUT= MAC source = 3c:a9:f4:b5:0d:cc MAC dest = 00:21:29:b6:b9:65 proto = 0x0800 IP SRC=192.168.1.131 IP DST=192.168.1.1, IP tos=0x00, IP proto=1 EBT_FORWARD_131_ICMP: IN=ath1.0 OUT=eth0.0 MAC source = 3c:a9:f4:b5:0d:cc MAC dest = 00:21:29:b6:b9:65 proto = 0x0800 IP SRC=192.168.1.131 IP DST=192.168.1.1, IP tos=0x00, IP proto=1 EBT_POSTROUTING_131_ICMP: IN= OUT=eth0.0 MAC source = 3c:a9:f4:b5:0d:cc MAC dest = 00:21:29:b6:b9:65 proto = 0x0800 IP SRC=192.168.1.131 IP DST=192.168.1.1, IP tos=0x00, IP proto=1 符合Netfilter流程图(不执行Netfilter路径上iptables hook点) |
ping192.168.1.130
如果没有连接跟踪表记录该流时,log如下:多了IPT_NAT_PRER_131_ICMP EBT_BROUTING_131_ICMP: IN=ath0.0 OUT= MAC source = 3c:a9:f4:b5:0d:cc MAC dest = 70:f1:a1:aa:bd:60 proto = 0x0800 IP SRC=192.168.1.131 IP DST=192.168.1.130, IP tos=0x00, IP proto=1 EBT_PREROUTING_131_ICMP: IN=ath0.0 OUT= MAC source = 3c:a9:f4:b5:0d:cc MAC dest = 70:f1:a1:aa:bd:60 proto = 0x0800 IP SRC=192.168.1.131 IP DST=192.168.1.130, IP tos=0x00, IP proto=1 IN=ath0.0 OUT= MAC source = 3c:a9:f4:b5:0d:cc MAC dest = 70:f1:a1:aa:bd:60 proto = 0x0800 EBT_INPUT_131_ICMP: IN=ath0.0 OUT= MAC source = 3c:a9:f4:b5:0d:cc MAC dest = 70:f1:a1:aa:bd:60 proto = 0x0800 IP SRC=192.168.1.131 IP DST=192.168.1.130, IP tos=0x00, IP proto=1 IPT_MANGLE_PRER_EBT_INPUTMARKIN=br-lan0 OUT= MAC=70:f1:a1:aa:bd:60:3c:a9:f4:b5:0d:cc:08:00 SRC=192.168.1.131 DST=192.168.1.130 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=19538 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2547 MARK=0x5a IPT_MANGLE_PRER_131_ICMP: IN=br-lan0 OUT= MAC=70:f1:a1:aa:bd:60:3c:a9:f4:b5:0d:cc:08:00 SRC=192.168.1.131 DST=192.168.1.130 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=19538 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2547 MARK=0x5a IPT_NAT_PRER_131_ICMP: IN=br-lan0 OUT= MAC=70:f1:a1:aa:bd:60:3c:a9:f4:b5:0d:cc:08:00 SRC=192.168.1.131 DST=192.168.1.130 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=19538 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2547 MARK=0x5a IPT_mangle_INPUT_131_ICMP: IN=br-lan0 OUT= MAC=70:f1:a1:aa:bd:60:3c:a9:f4:b5:0d:cc:08:00 SRC=192.168.1.131 DST=192.168.1.130 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=19538 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2547 MARK=0x5a IPT_FILTER_INPUT_131_ICMP: IN=br-lan0 OUT= MAC=70:f1:a1:aa:bd:60:3c:a9:f4:b5:0d:cc:08:00 SRC=192.168.1.131 DST=192.168.1.130 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=19538 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2547 MARK=0x5a
如果有连接跟踪表记录该流时,log如下;
EBT_BROUTING_131_ICMP: IN=ath0.0 OUT= MAC source = 3c:a9:f4:b5:0d:cc MAC dest = 70:f1:a1:aa:bd:60 proto = 0x0800 IP SRC=192.168.1.131 IP DST=192.168.1.130, IP tos=0x00, IP proto=1 EBT_PREROUTING_131_ICMP: IN=ath0.0 OUT= MAC source = 3c:a9:f4:b5:0d:cc MAC dest = 70:f1:a1:aa:bd:60 proto = 0x0800 IP SRC=192.168.1.131 IP DST=192.168.1.130, IP tos=0x00, IP proto=1 IN=ath0.0 OUT= MAC source = 3c:a9:f4:b5:0d:cc MAC dest = 70:f1:a1:aa:bd:60 proto = 0x0800 EBT_INPUT_131_ICMP: IN=ath0.0 OUT= MAC source = 3c:a9:f4:b5:0d:cc MAC dest = 70:f1:a1:aa:bd:60 proto = 0x0800 IP SRC=192.168.1.131 IP DST=192.168.1.130, IP tos=0x00, IP proto=1 IPT_MANGLE_PRER_EBT_INPUTMARKIN=br-lan0 OUT= MAC=70:f1:a1:aa:bd:60:3c:a9:f4:b5:0d:cc:08:00 SRC=192.168.1.131 DST=192.168.1.130 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=19540 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2549 MARK=0x5a IPT_MANGLE_PRER_131_ICMP: IN=br-lan0 OUT= MAC=70:f1:a1:aa:bd:60:3c:a9:f4:b5:0d:cc:08:00 SRC=192.168.1.131 DST=192.168.1.130 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=19540 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2549 MARK=0x5a IPT_mangle_INPUT_131_ICMP: IN=br-lan0 OUT= MAC=70:f1:a1:aa:bd:60:3c:a9:f4:b5:0d:cc:08:00 SRC=192.168.1.131 DST=192.168.1.130 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=19540 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2549 MARK=0x5a IPT_FILTER_INPUT_131_ICMP: IN=br-lan0 OUT= MAC=70:f1:a1:aa:bd:60:3c:a9:f4:b5:0d:cc:08:00 SRC=192.168.1.131 DST=192.168.1.130 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=19540 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2549 MARK=0x5a 不符合Netfilter流程图 |
sysctl -w net.bridge.bridge-nf-call-iptables=1
ping192.168.1.1
如果有连接跟踪表记录该流时,log如下; EBT_BROUTING_131_ICMP: IN=ath0.0 OUT= MAC source = 3c:a9:f4:b5:0d:cc MAC dest = 00:21:29:b6:b9:65 proto = 0x0800 IP SRC=192.168.1.131 IP DST=192.168.1.1, IP tos=0x00, IP proto=1 EBT_PREROUTING_131_ICMP: IN=ath0.0 OUT= MAC source = 3c:a9:f4:b5:0d:cc MAC dest = 00:21:29:b6:b9:65 proto = 0x0800 IP SRC=192.168.1.131 IP DST=192.168.1.1, IP tos=0x00, IP proto=1 IPT_MANGLE_PRER_131_ICMP: IN=br-lan0 OUT= PHYSIN=ath0.0 MAC=00:21:29:b6:b9:65:3c:a9:f4:b5:0d:cc:08:00 SRC=192.168.1.131 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=14516 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2528 EBT_FORWARD_131_ICMP: IN=ath0.0 OUT=eth0.0 MAC source = 3c:a9:f4:b5:0d:cc MAC dest = 00:21:29:b6:b9:65 proto = 0x0800 IP SRC=192.168.1.131 IP DST=192.168.1.1, IP tos=0x00, IP proto=1 IPT_mangle_FORWARD_131_ICMP: IN=br-lan0 OUT=br-lan0 PHYSIN=ath0.0 PHYSOUT=eth0.0 SRC=192.168.1.131 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=14516 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2528 IPT_FILTER_FORWARD_131_ICMP: IN=br-lan0 OUT=br-lan0 PHYSIN=ath0.0 PHYSOUT=eth0.0 SRC=192.168.1.131 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=14516 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2528 EBT_POSTROUTING_131_ICMP: IN= OUT=eth0.0 MAC source = 3c:a9:f4:b5:0d:cc MAC dest = 00:21:29:b6:b9:65 proto = 0x0800 IP SRC=192.168.1.131 IP DST=192.168.1.1, IP tos=0x00, IP proto=1 IPT_MANGLE_POSTR_131_ICMP: IN= OUT=br-lan0 PHYSIN=ath0.0 PHYSOUT=eth0.0 SRC=192.168.1.131 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=14516 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2528
如果没有连接跟踪表记录该流时,log如下:(多了IPT_NAT_PRER_131_ICMP和IPT_NAT_POSTR_131_ICMP) EBT_BROUTING_131_ICMP: IN=ath1.0 OUT= MAC source = 3c:a9:f4:b5:0d:cc MAC dest = 00:21:29:b6:b9:65 proto = 0x0800 IP SRC=192.168.1.131 IP DST=192.168.1.1, IP tos=0x00, IP proto=1 EBT_PREROUTING_131_ICMP: IN=ath1.0 OUT= MAC source = 3c:a9:f4:b5:0d:cc MAC dest = 00:21:29:b6:b9:65 proto = 0x0800 IP SRC=192.168.1.131 IP DST=192.168.1.1, IP tos=0x00, IP proto=1 IPT_MANGLE_PRER_131_ICMP: IN=br-lan0 OUT= PHYSIN=ath1.0 MAC=00:21:29:b6:b9:65:3c:a9:f4:b5:0d:cc:08:00 SRC=192.168.1.131 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=14569 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2530 IPT_NAT_PRER_131_ICMP: IN=br-lan0 OUT= PHYSIN=ath1.0 MAC=00:21:29:b6:b9:65:3c:a9:f4:b5:0d:cc:08:00 SRC=192.168.1.131 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=14569 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2530 EBT_FORWARD_131_ICMP: IN=ath1.0 OUT=eth0.0 MAC source = 3c:a9:f4:b5:0d:cc MAC dest = 00:21:29:b6:b9:65 proto = 0x0800 IP SRC=192.168.1.131 IP DST=192.168.1.1, IP tos=0x00, IP proto=1 IPT_mangle_FORWARD_131_ICMP: IN=br-lan0 OUT=br-lan0 PHYSIN=ath1.0 PHYSOUT=eth0.0 SRC=192.168.1.131 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=14569 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2530 IPT_FILTER_FORWARD_131_ICMP: IN=br-lan0 OUT=br-lan0 PHYSIN=ath1.0 PHYSOUT=eth0.0 SRC=192.168.1.131 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=14569 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2530 EBT_POSTROUTING_131_ICMP: IN= OUT=eth0.0 MAC source = 3c:a9:f4:b5:0d:cc MAC dest = 00:21:29:b6:b9:65 proto = 0x0800 IP SRC=192.168.1.131 IP DST=192.168.1.1, IP tos=0x00, IP proto=1 IPT_MANGLE_POSTR_131_ICMP: IN= OUT=br-lan0 PHYSIN=ath1.0 PHYSOUT=eth0.0 SRC=192.168.1.131 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=14569 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2530 IPT_NAT_POSTR_131_ICMP: IN= OUT=br-lan0 PHYSIN=ath1.0 PHYSOUT=eth0.0 SRC=192.168.1.131 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=14569 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2530 符合Netfilter流程图 |
如果有连接跟踪表记录该流时,log如下; EBT_BROUTING_131_ICMP: IN=ath1.0 OUT= MAC source = 3c:a9:f4:b5:0d:cc MAC dest = 70:f1:a1:aa:bd:60 proto = 0x0800 IP SRC=192.168.1.131 IP DST=192.168.1.130, IP tos=0x00, IP proto=1 EBT_PREROUTING_131_ICMP: IN=ath1.0 OUT= MAC source = 3c:a9:f4:b5:0d:cc MAC dest = 70:f1:a1:aa:bd:60 proto = 0x0800 IP SRC=192.168.1.131 IP DST=192.168.1.130, IP tos=0x00, IP proto=1 IPT_MANGLE_PRER_131_ICMP: IN=br-lan0 OUT= PHYSIN=ath1.0 MAC=70:f1:a1:aa:bd:60:3c:a9:f4:b5:0d:cc:08:00 SRC=192.168.1.131 DST=192.168.1.130 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=14588 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2535 EBT_INPUT_131_ICMP: IN=ath1.0 OUT= MAC source = 3c:a9:f4:b5:0d:cc MAC dest = 70:f1:a1:aa:bd:60 proto = 0x0800 IP SRC=192.168.1.131 IP DST=192.168.1.130, IP tos=0x00, IP proto=1 IPT_mangle_INPUT_131_ICMP: IN=br-lan0 OUT= PHYSIN=ath1.0 MAC=70:f1:a1:aa:bd:60:3c:a9:f4:b5:0d:cc:08:00 SRC=192.168.1.131 DST=192.168.1.130 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=14588 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2535 IPT_FILTER_INPUT_131_ICMP: IN=br-lan0 OUT= PHYSIN=ath1.0 MAC=70:f1:a1:aa:bd:60:3c:a9:f4:b5:0d:cc:08:00 SRC=192.168.1.131 DST=192.168.1.130 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=14588 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2535
如果没有连接跟踪表记录该流时,log如下:(多了IPT_NAT_PRER_131_ICMP) EBT_BROUTING_131_ICMP: IN=ath0.0 OUT= MAC source = 3c:a9:f4:b5:0d:cc MAC dest = 70:f1:a1:aa:bd:60 proto = 0x0800 IP SRC=192.168.1.131 IP DST=192.168.1.130, IP tos=0x00, IP proto=1 EBT_PREROUTING_131_ICMP: IN=ath0.0 OUT= MAC source = 3c:a9:f4:b5:0d:cc MAC dest = 70:f1:a1:aa:bd:60 proto = 0x0800 IP SRC=192.168.1.131 IP DST=192.168.1.130, IP tos=0x00, IP proto=1 IPT_MANGLE_PRER_131_ICMP: IN=br-lan0 OUT= PHYSIN=ath0.0 MAC=70:f1:a1:aa:bd:60:3c:a9:f4:b5:0d:cc:08:00 SRC=192.168.1.131 DST=192.168.1.130 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=14495 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2521 IPT_NAT_PRER_131_ICMP: IN=br-lan0 OUT= PHYSIN=ath0.0 MAC=70:f1:a1:aa:bd:60:3c:a9:f4:b5:0d:cc:08:00 SRC=192.168.1.131 DST=192.168.1.130 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=14495 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2521 EBT_INPUT_131_ICMP: IN=ath0.0 OUT= MAC source = 3c:a9:f4:b5:0d:cc MAC dest = 70:f1:a1:aa:bd:60 proto = 0x0800 IP SRC=192.168.1.131 IP DST=192.168.1.130, IP tos=0x00, IP proto=1 IPT_mangle_INPUT_131_ICMP: IN=br-lan0 OUT= PHYSIN=ath0.0 MAC=70:f1:a1:aa:bd:60:3c:a9:f4:b5:0d:cc:08:00 SRC=192.168.1.131 DST=192.168.1.130 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=14495 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2521 IPT_FILTER_INPUT_131_ICMP: IN=br-lan0 OUT= PHYSIN=ath0.0 MAC=70:f1:a1:aa:bd:60:3c:a9:f4:b5:0d:cc:08:00 SRC=192.168.1.131 DST=192.168.1.130 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=14495 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2521 符合Netfilter流程图 |
测试APàSTA发送的流量
firewall-rules stop
iptables -t mangle -A PREROUTING -d 192.168.1.131 -p icmp -j LOG --log-prefix="IPT_MANGLE_PRER_131_ICMP: " iptables -t nat -A PREROUTING -d 192.168.1.131 -p icmp -j LOG --log-prefix="IPT_NAT_PRER_131_ICMP: " iptables -t mangle -A POSTROUTING -d 192.168.1.131 -p icmp -j LOG --log-prefix="IPT_MANGLE_POSTR_131_ICMP: " iptables -t nat -A POSTROUTING -d 192.168.1.131 -p icmp -j LOG --log-prefix="IPT_NAT_POSTR_131_ICMP: " iptables -t filter -A INPUT -d 192.168.1.131 -p icmp -j LOG --log-prefix="IPT_FILTER_INPUT_131_ICMP: " iptables -t filter -A OUTPUT -d 192.168.1.131 -p icmp -j LOG --log-prefix="IPT_FILTER_OUTPUT_131_ICMP: " iptables -t filter -A FORWARD -d 192.168.1.131 -p icmp -j LOG --log-prefix="IPT_FILTER_FORWARD_131_ICMP: " iptables -t nat -A OUTPUT -d 192.168.1.131 -p icmp -j LOG --log-prefix="IPT_NAT_OUTPUT_131_ICMP: " iptables -t mangle -A INPUT -d 192.168.1.131 -p icmp -j LOG --log-prefix="IPT_mangle_INPUT_131_ICMP: " iptables -t mangle -A OUTPUT -d 192.168.1.131 -p icmp -j LOG --log-prefix="IPT_mangle_OUTPUT_131_ICMP: " iptables -t mangle -A FORWARD -d 192.168.1.131 -p icmp -j LOG --log-prefix="IPT_mangle_FORWARD_131_ICMP: "
ebtables -t broute -I BROUTING -p ipv4 --ip-proto ICMP --ip-dst 192.168.1.131 --log-level info --log-ip --log-prefix "EBT_BROUTING_131_ICMP: " ebtables -t nat -I PREROUTING -p ipv4 --ip-proto ICMP --ip-dst 192.168.1.131 --log-level info --log-ip --log-prefix "EBT_PREROUTING_131_ICMP: " ebtables -t nat -I POSTROUTING -p ipv4 --ip-proto ICMP --ip-dst 192.168.1.131 --log-level info --log-ip --log-prefix "EBT_POSTROUTING_131_ICMP: " ebtables -t nat -I OUTPUT -p ipv4 --ip-proto ICMP --ip-dst 192.168.1.131 --log-level info --log-ip --log-prefix "EBT_NAT_OUTPUT_131_ICMP: "
ebtables -I FORWARD -p ipv4 --ip-proto ICMP --ip-dst 192.168.1.131 --log-level info --log-ip --log-prefix "EBT_FORWARD_131_ICMP: " ebtables -I INPUT -p ipv4 --ip-proto ICMP --ip-dst 192.168.1.131 --log-level info --log-ip --log-prefix "EBT_INPUT_131_ICMP: " ebtables -I OUTPUT -p ipv4 --ip-proto ICMP --ip-dst 192.168.1.131 --log-level info --log-ip --log-prefix "EBT_OUTPUT_131_ICMP: "
iptables -t mangle -L iptables -t nat -L iptables -t filter -L
ebtables -t broute -L ebtables -t filter -L ebtables -t nat -L
|
sysctl -w net.bridge.bridge-nf-call-iptables=0
如果有连接跟踪表记录该流时,log如下; IPT_mangle_OUTPUT_131_ICMP: IN= OUT=br-lan0 SRC=192.168.1.130 DST=192.168.1.131 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=468 SEQ=0 IPT_NAT_OUTPUT_131_ICMP: IN= OUT=br-lan0 SRC=192.168.1.130 DST=192.168.1.131 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=468 SEQ=0 IPT_FILTER_OUTPUT_131_ICMP: IN= OUT=br-lan0 SRC=192.168.1.130 DST=192.168.1.131 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=468 SEQ=0 IPT_MANGLE_POSTR_131_ICMP: IN= OUT=br-lan0 SRC=192.168.1.130 DST=192.168.1.131 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=468 SEQ=0 IPT_NAT_POSTR_131_ICMP: IN= OUT=br-lan0 SRC=192.168.1.130 DST=192.168.1.131 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=468 SEQ=0 EBT_NAT_OUTPUT_131_ICMP: IN= OUT=ath0.0 MAC source = 70:f1:a1:aa:bd:60 MAC dest = 3c:a9:f4:b5:0d:cc proto = 0x0800 IP SRC=192.168.1.130 IP DST=192.168.1.131, IP tos=0x00, IP proto=1 EBT_OUTPUT_131_ICMP: IN= OUT=ath0.0 MAC source = 70:f1:a1:aa:bd:60 MAC dest = 3c:a9:f4:b5:0d:cc proto = 0x0800 IP SRC=192.168.1.130 IP DST=192.168.1.131, IP tos=0x00, IP proto=1 EBT_POSTROUTING_131_ICMP: IN= OUT=ath0.0 MAC source = 70:f1:a1:aa:bd:60 MAC dest = 3c:a9:f4:b5:0d:cc proto = 0x0800 IP SRC=192.168.1.130 IP DST=192.168.1.131, IP tos=0x00, IP proto=1
如果没有连接跟踪表记录该流时,log如下:没有差异 IPT_mangle_OUTPUT_131_ICMP: IN= OUT=br-lan0 SRC=192.168.1.130 DST=192.168.1.131 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=468 SEQ=0 IPT_NAT_OUTPUT_131_ICMP: IN= OUT=br-lan0 SRC=192.168.1.130 DST=192.168.1.131 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=468 SEQ=0 IPT_FILTER_OUTPUT_131_ICMP: IN= OUT=br-lan0 SRC=192.168.1.130 DST=192.168.1.131 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=468 SEQ=0 IPT_MANGLE_POSTR_131_ICMP: IN= OUT=br-lan0 SRC=192.168.1.130 DST=192.168.1.131 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=468 SEQ=0 IPT_NAT_POSTR_131_ICMP: IN= OUT=br-lan0 SRC=192.168.1.130 DST=192.168.1.131 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=468 SEQ=0 EBT_NAT_OUTPUT_131_ICMP: IN= OUT=ath0.0 MAC source = 70:f1:a1:aa:bd:60 MAC dest = 3c:a9:f4:b5:0d:cc proto = 0x0800 IP SRC=192.168.1.130 IP DST=192.168.1.131, IP tos=0x00, IP proto=1 EBT_OUTPUT_131_ICMP: IN= OUT=ath0.0 MAC source = 70:f1:a1:aa:bd:60 MAC dest = 3c:a9:f4:b5:0d:cc proto = 0x0800 IP SRC=192.168.1.130 IP DST=192.168.1.131, IP tos=0x00, IP proto=1 EBT_POSTROUTING_131_ICMP: IN= OUT=ath0.0 MAC source = 70:f1:a1:aa:bd:60 MAC dest = 3c:a9:f4:b5:0d:cc proto = 0x0800 IP SRC=192.168.1.130 IP DST=192.168.1.131, IP tos=0x00, IP proto=1 符合Netfilter流程图 |
sysctl -w net.bridge.bridge-nf-call-iptables=1
如果有连接跟踪表记录该流时,log如下; IPT_mangle_OUTPUT_131_ICMP: IN= OUT=br-lan0 SRC=192.168.1.130 DST=192.168.1.131 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=2462 SEQ=0 IPT_NAT_OUTPUT_131_ICMP: IN= OUT=br-lan0 SRC=192.168.1.130 DST=192.168.1.131 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=2462 SEQ=0 IPT_FILTER_OUTPUT_131_ICMP: IN= OUT=br-lan0 SRC=192.168.1.130 DST=192.168.1.131 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=2462 SEQ=0 IPT_MANGLE_POSTR_131_ICMP: IN= OUT=br-lan0 SRC=192.168.1.130 DST=192.168.1.131 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=2462 SEQ=0 IPT_NAT_POSTR_131_ICMP: IN= OUT=br-lan0 SRC=192.168.1.130 DST=192.168.1.131 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=2462 SEQ=0 EBT_NAT_OUTPUT_131_ICMP: IN= OUT=ath0.0 MAC source = 70:f1:a1:aa:bd:60 MAC dest = 3c:a9:f4:b5:0d:cc proto = 0x0800 IP SRC=192.168.1.130 IP DST=192.168.1.131, IP tos=0x00, IP proto=1 EBT_OUTPUT_131_ICMP: IN= OUT=ath0.0 MAC source = 70:f1:a1:aa:bd:60 MAC dest = 3c:a9:f4:b5:0d:cc proto = 0x0800 IP SRC=192.168.1.130 IP DST=192.168.1.131, IP tos=0x00, IP proto=1 EBT_POSTROUTING_131_ICMP: IN= OUT=ath0.0 MAC source = 70:f1:a1:aa:bd:60 MAC dest = 3c:a9:f4:b5:0d:cc proto = 0x0800 IP SRC=192.168.1.130 IP DST=192.168.1.131, IP tos=0x00, IP proto=1
如果没有连接跟踪表记录该流时,log如下:相同 IPT_mangle_OUTPUT_131_ICMP: IN= OUT=br-lan0 SRC=192.168.1.130 DST=192.168.1.131 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=2462 SEQ=0 IPT_NAT_OUTPUT_131_ICMP: IN= OUT=br-lan0 SRC=192.168.1.130 DST=192.168.1.131 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=2462 SEQ=0 IPT_FILTER_OUTPUT_131_ICMP: IN= OUT=br-lan0 SRC=192.168.1.130 DST=192.168.1.131 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=2462 SEQ=0 IPT_MANGLE_POSTR_131_ICMP: IN= OUT=br-lan0 SRC=192.168.1.130 DST=192.168.1.131 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=2462 SEQ=0 IPT_NAT_POSTR_131_ICMP: IN= OUT=br-lan0 SRC=192.168.1.130 DST=192.168.1.131 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=2462 SEQ=0 EBT_NAT_OUTPUT_131_ICMP: IN= OUT=ath0.0 MAC source = 70:f1:a1:aa:bd:60 MAC dest = 3c:a9:f4:b5:0d:cc proto = 0x0800 IP SRC=192.168.1.130 IP DST=192.168.1.131, IP tos=0x00, IP proto=1 EBT_OUTPUT_131_ICMP: IN= OUT=ath0.0 MAC source = 70:f1:a1:aa:bd:60 MAC dest = 3c:a9:f4:b5:0d:cc proto = 0x0800 IP SRC=192.168.1.130 IP DST=192.168.1.131, IP tos=0x00, IP proto=1 EBT_POSTROUTING_131_ICMP: IN= OUT=ath0.0 MAC source = 70:f1:a1:aa:bd:60 MAC dest = 3c:a9:f4:b5:0d:cc proto = 0x0800 IP SRC=192.168.1.130 IP DST=192.168.1.131, IP tos=0x00, IP proto=1
符合Netfilter流程图 |
Netfilter/Ebtables/Iptables本地和转发流量的路径
原文地址:http://blog.csdn.net/zxygww/article/details/45046833