Linux

如何在 Debian Squeeze 上啟用 IPtables TRACE 目標(6)

  • May 21, 2019

我正在嘗試使用 IPtables 的 TRACE 目標,但似乎無法記錄任何跟踪資訊。我想使用這裡描述的內容: Debugger for Iptables

來自 TRACE 的 iptables 人:

   This target marks packes so that the kernel will log every  rule  which
   match  the  packets  as  those traverse the tables, chains, rules. (The
   ipt_LOG or ip6t_LOG module is required for the  logging.)  The  packets
   are   logged   with   the   string   prefix:  "TRACE:  tablename:chain-
   name:type:rulenum " where type can be "rule" for plain  rule,  "return"
   for  implicit  rule at the end of a user defined chain and "policy" for
   the policy of the built in chains.
   It can only be used in the raw table.

我使用以下規則:iptables -A PREROUTING -t raw -p tcp -j TRACE但在 /var/log/syslog 或 /var/log/kern.log 中沒有附加任何內容!

是否缺少另一個步驟?我找錯地方了嗎?

編輯

即使我找不到日誌條目,由於數據包計數器增加,TRACE 目標似乎設置正確:

# iptables -L -v -t raw
Chain PREROUTING (policy ACCEPT 193 packets, 63701 bytes)
pkts bytes target     prot opt in     out     source               destination
 193 63701 TRACE      tcp  --  any    any     anywhere             anywhere

Chain OUTPUT (policy ACCEPT 178 packets, 65277 bytes)
pkts bytes target     prot opt in     out     source               destination

編輯 2

該規則iptables -A PREROUTING -t raw -p tcp -j LOG 確實將數據包資訊列印到 /var/log/syslog… 為什麼 TRACE 不起作用?

跑步:

modprobe ipt_LOG

那為我修好了。

似乎(即對我有用)需要新核心(對於 IPv4):

modprobe nf_log_ipv4
sysctl net.netfilter.nf_log.2=nf_log_ipv4

學分:

  • <https://www.centos.org/forums/viewtopic.php?f=47&t=54411>
  • 支持其他答案,因為他們給了我重要的提示

引用自:https://serverfault.com/questions/385937