Linux
Incoming packets never hit the iptables INPUT chain
I am running a VPN client inside a docker container. I am trying to connect from the host to a web server running in the docker container on port 8080. When I try to connect, I can see my incoming packet on port 8080 with tcpdump, but the web server never sees it. I added iptables '-j LOG' rules for every possible state transition of the packet to try to trace it. I see the packet in:
- table 'raw', chain PREROUTING
- table 'mangle', chain PREROUTING
- table 'nat', chain PREROUTING
And then... nothing. After a short delay the packet is resent and I see the new packet go through PREROUTING. Nothing shows up on the mangle INPUT or mangle FORWARD chains, which as far as I can tell is impossible; it has to hit one of them. Is there any way for a packet to pass through PREROUTING but hit neither INPUT nor FORWARD? My iptables are as follows:
```
root@87ff7ad8e4f9:/# iptables -t raw -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
NFLOG      tcp  --  anywhere             anywhere             tcp spt:http-alt nflog-prefix "raw pre-route Src incoming packet"
NFLOG      tcp  --  anywhere             anywhere             tcp dpt:http-alt nflog-prefix "raw pre-route Dest incoming packet"

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
NFLOG      tcp  --  anywhere             anywhere             tcp dpt:http-alt nflog-prefix "Dest outgoing packet"
NFLOG      tcp  --  anywhere             anywhere             tcp spt:http-alt nflog-prefix "Src outgoing packet"

root@87ff7ad8e4f9:/# iptables -t mangle -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
NFLOG      tcp  --  anywhere             anywhere             tcp dpt:http-alt nflog-prefix "mangle PREROUTING Dest incoming packet"

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
NFLOG      all  --  anywhere             anywhere             nflog-prefix "mangle INPUT Dest incoming packet any2"

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
NFLOG      all  --  anywhere             anywhere             nflog-prefix "mangle FORWARD Dest incoming packet any"

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
MARK       tcp  --  anywhere             anywhere             tcp spt:http-alt MARK set 0x1
MARK       tcp  --  anywhere             anywhere             tcp dpt:http-alt MARK set 0x1
NFLOG      tcp  --  anywhere             anywhere             tcp spt:http-alt nflog-prefix "MARK set 0x1"
NFLOG      tcp  --  anywhere             anywhere             tcp dpt:http-alt nflog-prefix "Dest MARK set 0x1"

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

root@87ff7ad8e4f9:/# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
NFLOG      tcp  --  anywhere             anywhere             tcp dpt:http-alt nflog-prefix "nat PREROUTING Dest incoming packet"

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
NFLOG      tcp  --  anywhere             anywhere             tcp dpt:http-alt nflog-prefix "nat INPUT Dest incoming packet"

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

root@87ff7ad8e4f9:/# iptables -t filter -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
NFLOG      tcp  --  anywhere             anywhere             nflog-prefix "connection made"
NFLOG      tcp  --  anywhere             anywhere             tcp dpt:http-alt nflog-prefix "filter INPUT Dest incoming packet"

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             172.17.0.0/16
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere             owner GID match vpn
ACCEPT     udp  --  anywhere             anywhere             owner GID match vpn
DROP       all  --  anywhere             anywhere
```
My syslog shows:
```
Oct 4 07:22:56 87ff7ad8e4f9 raw pre-route Dest incoming packet IN=eth0 OUT= MAC=02:42:ac:11:00:02:02:42:2e:2c:fd:2e:08:00 SRC=76.167.254.196 DST=172.17.0.2 LEN=60 TOS=00 PREC=0x00 TTL=63 ID=39119 DF PROTO=TCP SPT=46644 DPT=8080 SEQ=4027056663 ACK=0 WINDOW=29200 SYN URGP=0 MARK=0
Oct 4 07:22:56 87ff7ad8e4f9 mangle PREROUTING Dest incoming packet IN=eth0 OUT= MAC=02:42:ac:11:00:02:02:42:2e:2c:fd:2e:08:00 SRC=76.167.254.196 DST=172.17.0.2 LEN=60 TOS=00 PREC=0x00 TTL=63 ID=39119 DF PROTO=TCP SPT=46644 DPT=8080 SEQ=4027056663 ACK=0 WINDOW=29200 SYN URGP=0 MARK=0
Oct 4 07:22:56 87ff7ad8e4f9 nat PREROUTING Dest incoming packet IN=eth0 OUT= MAC=02:42:ac:11:00:02:02:42:2e:2c:fd:2e:08:00 SRC=76.167.254.196 DST=172.17.0.2 LEN=60 TOS=00 PREC=0x00 TTL=63 ID=39119 DF PROTO=TCP SPT=46644 DPT=8080 SEQ=4027056663 ACK=0 WINDOW=29200 SYN URGP=0 MARK=0
Oct 4 07:22:57 87ff7ad8e4f9 raw pre-route Dest incoming packet IN=eth0 OUT= MAC=02:42:ac:11:00:02:02:42:2e:2c:fd:2e:08:00 SRC=76.167.254.196 DST=172.17.0.2 LEN=60 TOS=00 PREC=0x00 TTL=63 ID=39120 DF PROTO=TCP SPT=46644 DPT=8080 SEQ=4027056663 ACK=0 WINDOW=29200 SYN URGP=0 MARK=0
Oct 4 07:22:57 87ff7ad8e4f9 mangle PREROUTING Dest incoming packet IN=eth0 OUT= MAC=02:42:ac:11:00:02:02:42:2e:2c:fd:2e:08:00 SRC=76.167.254.196 DST=172.17.0.2 LEN=60 TOS=00 PREC=0x00 TTL=63 ID=39120 DF PROTO=TCP SPT=46644 DPT=8080 SEQ=4027056663 ACK=0 WINDOW=29200 SYN URGP=0 MARK=0
Oct 4 07:22:57 87ff7ad8e4f9 nat PREROUTING Dest incoming packet IN=eth0 OUT= MAC=02:42:ac:11:00:02:02:42:2e:2c:fd:2e:08:00 SRC=76.167.254.196 DST=172.17.0.2 LEN=60 TOS=00 PREC=0x00 TTL=63 ID=39120 DF PROTO=TCP SPT=46644 DPT=8080 SEQ=4027056663 ACK=0 WINDOW=29200 SYN URGP=0 MARK=0
```
I don't fully understand why, but the reverse path filter was what was dropping the packets. Turning it off with the following command solved my problem: sysctl -w net.ipv4.conf.eth0.rp_filter=0
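The trace in the question (an NFLOG rule in each hook) and the rp_filter answer above suggest a small diagnostic, given here as an added example that is not part of either post. The first function reports every packet that was logged in a PREROUTING hook but never in INPUT or FORWARD, which is the signature of a drop at the routing decision between those hooks (reverse-path check or no route). The second reads the reverse-path setting the kernel actually applies, which is the larger of conf/all and conf/<iface>, so a per-interface 0 does nothing while all=1. The log lines are the six from the question plus one constructed connection from 172.17.0.1 that does reach INPUT, included only so the filter has a negative case; the function names and the ID=500 packet are assumptions.

```shell
#!/bin/sh
# Constructed sample: the question's six NFLOG lines (two SYNs, ID 39119 and 39120,
# each seen in raw/mangle/nat PREROUTING only) plus a made-up host connection
# (ID=500) that is also logged in mangle INPUT. MAC fields shortened for width.
SAMPLE_LOG='Oct 4 07:22:56 h raw pre-route Dest incoming packet IN=eth0 OUT= MAC=02:42 SRC=76.167.254.196 DST=172.17.0.2 LEN=60 TTL=63 ID=39119 DF PROTO=TCP SPT=46644 DPT=8080 SYN
Oct 4 07:22:56 h mangle PREROUTING Dest incoming packet IN=eth0 OUT= MAC=02:42 SRC=76.167.254.196 DST=172.17.0.2 LEN=60 TTL=63 ID=39119 DF PROTO=TCP SPT=46644 DPT=8080 SYN
Oct 4 07:22:56 h nat PREROUTING Dest incoming packet IN=eth0 OUT= MAC=02:42 SRC=76.167.254.196 DST=172.17.0.2 LEN=60 TTL=63 ID=39119 DF PROTO=TCP SPT=46644 DPT=8080 SYN
Oct 4 07:22:57 h raw pre-route Dest incoming packet IN=eth0 OUT= MAC=02:42 SRC=76.167.254.196 DST=172.17.0.2 LEN=60 TTL=63 ID=39120 DF PROTO=TCP SPT=46644 DPT=8080 SYN
Oct 4 07:22:57 h mangle PREROUTING Dest incoming packet IN=eth0 OUT= MAC=02:42 SRC=76.167.254.196 DST=172.17.0.2 LEN=60 TTL=63 ID=39120 DF PROTO=TCP SPT=46644 DPT=8080 SYN
Oct 4 07:22:57 h nat PREROUTING Dest incoming packet IN=eth0 OUT= MAC=02:42 SRC=76.167.254.196 DST=172.17.0.2 LEN=60 TTL=63 ID=39120 DF PROTO=TCP SPT=46644 DPT=8080 SYN
Oct 4 07:22:58 h raw pre-route Dest incoming packet IN=eth0 OUT= MAC=02:42 SRC=172.17.0.1 DST=172.17.0.2 LEN=60 TTL=64 ID=500 DF PROTO=TCP SPT=51234 DPT=8080 SYN
Oct 4 07:22:58 h mangle INPUT Dest incoming packet any2 IN=eth0 OUT= MAC=02:42 SRC=172.17.0.1 DST=172.17.0.2 LEN=60 TTL=64 ID=500 DF PROTO=TCP SPT=51234 DPT=8080 SYN'

# lost_packets: read NFLOG/LOG lines on stdin, print "SRC:SPT>DST:DPT id=ID" for
# every packet that appeared in a PREROUTING hook but never in INPUT or FORWARD.
# The nflog-prefix (text before " IN=") tells us which hook the rule sat in.
lost_packets() {
  awk '
    {
      src = dst = spt = dpt = id = ""
      for (i = 1; i <= NF; i++) {
        if      ($i ~ /^SRC=/) src = substr($i, 5)
        else if ($i ~ /^DST=/) dst = substr($i, 5)
        else if ($i ~ /^SPT=/) spt = substr($i, 5)
        else if ($i ~ /^DPT=/) dpt = substr($i, 5)
        else if ($i ~ /^ID=/)  id  = substr($i, 4)
      }
      if (id == "") next                      # not a netfilter log line
      key = src ":" spt ">" dst ":" dpt " id=" id
      prefix = tolower(substr($0, 1, index($0, " IN=")))
      if (prefix ~ /prerouting|pre-route/) pre[key] = 1
      else if (prefix ~ /input|forward/)   post[key] = 1
    }
    END { for (k in pre) if (!(k in post)) print k }
  ' | sort
}

# effective_rp_filter IFACE: the kernel validates the source against
# max(conf/all/rp_filter, conf/IFACE/rp_filter), so check both, not just eth0.
# 1 = strict: the route back to SRC must leave via IFACE (a VPN default route on
# tun0 fails this for a SYN arriving on eth0); 2 = loose: SRC must merely be routable.
effective_rp_filter() {
  dir=/proc/sys/net/ipv4/conf
  if [ ! -r "$dir/all/rp_filter" ] || [ ! -r "$dir/$1/rp_filter" ]; then
    echo "effective_rp_filter: cannot read rp_filter for $1" >&2
    return 1
  fi
  all=$(cat "$dir/all/rp_filter"); own=$(cat "$dir/$1/rp_filter")
  if [ "$all" -gt "$own" ]; then eff=$all; else eff=$own; fi
  case $eff in
    0) desc="off" ;;
    1) desc="strict (reply route must use $1)" ;;
    2) desc="loose (source must be reachable via some interface)" ;;
    *) desc="unknown" ;;
  esac
  echo "rp_filter all=$all $1=$own effective=$eff ($desc)"
}

# Stand-alone run: the two public-source SYNs are reported, the host one is not.
printf '%s\n' "$SAMPLE_LOG" | lost_packets
effective_rp_filter eth0 2>/dev/null || :
```

On the real box, pipe the container's syslog through lost_packets; if it lists the SYNs, confirm the cause rather than guess it: `nstat -az TcpExtIPReversePathFilter` counts packets the reverse-path check dropped, `sysctl -w net.ipv4.conf.all.log_martians=1` makes the kernel log each one as a "martian source", and `ip route get 76.167.254.196` shows which interface the reply would leave on (if that is the VPN's tun interface rather than eth0, strict mode drops the SYN). Setting rp_filter to 2 (loose) on both all and the interface keeps a sanity check on spoofed sources and is the smaller change than 0.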
I think I've got it. What sits between PREROUTING and INPUT/FORWARD? Look at the diagram: the routing decision.
From your log: SRC=76.167.254.196 DST=172.17.0.2. Without DNAT you cannot route a public IP address to a private IP address. Try adding this: iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 8080 -j DNAT --to-destination 172.17.0.2
Or you could set up your VPN to have a private IP.