Linux
Why don't my nat iptables rules apply to marked packets?
System: Debian squeeze, Linux server 2.6.32-5-amd64 #1 SMP Tue May 13 16:34:35 UTC 2014 x86_64 GNU/Linux, iptables v1.4.8
    lsmod | grep iptable
    iptable_security        2176  0
    iptable_mangle          2817  1
    iptable_filter          2258  0
    iptable_raw             1867  0
    iptable_nat             4283  1
    nf_nat                 13308  2 ipt_REDIRECT,iptable_nat
    nf_conntrack_ipv4       9833  3 iptable_nat,nf_nat
    nf_conntrack           46391  3 iptable_nat,nf_nat,nf_conntrack_ipv4
    ip_tables              13915  5 iptable_security,iptable_mangle,iptable_filter,iptable_raw,iptable_nat
    x_tables               12845 11 ipt_REDIRECT,xt_mark,xt_MARK,xt_dscp,xt_DSCP,xt_tcpudp,xt_string,ipt_LOG,ip6_tables,iptable_nat,ip_tables
These are my rules:
    iptables -t mangle -A PREROUTING -p tcp -s 192.168.1.2 --dport 80 -m string --algo kmp --string anystring -j LOG --log-prefix anystring1
    iptables -t mangle -A PREROUTING -p tcp -s 192.168.1.2 --dport 80 -m string --algo kmp --string anystring -j MARK --set-mark 0x401
    iptables -t nat -A PREROUTING -m mark --mark 0x401 -j LOG --log-prefix anystring11
    iptables -t nat -A PREROUTING -p tcp -m mark --mark 0x401 -j REDIRECT --to-ports 911
    iptables -t mangle -A INPUT -m mark --mark 0x401 -j LOG --log-prefix anystring111
System log:
    May 22 10:17:01 server kernel: [51224.137665] anystring1IN=eth0 OUT= MAC=00:1b:b9:a1:b0:da:00:17:e0:78:3b:40:08:00 SRC=192.168.1.2 DST=192.168.1.1 LEN=224 TOS=0x00 PREC=0x00 TTL=62 ID=51913 DF PROTO=TCP SPT=54516 DPT=80 WINDOW=457 RES=0x00 ACK PSH URGP=0
    May 22 10:17:01 server kernel: [51224.137692] anystring111IN=eth0 OUT= MAC=00:1b:b9:a1:b0:da:00:17:e0:78:3b:40:08:00 SRC=192.168.1.2 DST=192.168.1.1 LEN=224 TOS=0x00 PREC=0x00 TTL=62 ID=51913 DF PROTO=TCP SPT=54516 DPT=80 WINDOW=457 RES=0x00 ACK PSH URGP=0 MARK=0x401
    May 22 10:17:01 server kernel: [51224.140909] anystring1IN=eth0 OUT= MAC=00:1b:b9:a1:b0:da:00:17:e0:78:3b:40:08:00 SRC=192.168.1.2 DST=192.168.1.1 LEN=154 TOS=0x00 PREC=0x00 TTL=62 ID=47231 DF PROTO=TCP SPT=54517 DPT=80 WINDOW=457 RES=0x00 ACK PSH URGP=0
    May 22 10:17:01 server kernel: [51224.140934] anystring111IN=eth0 OUT= MAC=00:1b:b9:a1:b0:da:00:17:e0:78:3b:40:08:00 SRC=192.168.1.2 DST=192.168.1.1 LEN=154 TOS=0x00 PREC=0x00 TTL=62 ID=47231 DF PROTO=TCP SPT=54517 DPT=80 WINDOW=457 RES=0x00 ACK PSH URGP=0 MARK=0x401
My tables:
    iptables -t nat -L -v
    Chain PREROUTING (policy ACCEPT 9485 packets, 604K bytes)
     pkts bytes target     prot opt in     out     source               destination
        0     0 LOG        all  --  any    any     anywhere             anywhere            mark match 0x401 LOG level warning prefix `anystring11'
        0     0 REDIRECT   tcp  --  any    any     anywhere             anywhere            mark match 0x401 redir ports 911

    Chain POSTROUTING (policy ACCEPT 12570 packets, 850K bytes)
     pkts bytes target     prot opt in     out     source               destination

    Chain OUTPUT (policy ACCEPT 8009 packets, 564K bytes)
     pkts bytes target     prot opt in     out     source               destination
    iptables -t mangle -L -v
    Chain PREROUTING (policy ACCEPT 339K packets, 101M bytes)
     pkts bytes target     prot opt in     out     source               destination
        6  1134 LOG        tcp  --  any    any     192.168.1.2          anywhere            tcp dpt:www STRING match "anystring" ALGO name kmp TO 65535 LOG level warning prefix `anystring1'
        6  1134 MARK       tcp  --  any    any     192.168.1.2          anywhere            tcp dpt:www STRING match "anystring" ALGO name kmp TO 65535 MARK set 0x401

    Chain INPUT (policy ACCEPT 211K packets, 88M bytes)
     pkts bytes target     prot opt in     out     source               destination
        6  1134 LOG        all  --  any    any     anywhere             anywhere            mark match 0x401 LOG level warning prefix `anystring111'

    Chain FORWARD (policy ACCEPT 128K packets, 13M bytes)
     pkts bytes target     prot opt in     out     source               destination

    Chain OUTPUT (policy ACCEPT 192K packets, 139M bytes)
     pkts bytes target     prot opt in     out     source               destination

    Chain POSTROUTING (policy ACCEPT 317K packets, 152M bytes)
     pkts bytes target     prot opt in     out     source               destination
    iptables -t filter -L -v
    Chain INPUT (policy ACCEPT 250K packets, 100M bytes)
     pkts bytes target     prot opt in     out     source               destination

    Chain FORWARD (policy ACCEPT 141K packets, 15M bytes)
     pkts bytes target     prot opt in     out     source               destination

    Chain OUTPUT (policy ACCEPT 229K packets, 157M bytes)
     pkts bytes target     prot opt in     out     source               destination
    iptables -t raw -L -v
    Chain PREROUTING (policy ACCEPT 394K packets, 115M bytes)
     pkts bytes target     prot opt in     out     source               destination

    Chain OUTPUT (policy ACCEPT 234K packets, 158M bytes)
     pkts bytes target     prot opt in     out     source               destination
    iptables -t security -L -v
    Chain INPUT (policy ACCEPT 254K packets, 101M bytes)
     pkts bytes target     prot opt in     out     source               destination

    Chain FORWARD (policy ACCEPT 141K packets, 15M bytes)
     pkts bytes target     prot opt in     out     source               destination

    Chain OUTPUT (policy ACCEPT 232K packets, 158M bytes)
     pkts bytes target     prot opt in     out     source               destination
This seems counterintuitive, but only packets that conntrack does not yet know about traverse the NAT table. That makes string matching a problem for NAT: by the time the string shows up in a packet, the connection has already been established.
Using iptables string matching is generally unwise; you should do something at a higher layer to achieve what you want.
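The answer can be checked against the question's own LOG output. The script below is an added example, not code from the original question or answer: it parses the kernel LOG lines quoted above, plus one constructed bare-SYN line as a hypothetical unconditional LOG rule in nat PREROUTING (prefix `natnew`, not one of the question's rules) would have recorded it, and derives per packet the conntrack state and therefore whether the nat table could have been consulted. It assumes conntrack saw the TCP handshake, which holds here because the logging host is the TCP server (DST=192.168.1.1).

```python
"""Check the answer against the question's own LOG output.

Added example; not code from the original question or answer.  It parses the
kernel LOG lines quoted in the question (plus one CONSTRUCTED bare-SYN line
for contrast) and derives, per packet, the conntrack state and therefore
whether the nat table was consulted at all.  Assumption: conntrack saw the
TCP handshake, which holds here because the logging host is the server.
"""
import re
from collections import OrderedDict

# Flag tokens the iptables LOG target prints for TCP packets.
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG", "CWR", "ECE"}

# Which rule in the question produced each --log-prefix.  "natnew" is a
# hypothetical rule assumed only for the constructed line below:
#   iptables -t nat -I PREROUTING -p tcp --dport 80 -j LOG --log-prefix natnew
PREFIX_HOOK = {
    "anystring1": "mangle PREROUTING",
    "anystring11": "nat PREROUTING",
    "anystring111": "mangle INPUT",
    "natnew": "nat PREROUTING",
}

MAC = "00:1b:b9:a1:b0:da:00:17:e0:78:3b:40:08:00"
COMMON = "MAC=" + MAC + " SRC=192.168.1.2 DST=192.168.1.1"

# The first four lines are the syslog excerpt from the question.  The last
# line is CONSTRUCTED: a bare SYN opening a new connection, as the
# hypothetical natnew rule would log it before any payload exists.
LOG_LINES = [
    "May 22 10:17:01 server kernel: [51224.137665] anystring1IN=eth0 OUT= " + COMMON
    + " LEN=224 TOS=0x00 PREC=0x00 TTL=62 ID=51913 DF PROTO=TCP SPT=54516 DPT=80 WINDOW=457 RES=0x00 ACK PSH URGP=0",
    "May 22 10:17:01 server kernel: [51224.137692] anystring111IN=eth0 OUT= " + COMMON
    + " LEN=224 TOS=0x00 PREC=0x00 TTL=62 ID=51913 DF PROTO=TCP SPT=54516 DPT=80 WINDOW=457 RES=0x00 ACK PSH URGP=0 MARK=0x401",
    "May 22 10:17:01 server kernel: [51224.140909] anystring1IN=eth0 OUT= " + COMMON
    + " LEN=154 TOS=0x00 PREC=0x00 TTL=62 ID=47231 DF PROTO=TCP SPT=54517 DPT=80 WINDOW=457 RES=0x00 ACK PSH URGP=0",
    "May 22 10:17:01 server kernel: [51224.140934] anystring111IN=eth0 OUT= " + COMMON
    + " LEN=154 TOS=0x00 PREC=0x00 TTL=62 ID=47231 DF PROTO=TCP SPT=54517 DPT=80 WINDOW=457 RES=0x00 ACK PSH URGP=0 MARK=0x401",
    "May 22 10:17:00 server kernel: [51224.100000] natnewIN=eth0 OUT= " + COMMON
    + " LEN=60 TOS=0x00 PREC=0x00 TTL=62 ID=51900 DF PROTO=TCP SPT=54518 DPT=80 WINDOW=29200 RES=0x00 SYN URGP=0",
]

LINE_RE = re.compile(r"kernel: \[\s*[\d.]+\] (?P<rest>.*)$")
KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_log_line(line):
    """Split one kernel LOG line into prefix, key=value fields and TCP flags."""
    m = LINE_RE.search(line)
    if m is None:
        raise ValueError("not a kernel LOG line: %r" % line)
    # --log-prefix is printed with no separator, hence 'anystring1IN=eth0'.
    prefix, sep, body = m.group("rest").partition("IN=")
    if not sep:
        raise ValueError("no IN= field: %r" % line)
    body = "IN=" + body
    fields = dict(KV_RE.findall(body))
    return {
        "prefix": prefix,
        "hook": PREFIX_HOOK.get(prefix, "unknown"),
        "id": fields["ID"],
        "flow": (fields["SRC"], fields["SPT"], fields["DST"], fields["DPT"]),
        "flags": {tok for tok in body.split() if tok in TCP_FLAGS},
        "mark": fields.get("MARK"),
    }


def conntrack_state(flags):
    """State conntrack assigns once it has seen the handshake: a SYN without
    ACK opens a flow (NEW); anything else belongs to an existing flow
    (ESTABLISHED).  Only NEW packets traverse the nat table."""
    if "SYN" in flags and "ACK" not in flags:
        return "NEW"
    return "ESTABLISHED"


def explain(lines):
    """Group LOG lines by IP ID and report which hooks logged each packet,
    its conntrack state, and whether the nat table could have seen it."""
    report = OrderedDict()
    for pkt in map(parse_log_line, lines):
        entry = report.setdefault(pkt["id"], {
            "flow": pkt["flow"], "flags": pkt["flags"], "hooks": [], "marks": []})
        entry["hooks"].append(pkt["hook"])
        entry["marks"].append(pkt["mark"])
    for entry in report.values():
        entry["state"] = conntrack_state(entry["flags"])
        entry["nat_consulted"] = entry["state"] == "NEW"
        entry["nat_logged"] = any(h.startswith("nat ") for h in entry["hooks"])
    return report


if __name__ == "__main__":
    for ip_id, e in explain(LOG_LINES).items():
        print("ID=%s %s:%s->%s:%s flags=%s state=%s hooks=%s marks=%s nat consulted=%s"
              % (ip_id, e["flow"][0], e["flow"][1], e["flow"][2], e["flow"][3],
                 "|".join(sorted(e["flags"])), e["state"], e["hooks"], e["marks"],
                 e["nat_consulted"]))
```

For the two packets in the question the report shows flags ACK|PSH, state ESTABLISHED, hooks mangle PREROUTING then mangle INPUT, and the mark set between them, with nothing from nat PREROUTING; the counters above say the same (6 packets on the mangle rules, 0 on the nat rules). The constructed SYN is the only packet the nat table would see, and it has no payload for the string match. One caveat the heuristic ignores: with nf_conntrack_tcp_loose enabled, conntrack also picks up mid-stream flows whose handshake it never saw, and then the first packet it sees is NEW even without a SYN; that does not apply here because the host is the server and saw the SYN itself.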