System Diagnostics Tips (7): A Simple Way to Trace the iptables Execution Path
TL;DR
Iptables
Strictly speaking, iptables is only the user-space front end to the Linux firewall, but in everyday usage people say "iptables" to mean the whole firewall, user space and kernel space included. We follow that convention here, but let's first be clear about the name of the kernel-space part (netfilter), so that it is easy to see why firewall-related names so often carry "nf" or "netfilter" as a prefix.
iptables places hooks in the kernel network stack. By supplying callback functions for these hooks, we can inject our own logic into the kernel network stack. Firewall rules are the obvious example, but that is certainly not all iptables is good for. It is also a fine tool for probing how certain packets are processed and for extracting data for diagnosis and troubleshooting.
Here we discuss how to trace the execution path of iptables. This skill is useful both for diagnosing and fixing problems in the firewall itself and for filling the gap left by Linux System Tips (6): The Blade Combo, strace and Wireshark.
Hooks
Let's first look at the various iptables hooks from the source-code perspective. The following is a source excerpt; for the complete source see include/uapi/linux/netfilter.h. I strongly suggest you take the time to study this and the similar snippets that follow.
```c
/* Responses from hook functions. */
#define NF_DROP 0
#define NF_ACCEPT 1
#define NF_STOLEN 2
#define NF_QUEUE 3
#define NF_REPEAT 4
#define NF_STOP 5 /* Deprecated, for userspace nf_queue compatibility. */
#define NF_MAX_VERDICT NF_STOP

enum nf_inet_hooks {
	NF_INET_PRE_ROUTING,
	NF_INET_LOCAL_IN,
	NF_INET_FORWARD,
	NF_INET_LOCAL_OUT,
	NF_INET_POST_ROUTING,
	NF_INET_NUMHOOKS
};

enum nf_dev_hooks {
	NF_NETDEV_INGRESS,
	NF_NETDEV_NUMHOOKS
};

enum {
	NFPROTO_UNSPEC = 0,
	NFPROTO_INET = 1,
	NFPROTO_IPV4 = 2,
	NFPROTO_ARP = 3,
	NFPROTO_NETDEV = 5,
	NFPROTO_BRIDGE = 7,
	NFPROTO_IPV6 = 10,
	NFPROTO_DECNET = 12,
	NFPROTO_NUMPROTO,
};
```
What often puzzles us, of course, is the order in which the various tables and their chains are executed. This comes down to execution priority: every operation attached to a hook carries a priority. The source excerpt follows; for the complete source see include/linux/netfilter.h.
```c
struct nf_hook_ops {
	/* User fills in from here down. */
	nf_hookfn *hook;
	struct net_device *dev;
	void *priv;
	u_int8_t pf;
	unsigned int hooknum;
	/* Hooks are ordered in ascending priority. */
	int priority; /* the priority is defined here */
};
```
So where are the priority levels defined? The snippet is below; for the complete source see include/uapi/linux/netfilter_ipv4.h.
```c
enum nf_ip_hook_priorities {
	NF_IP_PRI_FIRST = INT_MIN,
	NF_IP_PRI_CONNTRACK_DEFRAG = -400,
	NF_IP_PRI_RAW = -300,
	NF_IP_PRI_SELINUX_FIRST = -225,
	NF_IP_PRI_CONNTRACK = -200,
	NF_IP_PRI_MANGLE = -150,
	NF_IP_PRI_NAT_DST = -100,
	NF_IP_PRI_FILTER = 0,
	NF_IP_PRI_SECURITY = 50,
	NF_IP_PRI_NAT_SRC = 100,
	NF_IP_PRI_SELINUX_LAST = 225,
	NF_IP_PRI_CONNTRACK_HELPER = 300,
	NF_IP_PRI_CONNTRACK_CONFIRM = INT_MAX,
	NF_IP_PRI_LAST = INT_MAX,
};
```
Text is tiring, so here is a diagram as well (original image here).
But so far we have only roughly sorted out the execution order of the iptables tables and their chains. To find out what the order really is, we have to trace the execution path. Here is a proposed approach.
A template for the simple approach
The simple approach works for two reasons. First, every packet entering or leaving the system, whatever its final destination, passes through the PREROUTING and OUTPUT chains of the raw table; this can also be verified from the diagram above. Second, iptables-extensions tells us that the TRACE target records the tables, chains and rules a packet traverses while iptables processes it.
So what exactly do we do?
- Because we need the kernel to log iptables' behaviour, we first make sure the relevant logging module is loaded and configured.
- Add suitable rules to the PREROUTING and OUTPUT chains of the raw table.
Tracing UDP serves as the example.
First, determine which logging module is available:
```sh
# pick whichever netfilter logging module this kernel ships;
# the wildcard also matches compressed module files (.ko.xz, .ko.zst)
for mod in ipt_LOG nf_log_ipv4; do
    find "/lib/modules/$(uname -r)" -name "${mod}.ko*" -type f | grep -q "${mod}.ko" && break
done
# $mod now names the first candidate found (or the last one tried if none was found)
```
Next, load the logging module and configure it:
```sh
modprobe ${mod}
# 2 is NFPROTO_IPV4 (see the enum above): send IPv4 netfilter log messages to this module
sysctl net.netfilter.nf_log.2=${mod}
```
Finally, add the rules to the raw table:
```sh
iptables -t raw -A OUTPUT -p udp -j TRACE
iptables -t raw -A PREROUTING -p udp -j TRACE
# when finished, remove the rules again with -D in place of -A: TRACE logs every matching packet
```
A concrete example
Let's test the effect of the proposed approach. The test topology diagram follows.
In the forwarder VM we start docker and publish the container's UDP port 10370 (in fact we publish more than one port):
```sh
docker run -it $(for p in $(seq 10300 10399);do echo "-p ${p}:${p}/udp" | xargs;done) ubuntu
```
Then, inside the container, we start an echo server process, using the ncat tool that ships with nmap:
```sh
ncat -u -e $(which cat) -k -l 10370
```
Then we capture the packets entering and leaving the forwarder VM:
```sh
tcpdump -i eth0 -w pkts.pcap host vm_trigger_ip
```
Then, on the trigger VM, we set up a connection to the forwarder VM:
```sh
ncat -u vm_forwarder_ip 10370
```
Finally, from the trigger VM we send 1483 bytes, 1485 bytes and 1498 bytes of data in turn.
What remains is to analyse the captured data.
First we confirm that the echo server works correctly. We analyse the captured packets with Wireshark, configured not to reassemble fragmented packets (for how to configure this, see IP Reassembly).
Clearly the MTU of the links between trigger, forwarder and the echo server is 1500, and the echo server works correctly.
Next, let's look at the relevant kernel log. (Note that even the 1498-byte payload, which had to be fragmented on a 1500-byte MTU link, shows up at the raw table as a single datagram with LEN=1526: conntrack defragmentation runs at NF_IP_PRI_CONNTRACK_DEFRAG = -400, ahead of the raw table at NF_IP_PRI_RAW = -300, as the priority enum above shows.)
Aug 24 11:14:47 forwarder kernel: [594576.178700] TRACE: raw:PREROUTING:policy:2 IN=eth0 OUT= MAC=00:16:3e:03:f4:3f:ee:ff:ff:ff:ff:ff:08:00 SRC=xxx.xxx.xxx.113 DST=172.17.128.213 LEN=1511 TOS=0x00 PREC=0x00 TTL=57 ID=17397 PROTO=UDP SPT=38495 DPT=10370 LEN=1491
Aug 24 11:14:47 forwarder kernel: [594576.178732] TRACE: mangle:PREROUTING:policy:1 IN=eth0 OUT= MAC=00:16:3e:03:f4:3f:ee:ff:ff:ff:ff:ff:08:00 SRC=xxx.xxx.xxx.113 DST=172.17.128.213 LEN=1511 TOS=0x00 PREC=0x00 TTL=57 ID=17397 PROTO=UDP SPT=38495 DPT=10370 LEN=1491
Aug 24 11:14:47 forwarder kernel: [594576.178743] TRACE: nat:PREROUTING:rule:1 IN=eth0 OUT= MAC=00:16:3e:03:f4:3f:ee:ff:ff:ff:ff:ff:08:00 SRC=xxx.xxx.xxx.113 DST=172.17.128.213 LEN=1511 TOS=0x00 PREC=0x00 TTL=57 ID=17397 PROTO=UDP SPT=38495 DPT=10370 LEN=1491
Aug 24 11:14:47 forwarder kernel: [594576.178759] TRACE: nat:DOCKER:rule:31 IN=eth0 OUT= MAC=00:16:3e:03:f4:3f:ee:ff:ff:ff:ff:ff:08:00 SRC=xxx.xxx.xxx.113 DST=172.17.128.213 LEN=1511 TOS=0x00 PREC=0x00 TTL=57 ID=17397 PROTO=UDP SPT=38495 DPT=10370 LEN=1491
Aug 24 11:14:47 forwarder kernel: [594576.178773] TRACE: mangle:FORWARD:policy:1 IN=eth0 OUT=docker0 MAC=00:16:3e:03:f4:3f:ee:ff:ff:ff:ff:ff:08:00 SRC=xxx.xxx.xxx.113 DST=172.18.0.2 LEN=1511 TOS=0x00 PREC=0x00 TTL=56 ID=17397 PROTO=UDP SPT=38495 DPT=10370 LEN=1491
Aug 24 11:14:47 forwarder kernel: [594576.178779] TRACE: filter:FORWARD:rule:1 IN=eth0 OUT=docker0 MAC=00:16:3e:03:f4:3f:ee:ff:ff:ff:ff:ff:08:00 SRC=xxx.xxx.xxx.113 DST=172.18.0.2 LEN=1511 TOS=0x00 PREC=0x00 TTL=56 ID=17397 PROTO=UDP SPT=38495 DPT=10370 LEN=1491
Aug 24 11:14:47 forwarder kernel: [594576.178790] TRACE: filter:DOCKER-ISOLATION:return:1 IN=eth0 OUT=docker0 MAC=00:16:3e:03:f4:3f:ee:ff:ff:ff:ff:ff:08:00 SRC=xxx.xxx.xxx.113 DST=172.18.0.2 LEN=1511 TOS=0x00 PREC=0x00 TTL=56 ID=17397 PROTO=UDP SPT=38495 DPT=10370 LEN=1491
Aug 24 11:14:47 forwarder kernel: [594576.178794] TRACE: filter:FORWARD:rule:2 IN=eth0 OUT=docker0 MAC=00:16:3e:03:f4:3f:ee:ff:ff:ff:ff:ff:08:00 SRC=xxx.xxx.xxx.113 DST=172.18.0.2 LEN=1511 TOS=0x00 PREC=0x00 TTL=56 ID=17397 PROTO=UDP SPT=38495 DPT=10370 LEN=1491
Aug 24 11:14:47 forwarder kernel: [594576.178799] TRACE: filter:DOCKER:rule:30 IN=eth0 OUT=docker0 MAC=00:16:3e:03:f4:3f:ee:ff:ff:ff:ff:ff:08:00 SRC=xxx.xxx.xxx.113 DST=172.18.0.2 LEN=1511 TOS=0x00 PREC=0x00 TTL=56 ID=17397 PROTO=UDP SPT=38495 DPT=10370 LEN=1491
Aug 24 11:14:47 forwarder kernel: [594576.178804] TRACE: security:FORWARD:policy:1 IN=eth0 OUT=docker0 MAC=00:16:3e:03:f4:3f:ee:ff:ff:ff:ff:ff:08:00 SRC=xxx.xxx.xxx.113 DST=172.18.0.2 LEN=1511 TOS=0x00 PREC=0x00 TTL=56 ID=17397 PROTO=UDP SPT=38495 DPT=10370 LEN=1491
Aug 24 11:14:47 forwarder kernel: [594576.178808] TRACE: mangle:POSTROUTING:policy:1 IN= OUT=docker0 SRC=xxx.xxx.xxx.113 DST=172.18.0.2 LEN=1511 TOS=0x00 PREC=0x00 TTL=56 ID=17397 PROTO=UDP SPT=38495 DPT=10370 LEN=1491
Aug 24 11:14:47 forwarder kernel: [594576.178815] TRACE: nat:POSTROUTING:policy:102 IN= OUT=docker0 SRC=xxx.xxx.xxx.113 DST=172.18.0.2 LEN=1511 TOS=0x00 PREC=0x00 TTL=56 ID=17397 PROTO=UDP SPT=38495 DPT=10370 LEN=1491
Aug 24 11:14:47 forwarder kernel: [594576.179972] TRACE: raw:PREROUTING:policy:2 IN=docker0 OUT= PHYSIN=veth79e0ef5 MAC=02:42:59:be:ab:24:02:42:ac:12:00:02:08:00 SRC=172.18.0.2 DST=xxx.xxx.xxx.113 LEN=1511 TOS=0x00 PREC=0x00 TTL=64 ID=43856 PROTO=UDP SPT=10370 DPT=38495 LEN=1491
Aug 24 11:14:47 forwarder kernel: [594576.179979] TRACE: mangle:PREROUTING:policy:1 IN=docker0 OUT= PHYSIN=veth79e0ef5 MAC=02:42:59:be:ab:24:02:42:ac:12:00:02:08:00 SRC=172.18.0.2 DST=xxx.xxx.xxx.113 LEN=1511 TOS=0x00 PREC=0x00 TTL=64 ID=43856 PROTO=UDP SPT=10370 DPT=38495 LEN=1491
Aug 24 11:14:47 forwarder kernel: [594576.179987] TRACE: mangle:FORWARD:policy:1 IN=docker0 OUT=eth0 PHYSIN=veth79e0ef5 MAC=02:42:59:be:ab:24:02:42:ac:12:00:02:08:00 SRC=172.18.0.2 DST=xxx.xxx.xxx.113 LEN=1511 TOS=0x00 PREC=0x00 TTL=63 ID=43856 PROTO=UDP SPT=10370 DPT=38495 LEN=1491
Aug 24 11:14:47 forwarder kernel: [594576.179991] TRACE: filter:FORWARD:rule:1 IN=docker0 OUT=eth0 PHYSIN=veth79e0ef5 MAC=02:42:59:be:ab:24:02:42:ac:12:00:02:08:00 SRC=172.18.0.2 DST=xxx.xxx.xxx.113 LEN=1511 TOS=0x00 PREC=0x00 TTL=63 ID=43856 PROTO=UDP SPT=10370 DPT=38495 LEN=1491
Aug 24 11:14:47 forwarder kernel: [594576.179998] TRACE: filter:DOCKER-ISOLATION:return:1 IN=docker0 OUT=eth0 PHYSIN=veth79e0ef5 MAC=02:42:59:be:ab:24:02:42:ac:12:00:02:08:00 SRC=172.18.0.2 DST=xxx.xxx.xxx.113 LEN=1511 TOS=0x00 PREC=0x00 TTL=63 ID=43856 PROTO=UDP SPT=10370 DPT=38495 LEN=1491
Aug 24 11:14:47 forwarder kernel: [594576.180003] TRACE: filter:FORWARD:rule:4 IN=docker0 OUT=eth0 PHYSIN=veth79e0ef5 MAC=02:42:59:be:ab:24:02:42:ac:12:00:02:08:00 SRC=172.18.0.2 DST=xxx.xxx.xxx.113 LEN=1511 TOS=0x00 PREC=0x00 TTL=63 ID=43856 PROTO=UDP SPT=10370 DPT=38495 LEN=1491
Aug 24 11:14:47 forwarder kernel: [594576.180007] TRACE: security:FORWARD:policy:1 IN=docker0 OUT=eth0 PHYSIN=veth79e0ef5 MAC=02:42:59:be:ab:24:02:42:ac:12:00:02:08:00 SRC=172.18.0.2 DST=xxx.xxx.xxx.113 LEN=1511 TOS=0x00 PREC=0x00 TTL=63 ID=43856 PROTO=UDP SPT=10370 DPT=38495 LEN=1491
Aug 24 11:14:47 forwarder kernel: [594576.180010] TRACE: mangle:POSTROUTING:policy:1 IN= OUT=eth0 PHYSIN=veth79e0ef5 SRC=172.18.0.2 DST=xxx.xxx.xxx.113 LEN=1511 TOS=0x00 PREC=0x00 TTL=63 ID=43856 PROTO=UDP SPT=10370 DPT=38495 LEN=1491
Aug 24 11:15:11 forwarder kernel: [594600.593744] TRACE: raw:PREROUTING:policy:2 IN=eth0 OUT= MAC=00:16:3e:03:f4:3f:ee:ff:ff:ff:ff:ff:08:00 SRC=xxx.xxx.xxx.113 DST=172.17.128.213 LEN=1513 TOS=0x00 PREC=0x00 TTL=57 ID=17398 PROTO=UDP SPT=38495 DPT=10370 LEN=1493
Aug 24 11:15:11 forwarder kernel: [594600.593773] TRACE: mangle:PREROUTING:policy:1 IN=eth0 OUT= MAC=00:16:3e:03:f4:3f:ee:ff:ff:ff:ff:ff:08:00 SRC=xxx.xxx.xxx.113 DST=172.17.128.213 LEN=1513 TOS=0x00 PREC=0x00 TTL=57 ID=17398 PROTO=UDP SPT=38495 DPT=10370 LEN=1493
Aug 24 11:15:11 forwarder kernel: [594600.593788] TRACE: mangle:FORWARD:policy:1 IN=eth0 OUT=docker0 MAC=00:16:3e:03:f4:3f:ee:ff:ff:ff:ff:ff:08:00 SRC=xxx.xxx.xxx.113 DST=172.18.0.2 LEN=1513 TOS=0x00 PREC=0x00 TTL=56 ID=17398 PROTO=UDP SPT=38495 DPT=10370 LEN=1493
Aug 24 11:15:11 forwarder kernel: [594600.593795] TRACE: filter:FORWARD:rule:1 IN=eth0 OUT=docker0 MAC=00:16:3e:03:f4:3f:ee:ff:ff:ff:ff:ff:08:00 SRC=xxx.xxx.xxx.113 DST=172.18.0.2 LEN=1513 TOS=0x00 PREC=0x00 TTL=56 ID=17398 PROTO=UDP SPT=38495 DPT=10370 LEN=1493
Aug 24 11:15:11 forwarder kernel: [594600.593808] TRACE: filter:DOCKER-ISOLATION:return:1 IN=eth0 OUT=docker0 MAC=00:16:3e:03:f4:3f:ee:ff:ff:ff:ff:ff:08:00 SRC=xxx.xxx.xxx.113 DST=172.18.0.2 LEN=1513 TOS=0x00 PREC=0x00 TTL=56 ID=17398 PROTO=UDP SPT=38495 DPT=10370 LEN=1493
Aug 24 11:15:11 forwarder kernel: [594600.593813] TRACE: filter:FORWARD:rule:2 IN=eth0 OUT=docker0 MAC=00:16:3e:03:f4:3f:ee:ff:ff:ff:ff:ff:08:00 SRC=xxx.xxx.xxx.113 DST=172.18.0.2 LEN=1513 TOS=0x00 PREC=0x00 TTL=56 ID=17398 PROTO=UDP SPT=38495 DPT=10370 LEN=1493
Aug 24 11:15:11 forwarder kernel: [594600.593820] TRACE: filter:DOCKER:rule:30 IN=eth0 OUT=docker0 MAC=00:16:3e:03:f4:3f:ee:ff:ff:ff:ff:ff:08:00 SRC=xxx.xxx.xxx.113 DST=172.18.0.2 LEN=1513 TOS=0x00 PREC=0x00 TTL=56 ID=17398 PROTO=UDP SPT=38495 DPT=10370 LEN=1493
Aug 24 11:15:11 forwarder kernel: [594600.593825] TRACE: security:FORWARD:policy:1 IN=eth0 OUT=docker0 MAC=00:16:3e:03:f4:3f:ee:ff:ff:ff:ff:ff:08:00 SRC=xxx.xxx.xxx.113 DST=172.18.0.2 LEN=1513 TOS=0x00 PREC=0x00 TTL=56 ID=17398 PROTO=UDP SPT=38495 DPT=10370 LEN=1493
Aug 24 11:15:11 forwarder kernel: [594600.593830] TRACE: mangle:POSTROUTING:policy:1 IN= OUT=docker0 SRC=xxx.xxx.xxx.113 DST=172.18.0.2 LEN=1513 TOS=0x00 PREC=0x00 TTL=56 ID=17398 PROTO=UDP SPT=38495 DPT=10370 LEN=1493
Aug 24 11:15:11 forwarder kernel: [594600.593942] TRACE: raw:PREROUTING:policy:2 IN=docker0 OUT= PHYSIN=veth79e0ef5 MAC=02:42:59:be:ab:24:02:42:ac:12:00:02:08:00 SRC=172.18.0.2 DST=xxx.xxx.xxx.113 LEN=1513 TOS=0x00 PREC=0x00 TTL=64 ID=44215 PROTO=UDP SPT=10370 DPT=38495 LEN=1493
Aug 24 11:15:11 forwarder kernel: [594600.593948] TRACE: mangle:PREROUTING:policy:1 IN=docker0 OUT= PHYSIN=veth79e0ef5 MAC=02:42:59:be:ab:24:02:42:ac:12:00:02:08:00 SRC=172.18.0.2 DST=xxx.xxx.xxx.113 LEN=1513 TOS=0x00 PREC=0x00 TTL=64 ID=44215 PROTO=UDP SPT=10370 DPT=38495 LEN=1493
Aug 24 11:15:11 forwarder kernel: [594600.593957] TRACE: mangle:FORWARD:policy:1 IN=docker0 OUT=eth0 PHYSIN=veth79e0ef5 MAC=02:42:59:be:ab:24:02:42:ac:12:00:02:08:00 SRC=172.18.0.2 DST=xxx.xxx.xxx.113 LEN=1513 TOS=0x00 PREC=0x00 TTL=63 ID=44215 PROTO=UDP SPT=10370 DPT=38495 LEN=1493
Aug 24 11:15:11 forwarder kernel: [594600.593962] TRACE: filter:FORWARD:rule:1 IN=docker0 OUT=eth0 PHYSIN=veth79e0ef5 MAC=02:42:59:be:ab:24:02:42:ac:12:00:02:08:00 SRC=172.18.0.2 DST=xxx.xxx.xxx.113 LEN=1513 TOS=0x00 PREC=0x00 TTL=63 ID=44215 PROTO=UDP SPT=10370 DPT=38495 LEN=1493
Aug 24 11:15:11 forwarder kernel: [594600.593969] TRACE: filter:DOCKER-ISOLATION:return:1 IN=docker0 OUT=eth0 PHYSIN=veth79e0ef5 MAC=02:42:59:be:ab:24:02:42:ac:12:00:02:08:00 SRC=172.18.0.2 DST=xxx.xxx.xxx.113 LEN=1513 TOS=0x00 PREC=0x00 TTL=63 ID=44215 PROTO=UDP SPT=10370 DPT=38495 LEN=1493
Aug 24 11:15:11 forwarder kernel: [594600.593975] TRACE: filter:FORWARD:rule:4 IN=docker0 OUT=eth0 PHYSIN=veth79e0ef5 MAC=02:42:59:be:ab:24:02:42:ac:12:00:02:08:00 SRC=172.18.0.2 DST=xxx.xxx.xxx.113 LEN=1513 TOS=0x00 PREC=0x00 TTL=63 ID=44215 PROTO=UDP SPT=10370 DPT=38495 LEN=1493
Aug 24 11:15:11 forwarder kernel: [594600.593979] TRACE: security:FORWARD:policy:1 IN=docker0 OUT=eth0 PHYSIN=veth79e0ef5 MAC=02:42:59:be:ab:24:02:42:ac:12:00:02:08:00 SRC=172.18.0.2 DST=xxx.xxx.xxx.113 LEN=1513 TOS=0x00 PREC=0x00 TTL=63 ID=44215 PROTO=UDP SPT=10370 DPT=38495 LEN=1493
Aug 24 11:15:11 forwarder kernel: [594600.593982] TRACE: mangle:POSTROUTING:policy:1 IN= OUT=eth0 PHYSIN=veth79e0ef5 SRC=172.18.0.2 DST=xxx.xxx.xxx.113 LEN=1513 TOS=0x00 PREC=0x00 TTL=63 ID=44215 PROTO=UDP SPT=10370 DPT=38495 LEN=1493
Aug 24 11:15:32 forwarder kernel: [594621.306336] TRACE: raw:PREROUTING:policy:2 IN=eth0 OUT= MAC=00:16:3e:03:f4:3f:ee:ff:ff:ff:ff:ff:08:00 SRC=xxx.xxx.xxx.113 DST=172.17.128.213 LEN=1526 TOS=0x00 PREC=0x00 TTL=57 ID=17399 PROTO=UDP SPT=38495 DPT=10370 LEN=1506
Aug 24 11:15:32 forwarder kernel: [594621.306366] TRACE: mangle:PREROUTING:policy:1 IN=eth0 OUT= MAC=00:16:3e:03:f4:3f:ee:ff:ff:ff:ff:ff:08:00 SRC=xxx.xxx.xxx.113 DST=172.17.128.213 LEN=1526 TOS=0x00 PREC=0x00 TTL=57 ID=17399 PROTO=UDP SPT=38495 DPT=10370 LEN=1506
Aug 24 11:15:32 forwarder kernel: [594621.306381] TRACE: mangle:FORWARD:policy:1 IN=eth0 OUT=docker0 MAC=00:16:3e:03:f4:3f:ee:ff:ff:ff:ff:ff:08:00 SRC=xxx.xxx.xxx.113 DST=172.18.0.2 LEN=1526 TOS=0x00 PREC=0x00 TTL=56 ID=17399 PROTO=UDP SPT=38495 DPT=10370 LEN=1506
Aug 24 11:15:32 forwarder kernel: [594621.306387] TRACE: filter:FORWARD:rule:1 IN=eth0 OUT=docker0 MAC=00:16:3e:03:f4:3f:ee:ff:ff:ff:ff:ff:08:00 SRC=xxx.xxx.xxx.113 DST=172.18.0.2 LEN=1526 TOS=0x00 PREC=0x00 TTL=56 ID=17399 PROTO=UDP SPT=38495 DPT=10370 LEN=1506
Aug 24 11:15:32 forwarder kernel: [594621.306400] TRACE: filter:DOCKER-ISOLATION:return:1 IN=eth0 OUT=docker0 MAC=00:16:3e:03:f4:3f:ee:ff:ff:ff:ff:ff:08:00 SRC=xxx.xxx.xxx.113 DST=172.18.0.2 LEN=1526 TOS=0x00 PREC=0x00 TTL=56 ID=17399 PROTO=UDP SPT=38495 DPT=10370 LEN=1506
Aug 24 11:15:32 forwarder kernel: [594621.306405] TRACE: filter:FORWARD:rule:2 IN=eth0 OUT=docker0 MAC=00:16:3e:03:f4:3f:ee:ff:ff:ff:ff:ff:08:00 SRC=xxx.xxx.xxx.113 DST=172.18.0.2 LEN=1526 TOS=0x00 PREC=0x00 TTL=56 ID=17399 PROTO=UDP SPT=38495 DPT=10370 LEN=1506
Aug 24 11:15:32 forwarder kernel: [594621.306413] TRACE: filter:DOCKER:rule:30 IN=eth0 OUT=docker0 MAC=00:16:3e:03:f4:3f:ee:ff:ff:ff:ff:ff:08:00 SRC=xxx.xxx.xxx.113 DST=172.18.0.2 LEN=1526 TOS=0x00 PREC=0x00 TTL=56 ID=17399 PROTO=UDP SPT=38495 DPT=10370 LEN=1506
Aug 24 11:15:32 forwarder kernel: [594621.306418] TRACE: security:FORWARD:policy:1 IN=eth0 OUT=docker0 MAC=00:16:3e:03:f4:3f:ee:ff:ff:ff:ff:ff:08:00 SRC=xxx.xxx.xxx.113 DST=172.18.0.2 LEN=1526 TOS=0x00 PREC=0x00 TTL=56 ID=17399 PROTO=UDP SPT=38495 DPT=10370 LEN=1506
Aug 24 11:15:32 forwarder kernel: [594621.306423] TRACE: mangle:POSTROUTING:policy:1 IN= OUT=docker0 SRC=xxx.xxx.xxx.113 DST=172.18.0.2 LEN=1526 TOS=0x00 PREC=0x00 TTL=56 ID=17399 PROTO=UDP SPT=38495 DPT=10370 LEN=1506
Aug 24 11:15:32 forwarder kernel: [594621.306530] TRACE: raw:PREROUTING:policy:2 IN=docker0 OUT= PHYSIN=veth79e0ef5 MAC=02:42:59:be:ab:24:02:42:ac:12:00:02:08:00 SRC=172.18.0.2 DST=xxx.xxx.xxx.113 LEN=1526 TOS=0x00 PREC=0x00 TTL=64 ID=45186 PROTO=UDP SPT=10370 DPT=38495 LEN=1506
Aug 24 11:15:32 forwarder kernel: [594621.306535] TRACE: mangle:PREROUTING:policy:1 IN=docker0 OUT= PHYSIN=veth79e0ef5 MAC=02:42:59:be:ab:24:02:42:ac:12:00:02:08:00 SRC=172.18.0.2 DST=xxx.xxx.xxx.113 LEN=1526 TOS=0x00 PREC=0x00 TTL=64 ID=45186 PROTO=UDP SPT=10370 DPT=38495 LEN=1506
Aug 24 11:15:32 forwarder kernel: [594621.306544] TRACE: mangle:FORWARD:policy:1 IN=docker0 OUT=eth0 PHYSIN=veth79e0ef5 MAC=02:42:59:be:ab:24:02:42:ac:12:00:02:08:00 SRC=172.18.0.2 DST=xxx.xxx.xxx.113 LEN=1526 TOS=0x00 PREC=0x00 TTL=63 ID=45186 PROTO=UDP SPT=10370 DPT=38495 LEN=1506
Aug 24 11:15:32 forwarder kernel: [594621.306548] TRACE: filter:FORWARD:rule:1 IN=docker0 OUT=eth0 PHYSIN=veth79e0ef5 MAC=02:42:59:be:ab:24:02:42:ac:12:00:02:08:00 SRC=172.18.0.2 DST=xxx.xxx.xxx.113 LEN=1526 TOS=0x00 PREC=0x00 TTL=63 ID=45186 PROTO=UDP SPT=10370 DPT=38495 LEN=1506
Aug 24 11:15:32 forwarder kernel: [594621.306556] TRACE: filter:DOCKER-ISOLATION:return:1 IN=docker0 OUT=eth0 PHYSIN=veth79e0ef5 MAC=02:42:59:be:ab:24:02:42:ac:12:00:02:08:00 SRC=172.18.0.2 DST=xxx.xxx.xxx.113 LEN=1526 TOS=0x00 PREC=0x00 TTL=63 ID=45186 PROTO=UDP SPT=10370 DPT=38495 LEN=1506
Aug 24 11:15:32 forwarder kernel: [594621.306560] TRACE: filter:FORWARD:rule:4 IN=docker0 OUT=eth0 PHYSIN=veth79e0ef5 MAC=02:42:59:be:ab:24:02:42:ac:12:00:02:08:00 SRC=172.18.0.2 DST=xxx.xxx.xxx.113 LEN=1526 TOS=0x00 PREC=0x00 TTL=63 ID=45186 PROTO=UDP SPT=10370 DPT=38495 LEN=1506
Aug 24 11:15:32 forwarder kernel: [594621.306564] TRACE: security:FORWARD:policy:1 IN=docker0 OUT=eth0 PHYSIN=veth79e0ef5 MAC=02:42:59:be:ab:24:02:42:ac:12:00:02:08:00 SRC=172.18.0.2 DST=xxx.xxx.xxx.113 LEN=1526 TOS=0x00 PREC=0x00 TTL=63 ID=45186 PROTO=UDP SPT=10370 DPT=38495 LEN=1506
Aug 24 11:15:32 forwarder kernel: [594621.306567] TRACE: mangle:POSTROUTING:policy:1 IN= OUT=eth0 PHYSIN=veth79e0ef5 SRC=172.18.0.2 DST=xxx.xxx.xxx.113 LEN=1526 TOS=0x00 PREC=0x00 TTL=63 ID=45186 PROTO=UDP SPT=10370 DPT=38495 LEN=1506
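The 54 TRACE lines above are hard to read as a flat list: one line per table and chain visited, three datagrams plus their echoes, and the DNAT rewrite hidden in a changing DST= field. The following is an added example, not code from the original post, that groups TRACE lines by protocol and IP ID into per-packet paths and reports the interface pair and any address rewrite seen along the way. It is fed a subset of the log above (MAC= fields dropped, the masked xxx.xxx.xxx.113 address kept as printed); the field names IN, OUT, SRC, DST, ID, PROTO and LEN are those of the kernel's own log format.

```python
"""Group iptables TRACE log lines into per-packet traversal paths."""
import re
from collections import OrderedDict

# Sample input: a subset of the TRACE lines from the log above, with the MAC=
# field dropped for brevity. Constructed for this example; the masked
# xxx.xxx.xxx.113 address is kept exactly as the post shows it.
SAMPLE_LOG = """\
Aug 24 11:14:47 forwarder kernel: [594576.178700] TRACE: raw:PREROUTING:policy:2 IN=eth0 OUT= SRC=xxx.xxx.xxx.113 DST=172.17.128.213 LEN=1511 TOS=0x00 PREC=0x00 TTL=57 ID=17397 PROTO=UDP SPT=38495 DPT=10370 LEN=1491
Aug 24 11:14:47 forwarder kernel: [594576.178743] TRACE: nat:PREROUTING:rule:1 IN=eth0 OUT= SRC=xxx.xxx.xxx.113 DST=172.17.128.213 LEN=1511 TOS=0x00 PREC=0x00 TTL=57 ID=17397 PROTO=UDP SPT=38495 DPT=10370 LEN=1491
Aug 24 11:14:47 forwarder kernel: [594576.178759] TRACE: nat:DOCKER:rule:31 IN=eth0 OUT= SRC=xxx.xxx.xxx.113 DST=172.17.128.213 LEN=1511 TOS=0x00 PREC=0x00 TTL=57 ID=17397 PROTO=UDP SPT=38495 DPT=10370 LEN=1491
Aug 24 11:14:47 forwarder kernel: [594576.178794] TRACE: filter:FORWARD:rule:2 IN=eth0 OUT=docker0 SRC=xxx.xxx.xxx.113 DST=172.18.0.2 LEN=1511 TOS=0x00 PREC=0x00 TTL=56 ID=17397 PROTO=UDP SPT=38495 DPT=10370 LEN=1491
Aug 24 11:14:47 forwarder kernel: [594576.178799] TRACE: filter:DOCKER:rule:30 IN=eth0 OUT=docker0 SRC=xxx.xxx.xxx.113 DST=172.18.0.2 LEN=1511 TOS=0x00 PREC=0x00 TTL=56 ID=17397 PROTO=UDP SPT=38495 DPT=10370 LEN=1491
Aug 24 11:14:47 forwarder kernel: [594576.178815] TRACE: nat:POSTROUTING:policy:102 IN= OUT=docker0 SRC=xxx.xxx.xxx.113 DST=172.18.0.2 LEN=1511 TOS=0x00 PREC=0x00 TTL=56 ID=17397 PROTO=UDP SPT=38495 DPT=10370 LEN=1491
Aug 24 11:14:47 forwarder kernel: [594576.179972] TRACE: raw:PREROUTING:policy:2 IN=docker0 OUT= PHYSIN=veth79e0ef5 SRC=172.18.0.2 DST=xxx.xxx.xxx.113 LEN=1511 TOS=0x00 PREC=0x00 TTL=64 ID=43856 PROTO=UDP SPT=10370 DPT=38495 LEN=1491
Aug 24 11:14:47 forwarder kernel: [594576.180003] TRACE: filter:FORWARD:rule:4 IN=docker0 OUT=eth0 PHYSIN=veth79e0ef5 SRC=172.18.0.2 DST=xxx.xxx.xxx.113 LEN=1511 TOS=0x00 PREC=0x00 TTL=63 ID=43856 PROTO=UDP SPT=10370 DPT=38495 LEN=1491
Aug 24 11:14:47 forwarder kernel: [594576.180010] TRACE: mangle:POSTROUTING:policy:1 IN= OUT=eth0 PHYSIN=veth79e0ef5 SRC=172.18.0.2 DST=xxx.xxx.xxx.113 LEN=1511 TOS=0x00 PREC=0x00 TTL=63 ID=43856 PROTO=UDP SPT=10370 DPT=38495 LEN=1491
"""

# "TRACE: table:chain:kind:num" followed by the key=value fields of the packet.
TRACE_RE = re.compile(
    r"TRACE:\s+(?P<table>\w+):(?P<chain>[\w.-]+):(?P<kind>policy|rule|return):(?P<num>\d+)\s*(?P<rest>.*)"
)
KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_trace_line(line):
    """Return one hop (table, chain, kind, rule number, fields) or None.

    LEN appears twice per line (IP total length, then UDP/TCP length);
    the first is kept as LEN and the second stored as L4_LEN.
    """
    m = TRACE_RE.search(line)
    if not m:
        return None
    fields = {}
    for key, value in KV_RE.findall(m.group("rest")):
        if key in fields:
            key = "L4_" + key
        fields[key] = value
    return {"table": m.group("table"), "chain": m.group("chain"),
            "kind": m.group("kind"), "num": int(m.group("num")), "fields": fields}


def group_paths(lines):
    """Group hops into packets keyed by (PROTO, IP ID), in order of first appearance."""
    paths = OrderedDict()
    for line in lines:
        hop = parse_trace_line(line)
        if hop is None:
            continue
        key = (hop["fields"].get("PROTO"), int(hop["fields"].get("ID", 0)))
        paths.setdefault(key, []).append(hop)
    return paths


def summarize(hops):
    """Describe one packet's path: hop tokens, interfaces, NAT rewrites, tables touched."""
    first, last = hops[0]["fields"], hops[-1]["fields"]

    def rewrite(name):
        # an address that differs between the first and last hop was rewritten by NAT
        before, after = first.get(name), last.get(name)
        return (before, after) if before != after else None

    return {
        "hops": ["%s:%s:%s:%d" % (h["table"], h["chain"], h["kind"], h["num"]) for h in hops],
        "in_dev": first.get("IN") or None,     # PREROUTING lines carry IN=
        "out_dev": last.get("OUT") or None,    # POSTROUTING lines carry OUT=
        "dnat": rewrite("DST"),
        "snat": rewrite("SRC"),
        "tables": sorted({h["table"] for h in hops}),
    }


def format_path(key, summary):
    """One human-readable block per packet."""
    proto, ip_id = key
    head = "%s id=%d %s -> %s" % (proto, ip_id, summary["in_dev"] or "-", summary["out_dev"] or "-")
    notes = []
    if summary["dnat"]:
        notes.append("DNAT %s -> %s" % summary["dnat"])
    if summary["snat"]:
        notes.append("SNAT %s -> %s" % summary["snat"])
    if notes:
        head += " [" + ", ".join(notes) + "]"
    return head + "\n  " + "\n  ".join(summary["hops"])


if __name__ == "__main__":
    for key, hops in group_paths(SAMPLE_LOG.splitlines()).items():
        print(format_path(key, summarize(hops)))
```

Run stand-alone it prints one block per datagram. On the sample, the inbound datagram (ID 17397) shows eth0 -> docker0 with DNAT 172.17.128.213 -> 172.18.0.2, taking effect between nat:DOCKER:rule:31 and filter:FORWARD:rule:2, while the reply (ID 43856) touches no nat chain at all: the nat table is consulted only for the first packet of a connection and later packets of the same conntrack entry skip it, which is why every reply path in the full log above is shorter than its request. The IP ID is a 16-bit field and can repeat across unrelated flows, so over a long capture the grouping key should also include SRC and the ports.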
For those who may want to analyse this in detail, we also give the relevant iptables rules (for brevity, some nearly identical rules have been removed).
root@forwarder:~# for t in filter mangle nat security raw;do echo '############################################';echo $t; echo '############################################';iptables -L -n -v -t $t;echo;done
############################################
filter
############################################
Chain INPUT (policy ACCEPT 8134 packets, 566K bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DOCKER-ISOLATION all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DOCKER all -- * docker0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * docker0 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
0 0 ACCEPT all -- docker0 !docker0 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- docker0 docker0 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 6362 packets, 2498K bytes)
pkts bytes target prot opt in out source destination
Chain DOCKER (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT udp -- !docker0 docker0 0.0.0.0/0 172.18.0.2 udp dpt:10399
0 0 ACCEPT udp -- !docker0 docker0 0.0.0.0/0 172.18.0.2 udp dpt:10398
0 0 ACCEPT udp -- !docker0 docker0 0.0.0.0/0 172.18.0.2 udp dpt:10397
0 0 ACCEPT udp -- !docker0 docker0 0.0.0.0/0 172.18.0.2 udp dpt:10396
0 0 ACCEPT udp -- !docker0 docker0 0.0.0.0/0 172.18.0.2 udp dpt:10395
0 0 ACCEPT udp -- !docker0 docker0 0.0.0.0/0 172.18.0.2 udp dpt:10394
0 0 ACCEPT udp -- !docker0 docker0 0.0.0.0/0 172.18.0.2 udp dpt:10393
0 0 ACCEPT udp -- !docker0 docker0 0.0.0.0/0 172.18.0.2 udp dpt:10392
0 0 ACCEPT udp -- !docker0 docker0 0.0.0.0/0 172.18.0.2 udp dpt:10391
0 0 ACCEPT udp -- !docker0 docker0 0.0.0.0/0 172.18.0.2 udp dpt:10390
0 0 ACCEPT udp -- !docker0 docker0 0.0.0.0/0 172.18.0.2 udp dpt:10389
0 0 ACCEPT udp -- !docker0 docker0 0.0.0.0/0 172.18.0.2 udp dpt:10388
0 0 ACCEPT udp -- !docker0 docker0 0.0.0.0/0 172.18.0.2 udp dpt:10387
0 0 ACCEPT udp -- !docker0 docker0 0.0.0.0/0 172.18.0.2 udp dpt:10386
0 0 ACCEPT udp -- !docker0 docker0 0.0.0.0/0 172.18.0.2 udp dpt:10385
0 0 ACCEPT udp -- !docker0 docker0 0.0.0.0/0 172.18.0.2 udp dpt:10384
0 0 ACCEPT udp -- !docker0 docker0 0.0.0.0/0 172.18.0.2 udp dpt:10383
0 0 ACCEPT udp -- !docker0 docker0 0.0.0.0/0 172.18.0.2 udp dpt:10382
0 0 ACCEPT udp -- !docker0 docker0 0.0.0.0/0 172.18.0.2 udp dpt:10381
0 0 ACCEPT udp -- !docker0 docker0 0.0.0.0/0 172.18.0.2 udp dpt:10380
0 0 ACCEPT udp -- !docker0 docker0 0.0.0.0/0 172.18.0.2 udp dpt:10379
0 0 ACCEPT udp -- !docker0 docker0 0.0.0.0/0 172.18.0.2 udp dpt:10378
0 0 ACCEPT udp -- !docker0 docker0 0.0.0.0/0 172.18.0.2 udp dpt:10377
0 0 ACCEPT udp -- !docker0 docker0 0.0.0.0/0 172.18.0.2 udp dpt:10376
0 0 ACCEPT udp -- !docker0 docker0 0.0.0.0/0 172.18.0.2 udp dpt:10375
0 0 ACCEPT udp -- !docker0 docker0 0.0.0.0/0 172.18.0.2 udp dpt:10374
0 0 ACCEPT udp -- !docker0 docker0 0.0.0.0/0 172.18.0.2 udp dpt:10373
0 0 ACCEPT udp -- !docker0 docker0 0.0.0.0/0 172.18.0.2 udp dpt:10372
0 0 ACCEPT udp -- !docker0 docker0 0.0.0.0/0 172.18.0.2 udp dpt:10371
0 0 ACCEPT udp -- !docker0 docker0 0.0.0.0/0 172.18.0.2 udp dpt:10370
# ... ...
0 0 ACCEPT udp -- !docker0 docker0 0.0.0.0/0 172.18.0.2 udp dpt:10310
0 0 ACCEPT udp -- !docker0 docker0 0.0.0.0/0 172.18.0.2 udp dpt:10309
0 0 ACCEPT udp -- !docker0 docker0 0.0.0.0/0 172.18.0.2 udp dpt:10308
0 0 ACCEPT udp -- !docker0 docker0 0.0.0.0/0 172.18.0.2 udp dpt:10307
0 0 ACCEPT udp -- !docker0 docker0 0.0.0.0/0 172.18.0.2 udp dpt:10306
0 0 ACCEPT udp -- !docker0 docker0 0.0.0.0/0 172.18.0.2 udp dpt:10305
0 0 ACCEPT udp -- !docker0 docker0 0.0.0.0/0 172.18.0.2 udp dpt:10304
0 0 ACCEPT udp -- !docker0 docker0 0.0.0.0/0 172.18.0.2 udp dpt:10303
0 0 ACCEPT udp -- !docker0 docker0 0.0.0.0/0 172.18.0.2 udp dpt:10302
0 0 ACCEPT udp -- !docker0 docker0 0.0.0.0/0 172.18.0.2 udp dpt:10301
0 0 ACCEPT udp -- !docker0 docker0 0.0.0.0/0 172.18.0.2 udp dpt:10300
Chain DOCKER-ISOLATION (1 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
############################################
mangle
############################################
Chain PREROUTING (policy ACCEPT 146 packets, 9205 bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 146 packets, 9205 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 123 packets, 70493 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 123 packets, 70493 bytes)
pkts bytes target prot opt in out source destination
############################################
nat
############################################
Chain PREROUTING (policy ACCEPT 371 packets, 20868 bytes)
pkts bytes target prot opt in out source destination
1193 73848 DOCKER all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL
Chain INPUT (policy ACCEPT 371 packets, 20868 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 538 packets, 34120 bytes)
pkts bytes target prot opt in out source destination
0 0 DOCKER all -- * * 0.0.0.0/0 !127.0.0.0/8 ADDRTYPE match dst-type LOCAL
Chain POSTROUTING (policy ACCEPT 538 packets, 34120 bytes)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE all -- * !docker0 172.18.0.0/16 0.0.0.0/0
0 0 MASQUERADE udp -- * * 172.18.0.2 172.18.0.2 udp dpt:10399
0 0 MASQUERADE udp -- * * 172.18.0.2 172.18.0.2 udp dpt:10398
0 0 MASQUERADE udp -- * * 172.18.0.2 172.18.0.2 udp dpt:10397
0 0 MASQUERADE udp -- * * 172.18.0.2 172.18.0.2 udp dpt:10396
0 0 MASQUERADE udp -- * * 172.18.0.2 172.18.0.2 udp dpt:10395
0 0 MASQUERADE udp -- * * 172.18.0.2 172.18.0.2 udp dpt:10394
0 0 MASQUERADE udp -- * * 172.18.0.2 172.18.0.2 udp dpt:10393
0 0 MASQUERADE udp -- * * 172.18.0.2 172.18.0.2 udp dpt:10392
0 0 MASQUERADE udp -- * * 172.18.0.2 172.18.0.2 udp dpt:10391
0 0 MASQUERADE udp -- * * 172.18.0.2 172.18.0.2 udp dpt:10390
0 0 MASQUERADE udp -- * * 172.18.0.2 172.18.0.2 udp dpt:10389
0 0 MASQUERADE udp -- * * 172.18.0.2 172.18.0.2 udp dpt:10388
0 0 MASQUERADE udp -- * * 172.18.0.2 172.18.0.2 udp dpt:10387
0 0 MASQUERADE udp -- * * 172.18.0.2 172.18.0.2 udp dpt:10386
0 0 MASQUERADE udp -- * * 172.18.0.2 172.18.0.2 udp dpt:10385
0 0 MASQUERADE udp -- * * 172.18.0.2 172.18.0.2 udp dpt:10384
0 0 MASQUERADE udp -- * * 172.18.0.2 172.18.0.2 udp dpt:10383
0 0 MASQUERADE udp -- * * 172.18.0.2 172.18.0.2 udp dpt:10382
0 0 MASQUERADE udp -- * * 172.18.0.2 172.18.0.2 udp dpt:10381
0 0 MASQUERADE udp -- * * 172.18.0.2 172.18.0.2 udp dpt:10380
0 0 MASQUERADE udp -- * * 172.18.0.2 172.18.0.2 udp dpt:10379
0 0 MASQUERADE udp -- * * 172.18.0.2 172.18.0.2 udp dpt:10378
0 0 MASQUERADE udp -- * * 172.18.0.2 172.18.0.2 udp dpt:10377
0 0 MASQUERADE udp -- * * 172.18.0.2 172.18.0.2 udp dpt:10376
0 0 MASQUERADE udp -- * * 172.18.0.2 172.18.0.2 udp dpt:10375
0 0 MASQUERADE udp -- * * 172.18.0.2 172.18.0.2 udp dpt:10374
0 0 MASQUERADE udp -- * * 172.18.0.2 172.18.0.2 udp dpt:10373
0 0 MASQUERADE udp -- * * 172.18.0.2 172.18.0.2 udp dpt:10372
0 0 MASQUERADE udp -- * * 172.18.0.2 172.18.0.2 udp dpt:10371
0 0 MASQUERADE udp -- * * 172.18.0.2 172.18.0.2 udp dpt:10370
# ... ...
0 0 MASQUERADE udp -- * * 172.18.0.2 172.18.0.2 udp dpt:10310
0 0 MASQUERADE udp -- * * 172.18.0.2 172.18.0.2 udp dpt:10309
0 0 MASQUERADE udp -- * * 172.18.0.2 172.18.0.2 udp dpt:10308
0 0 MASQUERADE udp -- * * 172.18.0.2 172.18.0.2 udp dpt:10307
0 0 MASQUERADE udp -- * * 172.18.0.2 172.18.0.2 udp dpt:10306
0 0 MASQUERADE udp -- * * 172.18.0.2 172.18.0.2 udp dpt:10305
0 0 MASQUERADE udp -- * * 172.18.0.2 172.18.0.2 udp dpt:10304
0 0 MASQUERADE udp -- * * 172.18.0.2 172.18.0.2 udp dpt:10303
0 0 MASQUERADE udp -- * * 172.18.0.2 172.18.0.2 udp dpt:10302
0 0 MASQUERADE udp -- * * 172.18.0.2 172.18.0.2 udp dpt:10301
0 0 MASQUERADE udp -- * * 172.18.0.2 172.18.0.2 udp dpt:10300
Chain DOCKER (2 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- docker0 * 0.0.0.0/0 0.0.0.0/0
0 0 DNAT udp -- !docker0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:10399 to:172.18.0.2:10399
0 0 DNAT udp -- !docker0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:10398 to:172.18.0.2:10398
0 0 DNAT udp -- !docker0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:10397 to:172.18.0.2:10397
0 0 DNAT udp -- !docker0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:10396 to:172.18.0.2:10396
0 0 DNAT udp -- !docker0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:10395 to:172.18.0.2:10395
0 0 DNAT udp -- !docker0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:10394 to:172.18.0.2:10394
0 0 DNAT udp -- !docker0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:10393 to:172.18.0.2:10393
0 0 DNAT udp -- !docker0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:10392 to:172.18.0.2:10392
0 0 DNAT udp -- !docker0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:10391 to:172.18.0.2:10391
0 0 DNAT udp -- !docker0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:10390 to:172.18.0.2:10390
0 0 DNAT udp -- !docker0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:10389 to:172.18.0.2:10389
0 0 DNAT udp -- !docker0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:10388 to:172.18.0.2:10388
0 0 DNAT udp -- !docker0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:10387 to:172.18.0.2:10387
0 0 DNAT udp -- !docker0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:10386 to:172.18.0.2:10386
0 0 DNAT udp -- !docker0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:10385 to:172.18.0.2:10385
0 0 DNAT udp -- !docker0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:10384 to:172.18.0.2:10384
0 0 DNAT udp -- !docker0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:10383 to:172.18.0.2:10383
0 0 DNAT udp -- !docker0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:10382 to:172.18.0.2:10382
0 0 DNAT udp -- !docker0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:10381 to:172.18.0.2:10381
0 0 DNAT udp -- !docker0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:10380 to:172.18.0.2:10380
0 0 DNAT udp -- !docker0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:10379 to:172.18.0.2:10379
0 0 DNAT udp -- !docker0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:10378 to:172.18.0.2:10378
0 0 DNAT udp -- !docker0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:10377 to:172.18.0.2:10377
0 0 DNAT udp -- !docker0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:10376 to:172.18.0.2:10376
0 0 DNAT udp -- !docker0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:10375 to:172.18.0.2:10375
0 0 DNAT udp -- !docker0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:10374 to:172.18.0.2:10374
0 0 DNAT udp -- !docker0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:10373 to:172.18.0.2:10373
0 0 DNAT udp -- !docker0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:10372 to:172.18.0.2:10372
0 0 DNAT udp -- !docker0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:10371 to:172.18.0.2:10371
0 0 DNAT udp -- !docker0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:10370 to:172.18.0.2:10370
# ... ...
0 0 DNAT udp -- !docker0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:10311 to:172.18.0.2:10311
0 0 DNAT udp -- !docker0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:10310 to:172.18.0.2:10310
0 0 DNAT udp -- !docker0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:10309 to:172.18.0.2:10309
0 0 DNAT udp -- !docker0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:10308 to:172.18.0.2:10308
0 0 DNAT udp -- !docker0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:10307 to:172.18.0.2:10307
0 0 DNAT udp -- !docker0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:10306 to:172.18.0.2:10306
0 0 DNAT udp -- !docker0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:10305 to:172.18.0.2:10305
0 0 DNAT udp -- !docker0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:10304 to:172.18.0.2:10304
0 0 DNAT udp -- !docker0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:10303 to:172.18.0.2:10303
0 0 DNAT udp -- !docker0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:10302 to:172.18.0.2:10302
0 0 DNAT udp -- !docker0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:10301 to:172.18.0.2:10301
0 0 DNAT udp -- !docker0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:10300 to:172.18.0.2:10300
############################################
security
############################################
Chain INPUT (policy ACCEPT 146 packets, 9257 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 114 packets, 77993 bytes)
pkts bytes target prot opt in out source destination
############################################
raw
############################################
Chain PREROUTING (policy ACCEPT 50 packets, 3203 bytes)
pkts bytes target prot opt in out source destination
0 0 TRACE udp -- * * 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 41 packets, 55987 bytes)
pkts bytes target prot opt in out source destination
0 0 TRACE udp -- * * 0.0.0.0/0 0.0.0.0/0
Conclusion
In summary, there is a simple approach to tracing the iptables execution path. Used for troubleshooting and diagnosis, it lets us see how a packet is handled inside the kernel. This simple approach undoubtedly has its own merits.
References
- Towards the perfect ruleset
- iptables debugging
- How to Enable IPtables TRACE Target on Debian Squeeze (6)
Last updated: 2017-08-24 17:32:29