System Diagnostics Tips (7): A simple scheme for troubleshooting and diagnosis with iptables
Published: 2019-06-23


TL;DR

Iptables

Strictly speaking, iptables is only the user-space interface to the Linux firewall; in everyday usage, though, the name covers the whole firewall, user space and kernel space alike. We follow that usage here, but first let's name the kernel-space part (netfilter), which makes it obvious why firewall-related names so often carry an "nf" or "netfilter" prefix.

netfilter places hooks in the kernel's network stack. By registering callbacks on those hooks we can inject our own logic into the stack; firewall rules are the obvious example. But that is not all netfilter is good for: it is also a handy way to probe how a particular packet is processed and to pull out data for diagnosis and troubleshooting.

Here we look at how to trace the path a packet takes through iptables. The skill is useful both for diagnosing and fixing problems in the firewall itself and for filling in the blind spots that a packet capture leaves behind.

Hooks

Let's start with netfilter's hooks as seen in the source. Below is a fragment; see the kernel source for the complete definitions. We strongly suggest taking the time to read this and the following fragments carefully.

/* Responses from hook functions. */
#define NF_DROP 0
#define NF_ACCEPT 1
#define NF_STOLEN 2
#define NF_QUEUE 3
#define NF_REPEAT 4
#define NF_STOP 5    /* Deprecated, for userspace nf_queue compatibility. */
#define NF_MAX_VERDICT NF_STOP

enum nf_inet_hooks {
    NF_INET_PRE_ROUTING,
    NF_INET_LOCAL_IN,
    NF_INET_FORWARD,
    NF_INET_LOCAL_OUT,
    NF_INET_POST_ROUTING,
    NF_INET_NUMHOOKS
};

enum nf_dev_hooks {
    NF_NETDEV_INGRESS,
    NF_NETDEV_NUMHOOKS
};

enum {
    NFPROTO_UNSPEC =  0,
    NFPROTO_INET   =  1,
    NFPROTO_IPV4   =  2,
    NFPROTO_ARP    =  3,
    NFPROTO_NETDEV =  5,
    NFPROTO_BRIDGE =  7,
    NFPROTO_IPV6   = 10,
    NFPROTO_DECNET = 12,
    NFPROTO_NUMPROTO,
};

What usually confuses people is the order in which the various tables and their chains execute. That is a matter of priority: every callback registered on a hook carries a priority, and callbacks on the same hook run in ascending priority order. Source fragment below; see the kernel source for the full definition.

struct nf_hook_ops {
    /* User fills in from here down. */
    nf_hookfn        *hook;
    struct net_device    *dev;
    void            *priv;
    u_int8_t        pf;
    unsigned int        hooknum;
    /* Hooks are ordered in ascending priority. */
    int            priority; /* the priority is defined here */
};

So where are the priority values themselves defined? Fragment below; see the kernel source for the full enum.

enum nf_ip_hook_priorities {
    NF_IP_PRI_FIRST = INT_MIN,
    NF_IP_PRI_CONNTRACK_DEFRAG = -400,
    NF_IP_PRI_RAW = -300,
    NF_IP_PRI_SELINUX_FIRST = -225,
    NF_IP_PRI_CONNTRACK = -200,
    NF_IP_PRI_MANGLE = -150,
    NF_IP_PRI_NAT_DST = -100,
    NF_IP_PRI_FILTER = 0,
    NF_IP_PRI_SECURITY = 50,
    NF_IP_PRI_NAT_SRC = 100,
    NF_IP_PRI_SELINUX_LAST = 225,
    NF_IP_PRI_CONNTRACK_HELPER = 300,
    NF_IP_PRI_CONNTRACK_CONFIRM = INT_MAX,
    NF_IP_PRI_LAST = INT_MAX,
};

Read together with the hook enum, this gives the order a packet sees on any one hook: conntrack defragmentation (-400) first, then the raw table (-300), conntrack (-200), mangle (-150), DNAT (-100), filter (0), security (50), SNAT (100) and finally conntrack confirmation (INT_MAX). Two consequences matter for tracing: the raw table runs before conntrack, which is why NOTRACK lives there, and it runs after defragmentation, so anything logged from raw sees reassembled datagrams rather than the fragments on the wire.

Prose is tiring, so here is a diagram (original image):

[Figure: nf_packet_flow, the netfilter packet flow through tables and chains]

But so far we have only roughly sorted out the order of iptables' tables and chains. To know the order a given packet actually follows, we have to trace its execution path. Here is a suggested approach.

A template for the simple scheme

The scheme works because of two facts. First, every packet entering or leaving the system, whatever its final destination, passes through the raw table: incoming packets through PREROUTING, locally generated packets through OUTPUT. This can be checked against the diagram above. Second, as documented in iptables-extensions(8), the TRACE target marks a packet so that the kernel logs every table, chain and rule it passes through. TRACE is only valid in the raw table, which is exactly where those two chains live.

So what, concretely, needs to be done?

  1. Since we need the kernel to log netfilter's behaviour, first make sure the logging module is loaded and configured.
  2. Add suitable rules to the raw table's PREROUTING and OUTPUT chains.

Take tracing UDP as the example.

First, find out which logging module is available (older kernels ship ipt_LOG, newer ones nf_log_ipv4):

for m in ipt_LOG nf_log_ipv4; do
  find /lib/modules/$(uname -r) \( -name "${m}.ko" -o -name "${m}.ko.xz" \) -type f | grep -q "${m}.ko" && mod=${m} && break
done

Next, load the logging module and bind it to the IPv4 protocol family. The "2" in the sysctl key is NFPROTO_IPV4 from the enum above; `sysctl net.netfilter.nf_log.2` afterwards should print the module name, otherwise nothing will be logged. On kernels 4.19 and later nf_conntrack_ipv4 has been folded into nf_conntrack, so load that instead. One more caveat: if `iptables -V` reports (nf_tables), TRACE is implemented through nftables' nftrace and the events are read with `nft monitor trace` rather than from the kernel log.

modprobe ${mod}
modprobe nf_conntrack_ipv4
sysctl net.netfilter.nf_log.2=${mod}

Finally, add the rules to the raw table (you can narrow them further, for example by port, to keep the log readable):

iptables -t raw -A OUTPUT -p udp -j TRACE
iptables -t raw -A PREROUTING -p udp -j TRACE
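The three steps above, wrapped into reusable shell functions, as an added example that is not part of the original post. It assumes iptables-legacy semantics (TRACE output lands in the kernel log), takes the module directory as an argument so the lookup can be exercised without root, accepts the compressed module suffixes common distributions ship, and uses `-I` with a port match so the TRACE rule sits ahead of any NOTRACK rule already in raw; those choices are mine, not the post's.

```shell
#!/bin/sh
# Added example: helpers around the TRACE setup described in the post.
# Pure helpers (find_log_module, trace_rules) run unprivileged; only
# trace_enable/trace_disable touch the kernel and need root.

# find_log_module MODDIR: print the first available IPv4 log module name.
# Accepts .ko and the .xz/.gz/.zst compressed variants distributions use.
find_log_module() {
    moddir=$1
    for m in nf_log_ipv4 ipt_LOG; do
        if find "$moddir" -type f \( -name "$m.ko" -o -name "$m.ko.xz" \
                -o -name "$m.ko.gz" -o -name "$m.ko.zst" \) 2>/dev/null | grep -q .; then
            printf '%s\n' "$m"
            return 0
        fi
    done
    return 1
}

# trace_rules PROTO PORT: print the raw-table rules that trace one service,
# both directions on both raw chains. -I (insert at the top) rather than -A,
# so an earlier NOTRACK rule in raw cannot hide the packets from TRACE.
trace_rules() {
    proto=$1; port=$2
    printf 'iptables -t raw -I PREROUTING -p %s --dport %s -j TRACE\n' "$proto" "$port"
    printf 'iptables -t raw -I PREROUTING -p %s --sport %s -j TRACE\n' "$proto" "$port"
    printf 'iptables -t raw -I OUTPUT -p %s --dport %s -j TRACE\n' "$proto" "$port"
    printf 'iptables -t raw -I OUTPUT -p %s --sport %s -j TRACE\n' "$proto" "$port"
}

# trace_enable PROTO PORT (root): load the logger, bind it to the IPv4
# family (2 == NFPROTO_IPV4, the index used by net.netfilter.nf_log),
# verify the binding took effect, then install the rules.
trace_enable() {
    mod=$(find_log_module "/lib/modules/$(uname -r)") || { echo "no log module found" >&2; return 1; }
    modprobe "$mod"
    # nf_conntrack_ipv4 exists only on kernels before 4.19; fall back to nf_conntrack
    modprobe nf_conntrack_ipv4 2>/dev/null || modprobe nf_conntrack
    sysctl -w "net.netfilter.nf_log.2=$mod" >/dev/null
    [ "$(sysctl -n net.netfilter.nf_log.2)" = "$mod" ] || { echo "nf_log binding failed" >&2; return 1; }
    trace_rules "$1" "$2" | sh -e
}

# trace_disable PROTO PORT (root): delete exactly the rules trace_rules added.
trace_disable() {
    trace_rules "$1" "$2" | sed 's/ -I / -D /' | sh
}
```

Usage on the forwarder: `trace_enable udp 10370`, reproduce the problem, then `trace_disable udp 10370`; leaving TRACE rules in place floods the kernel log on a busy host.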

A concrete example

Let's test how well the proposed scheme works. The test topology is shown below:

[Figure: vm_docker_udp_iptables_test, the test topology: trigger VM, forwarder VM running Docker, echo server container]

In the forwarder VM we start Docker and publish the container's UDP port 10370 (in fact we publish a whole range):

docker run -it $(for p in $(seq 10300 10399);do echo "-p ${p}:${p}/udp" | xargs;done) ubuntu

Then start an echo server process inside the container. We use ncat, which ships with nmap.

The default ubuntu image does not contain the packages we need, so install them first:

apt-get update
apt-get -y install iproute2 nmap net-tools

Now start the echo server:

ncat -u -e $(which cat) -k -l 10370

Then, on the forwarder VM, capture the packets going in and out:

tcpdump -i eth0 -w pkts.pcap host vm_trigger_ip

Then, from the trigger VM, open a connection to the forwarder:

ncat -u vm_forwarder_ip 10370

Finally, from trigger we send payloads of 1483, 1485 and 1498 bytes. With an 8-byte UDP header and a 20-byte IPv4 header these give IP total lengths of 1511, 1513 and 1526, which are the LEN= values that appear in the trace below; all three exceed a 1500-byte MTU, so each leaves trigger as two fragments.
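An added example, not from the original post, for the client side of the test: a payload generator that sends exactly the requested number of bytes and reports the IP total length to expect in the trace, plus the number of fragments the datagram becomes on a 1500-byte link. It assumes ncat (with `--send-only`) is available on trigger, as in the post's own ncat usage.

```shell
#!/bin/sh
# Added example: sized UDP probes whose LEN= values can be matched against
# TRACE output. Sizes and host/port are the caller's choice.

# udp_payload SIZE: emit exactly SIZE bytes of printable filler, no newline,
# so the UDP length is SIZE+8 and the IP total length SIZE+28.
udp_payload() {
    head -c "$1" /dev/zero | tr '\0' 'A'
}

# ip_total_len SIZE: IP total length of a UDP datagram carrying SIZE bytes
# (8-byte UDP header plus 20-byte IPv4 header without options).
ip_total_len() {
    echo $(( $1 + 28 ))
}

# fragments SIZE MTU: how many on-wire fragments the datagram becomes on a
# link with that MTU. Fragment data is carried in multiples of 8 bytes.
fragments() {
    total=$(ip_total_len "$1"); mtu=$2
    if [ "$total" -le "$mtu" ]; then echo 1; return; fi
    per=$(( ((mtu - 20) / 8) * 8 ))            # data bytes per fragment, 8-byte aligned
    echo $(( (total - 20 + per - 1) / per ))    # ceiling division over the payload
}

# send_probe HOST PORT SIZE: send one datagram and say what to look for.
send_probe() {
    udp_payload "$3" | ncat -u --send-only "$1" "$2"
    echo "sent $3 bytes: expect LEN=$(ip_total_len "$3") in the trace," \
         "$(fragments "$3" 1500) fragment(s) on a 1500-byte link"
}
```

On trigger: `for s in 1483 1485 1498; do send_probe vm_forwarder_ip 10370 $s; done`. Because the raw table runs after defragmentation, the trace on forwarder shows one entry per datagram with the full LEN, even though the capture on eth0 shows two fragments for each.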

What remains is to analyze the captured data.

First we confirm that the echo server works. We open the capture in a protocol analyzer configured not to reassemble fragmented IP packets:

[Figure: packet-capture screenshot, 2017-08-24 16:27:33]

Clearly the link MTU between trigger, forwarder and the echo server is 1500, and the echo server works correctly.

Now let's look at the relevant kernel log. Several things in it are worth noticing. The hop order within each hook matches the priorities above: raw, then mangle, then nat on PREROUTING; mangle, filter, security on FORWARD; mangle, then nat on POSTROUTING. Only the first datagram (ID 17397) visits the nat table at all (nat:PREROUTING:rule:1, nat:DOCKER:rule:31 and nat:POSTROUTING:policy:102): NAT decisions are made once per connection and stored in the conntrack entry, so the later datagrams of the same flow (IDs 17398 and 17399) skip nat entirely, and their DST is already rewritten from 172.17.128.213 to 172.18.0.2 by the time they reach mangle:FORWARD. The rule numbers line up with the listing further down: nat:DOCKER:rule:31 is the DNAT for dpt:10370 (one RETURN rule plus the 30 ports from 10399 down to 10370), filter:DOCKER:rule:30 is the matching ACCEPT, and filter:FORWARD:rule:4 is the ACCEPT for docker0 -> !docker0 that lets the replies out. Finally, even the 1526-byte datagram is logged as a single packet with its full LEN at raw:PREROUTING although it crossed the 1500-byte link as two fragments: defragmentation (priority -400) runs before the raw table (-300), so TRACE only ever sees reassembled datagrams.

Aug 24 11:14:47 forwarder kernel: [594576.178700] TRACE: raw:PREROUTING:policy:2 IN=eth0 OUT= MAC=00:16:3e:03:f4:3f:ee:ff:ff:ff:ff:ff:08:00 SRC=xxx.xxx.xxx.113 DST=172.17.128.213 LEN=1511 TOS=0x00 PREC=0x00 TTL=57 ID=17397 PROTO=UDP SPT=38495 DPT=10370 LEN=1491
Aug 24 11:14:47 forwarder kernel: [594576.178732] TRACE: mangle:PREROUTING:policy:1 IN=eth0 OUT= MAC=00:16:3e:03:f4:3f:ee:ff:ff:ff:ff:ff:08:00 SRC=xxx.xxx.xxx.113 DST=172.17.128.213 LEN=1511 TOS=0x00 PREC=0x00 TTL=57 ID=17397 PROTO=UDP SPT=38495 DPT=10370 LEN=1491
Aug 24 11:14:47 forwarder kernel: [594576.178743] TRACE: nat:PREROUTING:rule:1 IN=eth0 OUT= MAC=00:16:3e:03:f4:3f:ee:ff:ff:ff:ff:ff:08:00 SRC=xxx.xxx.xxx.113 DST=172.17.128.213 LEN=1511 TOS=0x00 PREC=0x00 TTL=57 ID=17397 PROTO=UDP SPT=38495 DPT=10370 LEN=1491
Aug 24 11:14:47 forwarder kernel: [594576.178759] TRACE: nat:DOCKER:rule:31 IN=eth0 OUT= MAC=00:16:3e:03:f4:3f:ee:ff:ff:ff:ff:ff:08:00 SRC=xxx.xxx.xxx.113 DST=172.17.128.213 LEN=1511 TOS=0x00 PREC=0x00 TTL=57 ID=17397 PROTO=UDP SPT=38495 DPT=10370 LEN=1491
Aug 24 11:14:47 forwarder kernel: [594576.178773] TRACE: mangle:FORWARD:policy:1 IN=eth0 OUT=docker0 MAC=00:16:3e:03:f4:3f:ee:ff:ff:ff:ff:ff:08:00 SRC=xxx.xxx.xxx.113 DST=172.18.0.2 LEN=1511 TOS=0x00 PREC=0x00 TTL=56 ID=17397 PROTO=UDP SPT=38495 DPT=10370 LEN=1491
Aug 24 11:14:47 forwarder kernel: [594576.178779] TRACE: filter:FORWARD:rule:1 IN=eth0 OUT=docker0 MAC=00:16:3e:03:f4:3f:ee:ff:ff:ff:ff:ff:08:00 SRC=xxx.xxx.xxx.113 DST=172.18.0.2 LEN=1511 TOS=0x00 PREC=0x00 TTL=56 ID=17397 PROTO=UDP SPT=38495 DPT=10370 LEN=1491
Aug 24 11:14:47 forwarder kernel: [594576.178790] TRACE: filter:DOCKER-ISOLATION:return:1 IN=eth0 OUT=docker0 MAC=00:16:3e:03:f4:3f:ee:ff:ff:ff:ff:ff:08:00 SRC=xxx.xxx.xxx.113 DST=172.18.0.2 LEN=1511 TOS=0x00 PREC=0x00 TTL=56 ID=17397 PROTO=UDP SPT=38495 DPT=10370 LEN=1491
Aug 24 11:14:47 forwarder kernel: [594576.178794] TRACE: filter:FORWARD:rule:2 IN=eth0 OUT=docker0 MAC=00:16:3e:03:f4:3f:ee:ff:ff:ff:ff:ff:08:00 SRC=xxx.xxx.xxx.113 DST=172.18.0.2 LEN=1511 TOS=0x00 PREC=0x00 TTL=56 ID=17397 PROTO=UDP SPT=38495 DPT=10370 LEN=1491
Aug 24 11:14:47 forwarder kernel: [594576.178799] TRACE: filter:DOCKER:rule:30 IN=eth0 OUT=docker0 MAC=00:16:3e:03:f4:3f:ee:ff:ff:ff:ff:ff:08:00 SRC=xxx.xxx.xxx.113 DST=172.18.0.2 LEN=1511 TOS=0x00 PREC=0x00 TTL=56 ID=17397 PROTO=UDP SPT=38495 DPT=10370 LEN=1491
Aug 24 11:14:47 forwarder kernel: [594576.178804] TRACE: security:FORWARD:policy:1 IN=eth0 OUT=docker0 MAC=00:16:3e:03:f4:3f:ee:ff:ff:ff:ff:ff:08:00 SRC=xxx.xxx.xxx.113 DST=172.18.0.2 LEN=1511 TOS=0x00 PREC=0x00 TTL=56 ID=17397 PROTO=UDP SPT=38495 DPT=10370 LEN=1491
Aug 24 11:14:47 forwarder kernel: [594576.178808] TRACE: mangle:POSTROUTING:policy:1 IN= OUT=docker0 SRC=xxx.xxx.xxx.113 DST=172.18.0.2 LEN=1511 TOS=0x00 PREC=0x00 TTL=56 ID=17397 PROTO=UDP SPT=38495 DPT=10370 LEN=1491
Aug 24 11:14:47 forwarder kernel: [594576.178815] TRACE: nat:POSTROUTING:policy:102 IN= OUT=docker0 SRC=xxx.xxx.xxx.113 DST=172.18.0.2 LEN=1511 TOS=0x00 PREC=0x00 TTL=56 ID=17397 PROTO=UDP SPT=38495 DPT=10370 LEN=1491

Aug 24 11:14:47 forwarder kernel: [594576.179972] TRACE: raw:PREROUTING:policy:2 IN=docker0 OUT= PHYSIN=veth79e0ef5 MAC=02:42:59:be:ab:24:02:42:ac:12:00:02:08:00 SRC=172.18.0.2 DST=xxx.xxx.xxx.113 LEN=1511 TOS=0x00 PREC=0x00 TTL=64 ID=43856 PROTO=UDP SPT=10370 DPT=38495 LEN=1491
Aug 24 11:14:47 forwarder kernel: [594576.179979] TRACE: mangle:PREROUTING:policy:1 IN=docker0 OUT= PHYSIN=veth79e0ef5 MAC=02:42:59:be:ab:24:02:42:ac:12:00:02:08:00 SRC=172.18.0.2 DST=xxx.xxx.xxx.113 LEN=1511 TOS=0x00 PREC=0x00 TTL=64 ID=43856 PROTO=UDP SPT=10370 DPT=38495 LEN=1491
Aug 24 11:14:47 forwarder kernel: [594576.179987] TRACE: mangle:FORWARD:policy:1 IN=docker0 OUT=eth0 PHYSIN=veth79e0ef5 MAC=02:42:59:be:ab:24:02:42:ac:12:00:02:08:00 SRC=172.18.0.2 DST=xxx.xxx.xxx.113 LEN=1511 TOS=0x00 PREC=0x00 TTL=63 ID=43856 PROTO=UDP SPT=10370 DPT=38495 LEN=1491
Aug 24 11:14:47 forwarder kernel: [594576.179991] TRACE: filter:FORWARD:rule:1 IN=docker0 OUT=eth0 PHYSIN=veth79e0ef5 MAC=02:42:59:be:ab:24:02:42:ac:12:00:02:08:00 SRC=172.18.0.2 DST=xxx.xxx.xxx.113 LEN=1511 TOS=0x00 PREC=0x00 TTL=63 ID=43856 PROTO=UDP SPT=10370 DPT=38495 LEN=1491
Aug 24 11:14:47 forwarder kernel: [594576.179998] TRACE: filter:DOCKER-ISOLATION:return:1 IN=docker0 OUT=eth0 PHYSIN=veth79e0ef5 MAC=02:42:59:be:ab:24:02:42:ac:12:00:02:08:00 SRC=172.18.0.2 DST=xxx.xxx.xxx.113 LEN=1511 TOS=0x00 PREC=0x00 TTL=63 ID=43856 PROTO=UDP SPT=10370 DPT=38495 LEN=1491
Aug 24 11:14:47 forwarder kernel: [594576.180003] TRACE: filter:FORWARD:rule:4 IN=docker0 OUT=eth0 PHYSIN=veth79e0ef5 MAC=02:42:59:be:ab:24:02:42:ac:12:00:02:08:00 SRC=172.18.0.2 DST=xxx.xxx.xxx.113 LEN=1511 TOS=0x00 PREC=0x00 TTL=63 ID=43856 PROTO=UDP SPT=10370 DPT=38495 LEN=1491
Aug 24 11:14:47 forwarder kernel: [594576.180007] TRACE: security:FORWARD:policy:1 IN=docker0 OUT=eth0 PHYSIN=veth79e0ef5 MAC=02:42:59:be:ab:24:02:42:ac:12:00:02:08:00 SRC=172.18.0.2 DST=xxx.xxx.xxx.113 LEN=1511 TOS=0x00 PREC=0x00 TTL=63 ID=43856 PROTO=UDP SPT=10370 DPT=38495 LEN=1491
Aug 24 11:14:47 forwarder kernel: [594576.180010] TRACE: mangle:POSTROUTING:policy:1 IN= OUT=eth0 PHYSIN=veth79e0ef5 SRC=172.18.0.2 DST=xxx.xxx.xxx.113 LEN=1511 TOS=0x00 PREC=0x00 TTL=63 ID=43856 PROTO=UDP SPT=10370 DPT=38495 LEN=1491

Aug 24 11:15:11 forwarder kernel: [594600.593744] TRACE: raw:PREROUTING:policy:2 IN=eth0 OUT= MAC=00:16:3e:03:f4:3f:ee:ff:ff:ff:ff:ff:08:00 SRC=xxx.xxx.xxx.113 DST=172.17.128.213 LEN=1513 TOS=0x00 PREC=0x00 TTL=57 ID=17398 PROTO=UDP SPT=38495 DPT=10370 LEN=1493
Aug 24 11:15:11 forwarder kernel: [594600.593773] TRACE: mangle:PREROUTING:policy:1 IN=eth0 OUT= MAC=00:16:3e:03:f4:3f:ee:ff:ff:ff:ff:ff:08:00 SRC=xxx.xxx.xxx.113 DST=172.17.128.213 LEN=1513 TOS=0x00 PREC=0x00 TTL=57 ID=17398 PROTO=UDP SPT=38495 DPT=10370 LEN=1493
Aug 24 11:15:11 forwarder kernel: [594600.593788] TRACE: mangle:FORWARD:policy:1 IN=eth0 OUT=docker0 MAC=00:16:3e:03:f4:3f:ee:ff:ff:ff:ff:ff:08:00 SRC=xxx.xxx.xxx.113 DST=172.18.0.2 LEN=1513 TOS=0x00 PREC=0x00 TTL=56 ID=17398 PROTO=UDP SPT=38495 DPT=10370 LEN=1493
Aug 24 11:15:11 forwarder kernel: [594600.593795] TRACE: filter:FORWARD:rule:1 IN=eth0 OUT=docker0 MAC=00:16:3e:03:f4:3f:ee:ff:ff:ff:ff:ff:08:00 SRC=xxx.xxx.xxx.113 DST=172.18.0.2 LEN=1513 TOS=0x00 PREC=0x00 TTL=56 ID=17398 PROTO=UDP SPT=38495 DPT=10370 LEN=1493
Aug 24 11:15:11 forwarder kernel: [594600.593808] TRACE: filter:DOCKER-ISOLATION:return:1 IN=eth0 OUT=docker0 MAC=00:16:3e:03:f4:3f:ee:ff:ff:ff:ff:ff:08:00 SRC=xxx.xxx.xxx.113 DST=172.18.0.2 LEN=1513 TOS=0x00 PREC=0x00 TTL=56 ID=17398 PROTO=UDP SPT=38495 DPT=10370 LEN=1493
Aug 24 11:15:11 forwarder kernel: [594600.593813] TRACE: filter:FORWARD:rule:2 IN=eth0 OUT=docker0 MAC=00:16:3e:03:f4:3f:ee:ff:ff:ff:ff:ff:08:00 SRC=xxx.xxx.xxx.113 DST=172.18.0.2 LEN=1513 TOS=0x00 PREC=0x00 TTL=56 ID=17398 PROTO=UDP SPT=38495 DPT=10370 LEN=1493
Aug 24 11:15:11 forwarder kernel: [594600.593820] TRACE: filter:DOCKER:rule:30 IN=eth0 OUT=docker0 MAC=00:16:3e:03:f4:3f:ee:ff:ff:ff:ff:ff:08:00 SRC=xxx.xxx.xxx.113 DST=172.18.0.2 LEN=1513 TOS=0x00 PREC=0x00 TTL=56 ID=17398 PROTO=UDP SPT=38495 DPT=10370 LEN=1493
Aug 24 11:15:11 forwarder kernel: [594600.593825] TRACE: security:FORWARD:policy:1 IN=eth0 OUT=docker0 MAC=00:16:3e:03:f4:3f:ee:ff:ff:ff:ff:ff:08:00 SRC=xxx.xxx.xxx.113 DST=172.18.0.2 LEN=1513 TOS=0x00 PREC=0x00 TTL=56 ID=17398 PROTO=UDP SPT=38495 DPT=10370 LEN=1493
Aug 24 11:15:11 forwarder kernel: [594600.593830] TRACE: mangle:POSTROUTING:policy:1 IN= OUT=docker0 SRC=xxx.xxx.xxx.113 DST=172.18.0.2 LEN=1513 TOS=0x00 PREC=0x00 TTL=56 ID=17398 PROTO=UDP SPT=38495 DPT=10370 LEN=1493

Aug 24 11:15:11 forwarder kernel: [594600.593942] TRACE: raw:PREROUTING:policy:2 IN=docker0 OUT= PHYSIN=veth79e0ef5 MAC=02:42:59:be:ab:24:02:42:ac:12:00:02:08:00 SRC=172.18.0.2 DST=xxx.xxx.xxx.113 LEN=1513 TOS=0x00 PREC=0x00 TTL=64 ID=44215 PROTO=UDP SPT=10370 DPT=38495 LEN=1493
Aug 24 11:15:11 forwarder kernel: [594600.593948] TRACE: mangle:PREROUTING:policy:1 IN=docker0 OUT= PHYSIN=veth79e0ef5 MAC=02:42:59:be:ab:24:02:42:ac:12:00:02:08:00 SRC=172.18.0.2 DST=xxx.xxx.xxx.113 LEN=1513 TOS=0x00 PREC=0x00 TTL=64 ID=44215 PROTO=UDP SPT=10370 DPT=38495 LEN=1493
Aug 24 11:15:11 forwarder kernel: [594600.593957] TRACE: mangle:FORWARD:policy:1 IN=docker0 OUT=eth0 PHYSIN=veth79e0ef5 MAC=02:42:59:be:ab:24:02:42:ac:12:00:02:08:00 SRC=172.18.0.2 DST=xxx.xxx.xxx.113 LEN=1513 TOS=0x00 PREC=0x00 TTL=63 ID=44215 PROTO=UDP SPT=10370 DPT=38495 LEN=1493
Aug 24 11:15:11 forwarder kernel: [594600.593962] TRACE: filter:FORWARD:rule:1 IN=docker0 OUT=eth0 PHYSIN=veth79e0ef5 MAC=02:42:59:be:ab:24:02:42:ac:12:00:02:08:00 SRC=172.18.0.2 DST=xxx.xxx.xxx.113 LEN=1513 TOS=0x00 PREC=0x00 TTL=63 ID=44215 PROTO=UDP SPT=10370 DPT=38495 LEN=1493
Aug 24 11:15:11 forwarder kernel: [594600.593969] TRACE: filter:DOCKER-ISOLATION:return:1 IN=docker0 OUT=eth0 PHYSIN=veth79e0ef5 MAC=02:42:59:be:ab:24:02:42:ac:12:00:02:08:00 SRC=172.18.0.2 DST=xxx.xxx.xxx.113 LEN=1513 TOS=0x00 PREC=0x00 TTL=63 ID=44215 PROTO=UDP SPT=10370 DPT=38495 LEN=1493
Aug 24 11:15:11 forwarder kernel: [594600.593975] TRACE: filter:FORWARD:rule:4 IN=docker0 OUT=eth0 PHYSIN=veth79e0ef5 MAC=02:42:59:be:ab:24:02:42:ac:12:00:02:08:00 SRC=172.18.0.2 DST=xxx.xxx.xxx.113 LEN=1513 TOS=0x00 PREC=0x00 TTL=63 ID=44215 PROTO=UDP SPT=10370 DPT=38495 LEN=1493
Aug 24 11:15:11 forwarder kernel: [594600.593979] TRACE: security:FORWARD:policy:1 IN=docker0 OUT=eth0 PHYSIN=veth79e0ef5 MAC=02:42:59:be:ab:24:02:42:ac:12:00:02:08:00 SRC=172.18.0.2 DST=xxx.xxx.xxx.113 LEN=1513 TOS=0x00 PREC=0x00 TTL=63 ID=44215 PROTO=UDP SPT=10370 DPT=38495 LEN=1493
Aug 24 11:15:11 forwarder kernel: [594600.593982] TRACE: mangle:POSTROUTING:policy:1 IN= OUT=eth0 PHYSIN=veth79e0ef5 SRC=172.18.0.2 DST=xxx.xxx.xxx.113 LEN=1513 TOS=0x00 PREC=0x00 TTL=63 ID=44215 PROTO=UDP SPT=10370 DPT=38495 LEN=1493

Aug 24 11:15:32 forwarder kernel: [594621.306336] TRACE: raw:PREROUTING:policy:2 IN=eth0 OUT= MAC=00:16:3e:03:f4:3f:ee:ff:ff:ff:ff:ff:08:00 SRC=xxx.xxx.xxx.113 DST=172.17.128.213 LEN=1526 TOS=0x00 PREC=0x00 TTL=57 ID=17399 PROTO=UDP SPT=38495 DPT=10370 LEN=1506
Aug 24 11:15:32 forwarder kernel: [594621.306366] TRACE: mangle:PREROUTING:policy:1 IN=eth0 OUT= MAC=00:16:3e:03:f4:3f:ee:ff:ff:ff:ff:ff:08:00 SRC=xxx.xxx.xxx.113 DST=172.17.128.213 LEN=1526 TOS=0x00 PREC=0x00 TTL=57 ID=17399 PROTO=UDP SPT=38495 DPT=10370 LEN=1506
Aug 24 11:15:32 forwarder kernel: [594621.306381] TRACE: mangle:FORWARD:policy:1 IN=eth0 OUT=docker0 MAC=00:16:3e:03:f4:3f:ee:ff:ff:ff:ff:ff:08:00 SRC=xxx.xxx.xxx.113 DST=172.18.0.2 LEN=1526 TOS=0x00 PREC=0x00 TTL=56 ID=17399 PROTO=UDP SPT=38495 DPT=10370 LEN=1506
Aug 24 11:15:32 forwarder kernel: [594621.306387] TRACE: filter:FORWARD:rule:1 IN=eth0 OUT=docker0 MAC=00:16:3e:03:f4:3f:ee:ff:ff:ff:ff:ff:08:00 SRC=xxx.xxx.xxx.113 DST=172.18.0.2 LEN=1526 TOS=0x00 PREC=0x00 TTL=56 ID=17399 PROTO=UDP SPT=38495 DPT=10370 LEN=1506
Aug 24 11:15:32 forwarder kernel: [594621.306400] TRACE: filter:DOCKER-ISOLATION:return:1 IN=eth0 OUT=docker0 MAC=00:16:3e:03:f4:3f:ee:ff:ff:ff:ff:ff:08:00 SRC=xxx.xxx.xxx.113 DST=172.18.0.2 LEN=1526 TOS=0x00 PREC=0x00 TTL=56 ID=17399 PROTO=UDP SPT=38495 DPT=10370 LEN=1506
Aug 24 11:15:32 forwarder kernel: [594621.306405] TRACE: filter:FORWARD:rule:2 IN=eth0 OUT=docker0 MAC=00:16:3e:03:f4:3f:ee:ff:ff:ff:ff:ff:08:00 SRC=xxx.xxx.xxx.113 DST=172.18.0.2 LEN=1526 TOS=0x00 PREC=0x00 TTL=56 ID=17399 PROTO=UDP SPT=38495 DPT=10370 LEN=1506
Aug 24 11:15:32 forwarder kernel: [594621.306413] TRACE: filter:DOCKER:rule:30 IN=eth0 OUT=docker0 MAC=00:16:3e:03:f4:3f:ee:ff:ff:ff:ff:ff:08:00 SRC=xxx.xxx.xxx.113 DST=172.18.0.2 LEN=1526 TOS=0x00 PREC=0x00 TTL=56 ID=17399 PROTO=UDP SPT=38495 DPT=10370 LEN=1506
Aug 24 11:15:32 forwarder kernel: [594621.306418] TRACE: security:FORWARD:policy:1 IN=eth0 OUT=docker0 MAC=00:16:3e:03:f4:3f:ee:ff:ff:ff:ff:ff:08:00 SRC=xxx.xxx.xxx.113 DST=172.18.0.2 LEN=1526 TOS=0x00 PREC=0x00 TTL=56 ID=17399 PROTO=UDP SPT=38495 DPT=10370 LEN=1506
Aug 24 11:15:32 forwarder kernel: [594621.306423] TRACE: mangle:POSTROUTING:policy:1 IN= OUT=docker0 SRC=xxx.xxx.xxx.113 DST=172.18.0.2 LEN=1526 TOS=0x00 PREC=0x00 TTL=56 ID=17399 PROTO=UDP SPT=38495 DPT=10370 LEN=1506

Aug 24 11:15:32 forwarder kernel: [594621.306530] TRACE: raw:PREROUTING:policy:2 IN=docker0 OUT= PHYSIN=veth79e0ef5 MAC=02:42:59:be:ab:24:02:42:ac:12:00:02:08:00 SRC=172.18.0.2 DST=xxx.xxx.xxx.113 LEN=1526 TOS=0x00 PREC=0x00 TTL=64 ID=45186 PROTO=UDP SPT=10370 DPT=38495 LEN=1506
Aug 24 11:15:32 forwarder kernel: [594621.306535] TRACE: mangle:PREROUTING:policy:1 IN=docker0 OUT= PHYSIN=veth79e0ef5 MAC=02:42:59:be:ab:24:02:42:ac:12:00:02:08:00 SRC=172.18.0.2 DST=xxx.xxx.xxx.113 LEN=1526 TOS=0x00 PREC=0x00 TTL=64 ID=45186 PROTO=UDP SPT=10370 DPT=38495 LEN=1506
Aug 24 11:15:32 forwarder kernel: [594621.306544] TRACE: mangle:FORWARD:policy:1 IN=docker0 OUT=eth0 PHYSIN=veth79e0ef5 MAC=02:42:59:be:ab:24:02:42:ac:12:00:02:08:00 SRC=172.18.0.2 DST=xxx.xxx.xxx.113 LEN=1526 TOS=0x00 PREC=0x00 TTL=63 ID=45186 PROTO=UDP SPT=10370 DPT=38495 LEN=1506
Aug 24 11:15:32 forwarder kernel: [594621.306548] TRACE: filter:FORWARD:rule:1 IN=docker0 OUT=eth0 PHYSIN=veth79e0ef5 MAC=02:42:59:be:ab:24:02:42:ac:12:00:02:08:00 SRC=172.18.0.2 DST=xxx.xxx.xxx.113 LEN=1526 TOS=0x00 PREC=0x00 TTL=63 ID=45186 PROTO=UDP SPT=10370 DPT=38495 LEN=1506
Aug 24 11:15:32 forwarder kernel: [594621.306556] TRACE: filter:DOCKER-ISOLATION:return:1 IN=docker0 OUT=eth0 PHYSIN=veth79e0ef5 MAC=02:42:59:be:ab:24:02:42:ac:12:00:02:08:00 SRC=172.18.0.2 DST=xxx.xxx.xxx.113 LEN=1526 TOS=0x00 PREC=0x00 TTL=63 ID=45186 PROTO=UDP SPT=10370 DPT=38495 LEN=1506
Aug 24 11:15:32 forwarder kernel: [594621.306560] TRACE: filter:FORWARD:rule:4 IN=docker0 OUT=eth0 PHYSIN=veth79e0ef5 MAC=02:42:59:be:ab:24:02:42:ac:12:00:02:08:00 SRC=172.18.0.2 DST=xxx.xxx.xxx.113 LEN=1526 TOS=0x00 PREC=0x00 TTL=63 ID=45186 PROTO=UDP SPT=10370 DPT=38495 LEN=1506
Aug 24 11:15:32 forwarder kernel: [594621.306564] TRACE: security:FORWARD:policy:1 IN=docker0 OUT=eth0 PHYSIN=veth79e0ef5 MAC=02:42:59:be:ab:24:02:42:ac:12:00:02:08:00 SRC=172.18.0.2 DST=xxx.xxx.xxx.113 LEN=1526 TOS=0x00 PREC=0x00 TTL=63 ID=45186 PROTO=UDP SPT=10370 DPT=38495 LEN=1506
Aug 24 11:15:32 forwarder kernel: [594621.306567] TRACE: mangle:POSTROUTING:policy:1 IN= OUT=eth0 PHYSIN=veth79e0ef5 SRC=172.18.0.2 DST=xxx.xxx.xxx.113 LEN=1526 TOS=0x00 PREC=0x00 TTL=63 ID=45186 PROTO=UDP SPT=10370 DPT=38495 LEN=1506
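An added helper, not from the original post, that reduces a TRACE log like the one above to one line per datagram: the hops in order, keyed by source address and IP ID so that a datagram stays in one group even after DNAT rewrites its destination. The last hop on each line is where the verdict was decided, which is the first thing to look at when a packet silently disappears. The sample lines are constructed in the shape of the log above, with 198.51.100.113 standing in for the masked address.

```shell
#!/bin/sh
# Added example: summarize kernel TRACE lines into per-datagram paths.

# trace_paths: read TRACE lines on stdin, print "SRC id=ID [(DNAT a -> b)]: hop -> hop ..."
# in the order datagrams were first seen. A hop is the "table:chain:verdict:rulenum"
# token that follows "TRACE:" in each line.
trace_paths() {
    awk '
    /TRACE: / {
        hop = ""; src = ""; dst = ""; id = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "TRACE:")      hop = $(i + 1)
            else if ($i ~ /^SRC=/)   src = substr($i, 5)
            else if ($i ~ /^DST=/)   dst = substr($i, 5)
            else if ($i ~ /^ID=/)    id  = substr($i, 4)
        }
        if (hop == "" || id == "") next
        key = src " id=" id
        if (!(key in path)) {
            order[++n] = key; path[key] = hop; first[key] = dst
        } else {
            path[key] = path[key] " -> " hop
        }
        last[key] = dst      # DST at the latest hop; differs from first[] after DNAT
    }
    END {
        for (i = 1; i <= n; i++) {
            k = order[i]
            nat = (first[k] != last[k]) ? " (DNAT " first[k] " -> " last[k] ")" : ""
            print k nat ": " path[k]
        }
    }'
}

# sample_trace: constructed sample (abbreviated path of one request and its reply).
sample_trace() {
cat <<'EOF'
Aug 24 11:14:47 forwarder kernel: [594576.178700] TRACE: raw:PREROUTING:policy:2 IN=eth0 OUT= MAC=00:16:3e:03:f4:3f:ee:ff:ff:ff:ff:ff:08:00 SRC=198.51.100.113 DST=172.17.128.213 LEN=1511 TOS=0x00 PREC=0x00 TTL=57 ID=17397 PROTO=UDP SPT=38495 DPT=10370 LEN=1491
Aug 24 11:14:47 forwarder kernel: [594576.178759] TRACE: nat:DOCKER:rule:31 IN=eth0 OUT= MAC=00:16:3e:03:f4:3f:ee:ff:ff:ff:ff:ff:08:00 SRC=198.51.100.113 DST=172.17.128.213 LEN=1511 TOS=0x00 PREC=0x00 TTL=57 ID=17397 PROTO=UDP SPT=38495 DPT=10370 LEN=1491
Aug 24 11:14:47 forwarder kernel: [594576.178794] TRACE: filter:FORWARD:rule:2 IN=eth0 OUT=docker0 MAC=00:16:3e:03:f4:3f:ee:ff:ff:ff:ff:ff:08:00 SRC=198.51.100.113 DST=172.18.0.2 LEN=1511 TOS=0x00 PREC=0x00 TTL=56 ID=17397 PROTO=UDP SPT=38495 DPT=10370 LEN=1491
Aug 24 11:14:47 forwarder kernel: [594576.178815] TRACE: nat:POSTROUTING:policy:102 IN= OUT=docker0 SRC=198.51.100.113 DST=172.18.0.2 LEN=1511 TOS=0x00 PREC=0x00 TTL=56 ID=17397 PROTO=UDP SPT=38495 DPT=10370 LEN=1491
Aug 24 11:14:47 forwarder kernel: [594576.179972] TRACE: raw:PREROUTING:policy:2 IN=docker0 OUT= PHYSIN=veth79e0ef5 MAC=02:42:59:be:ab:24:02:42:ac:12:00:02:08:00 SRC=172.18.0.2 DST=198.51.100.113 LEN=1511 TOS=0x00 PREC=0x00 TTL=64 ID=43856 PROTO=UDP SPT=10370 DPT=38495 LEN=1491
Aug 24 11:14:47 forwarder kernel: [594576.180010] TRACE: mangle:POSTROUTING:policy:1 IN= OUT=eth0 PHYSIN=veth79e0ef5 SRC=172.18.0.2 DST=198.51.100.113 LEN=1511 TOS=0x00 PREC=0x00 TTL=63 ID=43856 PROTO=UDP SPT=10370 DPT=38495 LEN=1491
EOF
}
```

On a real host run `dmesg | trace_paths` or `journalctl -k | trace_paths`; a path that ends at a "rule:N" in the filter table with no POSTROUTING hop after it points straight at the rule that dropped or rejected the packet.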

For readers who want to dig into the details, here are the relevant rules (some near-identical rules were omitted for brevity):

root@forwarder:~# for t in filter mangle nat security raw;do echo '############################################';echo $t; echo '############################################';iptables -L -n -v -t $t;echo;done
############################################
filter
############################################
Chain INPUT (policy ACCEPT 8134 packets, 566K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DOCKER-ISOLATION  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 DOCKER     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  docker0 docker0  0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 6362 packets, 2498K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain DOCKER (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     udp  --  !docker0 docker0  0.0.0.0/0            172.18.0.2           udp dpt:10399
    0     0 ACCEPT     udp  --  !docker0 docker0  0.0.0.0/0            172.18.0.2           udp dpt:10398
    0     0 ACCEPT     udp  --  !docker0 docker0  0.0.0.0/0            172.18.0.2           udp dpt:10397
    0     0 ACCEPT     udp  --  !docker0 docker0  0.0.0.0/0            172.18.0.2           udp dpt:10396
    0     0 ACCEPT     udp  --  !docker0 docker0  0.0.0.0/0            172.18.0.2           udp dpt:10395
    0     0 ACCEPT     udp  --  !docker0 docker0  0.0.0.0/0            172.18.0.2           udp dpt:10394
    0     0 ACCEPT     udp  --  !docker0 docker0  0.0.0.0/0            172.18.0.2           udp dpt:10393
    0     0 ACCEPT     udp  --  !docker0 docker0  0.0.0.0/0            172.18.0.2           udp dpt:10392
    0     0 ACCEPT     udp  --  !docker0 docker0  0.0.0.0/0            172.18.0.2           udp dpt:10391
    0     0 ACCEPT     udp  --  !docker0 docker0  0.0.0.0/0            172.18.0.2           udp dpt:10390
    0     0 ACCEPT     udp  --  !docker0 docker0  0.0.0.0/0            172.18.0.2           udp dpt:10389
    0     0 ACCEPT     udp  --  !docker0 docker0  0.0.0.0/0            172.18.0.2           udp dpt:10388
    0     0 ACCEPT     udp  --  !docker0 docker0  0.0.0.0/0            172.18.0.2           udp dpt:10387
    0     0 ACCEPT     udp  --  !docker0 docker0  0.0.0.0/0            172.18.0.2           udp dpt:10386
    0     0 ACCEPT     udp  --  !docker0 docker0  0.0.0.0/0            172.18.0.2           udp dpt:10385
    0     0 ACCEPT     udp  --  !docker0 docker0  0.0.0.0/0            172.18.0.2           udp dpt:10384
    0     0 ACCEPT     udp  --  !docker0 docker0  0.0.0.0/0            172.18.0.2           udp dpt:10383
    0     0 ACCEPT     udp  --  !docker0 docker0  0.0.0.0/0            172.18.0.2           udp dpt:10382
    0     0 ACCEPT     udp  --  !docker0 docker0  0.0.0.0/0            172.18.0.2           udp dpt:10381
    0     0 ACCEPT     udp  --  !docker0 docker0  0.0.0.0/0            172.18.0.2           udp dpt:10380
    0     0 ACCEPT     udp  --  !docker0 docker0  0.0.0.0/0            172.18.0.2           udp dpt:10379
    0     0 ACCEPT     udp  --  !docker0 docker0  0.0.0.0/0            172.18.0.2           udp dpt:10378
    0     0 ACCEPT     udp  --  !docker0 docker0  0.0.0.0/0            172.18.0.2           udp dpt:10377
    0     0 ACCEPT     udp  --  !docker0 docker0  0.0.0.0/0            172.18.0.2           udp dpt:10376
    0     0 ACCEPT     udp  --  !docker0 docker0  0.0.0.0/0            172.18.0.2           udp dpt:10375
    0     0 ACCEPT     udp  --  !docker0 docker0  0.0.0.0/0            172.18.0.2           udp dpt:10374
    0     0 ACCEPT     udp  --  !docker0 docker0  0.0.0.0/0            172.18.0.2           udp dpt:10373
    0     0 ACCEPT     udp  --  !docker0 docker0  0.0.0.0/0            172.18.0.2           udp dpt:10372
    0     0 ACCEPT     udp  --  !docker0 docker0  0.0.0.0/0            172.18.0.2           udp dpt:10371
    0     0 ACCEPT     udp  --  !docker0 docker0  0.0.0.0/0            172.18.0.2           udp dpt:10370
# ... ...
    0     0 ACCEPT     udp  --  !docker0 docker0  0.0.0.0/0            172.18.0.2           udp dpt:10310
    0     0 ACCEPT     udp  --  !docker0 docker0  0.0.0.0/0            172.18.0.2           udp dpt:10309
    0     0 ACCEPT     udp  --  !docker0 docker0  0.0.0.0/0            172.18.0.2           udp dpt:10308
    0     0 ACCEPT     udp  --  !docker0 docker0  0.0.0.0/0            172.18.0.2           udp dpt:10307
    0     0 ACCEPT     udp  --  !docker0 docker0  0.0.0.0/0            172.18.0.2           udp dpt:10306
    0     0 ACCEPT     udp  --  !docker0 docker0  0.0.0.0/0            172.18.0.2           udp dpt:10305
    0     0 ACCEPT     udp  --  !docker0 docker0  0.0.0.0/0            172.18.0.2           udp dpt:10304
    0     0 ACCEPT     udp  --  !docker0 docker0  0.0.0.0/0            172.18.0.2           udp dpt:10303
    0     0 ACCEPT     udp  --  !docker0 docker0  0.0.0.0/0            172.18.0.2           udp dpt:10302
    0     0 ACCEPT     udp  --  !docker0 docker0  0.0.0.0/0            172.18.0.2           udp dpt:10301
    0     0 ACCEPT     udp  --  !docker0 docker0  0.0.0.0/0            172.18.0.2           udp dpt:10300

Chain DOCKER-ISOLATION (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

############################################
mangle
############################################
Chain PREROUTING (policy ACCEPT 146 packets, 9205 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain INPUT (policy ACCEPT 146 packets, 9205 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 123 packets, 70493 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 123 packets, 70493 bytes)
 pkts bytes target     prot opt in     out     source               destination         

############################################
nat
############################################
Chain PREROUTING (policy ACCEPT 371 packets, 20868 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 1193 73848 DOCKER     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT 371 packets, 20868 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 538 packets, 34120 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DOCKER     all  --  *      *       0.0.0.0/0           !127.0.0.0/8          ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT 538 packets, 34120 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 MASQUERADE  all  --  *      !docker0  172.18.0.0/16        0.0.0.0/0           
    0     0 MASQUERADE  udp  --  *      *       172.18.0.2           172.18.0.2           udp dpt:10399
    0     0 MASQUERADE  udp  --  *      *       172.18.0.2           172.18.0.2           udp dpt:10398
    0     0 MASQUERADE  udp  --  *      *       172.18.0.2           172.18.0.2           udp dpt:10397
    0     0 MASQUERADE  udp  --  *      *       172.18.0.2           172.18.0.2           udp dpt:10396
    0     0 MASQUERADE  udp  --  *      *       172.18.0.2           172.18.0.2           udp dpt:10395
    0     0 MASQUERADE  udp  --  *      *       172.18.0.2           172.18.0.2           udp dpt:10394
    0     0 MASQUERADE  udp  --  *      *       172.18.0.2           172.18.0.2           udp dpt:10393
    0     0 MASQUERADE  udp  --  *      *       172.18.0.2           172.18.0.2           udp dpt:10392
    0     0 MASQUERADE  udp  --  *      *       172.18.0.2           172.18.0.2           udp dpt:10391
    0     0 MASQUERADE  udp  --  *      *       172.18.0.2           172.18.0.2           udp dpt:10390
    0     0 MASQUERADE  udp  --  *      *       172.18.0.2           172.18.0.2           udp dpt:10389
    0     0 MASQUERADE  udp  --  *      *       172.18.0.2           172.18.0.2           udp dpt:10388
    0     0 MASQUERADE  udp  --  *      *       172.18.0.2           172.18.0.2           udp dpt:10387
    0     0 MASQUERADE  udp  --  *      *       172.18.0.2           172.18.0.2           udp dpt:10386
    0     0 MASQUERADE  udp  --  *      *       172.18.0.2           172.18.0.2           udp dpt:10385
    0     0 MASQUERADE  udp  --  *      *       172.18.0.2           172.18.0.2           udp dpt:10384
    0     0 MASQUERADE  udp  --  *      *       172.18.0.2           172.18.0.2           udp dpt:10383
    0     0 MASQUERADE  udp  --  *      *       172.18.0.2           172.18.0.2           udp dpt:10382
    0     0 MASQUERADE  udp  --  *      *       172.18.0.2           172.18.0.2           udp dpt:10381
    0     0 MASQUERADE  udp  --  *      *       172.18.0.2           172.18.0.2           udp dpt:10380
    0     0 MASQUERADE  udp  --  *      *       172.18.0.2           172.18.0.2           udp dpt:10379
    0     0 MASQUERADE  udp  --  *      *       172.18.0.2           172.18.0.2           udp dpt:10378
    0     0 MASQUERADE  udp  --  *      *       172.18.0.2           172.18.0.2           udp dpt:10377
    0     0 MASQUERADE  udp  --  *      *       172.18.0.2           172.18.0.2           udp dpt:10376
    0     0 MASQUERADE  udp  --  *      *       172.18.0.2           172.18.0.2           udp dpt:10375
    0     0 MASQUERADE  udp  --  *      *       172.18.0.2           172.18.0.2           udp dpt:10374
    0     0 MASQUERADE  udp  --  *      *       172.18.0.2           172.18.0.2           udp dpt:10373
    0     0 MASQUERADE  udp  --  *      *       172.18.0.2           172.18.0.2           udp dpt:10372
    0     0 MASQUERADE  udp  --  *      *       172.18.0.2           172.18.0.2           udp dpt:10371
    0     0 MASQUERADE  udp  --  *      *       172.18.0.2           172.18.0.2           udp dpt:10370
# ... ...
    0     0 MASQUERADE  udp  --  *      *       172.18.0.2           172.18.0.2           udp dpt:10310
    0     0 MASQUERADE  udp  --  *      *       172.18.0.2           172.18.0.2           udp dpt:10309
    0     0 MASQUERADE  udp  --  *      *       172.18.0.2           172.18.0.2           udp dpt:10308
    0     0 MASQUERADE  udp  --  *      *       172.18.0.2           172.18.0.2           udp dpt:10307
    0     0 MASQUERADE  udp  --  *      *       172.18.0.2           172.18.0.2           udp dpt:10306
    0     0 MASQUERADE  udp  --  *      *       172.18.0.2           172.18.0.2           udp dpt:10305
    0     0 MASQUERADE  udp  --  *      *       172.18.0.2           172.18.0.2           udp dpt:10304
    0     0 MASQUERADE  udp  --  *      *       172.18.0.2           172.18.0.2           udp dpt:10303
    0     0 MASQUERADE  udp  --  *      *       172.18.0.2           172.18.0.2           udp dpt:10302
    0     0 MASQUERADE  udp  --  *      *       172.18.0.2           172.18.0.2           udp dpt:10301
    0     0 MASQUERADE  udp  --  *      *       172.18.0.2           172.18.0.2           udp dpt:10300

Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 RETURN     all  --  docker0 *       0.0.0.0/0            0.0.0.0/0           
    0     0 DNAT       udp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:10399 to:172.18.0.2:10399
    0     0 DNAT       udp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:10398 to:172.18.0.2:10398
    0     0 DNAT       udp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:10397 to:172.18.0.2:10397
    0     0 DNAT       udp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:10396 to:172.18.0.2:10396
    0     0 DNAT       udp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:10395 to:172.18.0.2:10395
    0     0 DNAT       udp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:10394 to:172.18.0.2:10394
    0     0 DNAT       udp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:10393 to:172.18.0.2:10393
    0     0 DNAT       udp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:10392 to:172.18.0.2:10392
    0     0 DNAT       udp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:10391 to:172.18.0.2:10391
    0     0 DNAT       udp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:10390 to:172.18.0.2:10390
    0     0 DNAT       udp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:10389 to:172.18.0.2:10389
    0     0 DNAT       udp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:10388 to:172.18.0.2:10388
    0     0 DNAT       udp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:10387 to:172.18.0.2:10387
    0     0 DNAT       udp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:10386 to:172.18.0.2:10386
    0     0 DNAT       udp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:10385 to:172.18.0.2:10385
    0     0 DNAT       udp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:10384 to:172.18.0.2:10384
    0     0 DNAT       udp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:10383 to:172.18.0.2:10383
    0     0 DNAT       udp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:10382 to:172.18.0.2:10382
    0     0 DNAT       udp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:10381 to:172.18.0.2:10381
    0     0 DNAT       udp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:10380 to:172.18.0.2:10380
    0     0 DNAT       udp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:10379 to:172.18.0.2:10379
    0     0 DNAT       udp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:10378 to:172.18.0.2:10378
    0     0 DNAT       udp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:10377 to:172.18.0.2:10377
    0     0 DNAT       udp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:10376 to:172.18.0.2:10376
    0     0 DNAT       udp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:10375 to:172.18.0.2:10375
    0     0 DNAT       udp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:10374 to:172.18.0.2:10374
    0     0 DNAT       udp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:10373 to:172.18.0.2:10373
    0     0 DNAT       udp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:10372 to:172.18.0.2:10372
    0     0 DNAT       udp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:10371 to:172.18.0.2:10371
    0     0 DNAT       udp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:10370 to:172.18.0.2:10370
# ... ...
    0     0 DNAT       udp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:10311 to:172.18.0.2:10311
    0     0 DNAT       udp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:10310 to:172.18.0.2:10310
    0     0 DNAT       udp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:10309 to:172.18.0.2:10309
    0     0 DNAT       udp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:10308 to:172.18.0.2:10308
    0     0 DNAT       udp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:10307 to:172.18.0.2:10307
    0     0 DNAT       udp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:10306 to:172.18.0.2:10306
    0     0 DNAT       udp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:10305 to:172.18.0.2:10305
    0     0 DNAT       udp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:10304 to:172.18.0.2:10304
    0     0 DNAT       udp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:10303 to:172.18.0.2:10303
    0     0 DNAT       udp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:10302 to:172.18.0.2:10302
    0     0 DNAT       udp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:10301 to:172.18.0.2:10301
    0     0 DNAT       udp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:10300 to:172.18.0.2:10300

############################################
security
############################################
Chain INPUT (policy ACCEPT 146 packets, 9257 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 114 packets, 77993 bytes)
 pkts bytes target     prot opt in     out     source               destination         
############################################raw############################################Chain PREROUTING (policy ACCEPT 50 packets, 3203 bytes) pkts bytes target     prot opt in     out     source               destination             0     0 TRACE      udp  --  *      *       0.0.0.0/0            0.0.0.0/0           Chain OUTPUT (policy ACCEPT 41 packets, 55987 bytes) pkts bytes target     prot opt in     out     source               destination             0     0 TRACE      udp  --  *      *       0.0.0.0/0            0.0.0.0/0

Conclusion

In summary, there is a simple way to trace the execution path. Used for troubleshooting and diagnosis, it reveals how a packet is handled inside the kernel, and this simplicity is precisely its strength.

Note that after running a trace, the nf_conntrack* modules loaded by default impose limits, so it is best to reboot to return the host to the state it was in before the change.


Reprinted from: http://jgsuo.baihongyu.com/
