NAT PREROUTING tests
Reference: https://serverfault.com/questions/1065983/iptables-prerouting-not-in-effect?rq=1
# Local host IP: 192.168.0.10
# Test 1:
ping -i 0.01 192.168.0.10 # send pings rapidly, then read the iptables packet counters to see which chains the packets traversed
# Result:
raw table: packets in PREROUTING and OUTPUT
mangle table: packets in PREROUTING, INPUT, OUTPUT and POSTROUTING
nat table: no packets at all
filter table: INPUT, OUTPUT
# So the traversal order is (nat took no part; reason to be investigated)
OUTPUT -> POSTROUTING -> PREROUTING -> INPUT
# Test 2:
ping -i 0.01 127.0.0.1 # same as localhost
# Result:
raw table: PREROUTING, OUTPUT
mangle table: PREROUTING, INPUT, OUTPUT, POSTROUTING
nat table: no packets
filter table: INPUT, OUTPUT
# Test 3: ping 192.168.0.10 from an external machine
ping -t 192.168.0.10
# Result:
raw table: PREROUTING
mangle table: PREROUTING, INPUT, OUTPUT, POSTROUTING
nat table: almost no packets. Correction: only the first packet of a connection matches here; once a TCP (or any other) connection is established and keeps carrying data, its conntrack state goes from NEW -> ESTABLISHED and the following packets no longer enter nat PREROUTING
filter table: INPUT, OUTPUT
# Test 4: ping 192.168.0.10 from an external machine
# Zero the nat table counters first
[root@boy ~]# iptables -t nat -Z
[root@boy ~]# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
# ping 192.168.0.10 from the external machine
C:\Users\JiaYu>ping 192.168.0.10
正在 Ping 192.168.0.10 具有 32 字节的数据:
来自 192.168.0.10 的回复: 字节=32 时间<1ms TTL=64
来自 192.168.0.10 的回复: 字节=32 时间<1ms TTL=64
来自 192.168.0.10 的回复: 字节=32 时间=1ms TTL=64
来自 192.168.0.10 的回复: 字节=32 时间<1ms TTL=64
192.168.0.10 的 Ping 统计信息:
数据包: 已发送 = 4,已接收 = 4,丢失 = 0 (0% 丢失),
往返行程的估计时间(以毫秒为单位):
最短 = 0ms,最长 = 1ms,平均 = 0ms
# Check iptables again: each chain counted exactly one additional packet
[root@boy ~]# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 1 packets, 60 bytes)
pkts bytes target prot opt in out source destination
Chain INPUT (policy ACCEPT 1 packets, 60 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 1 packets, 76 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 1 packets, 76 bytes)
pkts bytes target prot opt in out source destination
# Conclusion: only when a new connection is created do the 4 chains of the nat table see packets
# Test 5: curl 192.168.0.10:80 from an external machine
[root@boy ~]# docker run -d -p 80:80 nginx
4de65a9af070ee5cf7446a591da86a52391427a73f3f907864e3dd31cba4db5f
[root@boy ~]# iptables -t nat -Z
[root@boy ~]# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DOCKER all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 4 packets, 304 bytes)
pkts bytes target prot opt in out source destination
0 0 DOCKER all -- * * 0.0.0.0/0 !127.0.0.0/8 ADDRTYPE match dst-type LOCAL
Chain POSTROUTING (policy ACCEPT 4 packets, 304 bytes)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE all -- * !docker0 172.17.0.0/16 0.0.0.0/0
0 0 MASQUERADE tcp -- * * 172.17.0.2 172.17.0.2 tcp dpt:80
Chain DOCKER (2 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- docker0 * 0.0.0.0/0 0.0.0.0/0
0 0 DNAT tcp -- !docker0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 to:172.17.0.2:80
# Local access test (note that PREROUTING counts nothing here; reason: packets generated by local processes do not traverse nat PREROUTING)
[root@boy ~]# for i in {1..1000} ; do curl localhost &>/dev/null ; done
[root@boy ~]# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DOCKER all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 1012 packets, 60912 bytes)
pkts bytes target prot opt in out source destination
0 0 DOCKER all -- * * 0.0.0.0/0 !127.0.0.0/8 ADDRTYPE match dst-type LOCAL
Chain POSTROUTING (policy ACCEPT 1012 packets, 60912 bytes)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE all -- * !docker0 172.17.0.0/16 0.0.0.0/0
0 0 MASQUERADE tcp -- * * 172.17.0.2 172.17.0.2 tcp dpt:80
Chain DOCKER (2 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- docker0 * 0.0.0.0/0 0.0.0.0/0
0 0 DNAT tcp -- !docker0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 to:172.17.0.2:80
# External access test: the number of requests equals the PREROUTING pkts count
C:\Users\JiaYu>tcping 192.168.0.10 80
Probing 192.168.0.10:80/tcp - Port is open - time=1.123ms
Probing 192.168.0.10:80/tcp - Port is open - time=1.294ms
Probing 192.168.0.10:80/tcp - Port is open - time=1.222ms
Probing 192.168.0.10:80/tcp - Port is open - time=2.052ms
Ping statistics for 192.168.0.10:80
4 probes sent.
4 successful, 0 failed. (0.00% fail)
Approximate trip times in milli-seconds:
Minimum = 1.123ms, Maximum = 2.052ms, Average = 1.423ms
[root@boy ~]# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
4 208 DOCKER all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 1024 packets, 61824 bytes)
pkts bytes target prot opt in out source destination
0 0 DOCKER all -- * * 0.0.0.0/0 !127.0.0.0/8 ADDRTYPE match dst-type LOCAL
Chain POSTROUTING (policy ACCEPT 1028 packets, 62032 bytes)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE all -- * !docker0 172.17.0.0/16 0.0.0.0/0
0 0 MASQUERADE tcp -- * * 172.17.0.2 172.17.0.2 tcp dpt:80
Chain DOCKER (2 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- docker0 * 0.0.0.0/0 0.0.0.0/0
4 208 DNAT tcp -- !docker0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 to:172.17.0.2:80
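The tests above all follow the same routine: zero the counters, generate traffic, then read `iptables -t <table> -nvL` and look for chains whose counters moved. The script below is an added example (not part of the original note) that automates that reading step. `chain_hits` parses the listing and prints every chain that counted packets (policy counter plus per-rule pkts); `trace_tables` wraps the whole zero / traffic / read cycle for the raw, mangle, nat and filter tables. The embedded listing is constructed to mirror the nat table after the four external TCP probes in test 5; both function names are the example's own.

```shell
#!/bin/sh
# Added example: summarise which chains of an iptables table saw packets,
# from the text that `iptables -t <table> -nvxL` prints.
# (-x prints exact counters instead of abbreviations such as 12K.)

# Constructed sample listing: nat table after 4 external TCP probes to port 80.
SAMPLE_NAT='Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    4   208 DOCKER     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 1024 packets, 61824 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DOCKER     all  --  *      *       0.0.0.0/0           !127.0.0.0/8          ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT 1028 packets, 62032 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  *      !docker0  172.17.0.0/16        0.0.0.0/0
    0     0 MASQUERADE  tcp  --  *      *       172.17.0.2           172.17.0.2           tcp dpt:80

Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 RETURN     all  --  docker0 *       0.0.0.0/0            0.0.0.0/0
    4   208 DNAT       tcp  --  !docker0 *      0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:172.17.0.2:80'

# chain_hits: read an `iptables -nvxL` listing on stdin and print "CHAIN N" for
# every chain whose policy counter or rule counters are non-zero, in listing order.
# A packet that matches a non-terminating rule and then falls through to the
# policy is counted twice, so N is a traversal indicator, not an exact packet count.
chain_hits() {
    awk '
        /^Chain / {
            chain = $2
            if (!(chain in seen)) { order[++n] = chain; seen[chain] = 1; total[chain] = 0 }
            # built-in chains carry "(policy ACCEPT N packets, M bytes)"
            if ($3 == "(policy") total[chain] += $5
            next
        }
        $1 ~ /^[0-9]+$/ { total[chain] += $1 }   # rule line: first field is pkts
        END {
            for (i = 1; i <= n; i++)
                if (total[order[i]] > 0) print order[i], total[order[i]]
        }
    '
}

# trace_tables: the live version of the note's procedure (needs root and iptables).
# Zero every table, run the traffic-generating command given as arguments,
# then show which chains of each table counted packets.
trace_tables() {
    for t in raw mangle nat filter; do iptables -t "$t" -Z; done
    "$@"
    for t in raw mangle nat filter; do
        echo "== $t"
        iptables -t "$t" -nvxL | chain_hits
    done
}

# Offline demonstration on the constructed listing:
printf '%s\n' "$SAMPLE_NAT" | chain_hits
# Live use, e.g.:  trace_tables ping -c 20 -i 0.01 192.168.0.10
```

On the constructed listing `chain_hits` reports PREROUTING, OUTPUT, POSTROUTING and DOCKER, and INPUT is absent, which matches the note's observation that the four external probes were counted once in PREROUTING (the DOCKER jump) and DNATed in the DOCKER chain while the 1024 local curls only ever appear in OUTPUT and POSTROUTING.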
Notes:
- The PREROUTING chain is not evaluated on packets generated by local processes
- the first packet in a flow initiated by a local process doesn’t traverse nat/PREROUTING
- but it does traverse nat/OUTPUT
- only the first packet (state NEW) of a connection traverses the nat table (so further packets like replies don’t matter here anyway)