iptables NAT PREROUTING packet filtering analysis

This post records in detail a set of tests of the PREROUTING chain in iptables, covering different kinds of ping, local curl and HTTP requests from an external machine. The results show that the PREROUTING chain of the nat table only acts when a new connection is established, for example when an external machine pings or sends an HTTP request, and that packets generated by local programs do not pass through it at all. The nat table rules Docker installs to handle container traffic are also shown.

NAT PREROUTING tests

Reference: https://serverfault.com/questions/1065983/iptables-prerouting-not-in-effect?rq=1

# Local IP: 192.168.0.10
# Test 1:
	ping -i 0.01 192.168.0.10   # ping rapidly, then read the iptables packet counters to see which chains the packets traversed

# Result:
	raw table: PREROUTING and OUTPUT both see packets
	mangle table: PREROUTING, INPUT, OUTPUT and POSTROUTING all see packets
	nat table: no packets pass through
	filter table: INPUT, OUTPUT

# So the traversal order is (the nat table did not take part in filtering; reason to be investigated)
	OUTPUT -> POSTROUTING -> PREROUTING -> INPUT
# Test 2:
	ping -i 0.01 127.0.0.1   # same as localhost

# Result:
	raw table: PREROUTING, OUTPUT
	mangle table: PREROUTING, INPUT, OUTPUT, POSTROUTING
	nat table: no packets
	filter table: INPUT, OUTPUT
# Test 3: external machine pings 192.168.0.10
	ping -t 192.168.0.10

# Result:
	raw table: PREROUTING
	mangle table: PREROUTING, INPUT, OUTPUT, POSTROUTING
	nat table: almost no packets. Correction: the rule is matched only by the first packet of a connection; once the TCP (or other) connection is established and data keeps flowing, the connection state goes from NEW -> ESTABLISHED and the subsequent packets no longer enter the nat table's PREROUTING chain
	filter table: INPUT, OUTPUT
# Test 4: external machine pings 192.168.0.10

# Zero the iptables nat counters
[root@boy ~]# iptables -t nat -Z
[root@boy ~]# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination 

# External machine pings 192.168.0.10
C:\Users\JiaYu>ping 192.168.0.10

正在 Ping 192.168.0.10 具有 32 字节的数据:
来自 192.168.0.10 的回复: 字节=32 时间<1ms TTL=64
来自 192.168.0.10 的回复: 字节=32 时间<1ms TTL=64
来自 192.168.0.10 的回复: 字节=32 时间=1ms TTL=64
来自 192.168.0.10 的回复: 字节=32 时间<1ms TTL=64

192.168.0.10 的 Ping 统计信息:
    数据包: 已发送 = 4,已接收 = 4,丢失 = 0 (0% 丢失),
往返行程的估计时间(以毫秒为单位):
    最短 = 0ms,最长 = 1ms,平均 = 0ms

# Check iptables: only one packet was matched in each chain
[root@boy ~]# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 1 packets, 60 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain INPUT (policy ACCEPT 1 packets, 60 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 1 packets, 76 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 1 packets, 76 bytes)
 pkts bytes target     prot opt in     out     source               destination 
 

# Conclusion: only when a new connection is created do the 4 chains of the nat table see the packet
# Test 5: external machine curls 192.168.0.10:80

[root@boy ~]# docker run -d -p 80:80 nginx
4de65a9af070ee5cf7446a591da86a52391427a73f3f907864e3dd31cba4db5f
[root@boy ~]# iptables -t nat -Z
[root@boy ~]# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DOCKER     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 4 packets, 304 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DOCKER     all  --  *      *       0.0.0.0/0           !127.0.0.0/8          ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT 4 packets, 304 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 MASQUERADE  all  --  *      !docker0  172.17.0.0/16        0.0.0.0/0           
    0     0 MASQUERADE  tcp  --  *      *       172.17.0.2           172.17.0.2           tcp dpt:80

Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 RETURN     all  --  docker0 *       0.0.0.0/0            0.0.0.0/0           
    0     0 DNAT       tcp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:172.17.0.2:80

# Local access test (note that PREROUTING on the local host sees no packets; reason: packets generated by local programs do not traverse nat PREROUTING)
[root@boy ~]# for i in {1..1000} ; do curl localhost &>/dev/null ; done
[root@boy ~]# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DOCKER     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 1012 packets, 60912 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DOCKER     all  --  *      *       0.0.0.0/0           !127.0.0.0/8          ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT 1012 packets, 60912 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 MASQUERADE  all  --  *      !docker0  172.17.0.0/16        0.0.0.0/0           
    0     0 MASQUERADE  tcp  --  *      *       172.17.0.2           172.17.0.2           tcp dpt:80

Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 RETURN     all  --  docker0 *       0.0.0.0/0            0.0.0.0/0           
    0     0 DNAT       tcp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:172.17.0.2:80

# External access test: the number of requests equals the PREROUTING pkts count
C:\Users\JiaYu>tcping 192.168.0.10 80

Probing 192.168.0.10:80/tcp - Port is open - time=1.123ms
Probing 192.168.0.10:80/tcp - Port is open - time=1.294ms
Probing 192.168.0.10:80/tcp - Port is open - time=1.222ms
Probing 192.168.0.10:80/tcp - Port is open - time=2.052ms

Ping statistics for 192.168.0.10:80
     4 probes sent.
     4 successful, 0 failed.  (0.00% fail)
Approximate trip times in milli-seconds:
     Minimum = 1.123ms, Maximum = 2.052ms, Average = 1.423ms

[root@boy ~]# iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    4   208 DOCKER     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 1024 packets, 61824 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DOCKER     all  --  *      *       0.0.0.0/0           !127.0.0.0/8          ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT 1028 packets, 62032 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 MASQUERADE  all  --  *      !docker0  172.17.0.0/16        0.0.0.0/0           
    0     0 MASQUERADE  tcp  --  *      *       172.17.0.2           172.17.0.2           tcp dpt:80

Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 RETURN     all  --  docker0 *       0.0.0.0/0            0.0.0.0/0           
    4   208 DNAT       tcp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:172.17.0.2:80

Notes:

  1. The PREROUTING chain is not evaluated on packets generated by local processes.
  2. The first packet in a flow initiated by a local process doesn't traverse nat/PREROUTING,
  3. but it does traverse nat/OUTPUT.
  4. Only the first packet (state NEW) of a connection traverses the nat table (so further packets like replies don't matter here anyway).
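The tests above compare two `iptables -t nat -nvL` listings by eye. As an added example, not part of the original post, the script below parses that listing format and reports only the chain policy counters and rules whose packet counts grew between two snapshots; the sample listings are constructed from the post's own output before and after the external tcping, trimmed to the relevant rows, and the `traffic_delta` helper and its `/tmp` paths are assumptions for live use on a host with iptables.

```shell
# Summarise one `iptables -t nat -nvL` listing (stdin) as "key packets" lines:
# "<chain>:policy" for the chain's policy counter, "<chain>:rule<N>:<target>"
# for the N-th rule of that chain.
nat_counters() {
    awk '/^Chain / { chain = $2; n = 0
                     if ($3 == "(policy") print chain ":policy", $5
                     next }
         /^ *[0-9]+ +[0-9]+ +[A-Z]/ { n++; print chain ":rule" n ":" $3, $1 }'
}

# Print the counters that grew between two summaries as "key delta".
counter_delta() {   # $1 = before summary file, $2 = after summary file
    awk 'NR == FNR { before[$1] = $2; next }
         { d = $2 - before[$1]; if (d > 0) print $1, d }' "$1" "$2"
}

# Live use (needs root; assumed helper): snapshot, run the traffic command in $1, compare.
# e.g. traffic_delta 'for i in $(seq 1000); do curl -s localhost >/dev/null; done'
traffic_delta() {
    iptables -t nat -nvL | nat_counters > "/tmp/nat_before.$$"
    sh -c "$1"
    iptables -t nat -nvL | nat_counters > "/tmp/nat_after.$$"
    counter_delta "/tmp/nat_before.$$" "/tmp/nat_after.$$"
    rm -f "/tmp/nat_before.$$" "/tmp/nat_after.$$"
}

# Constructed offline check, trimmed from the post's listings around the 4-probe
# tcping: only the PREROUTING DOCKER rule, its DNAT rule and the OUTPUT policy move.
SAMPLE_BEFORE='Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
    0     0 DOCKER     all  --  *      *       0.0.0.0/0  0.0.0.0/0  ADDRTYPE match dst-type LOCAL
Chain OUTPUT (policy ACCEPT 1012 packets, 60912 bytes)
Chain DOCKER (2 references)
    0     0 DNAT       tcp  --  !docker0 *      0.0.0.0/0  0.0.0.0/0  tcp dpt:80 to:172.17.0.2:80'
SAMPLE_AFTER='Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
    4   208 DOCKER     all  --  *      *       0.0.0.0/0  0.0.0.0/0  ADDRTYPE match dst-type LOCAL
Chain OUTPUT (policy ACCEPT 1024 packets, 61824 bytes)
Chain DOCKER (2 references)
    4   208 DNAT       tcp  --  !docker0 *      0.0.0.0/0  0.0.0.0/0  tcp dpt:80 to:172.17.0.2:80'

demo_delta() {   # prints: PREROUTING:rule1:DOCKER 4, OUTPUT:policy 12, DOCKER:rule1:DNAT 4
    printf '%s\n' "$SAMPLE_BEFORE" | nat_counters > "/tmp/nat_b.$$"
    printf '%s\n' "$SAMPLE_AFTER"  | nat_counters > "/tmp/nat_a.$$"
    counter_delta "/tmp/nat_b.$$" "/tmp/nat_a.$$"
    rm -f "/tmp/nat_b.$$" "/tmp/nat_a.$$"
}
```

The PREROUTING policy counter stays at 0 in both snapshots because every new inbound connection is consumed by the DOCKER rule, which is why the post reads the DOCKER and DNAT rule counters rather than the chain policy.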