AP 中Netfilter/Ebtables/Iptables本地和转发流量的路径

最新推荐文章于 2024-04-12 01:31:48 发布
最新推荐文章于 2024-04-12 01:31:48 发布
阅读量3k 收藏 2
点赞数
分类专栏: Netfilter/Iptables/Ebtables 文章标签: netfilter iptables linux内核
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/zxygww/article/details/45046833
版权

Netfilter框架:



测试环境:



准备netfilter 环境:测试STA—>AP的流量

 

firewall-rules stop

 

iptables -t mangle -A PREROUTING -s 192.168.1.131 -p icmp -j LOG --log-prefix="IPT_MANGLE_PRER_131_ICMP: "

iptables -t nat -A PREROUTING -s 192.168.1.131 -p icmp -j LOG --log-prefix="IPT_NAT_PRER_131_ICMP: "

iptables -t mangle -A POSTROUTING -s 192.168.1.131 -p icmp -j LOG --log-prefix="IPT_MANGLE_POSTR_131_ICMP: "

iptables -t nat -A POSTROUTING -s 192.168.1.131 -p icmp -j LOG --log-prefix="IPT_NAT_POSTR_131_ICMP: "

iptables -t filter -A INPUT -s 192.168.1.131 -p icmp -j LOG --log-prefix="IPT_FILTER_INPUT_131_ICMP: "

iptables -t filter -A OUTPUT -s 192.168.1.131 -p icmp -j LOG --log-prefix="IPT_FILTER_OUTPUT_131_ICMP: "

iptables -t filter -A FORWARD -s 192.168.1.131 -p icmp -j LOG --log-prefix="IPT_FILTER_FORWARD_131_ICMP: "

iptables -t nat -A OUTPUT -s 192.168.1.131 -p icmp -j LOG --log-prefix="IPT_NAT_OUTPUT_131_ICMP: "

iptables -t mangle -A INPUT -s 192.168.1.131 -p icmp -j LOG --log-prefix="IPT_mangle_INPUT_131_ICMP: "

iptables -t mangle -A OUTPUT -s 192.168.1.131 -p icmp -j LOG --log-prefix="IPT_mangle_OUTPUT_131_ICMP: "

iptables -t mangle -A FORWARD -s 192.168.1.131 -p icmp -j LOG --log-prefix="IPT_mangle_FORWARD_131_ICMP: "

 

iptables -t mangle -I PREROUTING -m mark --mark 0x5a -j LOG --log-prefix="IPT_MANGLE_PRER_EBT_INPUTMARK"

 

ebtables -t broute -I BROUTING -p ipv4 --ip-proto ICMP --ip-src 192.168.1.131 --log-level info --log-ip --log-prefix "EBT_BROUTING_131_ICMP: "

ebtables -t nat -I PREROUTING -p ipv4 --ip-proto ICMP --ip-src 192.168.1.131 --log-level info --log-ip --log-prefix "EBT_PREROUTING_131_ICMP: "

ebtables -t nat -I POSTROUTING -p ipv4 --ip-proto ICMP --ip-src 192.168.1.131 --log-level info --log-ip --log-prefix "EBT_POSTROUTING_131_ICMP: "

ebtables -t nat -I OUTPUT -p ipv4 --ip-proto ICMP --ip-src 192.168.1.131 --log-level info --log-ip --log-prefix "EBT_OUTPUT_131_ICMP: "

 

ebtables -I FORWARD -p ipv4 --ip-proto ICMP --ip-src 192.168.1.131 --log-level info --log-ip --log-prefix "EBT_FORWARD_131_ICMP: "

ebtables -I INPUT -p ipv4 --ip-proto ICMP --ip-src 192.168.1.131 --log-level info --log-ip --log-prefix "EBT_INPUT_131_ICMP: "

ebtables -I OUTPUT -p ipv4 --ip-proto ICMP --ip-src 192.168.1.131 --log-level info --log-ip --log-prefix "EBT_OUTPUT_131_ICMP: "

 

ebtables -I INPUT -p IPv4 --ip-src 192.168.1.131 --ip-proto icmp --log-level info --log-prefix "" -j mark --mark-set 0x5a --mark-target CONTINUE

 

 

iptables -t mangle -L

iptables -t nat -L

iptables -t filter -L

 

ebtables -t broute -L

ebtables -t filter -L

ebtables -t nat -L

sysctl-w net.bridge.bridge-nf-call-iptables=0

STA执行命令:ping 192.168.1.1

如果没有连接跟踪表记录该流时,log如下:

EBT_BROUTING_131_ICMP:  IN=ath0.0 OUT= MAC source = 3c:a9:f4:b5:0d:cc MAC dest = 00:21:29:b6:b9:65 proto = 0x0800 IP SRC=192.168.1.131 IP DST=192.168.1.1, IP tos=0x00, IP proto=1

EBT_PREROUTING_131_ICMP:  IN=ath0.0 OUT= MAC source = 3c:a9:f4:b5:0d:cc MAC dest = 00:21:29:b6:b9:65 proto = 0x0800 IP SRC=192.168.1.131 IP DST=192.168.1.1, IP tos=0x00, IP proto=1

EBT_FORWARD_131_ICMP:  IN=ath0.0 OUT=eth0.0 MAC source = 3c:a9:f4:b5:0d:cc MAC dest = 00:21:29:b6:b9:65 proto = 0x0800 IP SRC=192.168.1.131 IP DST=192.168.1.1, IP tos=0x00, IP proto=1

EBT_POSTROUTING_131_ICMP:  IN= OUT=eth0.0 MAC source = 3c:a9:f4:b5:0d:cc MAC dest = 00:21:29:b6:b9:65 proto = 0x0800 IP SRC=192.168.1.131 IP DST=192.168.1.1, IP tos=0x00, IP proto=1

 

如果连接跟踪表记录该流时,log如下: 相同

EBT_BROUTING_131_ICMP:  IN=ath1.0 OUT= MAC source = 3c:a9:f4:b5:0d:cc MAC dest = 00:21:29:b6:b9:65 proto = 0x0800 IP SRC=192.168.1.131 IP DST=192.168.1.1, IP tos=0x00, IP proto=1

EBT_PREROUTING_131_ICMP:  IN=ath1.0 OUT= MAC source = 3c:a9:f4:b5:0d:cc MAC dest = 00:21:29:b6:b9:65 proto = 0x0800 IP SRC=192.168.1.131 IP DST=192.168.1.1, IP tos=0x00, IP proto=1

EBT_FORWARD_131_ICMP:  IN=ath1.0 OUT=eth0.0 MAC source = 3c:a9:f4:b5:0d:cc MAC dest = 00:21:29:b6:b9:65 proto = 0x0800 IP SRC=192.168.1.131 IP DST=192.168.1.1, IP tos=0x00, IP proto=1

EBT_POSTROUTING_131_ICMP:  IN= OUT=eth0.0 MAC source = 3c:a9:f4:b5:0d:cc MAC dest = 00:21:29:b6:b9:65 proto = 0x0800 IP SRC=192.168.1.131 IP DST=192.168.1.1, IP tos=0x00, IP proto=1

符合Netfilter流程图(不执行Netfilter路径上iptables hook点)

 

STA执行命令:ping 192.168.1.130

如果没有连接跟踪表记录该流时,log如下:多了IPT_NAT_PRER_131_ICMP

EBT_BROUTING_131_ICMP:  IN=ath0.0 OUT= MAC source = 3c:a9:f4:b5:0d:cc MAC dest = 70:f1:a1:aa:bd:60 proto = 0x0800 IP SRC=192.168.1.131 IP DST=192.168.1.130, IP tos=0x00, IP proto=1

EBT_PREROUTING_131_ICMP:  IN=ath0.0 OUT= MAC source = 3c:a9:f4:b5:0d:cc MAC dest = 70:f1:a1:aa:bd:60 proto = 0x0800 IP SRC=192.168.1.131 IP DST=192.168.1.130, IP tos=0x00, IP proto=1 IN=ath0.0 OUT= MAC source = 3c:a9:f4:b5:0d:cc MAC dest = 70:f1:a1:aa:bd:60 proto = 0x0800

EBT_INPUT_131_ICMP:  IN=ath0.0 OUT= MAC source = 3c:a9:f4:b5:0d:cc MAC dest = 70:f1:a1:aa:bd:60 proto = 0x0800 IP SRC=192.168.1.131 IP DST=192.168.1.130, IP tos=0x00, IP proto=1

IPT_MANGLE_PRER_EBT_INPUTMARKIN=br-lan0 OUT= MAC=70:f1:a1:aa:bd:60:3c:a9:f4:b5:0d:cc:08:00 SRC=192.168.1.131 DST=192.168.1.130 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=19538 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2547 MARK=0x5a

IPT_MANGLE_PRER_131_ICMP: IN=br-lan0 OUT= MAC=70:f1:a1:aa:bd:60:3c:a9:f4:b5:0d:cc:08:00 SRC=192.168.1.131 DST=192.168.1.130 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=19538 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2547 MARK=0x5a

IPT_NAT_PRER_131_ICMP: IN=br-lan0 OUT= MAC=70:f1:a1:aa:bd:60:3c:a9:f4:b5:0d:cc:08:00 SRC=192.168.1.131 DST=192.168.1.130 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=19538 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2547 MARK=0x5a

IPT_mangle_INPUT_131_ICMP: IN=br-lan0 OUT= MAC=70:f1:a1:aa:bd:60:3c:a9:f4:b5:0d:cc:08:00 SRC=192.168.1.131 DST=192.168.1.130 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=19538 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2547 MARK=0x5a

IPT_FILTER_INPUT_131_ICMP: IN=br-lan0 OUT= MAC=70:f1:a1:aa:bd:60:3c:a9:f4:b5:0d:cc:08:00 SRC=192.168.1.131 DST=192.168.1.130 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=19538 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2547 MARK=0x5a

 

如果连接跟踪表记录该流时,log如下;

 

EBT_BROUTING_131_ICMP:  IN=ath0.0 OUT= MAC source = 3c:a9:f4:b5:0d:cc MAC dest = 70:f1:a1:aa:bd:60 proto = 0x0800 IP SRC=192.168.1.131 IP DST=192.168.1.130, IP tos=0x00, IP proto=1

EBT_PREROUTING_131_ICMP:  IN=ath0.0 OUT= MAC source = 3c:a9:f4:b5:0d:cc MAC dest = 70:f1:a1:aa:bd:60 proto = 0x0800 IP SRC=192.168.1.131 IP DST=192.168.1.130, IP tos=0x00, IP proto=1

 IN=ath0.0 OUT= MAC source = 3c:a9:f4:b5:0d:cc MAC dest = 70:f1:a1:aa:bd:60 proto = 0x0800

EBT_INPUT_131_ICMP:  IN=ath0.0 OUT= MAC source = 3c:a9:f4:b5:0d:cc MAC dest = 70:f1:a1:aa:bd:60 proto = 0x0800 IP SRC=192.168.1.131 IP DST=192.168.1.130, IP tos=0x00, IP proto=1

IPT_MANGLE_PRER_EBT_INPUTMARKIN=br-lan0 OUT= MAC=70:f1:a1:aa:bd:60:3c:a9:f4:b5:0d:cc:08:00 SRC=192.168.1.131 DST=192.168.1.130 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=19540 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2549 MARK=0x5a

IPT_MANGLE_PRER_131_ICMP: IN=br-lan0 OUT= MAC=70:f1:a1:aa:bd:60:3c:a9:f4:b5:0d:cc:08:00 SRC=192.168.1.131 DST=192.168.1.130 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=19540 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2549 MARK=0x5a

IPT_mangle_INPUT_131_ICMP: IN=br-lan0 OUT= MAC=70:f1:a1:aa:bd:60:3c:a9:f4:b5:0d:cc:08:00 SRC=192.168.1.131 DST=192.168.1.130 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=19540 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2549 MARK=0x5a

IPT_FILTER_INPUT_131_ICMP: IN=br-lan0 OUT= MAC=70:f1:a1:aa:bd:60:3c:a9:f4:b5:0d:cc:08:00 SRC=192.168.1.131 DST=192.168.1.130 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=19540 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2549 MARK=0x5a

 

不符合Netfilter流程图:先走ebtables.INPUT再走iptables的PREROUTING,这是由于br_netfilter.c的br_nf_pre_routing()函数通过brnf_call_iptables变量提前返回了(不会执行该函数中的NF_HOOK(PF_INET, NF_INET_PRE_ROUTING, skb, skb->dev, NULL,br_nf_pre_routing_finish);调用),然后执行br_nf_local_in()。

 

sysctl -w net.bridge.bridge-nf-call-iptables=1

 

STA执行命令:ping 192.168.1.1

如果连接跟踪表记录该流时,log如下;

EBT_BROUTING_131_ICMP:  IN=ath0.0 OUT= MAC source = 3c:a9:f4:b5:0d:cc MAC dest = 00:21:29:b6:b9:65 proto = 0x0800 IP SRC=192.168.1.131 IP DST=192.168.1.1, IP tos=0x00, IP proto=1

EBT_PREROUTING_131_ICMP:  IN=ath0.0 OUT= MAC source = 3c:a9:f4:b5:0d:cc MAC dest = 00:21:29:b6:b9:65 proto = 0x0800 IP SRC=192.168.1.131 IP DST=192.168.1.1, IP tos=0x00, IP proto=1

IPT_MANGLE_PRER_131_ICMP: IN=br-lan0 OUT= PHYSIN=ath0.0 MAC=00:21:29:b6:b9:65:3c:a9:f4:b5:0d:cc:08:00 SRC=192.168.1.131 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=14516 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2528

EBT_FORWARD_131_ICMP:  IN=ath0.0 OUT=eth0.0 MAC source = 3c:a9:f4:b5:0d:cc MAC dest = 00:21:29:b6:b9:65 proto = 0x0800 IP SRC=192.168.1.131 IP DST=192.168.1.1, IP tos=0x00, IP proto=1

IPT_mangle_FORWARD_131_ICMP: IN=br-lan0 OUT=br-lan0 PHYSIN=ath0.0 PHYSOUT=eth0.0 SRC=192.168.1.131 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=14516 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2528

IPT_FILTER_FORWARD_131_ICMP: IN=br-lan0 OUT=br-lan0 PHYSIN=ath0.0 PHYSOUT=eth0.0 SRC=192.168.1.131 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=14516 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2528

EBT_POSTROUTING_131_ICMP:  IN= OUT=eth0.0 MAC source = 3c:a9:f4:b5:0d:cc MAC dest = 00:21:29:b6:b9:65 proto = 0x0800 IP SRC=192.168.1.131 IP DST=192.168.1.1, IP tos=0x00, IP proto=1

IPT_MANGLE_POSTR_131_ICMP: IN= OUT=br-lan0 PHYSIN=ath0.0 PHYSOUT=eth0.0 SRC=192.168.1.131 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=14516 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2528

 

如果没有连接跟踪表记录该流时,log如下:(多了IPT_NAT_PRER_131_ICMPIPT_NAT_POSTR_131_ICMP

EBT_BROUTING_131_ICMP:  IN=ath1.0 OUT= MAC source = 3c:a9:f4:b5:0d:cc MAC dest = 00:21:29:b6:b9:65 proto = 0x0800 IP SRC=192.168.1.131 IP DST=192.168.1.1, IP tos=0x00, IP proto=1

EBT_PREROUTING_131_ICMP:  IN=ath1.0 OUT= MAC source = 3c:a9:f4:b5:0d:cc MAC dest = 00:21:29:b6:b9:65 proto = 0x0800 IP SRC=192.168.1.131 IP DST=192.168.1.1, IP tos=0x00, IP proto=1

IPT_MANGLE_PRER_131_ICMP: IN=br-lan0 OUT= PHYSIN=ath1.0 MAC=00:21:29:b6:b9:65:3c:a9:f4:b5:0d:cc:08:00 SRC=192.168.1.131 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=14569 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2530

IPT_NAT_PRER_131_ICMP: IN=br-lan0 OUT= PHYSIN=ath1.0 MAC=00:21:29:b6:b9:65:3c:a9:f4:b5:0d:cc:08:00 SRC=192.168.1.131 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=14569 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2530

EBT_FORWARD_131_ICMP:  IN=ath1.0 OUT=eth0.0 MAC source = 3c:a9:f4:b5:0d:cc MAC dest = 00:21:29:b6:b9:65 proto = 0x0800 IP SRC=192.168.1.131 IP DST=192.168.1.1, IP tos=0x00, IP proto=1

IPT_mangle_FORWARD_131_ICMP: IN=br-lan0 OUT=br-lan0 PHYSIN=ath1.0 PHYSOUT=eth0.0 SRC=192.168.1.131 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=14569 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2530

IPT_FILTER_FORWARD_131_ICMP: IN=br-lan0 OUT=br-lan0 PHYSIN=ath1.0 PHYSOUT=eth0.0 SRC=192.168.1.131 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=14569 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2530

EBT_POSTROUTING_131_ICMP:  IN= OUT=eth0.0 MAC source = 3c:a9:f4:b5:0d:cc MAC dest = 00:21:29:b6:b9:65 proto = 0x0800 IP SRC=192.168.1.131 IP DST=192.168.1.1, IP tos=0x00, IP proto=1

IPT_MANGLE_POSTR_131_ICMP: IN= OUT=br-lan0 PHYSIN=ath1.0 PHYSOUT=eth0.0 SRC=192.168.1.131 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=14569 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2530

IPT_NAT_POSTR_131_ICMP: IN= OUT=br-lan0 PHYSIN=ath1.0 PHYSOUT=eth0.0 SRC=192.168.1.131 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=14569 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2530

符合Netfilter流程图

 

STA执行命令:ping 192.168.1.130

 

如果连接跟踪表记录该流时,log如下;

EBT_BROUTING_131_ICMP:  IN=ath1.0 OUT= MAC source = 3c:a9:f4:b5:0d:cc MAC dest = 70:f1:a1:aa:bd:60 proto = 0x0800 IP SRC=192.168.1.131 IP DST=192.168.1.130, IP tos=0x00, IP proto=1

EBT_PREROUTING_131_ICMP:  IN=ath1.0 OUT= MAC source = 3c:a9:f4:b5:0d:cc MAC dest = 70:f1:a1:aa:bd:60 proto = 0x0800 IP SRC=192.168.1.131 IP DST=192.168.1.130, IP tos=0x00, IP proto=1

IPT_MANGLE_PRER_131_ICMP: IN=br-lan0 OUT= PHYSIN=ath1.0 MAC=70:f1:a1:aa:bd:60:3c:a9:f4:b5:0d:cc:08:00 SRC=192.168.1.131 DST=192.168.1.130 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=14588 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2535

EBT_INPUT_131_ICMP:  IN=ath1.0 OUT= MAC source = 3c:a9:f4:b5:0d:cc MAC dest = 70:f1:a1:aa:bd:60 proto = 0x0800 IP SRC=192.168.1.131 IP DST=192.168.1.130, IP tos=0x00, IP proto=1

IPT_mangle_INPUT_131_ICMP: IN=br-lan0 OUT= PHYSIN=ath1.0 MAC=70:f1:a1:aa:bd:60:3c:a9:f4:b5:0d:cc:08:00 SRC=192.168.1.131 DST=192.168.1.130 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=14588 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2535

IPT_FILTER_INPUT_131_ICMP: IN=br-lan0 OUT= PHYSIN=ath1.0 MAC=70:f1:a1:aa:bd:60:3c:a9:f4:b5:0d:cc:08:00 SRC=192.168.1.131 DST=192.168.1.130 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=14588 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2535

 

如果没有连接跟踪表记录该流时,log如下:(多了IPT_NAT_PRER_131_ICMP

EBT_BROUTING_131_ICMP:  IN=ath0.0 OUT= MAC source = 3c:a9:f4:b5:0d:cc MAC dest = 70:f1:a1:aa:bd:60 proto = 0x0800 IP SRC=192.168.1.131 IP DST=192.168.1.130, IP tos=0x00, IP proto=1

EBT_PREROUTING_131_ICMP:  IN=ath0.0 OUT= MAC source = 3c:a9:f4:b5:0d:cc MAC dest = 70:f1:a1:aa:bd:60 proto = 0x0800 IP SRC=192.168.1.131 IP DST=192.168.1.130, IP tos=0x00, IP proto=1

IPT_MANGLE_PRER_131_ICMP: IN=br-lan0 OUT= PHYSIN=ath0.0 MAC=70:f1:a1:aa:bd:60:3c:a9:f4:b5:0d:cc:08:00 SRC=192.168.1.131 DST=192.168.1.130 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=14495 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2521

IPT_NAT_PRER_131_ICMP: IN=br-lan0 OUT= PHYSIN=ath0.0 MAC=70:f1:a1:aa:bd:60:3c:a9:f4:b5:0d:cc:08:00 SRC=192.168.1.131 DST=192.168.1.130 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=14495 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2521

EBT_INPUT_131_ICMP:  IN=ath0.0 OUT= MAC source = 3c:a9:f4:b5:0d:cc MAC dest = 70:f1:a1:aa:bd:60 proto = 0x0800 IP SRC=192.168.1.131 IP DST=192.168.1.130, IP tos=0x00, IP proto=1

IPT_mangle_INPUT_131_ICMP: IN=br-lan0 OUT= PHYSIN=ath0.0 MAC=70:f1:a1:aa:bd:60:3c:a9:f4:b5:0d:cc:08:00 SRC=192.168.1.131 DST=192.168.1.130 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=14495 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2521

IPT_FILTER_INPUT_131_ICMP: IN=br-lan0 OUT= PHYSIN=ath0.0 MAC=70:f1:a1:aa:bd:60:3c:a9:f4:b5:0d:cc:08:00 SRC=192.168.1.131 DST=192.168.1.130 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=14495 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2521

符合Netfilter流程图

 

测试APàSTA发送的流量

 

 

 

firewall-rules stop

 

 

iptables -t mangle -A PREROUTING -d 192.168.1.131 -p icmp -j LOG --log-prefix="IPT_MANGLE_PRER_131_ICMP: "

iptables -t nat -A PREROUTING -d 192.168.1.131 -p icmp -j LOG --log-prefix="IPT_NAT_PRER_131_ICMP: "

iptables -t mangle -A POSTROUTING -d 192.168.1.131 -p icmp -j LOG --log-prefix="IPT_MANGLE_POSTR_131_ICMP: "

iptables -t nat -A POSTROUTING -d 192.168.1.131 -p icmp -j LOG --log-prefix="IPT_NAT_POSTR_131_ICMP: "

iptables -t filter -A INPUT -d 192.168.1.131 -p icmp -j LOG --log-prefix="IPT_FILTER_INPUT_131_ICMP: "

iptables -t filter -A OUTPUT -d 192.168.1.131 -p icmp -j LOG --log-prefix="IPT_FILTER_OUTPUT_131_ICMP: "

iptables -t filter -A FORWARD -d 192.168.1.131 -p icmp -j LOG --log-prefix="IPT_FILTER_FORWARD_131_ICMP: "

iptables -t nat -A OUTPUT -d 192.168.1.131 -p icmp -j LOG --log-prefix="IPT_NAT_OUTPUT_131_ICMP: "

iptables -t mangle -A INPUT -d 192.168.1.131 -p icmp -j LOG --log-prefix="IPT_mangle_INPUT_131_ICMP: "

iptables -t mangle -A OUTPUT -d 192.168.1.131 -p icmp -j LOG --log-prefix="IPT_mangle_OUTPUT_131_ICMP: "

iptables -t mangle -A FORWARD -d 192.168.1.131 -p icmp -j LOG --log-prefix="IPT_mangle_FORWARD_131_ICMP: "

 

 

 

ebtables -t broute -I BROUTING -p ipv4 --ip-proto ICMP --ip-dst 192.168.1.131 --log-level info --log-ip --log-prefix "EBT_BROUTING_131_ICMP: "

ebtables -t nat -I PREROUTING -p ipv4 --ip-proto ICMP --ip-dst 192.168.1.131 --log-level info --log-ip --log-prefix "EBT_PREROUTING_131_ICMP: "

ebtables -t nat -I POSTROUTING -p ipv4 --ip-proto ICMP --ip-dst 192.168.1.131 --log-level info --log-ip --log-prefix "EBT_POSTROUTING_131_ICMP: "

ebtables -t nat -I OUTPUT -p ipv4 --ip-proto ICMP --ip-dst 192.168.1.131 --log-level info --log-ip --log-prefix "EBT_NAT_OUTPUT_131_ICMP: "

 

ebtables -I FORWARD -p ipv4 --ip-proto ICMP --ip-dst 192.168.1.131 --log-level info --log-ip --log-prefix "EBT_FORWARD_131_ICMP: "

ebtables -I INPUT -p ipv4 --ip-proto ICMP --ip-dst 192.168.1.131 --log-level info --log-ip --log-prefix "EBT_INPUT_131_ICMP: "

ebtables -I OUTPUT -p ipv4 --ip-proto ICMP --ip-dst 192.168.1.131 --log-level info --log-ip --log-prefix "EBT_OUTPUT_131_ICMP: "

 

iptables -t mangle -L

iptables -t nat -L

iptables -t filter -L

 

ebtables -t broute -L

ebtables -t filter -L

ebtables -t nat -L

 

 

sysctl -w net.bridge.bridge-nf-call-iptables=0

AP执行命令:ping 192.168.1.131

 

如果连接跟踪表记录该流时,log如下;

IPT_mangle_OUTPUT_131_ICMP: IN= OUT=br-lan0 SRC=192.168.1.130 DST=192.168.1.131 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=468 SEQ=0

IPT_NAT_OUTPUT_131_ICMP: IN= OUT=br-lan0 SRC=192.168.1.130 DST=192.168.1.131 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=468 SEQ=0

IPT_FILTER_OUTPUT_131_ICMP: IN= OUT=br-lan0 SRC=192.168.1.130 DST=192.168.1.131 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=468 SEQ=0

IPT_MANGLE_POSTR_131_ICMP: IN= OUT=br-lan0 SRC=192.168.1.130 DST=192.168.1.131 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=468 SEQ=0

IPT_NAT_POSTR_131_ICMP: IN= OUT=br-lan0 SRC=192.168.1.130 DST=192.168.1.131 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=468 SEQ=0

EBT_NAT_OUTPUT_131_ICMP:  IN= OUT=ath0.0 MAC source = 70:f1:a1:aa:bd:60 MAC dest = 3c:a9:f4:b5:0d:cc proto = 0x0800 IP SRC=192.168.1.130 IP DST=192.168.1.131, IP tos=0x00, IP proto=1

EBT_OUTPUT_131_ICMP:  IN= OUT=ath0.0 MAC source = 70:f1:a1:aa:bd:60 MAC dest = 3c:a9:f4:b5:0d:cc proto = 0x0800 IP SRC=192.168.1.130 IP DST=192.168.1.131, IP tos=0x00, IP proto=1

EBT_POSTROUTING_131_ICMP:  IN= OUT=ath0.0 MAC source = 70:f1:a1:aa:bd:60 MAC dest = 3c:a9:f4:b5:0d:cc proto = 0x0800 IP SRC=192.168.1.130 IP DST=192.168.1.131, IP tos=0x00, IP proto=1

 

如果没有连接跟踪表记录该流时,log如下:没有差异

IPT_mangle_OUTPUT_131_ICMP: IN= OUT=br-lan0 SRC=192.168.1.130 DST=192.168.1.131 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=468 SEQ=0

IPT_NAT_OUTPUT_131_ICMP: IN= OUT=br-lan0 SRC=192.168.1.130 DST=192.168.1.131 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=468 SEQ=0

IPT_FILTER_OUTPUT_131_ICMP: IN= OUT=br-lan0 SRC=192.168.1.130 DST=192.168.1.131 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=468 SEQ=0

IPT_MANGLE_POSTR_131_ICMP: IN= OUT=br-lan0 SRC=192.168.1.130 DST=192.168.1.131 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=468 SEQ=0

IPT_NAT_POSTR_131_ICMP: IN= OUT=br-lan0 SRC=192.168.1.130 DST=192.168.1.131 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=468 SEQ=0

EBT_NAT_OUTPUT_131_ICMP:  IN= OUT=ath0.0 MAC source = 70:f1:a1:aa:bd:60 MAC dest = 3c:a9:f4:b5:0d:cc proto = 0x0800 IP SRC=192.168.1.130 IP DST=192.168.1.131, IP tos=0x00, IP proto=1

EBT_OUTPUT_131_ICMP:  IN= OUT=ath0.0 MAC source = 70:f1:a1:aa:bd:60 MAC dest = 3c:a9:f4:b5:0d:cc proto = 0x0800 IP SRC=192.168.1.130 IP DST=192.168.1.131, IP tos=0x00, IP proto=1

EBT_POSTROUTING_131_ICMP:  IN= OUT=ath0.0 MAC source = 70:f1:a1:aa:bd:60 MAC dest = 3c:a9:f4:b5:0d:cc proto = 0x0800 IP SRC=192.168.1.130 IP DST=192.168.1.131, IP tos=0x00, IP proto=1

符合Netfilter流程图

 

sysctl -w net.bridge.bridge-nf-call-iptables=1

AP执行命令:ping 192.168.1.131

如果连接跟踪表记录该流时,log如下;

IPT_mangle_OUTPUT_131_ICMP: IN= OUT=br-lan0 SRC=192.168.1.130 DST=192.168.1.131 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=2462 SEQ=0

IPT_NAT_OUTPUT_131_ICMP: IN= OUT=br-lan0 SRC=192.168.1.130 DST=192.168.1.131 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=2462 SEQ=0

IPT_FILTER_OUTPUT_131_ICMP: IN= OUT=br-lan0 SRC=192.168.1.130 DST=192.168.1.131 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=2462 SEQ=0

IPT_MANGLE_POSTR_131_ICMP: IN= OUT=br-lan0 SRC=192.168.1.130 DST=192.168.1.131 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=2462 SEQ=0

IPT_NAT_POSTR_131_ICMP: IN= OUT=br-lan0 SRC=192.168.1.130 DST=192.168.1.131 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=2462 SEQ=0

EBT_NAT_OUTPUT_131_ICMP:  IN= OUT=ath0.0 MAC source = 70:f1:a1:aa:bd:60 MAC dest = 3c:a9:f4:b5:0d:cc proto = 0x0800 IP SRC=192.168.1.130 IP DST=192.168.1.131, IP tos=0x00, IP proto=1

EBT_OUTPUT_131_ICMP:  IN= OUT=ath0.0 MAC source = 70:f1:a1:aa:bd:60 MAC dest = 3c:a9:f4:b5:0d:cc proto = 0x0800 IP SRC=192.168.1.130 IP DST=192.168.1.131, IP tos=0x00, IP proto=1

EBT_POSTROUTING_131_ICMP:  IN= OUT=ath0.0 MAC source = 70:f1:a1:aa:bd:60 MAC dest = 3c:a9:f4:b5:0d:cc proto = 0x0800 IP SRC=192.168.1.130 IP DST=192.168.1.131, IP tos=0x00, IP proto=1

 

 

如果没有连接跟踪表记录该流时,log如下:相同

IPT_mangle_OUTPUT_131_ICMP: IN= OUT=br-lan0 SRC=192.168.1.130 DST=192.168.1.131 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=2462 SEQ=0

IPT_NAT_OUTPUT_131_ICMP: IN= OUT=br-lan0 SRC=192.168.1.130 DST=192.168.1.131 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=2462 SEQ=0

IPT_FILTER_OUTPUT_131_ICMP: IN= OUT=br-lan0 SRC=192.168.1.130 DST=192.168.1.131 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=2462 SEQ=0

IPT_MANGLE_POSTR_131_ICMP: IN= OUT=br-lan0 SRC=192.168.1.130 DST=192.168.1.131 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=2462 SEQ=0

IPT_NAT_POSTR_131_ICMP: IN= OUT=br-lan0 SRC=192.168.1.130 DST=192.168.1.131 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=2462 SEQ=0

EBT_NAT_OUTPUT_131_ICMP:  IN= OUT=ath0.0 MAC source = 70:f1:a1:aa:bd:60 MAC dest = 3c:a9:f4:b5:0d:cc proto = 0x0800 IP SRC=192.168.1.130 IP DST=192.168.1.131, IP tos=0x00, IP proto=1

EBT_OUTPUT_131_ICMP:  IN= OUT=ath0.0 MAC source = 70:f1:a1:aa:bd:60 MAC dest = 3c:a9:f4:b5:0d:cc proto = 0x0800 IP SRC=192.168.1.130 IP DST=192.168.1.131, IP tos=0x00, IP proto=1

EBT_POSTROUTING_131_ICMP:  IN= OUT=ath0.0 MAC source = 70:f1:a1:aa:bd:60 MAC dest = 3c:a9:f4:b5:0d:cc proto = 0x0800 IP SRC=192.168.1.130 IP DST=192.168.1.131, IP tos=0x00, IP proto=1

 

符合Netfilter流程图

 


中下游国外我
关注
  • 0
    点赞
  • 2
    收藏
    觉得还不错? 一键收藏
  • 0
    评论
专栏目录
Linux防火墙netfilter/ebtables简介
deanzhang5757的专栏
12-27 940
备注:本文翻译于ebtables官方用户手册,翻译有用词不当的地方请指正 NAME ebtables (v2.0.10-1) - Ethernet bridge frame table administration SYNOPSIS(概要) ebtables [-t table ] -[ACDI] chain rule specification [match extensions] [wa...
netfilter/iptables(简称为iptables
01-09
netfilter/iptables(简称为iptables)组成Linux平台下的包过滤防火墙,与大多数的Linux软件一样,这个包过滤防火墙是免费的,它可以代替昂贵的商业防火墙解决方案,完成封包过滤、封包重定向和网络地址转换(NAT)...
ebtables的使用
热门推荐
OpenWrt/WLAN/驱动/Android/嵌入式开发总结
12-06 1万+
http://blog.163.com/dyc_888@126/blog/static/10044335120111255249503/ http://blog.chinaunix.net/uid-10694051-id-2935976.html 一:ebtables简介 ebtables和iptables类似,都是Linux系统下网络数据包过滤的配置工具。既然称之为配置工具,就是说过滤功能
iptables/ebtables学习笔记
最新发布
CrystalGabrielle的博客
04-12 970
iptables/ebtables学习笔记
iptables流量
qq_45691577的博客
05-01 3001
centos默认不适用iptables,因此如果需要使用iptables,需要停止firewalld systemctl stop firewalld 再centos上使用iptables需要安装iptables依赖,即iptables-services、iptables-devel这两个包 sudo yum install iptables-services iptables-devel 启动iptables systemctl enable iptables.service && s
iptables 端口转发
ailx10
07-11 1667
这次实验通过iptables 实现本地22端口转发和远程3389端口转发,同样从黑客视角只能看到跳板机到黑客IP的流量,但是在跳板机上可以看到双向流量,不管是本地转发还是远程转发,都是在跳板机上操作的,这一点和端口转发工具 rinetd一摸一样,可见,控制了跳板机,就控制了内网~实验1:将本地端口转发到本地端口iptables -t nat -A PREROUTING -p tcp --dport...
如何设置iptables,让网络流量转发给内部容器mysql
不积跬步,无以至千里;不积小流,无以成江海。
07-22 513
完成上述步骤后,当有外部请求进入系统的 13306端口时,iptables 将会将流量转发给内部容器 MySQL 服务的 3306 端口,从而实现端口转发。如果你的系统上启用了防火墙(例如 UFW),请确保允许相应的端口通过防火墙。命令保存和加载规则:这是一种简单的方法,当系统重启时会自动加载保存的规则。规则之后,将其保存并加载,以便规则在系统重启后仍然生效。这将允许外部主机连接到你的系统的 13306端口。为你的 MySQL 容器实际的 IP 地址。服务将自动加载保存的规则。服务将自动加载保存的规则。
Linux netfilter/iptables知识点详解
09-14
在本篇文章里小编给大家整理的是关于Linux netfilter/iptables知识点详解,有兴趣的朋友们可以参考下。
LinuxNetfilter/iptables的研究与应用 (2014年)
05-15
应用Netfilter/iptables的包过滤特性建立了内外网间的防火墙,通过手动配置iptables规则的方式对数据包进行有目标性的过滤,防止非法数据攻击,实现了阻隔Ping洪水攻击、拦截特定网段数据包、数据包入队等待后续...
linux ebtables iptables关联图
06-27
很强大的linux协议栈ebtables\iptables数据处理流程图
iptablesebtables指南
03-12
非常不错的东西与大家分享,包括iptables指南与ebtables指南
ebtables与iptables之间的交互技巧
sxd2001的博客
06-12 2089
ebtables与iptables之间的交互操作进行了分析,并剖析了broute的DROP不同用法之间的实质差异,避免broute的DROP起不到强制路由作用
防火墙转发流量的原理
u011029104的专栏
04-05 1147
切忌搞清楚转发原理(理解防火墙怎样的执行顺序至关重要) 简单概要防火墙包转发顺序: 千万要注意: 防火墙包转发的第一步也是最重要的一步是查询会话表 一: 外网访问内网(通过目标nat映射的情况) (访问流量) 外网口接收报文-->查询会话表-->(会话记录不存在)创建会话-->查询nat映射(有的情况,无直接拒绝)-->查找路由表-->安全检查(如安全策略)---...
iptablesebtables、arptables
安子自语
09-16 4324
http://www.360doc.com/content/11/1103/13/1964482_161328892.shtml Ebtables即是以太网桥防火墙,以太网桥工作在数据链路层,Ebtables来过滤数据链路层数据包。 2.6内核内置了Ebtables,要使用它必须先安装Ebtables的用户空间工具(ebtables-v2.0.6),安装完成后就可以使用ebtable
iptables配置NAT实现端口转发与ss命令的讲解
weixin_47680367的博客
08-08 1万+
nat的使用与ss命令
ebtables介绍
kv110的专栏
08-23 6660
ebtables 参考文档 http://ebtables.netfilter.org/misc/ebtables-man.html external/ebtables/docs/how_it_works.html
走进Linux内核之Netfilter框架
maimang1001的专栏
05-24 1109
走进Linux内核之Netfilter框架 - 掘金笔者此前对Linux内核相关模块稍有研究,实现内核级通信加密、视频流加密等。话不多说直接上才艺,现在带你走进Linux内核之Netfilter框架。https://juejin.cn/post/7008945265021288484 本文正在参与 “走过Linux三十年”话题征文活动 笔者此前对Linux内核相关模块稍有研究,实现内核级通信加密、视频流加密等,涉及:Linux内核网络协议栈、Linux内核通信模块、Linux内核加密模块、秘钥生成分发
Netfilter源代码分析详解
06-22
介绍了Netfilter/IPTables的发展历程和设计理念,以及其在Linux防火墙机制的重要性和作用。Netfilter的模块化设计和可扩充性为其提供了很高的灵活性和功能性,使得用户能够根据自身需求对数据报进行灵活的处理和...

“相关推荐”对你有帮助么?

  • 非常没帮助
  • 没帮助
  • 一般
  • 有帮助
  • 非常有帮助
提交
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值