Netfilter/Ebtables/Iptables: the path taken by local and forwarded traffic

Netfilter framework:



Test environment:



Preparing the netfilter environment: testing STA -> AP traffic

First stop the existing firewall rules, then install one LOG rule in every iptables table and chain, matching ICMP from the STA 192.168.1.131:

firewall-rules stop

iptables -t mangle -A PREROUTING -s 192.168.1.131 -p icmp -j LOG --log-prefix="IPT_MANGLE_PRER_131_ICMP: "
iptables -t nat -A PREROUTING -s 192.168.1.131 -p icmp -j LOG --log-prefix="IPT_NAT_PRER_131_ICMP: "
iptables -t mangle -A POSTROUTING -s 192.168.1.131 -p icmp -j LOG --log-prefix="IPT_MANGLE_POSTR_131_ICMP: "
iptables -t nat -A POSTROUTING -s 192.168.1.131 -p icmp -j LOG --log-prefix="IPT_NAT_POSTR_131_ICMP: "
iptables -t filter -A INPUT -s 192.168.1.131 -p icmp -j LOG --log-prefix="IPT_FILTER_INPUT_131_ICMP: "
iptables -t filter -A OUTPUT -s 192.168.1.131 -p icmp -j LOG --log-prefix="IPT_FILTER_OUTPUT_131_ICMP: "
iptables -t filter -A FORWARD -s 192.168.1.131 -p icmp -j LOG --log-prefix="IPT_FILTER_FORWARD_131_ICMP: "
iptables -t nat -A OUTPUT -s 192.168.1.131 -p icmp -j LOG --log-prefix="IPT_NAT_OUTPUT_131_ICMP: "
iptables -t mangle -A INPUT -s 192.168.1.131 -p icmp -j LOG --log-prefix="IPT_mangle_INPUT_131_ICMP: "
iptables -t mangle -A OUTPUT -s 192.168.1.131 -p icmp -j LOG --log-prefix="IPT_mangle_OUTPUT_131_ICMP: "
iptables -t mangle -A FORWARD -s 192.168.1.131 -p icmp -j LOG --log-prefix="IPT_mangle_FORWARD_131_ICMP: "

One more mangle PREROUTING rule logs any packet that already carries fwmark 0x5a. The ebtables INPUT rule further down sets that mark, so this rule shows whether a mark set in ebtables is still visible when iptables runs (its prefix has no trailing space, which is why its log line runs straight into "IN="):

iptables -t mangle -I PREROUTING -m mark --mark 0x5a -j LOG --log-prefix="IPT_MANGLE_PRER_EBT_INPUTMARK"

The corresponding LOG rules on the ebtables side, in the broute, nat and filter tables:

ebtables -t broute -I BROUTING -p ipv4 --ip-proto ICMP --ip-src 192.168.1.131 --log-level info --log-ip --log-prefix "EBT_BROUTING_131_ICMP: "
ebtables -t nat -I PREROUTING -p ipv4 --ip-proto ICMP --ip-src 192.168.1.131 --log-level info --log-ip --log-prefix "EBT_PREROUTING_131_ICMP: "
ebtables -t nat -I POSTROUTING -p ipv4 --ip-proto ICMP --ip-src 192.168.1.131 --log-level info --log-ip --log-prefix "EBT_POSTROUTING_131_ICMP: "
ebtables -t nat -I OUTPUT -p ipv4 --ip-proto ICMP --ip-src 192.168.1.131 --log-level info --log-ip --log-prefix "EBT_OUTPUT_131_ICMP: "

ebtables -I FORWARD -p ipv4 --ip-proto ICMP --ip-src 192.168.1.131 --log-level info --log-ip --log-prefix "EBT_FORWARD_131_ICMP: "
ebtables -I INPUT -p ipv4 --ip-proto ICMP --ip-src 192.168.1.131 --log-level info --log-ip --log-prefix "EBT_INPUT_131_ICMP: "
ebtables -I OUTPUT -p ipv4 --ip-proto ICMP --ip-src 192.168.1.131 --log-level info --log-ip --log-prefix "EBT_OUTPUT_131_ICMP: "

Finally, an ebtables INPUT rule that sets fwmark 0x5a on the STA's ICMP and then continues rule traversal. Its log prefix is empty and it does not use --log-ip, so its log line starts directly with "IN=" and carries no IP fields:

ebtables -I INPUT -p IPv4 --ip-src 192.168.1.131 --ip-proto icmp --log-level info --log-prefix "" -j mark --mark-set 0x5a --mark-target CONTINUE

Check that the rules are in place:

iptables -t mangle -L
iptables -t nat -L
iptables -t filter -L

ebtables -t broute -L
ebtables -t filter -L
ebtables -t nat -L

sysctl -w net.bridge.bridge-nf-call-iptables=0

ping 192.168.1.1

When the conntrack table has no entry for this flow, the log is:

EBT_BROUTING_131_ICMP:  IN=ath0.0 OUT= MAC source = 3c:a9:f4:b5:0d:cc MAC dest = 00:21:29:b6:b9:65 proto = 0x0800 IP SRC=192.168.1.131 IP DST=192.168.1.1, IP tos=0x00, IP proto=1

EBT_PREROUTING_131_ICMP:  IN=ath0.0 OUT= MAC source = 3c:a9:f4:b5:0d:cc MAC dest = 00:21:29:b6:b9:65 proto = 0x0800 IP SRC=192.168.1.131 IP DST=192.168.1.1, IP tos=0x00, IP proto=1

EBT_FORWARD_131_ICMP:  IN=ath0.0 OUT=eth0.0 MAC source = 3c:a9:f4:b5:0d:cc MAC dest = 00:21:29:b6:b9:65 proto = 0x0800 IP SRC=192.168.1.131 IP DST=192.168.1.1, IP tos=0x00, IP proto=1

EBT_POSTROUTING_131_ICMP:  IN= OUT=eth0.0 MAC source = 3c:a9:f4:b5:0d:cc MAC dest = 00:21:29:b6:b9:65 proto = 0x0800 IP SRC=192.168.1.131 IP DST=192.168.1.1, IP tos=0x00, IP proto=1

 

When the conntrack table already has an entry for this flow, the log is the same:

EBT_BROUTING_131_ICMP:  IN=ath1.0 OUT= MAC source = 3c:a9:f4:b5:0d:cc MAC dest = 00:21:29:b6:b9:65 proto = 0x0800 IP SRC=192.168.1.131 IP DST=192.168.1.1, IP tos=0x00, IP proto=1

EBT_PREROUTING_131_ICMP:  IN=ath1.0 OUT= MAC source = 3c:a9:f4:b5:0d:cc MAC dest = 00:21:29:b6:b9:65 proto = 0x0800 IP SRC=192.168.1.131 IP DST=192.168.1.1, IP tos=0x00, IP proto=1

EBT_FORWARD_131_ICMP:  IN=ath1.0 OUT=eth0.0 MAC source = 3c:a9:f4:b5:0d:cc MAC dest = 00:21:29:b6:b9:65 proto = 0x0800 IP SRC=192.168.1.131 IP DST=192.168.1.1, IP tos=0x00, IP proto=1

EBT_POSTROUTING_131_ICMP:  IN= OUT=eth0.0 MAC source = 3c:a9:f4:b5:0d:cc MAC dest = 00:21:29:b6:b9:65 proto = 0x0800 IP SRC=192.168.1.131 IP DST=192.168.1.1, IP tos=0x00, IP proto=1

Matches the Netfilter flow diagram (with bridge-nf-call-iptables=0 the iptables hook points on the Netfilter path are not executed).

ping 192.168.1.130

When the conntrack table has no entry for this flow, the log has one extra line, IPT_NAT_PRER_131_ICMP (the nat table is consulted only for the first packet of a connection, i.e. one that has no conntrack entry yet):

EBT_BROUTING_131_ICMP:  IN=ath0.0 OUT= MAC source = 3c:a9:f4:b5:0d:cc MAC dest = 70:f1:a1:aa:bd:60 proto = 0x0800 IP SRC=192.168.1.131 IP DST=192.168.1.130, IP tos=0x00, IP proto=1

EBT_PREROUTING_131_ICMP:  IN=ath0.0 OUT= MAC source = 3c:a9:f4:b5:0d:cc MAC dest = 70:f1:a1:aa:bd:60 proto = 0x0800 IP SRC=192.168.1.131 IP DST=192.168.1.130, IP tos=0x00, IP proto=1

 IN=ath0.0 OUT= MAC source = 3c:a9:f4:b5:0d:cc MAC dest = 70:f1:a1:aa:bd:60 proto = 0x0800

EBT_INPUT_131_ICMP:  IN=ath0.0 OUT= MAC source = 3c:a9:f4:b5:0d:cc MAC dest = 70:f1:a1:aa:bd:60 proto = 0x0800 IP SRC=192.168.1.131 IP DST=192.168.1.130, IP tos=0x00, IP proto=1

IPT_MANGLE_PRER_EBT_INPUTMARKIN=br-lan0 OUT= MAC=70:f1:a1:aa:bd:60:3c:a9:f4:b5:0d:cc:08:00 SRC=192.168.1.131 DST=192.168.1.130 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=19538 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2547 MARK=0x5a

IPT_MANGLE_PRER_131_ICMP: IN=br-lan0 OUT= MAC=70:f1:a1:aa:bd:60:3c:a9:f4:b5:0d:cc:08:00 SRC=192.168.1.131 DST=192.168.1.130 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=19538 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2547 MARK=0x5a

IPT_NAT_PRER_131_ICMP: IN=br-lan0 OUT= MAC=70:f1:a1:aa:bd:60:3c:a9:f4:b5:0d:cc:08:00 SRC=192.168.1.131 DST=192.168.1.130 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=19538 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2547 MARK=0x5a

IPT_mangle_INPUT_131_ICMP: IN=br-lan0 OUT= MAC=70:f1:a1:aa:bd:60:3c:a9:f4:b5:0d:cc:08:00 SRC=192.168.1.131 DST=192.168.1.130 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=19538 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2547 MARK=0x5a

IPT_FILTER_INPUT_131_ICMP: IN=br-lan0 OUT= MAC=70:f1:a1:aa:bd:60:3c:a9:f4:b5:0d:cc:08:00 SRC=192.168.1.131 DST=192.168.1.130 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=19538 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2547 MARK=0x5a

 

When the conntrack table already has an entry for this flow, the log is:

 

EBT_BROUTING_131_ICMP:  IN=ath0.0 OUT= MAC source = 3c:a9:f4:b5:0d:cc MAC dest = 70:f1:a1:aa:bd:60 proto = 0x0800 IP SRC=192.168.1.131 IP DST=192.168.1.130, IP tos=0x00, IP proto=1

EBT_PREROUTING_131_ICMP:  IN=ath0.0 OUT= MAC source = 3c:a9:f4:b5:0d:cc MAC dest = 70:f1:a1:aa:bd:60 proto = 0x0800 IP SRC=192.168.1.131 IP DST=192.168.1.130, IP tos=0x00, IP proto=1

 IN=ath0.0 OUT= MAC source = 3c:a9:f4:b5:0d:cc MAC dest = 70:f1:a1:aa:bd:60 proto = 0x0800

EBT_INPUT_131_ICMP:  IN=ath0.0 OUT= MAC source = 3c:a9:f4:b5:0d:cc MAC dest = 70:f1:a1:aa:bd:60 proto = 0x0800 IP SRC=192.168.1.131 IP DST=192.168.1.130, IP tos=0x00, IP proto=1

IPT_MANGLE_PRER_EBT_INPUTMARKIN=br-lan0 OUT= MAC=70:f1:a1:aa:bd:60:3c:a9:f4:b5:0d:cc:08:00 SRC=192.168.1.131 DST=192.168.1.130 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=19540 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2549 MARK=0x5a

IPT_MANGLE_PRER_131_ICMP: IN=br-lan0 OUT= MAC=70:f1:a1:aa:bd:60:3c:a9:f4:b5:0d:cc:08:00 SRC=192.168.1.131 DST=192.168.1.130 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=19540 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2549 MARK=0x5a

IPT_mangle_INPUT_131_ICMP: IN=br-lan0 OUT= MAC=70:f1:a1:aa:bd:60:3c:a9:f4:b5:0d:cc:08:00 SRC=192.168.1.131 DST=192.168.1.130 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=19540 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2549 MARK=0x5a

IPT_FILTER_INPUT_131_ICMP: IN=br-lan0 OUT= MAC=70:f1:a1:aa:bd:60:3c:a9:f4:b5:0d:cc:08:00 SRC=192.168.1.131 DST=192.168.1.130 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=19540 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2549 MARK=0x5a

Does not match the Netfilter flow diagram (a packet addressed to the AP itself leaves the bridge at its INPUT hook and enters the IP stack, so the iptables PREROUTING and INPUT hooks run even with bridge-nf-call-iptables=0).

sysctl -w net.bridge.bridge-nf-call-iptables=1

ping 192.168.1.1

When the conntrack table already has an entry for this flow, the log is:

EBT_BROUTING_131_ICMP:  IN=ath0.0 OUT= MAC source = 3c:a9:f4:b5:0d:cc MAC dest = 00:21:29:b6:b9:65 proto = 0x0800 IP SRC=192.168.1.131 IP DST=192.168.1.1, IP tos=0x00, IP proto=1

EBT_PREROUTING_131_ICMP:  IN=ath0.0 OUT= MAC source = 3c:a9:f4:b5:0d:cc MAC dest = 00:21:29:b6:b9:65 proto = 0x0800 IP SRC=192.168.1.131 IP DST=192.168.1.1, IP tos=0x00, IP proto=1

IPT_MANGLE_PRER_131_ICMP: IN=br-lan0 OUT= PHYSIN=ath0.0 MAC=00:21:29:b6:b9:65:3c:a9:f4:b5:0d:cc:08:00 SRC=192.168.1.131 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=14516 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2528

EBT_FORWARD_131_ICMP:  IN=ath0.0 OUT=eth0.0 MAC source = 3c:a9:f4:b5:0d:cc MAC dest = 00:21:29:b6:b9:65 proto = 0x0800 IP SRC=192.168.1.131 IP DST=192.168.1.1, IP tos=0x00, IP proto=1

IPT_mangle_FORWARD_131_ICMP: IN=br-lan0 OUT=br-lan0 PHYSIN=ath0.0 PHYSOUT=eth0.0 SRC=192.168.1.131 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=14516 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2528

IPT_FILTER_FORWARD_131_ICMP: IN=br-lan0 OUT=br-lan0 PHYSIN=ath0.0 PHYSOUT=eth0.0 SRC=192.168.1.131 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=14516 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2528

EBT_POSTROUTING_131_ICMP:  IN= OUT=eth0.0 MAC source = 3c:a9:f4:b5:0d:cc MAC dest = 00:21:29:b6:b9:65 proto = 0x0800 IP SRC=192.168.1.131 IP DST=192.168.1.1, IP tos=0x00, IP proto=1

IPT_MANGLE_POSTR_131_ICMP: IN= OUT=br-lan0 PHYSIN=ath0.0 PHYSOUT=eth0.0 SRC=192.168.1.131 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=14516 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2528

 

When the conntrack table has no entry for this flow, the log has two extra lines, IPT_NAT_PRER_131_ICMP and IPT_NAT_POSTR_131_ICMP:

EBT_BROUTING_131_ICMP:  IN=ath1.0 OUT= MAC source = 3c:a9:f4:b5:0d:cc MAC dest = 00:21:29:b6:b9:65 proto = 0x0800 IP SRC=192.168.1.131 IP DST=192.168.1.1, IP tos=0x00, IP proto=1

EBT_PREROUTING_131_ICMP:  IN=ath1.0 OUT= MAC source = 3c:a9:f4:b5:0d:cc MAC dest = 00:21:29:b6:b9:65 proto = 0x0800 IP SRC=192.168.1.131 IP DST=192.168.1.1, IP tos=0x00, IP proto=1

IPT_MANGLE_PRER_131_ICMP: IN=br-lan0 OUT= PHYSIN=ath1.0 MAC=00:21:29:b6:b9:65:3c:a9:f4:b5:0d:cc:08:00 SRC=192.168.1.131 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=14569 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2530

IPT_NAT_PRER_131_ICMP: IN=br-lan0 OUT= PHYSIN=ath1.0 MAC=00:21:29:b6:b9:65:3c:a9:f4:b5:0d:cc:08:00 SRC=192.168.1.131 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=14569 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2530

EBT_FORWARD_131_ICMP:  IN=ath1.0 OUT=eth0.0 MAC source = 3c:a9:f4:b5:0d:cc MAC dest = 00:21:29:b6:b9:65 proto = 0x0800 IP SRC=192.168.1.131 IP DST=192.168.1.1, IP tos=0x00, IP proto=1

IPT_mangle_FORWARD_131_ICMP: IN=br-lan0 OUT=br-lan0 PHYSIN=ath1.0 PHYSOUT=eth0.0 SRC=192.168.1.131 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=14569 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2530

IPT_FILTER_FORWARD_131_ICMP: IN=br-lan0 OUT=br-lan0 PHYSIN=ath1.0 PHYSOUT=eth0.0 SRC=192.168.1.131 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=14569 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2530

EBT_POSTROUTING_131_ICMP:  IN= OUT=eth0.0 MAC source = 3c:a9:f4:b5:0d:cc MAC dest = 00:21:29:b6:b9:65 proto = 0x0800 IP SRC=192.168.1.131 IP DST=192.168.1.1, IP tos=0x00, IP proto=1

IPT_MANGLE_POSTR_131_ICMP: IN= OUT=br-lan0 PHYSIN=ath1.0 PHYSOUT=eth0.0 SRC=192.168.1.131 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=14569 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2530

IPT_NAT_POSTR_131_ICMP: IN= OUT=br-lan0 PHYSIN=ath1.0 PHYSOUT=eth0.0 SRC=192.168.1.131 DST=192.168.1.1 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=14569 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2530

Matches the Netfilter flow diagram.

ping 192.168.1.130

When the conntrack table already has an entry for this flow, the log is:

EBT_BROUTING_131_ICMP:  IN=ath1.0 OUT= MAC source = 3c:a9:f4:b5:0d:cc MAC dest = 70:f1:a1:aa:bd:60 proto = 0x0800 IP SRC=192.168.1.131 IP DST=192.168.1.130, IP tos=0x00, IP proto=1

EBT_PREROUTING_131_ICMP:  IN=ath1.0 OUT= MAC source = 3c:a9:f4:b5:0d:cc MAC dest = 70:f1:a1:aa:bd:60 proto = 0x0800 IP SRC=192.168.1.131 IP DST=192.168.1.130, IP tos=0x00, IP proto=1

IPT_MANGLE_PRER_131_ICMP: IN=br-lan0 OUT= PHYSIN=ath1.0 MAC=70:f1:a1:aa:bd:60:3c:a9:f4:b5:0d:cc:08:00 SRC=192.168.1.131 DST=192.168.1.130 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=14588 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2535

EBT_INPUT_131_ICMP:  IN=ath1.0 OUT= MAC source = 3c:a9:f4:b5:0d:cc MAC dest = 70:f1:a1:aa:bd:60 proto = 0x0800 IP SRC=192.168.1.131 IP DST=192.168.1.130, IP tos=0x00, IP proto=1

IPT_mangle_INPUT_131_ICMP: IN=br-lan0 OUT= PHYSIN=ath1.0 MAC=70:f1:a1:aa:bd:60:3c:a9:f4:b5:0d:cc:08:00 SRC=192.168.1.131 DST=192.168.1.130 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=14588 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2535

IPT_FILTER_INPUT_131_ICMP: IN=br-lan0 OUT= PHYSIN=ath1.0 MAC=70:f1:a1:aa:bd:60:3c:a9:f4:b5:0d:cc:08:00 SRC=192.168.1.131 DST=192.168.1.130 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=14588 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2535

 

When the conntrack table has no entry for this flow, the log has one extra line, IPT_NAT_PRER_131_ICMP:

EBT_BROUTING_131_ICMP:  IN=ath0.0 OUT= MAC source = 3c:a9:f4:b5:0d:cc MAC dest = 70:f1:a1:aa:bd:60 proto = 0x0800 IP SRC=192.168.1.131 IP DST=192.168.1.130, IP tos=0x00, IP proto=1

EBT_PREROUTING_131_ICMP:  IN=ath0.0 OUT= MAC source = 3c:a9:f4:b5:0d:cc MAC dest = 70:f1:a1:aa:bd:60 proto = 0x0800 IP SRC=192.168.1.131 IP DST=192.168.1.130, IP tos=0x00, IP proto=1

IPT_MANGLE_PRER_131_ICMP: IN=br-lan0 OUT= PHYSIN=ath0.0 MAC=70:f1:a1:aa:bd:60:3c:a9:f4:b5:0d:cc:08:00 SRC=192.168.1.131 DST=192.168.1.130 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=14495 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2521

IPT_NAT_PRER_131_ICMP: IN=br-lan0 OUT= PHYSIN=ath0.0 MAC=70:f1:a1:aa:bd:60:3c:a9:f4:b5:0d:cc:08:00 SRC=192.168.1.131 DST=192.168.1.130 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=14495 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2521

EBT_INPUT_131_ICMP:  IN=ath0.0 OUT= MAC source = 3c:a9:f4:b5:0d:cc MAC dest = 70:f1:a1:aa:bd:60 proto = 0x0800 IP SRC=192.168.1.131 IP DST=192.168.1.130, IP tos=0x00, IP proto=1

IPT_mangle_INPUT_131_ICMP: IN=br-lan0 OUT= PHYSIN=ath0.0 MAC=70:f1:a1:aa:bd:60:3c:a9:f4:b5:0d:cc:08:00 SRC=192.168.1.131 DST=192.168.1.130 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=14495 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2521

IPT_FILTER_INPUT_131_ICMP: IN=br-lan0 OUT= PHYSIN=ath0.0 MAC=70:f1:a1:aa:bd:60:3c:a9:f4:b5:0d:cc:08:00 SRC=192.168.1.131 DST=192.168.1.130 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=14495 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2521

Matches the Netfilter flow diagram.

 

Testing traffic sent from AP -> STA

Stop the existing firewall rules again and install the same LOG rules, this time matching ICMP sent to the STA 192.168.1.131 (-d / --ip-dst instead of -s / --ip-src):

firewall-rules stop

iptables -t mangle -A PREROUTING -d 192.168.1.131 -p icmp -j LOG --log-prefix="IPT_MANGLE_PRER_131_ICMP: "
iptables -t nat -A PREROUTING -d 192.168.1.131 -p icmp -j LOG --log-prefix="IPT_NAT_PRER_131_ICMP: "
iptables -t mangle -A POSTROUTING -d 192.168.1.131 -p icmp -j LOG --log-prefix="IPT_MANGLE_POSTR_131_ICMP: "
iptables -t nat -A POSTROUTING -d 192.168.1.131 -p icmp -j LOG --log-prefix="IPT_NAT_POSTR_131_ICMP: "
iptables -t filter -A INPUT -d 192.168.1.131 -p icmp -j LOG --log-prefix="IPT_FILTER_INPUT_131_ICMP: "
iptables -t filter -A OUTPUT -d 192.168.1.131 -p icmp -j LOG --log-prefix="IPT_FILTER_OUTPUT_131_ICMP: "
iptables -t filter -A FORWARD -d 192.168.1.131 -p icmp -j LOG --log-prefix="IPT_FILTER_FORWARD_131_ICMP: "
iptables -t nat -A OUTPUT -d 192.168.1.131 -p icmp -j LOG --log-prefix="IPT_NAT_OUTPUT_131_ICMP: "
iptables -t mangle -A INPUT -d 192.168.1.131 -p icmp -j LOG --log-prefix="IPT_mangle_INPUT_131_ICMP: "
iptables -t mangle -A OUTPUT -d 192.168.1.131 -p icmp -j LOG --log-prefix="IPT_mangle_OUTPUT_131_ICMP: "
iptables -t mangle -A FORWARD -d 192.168.1.131 -p icmp -j LOG --log-prefix="IPT_mangle_FORWARD_131_ICMP: "

ebtables -t broute -I BROUTING -p ipv4 --ip-proto ICMP --ip-dst 192.168.1.131 --log-level info --log-ip --log-prefix "EBT_BROUTING_131_ICMP: "
ebtables -t nat -I PREROUTING -p ipv4 --ip-proto ICMP --ip-dst 192.168.1.131 --log-level info --log-ip --log-prefix "EBT_PREROUTING_131_ICMP: "
ebtables -t nat -I POSTROUTING -p ipv4 --ip-proto ICMP --ip-dst 192.168.1.131 --log-level info --log-ip --log-prefix "EBT_POSTROUTING_131_ICMP: "
ebtables -t nat -I OUTPUT -p ipv4 --ip-proto ICMP --ip-dst 192.168.1.131 --log-level info --log-ip --log-prefix "EBT_NAT_OUTPUT_131_ICMP: "

ebtables -I FORWARD -p ipv4 --ip-proto ICMP --ip-dst 192.168.1.131 --log-level info --log-ip --log-prefix "EBT_FORWARD_131_ICMP: "
ebtables -I INPUT -p ipv4 --ip-proto ICMP --ip-dst 192.168.1.131 --log-level info --log-ip --log-prefix "EBT_INPUT_131_ICMP: "
ebtables -I OUTPUT -p ipv4 --ip-proto ICMP --ip-dst 192.168.1.131 --log-level info --log-ip --log-prefix "EBT_OUTPUT_131_ICMP: "

Check that the rules are in place:

iptables -t mangle -L
iptables -t nat -L
iptables -t filter -L

ebtables -t broute -L
ebtables -t filter -L
ebtables -t nat -L

 

 

sysctl -w net.bridge.bridge-nf-call-iptables=0

ping 192.168.1.131

 

When the conntrack table already has an entry for this flow, the log is:

IPT_mangle_OUTPUT_131_ICMP: IN= OUT=br-lan0 SRC=192.168.1.130 DST=192.168.1.131 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=468 SEQ=0

IPT_NAT_OUTPUT_131_ICMP: IN= OUT=br-lan0 SRC=192.168.1.130 DST=192.168.1.131 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=468 SEQ=0

IPT_FILTER_OUTPUT_131_ICMP: IN= OUT=br-lan0 SRC=192.168.1.130 DST=192.168.1.131 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=468 SEQ=0

IPT_MANGLE_POSTR_131_ICMP: IN= OUT=br-lan0 SRC=192.168.1.130 DST=192.168.1.131 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=468 SEQ=0

IPT_NAT_POSTR_131_ICMP: IN= OUT=br-lan0 SRC=192.168.1.130 DST=192.168.1.131 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=468 SEQ=0

EBT_NAT_OUTPUT_131_ICMP:  IN= OUT=ath0.0 MAC source = 70:f1:a1:aa:bd:60 MAC dest = 3c:a9:f4:b5:0d:cc proto = 0x0800 IP SRC=192.168.1.130 IP DST=192.168.1.131, IP tos=0x00, IP proto=1

EBT_OUTPUT_131_ICMP:  IN= OUT=ath0.0 MAC source = 70:f1:a1:aa:bd:60 MAC dest = 3c:a9:f4:b5:0d:cc proto = 0x0800 IP SRC=192.168.1.130 IP DST=192.168.1.131, IP tos=0x00, IP proto=1

EBT_POSTROUTING_131_ICMP:  IN= OUT=ath0.0 MAC source = 70:f1:a1:aa:bd:60 MAC dest = 3c:a9:f4:b5:0d:cc proto = 0x0800 IP SRC=192.168.1.130 IP DST=192.168.1.131, IP tos=0x00, IP proto=1

 

When the conntrack table has no entry for this flow, the log shows no difference:

IPT_mangle_OUTPUT_131_ICMP: IN= OUT=br-lan0 SRC=192.168.1.130 DST=192.168.1.131 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=468 SEQ=0

IPT_NAT_OUTPUT_131_ICMP: IN= OUT=br-lan0 SRC=192.168.1.130 DST=192.168.1.131 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=468 SEQ=0

IPT_FILTER_OUTPUT_131_ICMP: IN= OUT=br-lan0 SRC=192.168.1.130 DST=192.168.1.131 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=468 SEQ=0

IPT_MANGLE_POSTR_131_ICMP: IN= OUT=br-lan0 SRC=192.168.1.130 DST=192.168.1.131 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=468 SEQ=0

IPT_NAT_POSTR_131_ICMP: IN= OUT=br-lan0 SRC=192.168.1.130 DST=192.168.1.131 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=468 SEQ=0

EBT_NAT_OUTPUT_131_ICMP:  IN= OUT=ath0.0 MAC source = 70:f1:a1:aa:bd:60 MAC dest = 3c:a9:f4:b5:0d:cc proto = 0x0800 IP SRC=192.168.1.130 IP DST=192.168.1.131, IP tos=0x00, IP proto=1

EBT_OUTPUT_131_ICMP:  IN= OUT=ath0.0 MAC source = 70:f1:a1:aa:bd:60 MAC dest = 3c:a9:f4:b5:0d:cc proto = 0x0800 IP SRC=192.168.1.130 IP DST=192.168.1.131, IP tos=0x00, IP proto=1

EBT_POSTROUTING_131_ICMP:  IN= OUT=ath0.0 MAC source = 70:f1:a1:aa:bd:60 MAC dest = 3c:a9:f4:b5:0d:cc proto = 0x0800 IP SRC=192.168.1.130 IP DST=192.168.1.131, IP tos=0x00, IP proto=1

Matches the Netfilter flow diagram.

sysctl -w net.bridge.bridge-nf-call-iptables=1

ping 192.168.1.131

When the conntrack table already has an entry for this flow, the log is:

IPT_mangle_OUTPUT_131_ICMP: IN= OUT=br-lan0 SRC=192.168.1.130 DST=192.168.1.131 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=2462 SEQ=0

IPT_NAT_OUTPUT_131_ICMP: IN= OUT=br-lan0 SRC=192.168.1.130 DST=192.168.1.131 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=2462 SEQ=0

IPT_FILTER_OUTPUT_131_ICMP: IN= OUT=br-lan0 SRC=192.168.1.130 DST=192.168.1.131 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=2462 SEQ=0

IPT_MANGLE_POSTR_131_ICMP: IN= OUT=br-lan0 SRC=192.168.1.130 DST=192.168.1.131 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=2462 SEQ=0

IPT_NAT_POSTR_131_ICMP: IN= OUT=br-lan0 SRC=192.168.1.130 DST=192.168.1.131 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=2462 SEQ=0

EBT_NAT_OUTPUT_131_ICMP:  IN= OUT=ath0.0 MAC source = 70:f1:a1:aa:bd:60 MAC dest = 3c:a9:f4:b5:0d:cc proto = 0x0800 IP SRC=192.168.1.130 IP DST=192.168.1.131, IP tos=0x00, IP proto=1

EBT_OUTPUT_131_ICMP:  IN= OUT=ath0.0 MAC source = 70:f1:a1:aa:bd:60 MAC dest = 3c:a9:f4:b5:0d:cc proto = 0x0800 IP SRC=192.168.1.130 IP DST=192.168.1.131, IP tos=0x00, IP proto=1

EBT_POSTROUTING_131_ICMP:  IN= OUT=ath0.0 MAC source = 70:f1:a1:aa:bd:60 MAC dest = 3c:a9:f4:b5:0d:cc proto = 0x0800 IP SRC=192.168.1.130 IP DST=192.168.1.131, IP tos=0x00, IP proto=1

 

 

When the conntrack table has no entry for this flow, the log is the same:

IPT_mangle_OUTPUT_131_ICMP: IN= OUT=br-lan0 SRC=192.168.1.130 DST=192.168.1.131 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=2462 SEQ=0

IPT_NAT_OUTPUT_131_ICMP: IN= OUT=br-lan0 SRC=192.168.1.130 DST=192.168.1.131 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=2462 SEQ=0

IPT_FILTER_OUTPUT_131_ICMP: IN= OUT=br-lan0 SRC=192.168.1.130 DST=192.168.1.131 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=2462 SEQ=0

IPT_MANGLE_POSTR_131_ICMP: IN= OUT=br-lan0 SRC=192.168.1.130 DST=192.168.1.131 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=2462 SEQ=0

IPT_NAT_POSTR_131_ICMP: IN= OUT=br-lan0 SRC=192.168.1.130 DST=192.168.1.131 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=2462 SEQ=0

EBT_NAT_OUTPUT_131_ICMP:  IN= OUT=ath0.0 MAC source = 70:f1:a1:aa:bd:60 MAC dest = 3c:a9:f4:b5:0d:cc proto = 0x0800 IP SRC=192.168.1.130 IP DST=192.168.1.131, IP tos=0x00, IP proto=1

EBT_OUTPUT_131_ICMP:  IN= OUT=ath0.0 MAC source = 70:f1:a1:aa:bd:60 MAC dest = 3c:a9:f4:b5:0d:cc proto = 0x0800 IP SRC=192.168.1.130 IP DST=192.168.1.131, IP tos=0x00, IP proto=1

EBT_POSTROUTING_131_ICMP:  IN= OUT=ath0.0 MAC source = 70:f1:a1:aa:bd:60 MAC dest = 3c:a9:f4:b5:0d:cc proto = 0x0800 IP SRC=192.168.1.130 IP DST=192.168.1.131, IP tos=0x00, IP proto=1

 

Matches the Netfilter flow diagram.
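As an added example (not part of the original post), the following Python script rebuilds the per-flow hook sequence from kernel-log lines in the two formats shown above and checks the two findings these tests illustrate: bridged flows that no iptables hook ever saw (the bridge-nf-call-iptables=0 case, where iptables FORWARD rules cannot protect bridged traffic), and the ebtables fwmark 0x5a still being visible in iptables. The sample lines are constructed in the page's log format with MAC fields omitted; the function and variable names are my own.

```python
import re
from collections import OrderedDict

# Constructed sample kernel-log lines (not copied from the test box) in the formats written by the
# ebtables --log-ip and iptables LOG rules above; MAC fields are omitted for brevity. Flow A: echo
# request bridged ath0.0 -> eth0.0 with bridge-nf-call-iptables=0. Flow B: echo request to the AP's
# own address 192.168.1.130 after the ebtables INPUT rule set fwmark 0x5a (empty-prefix line included).
SAMPLE_LOG = """\
EBT_BROUTING_131_ICMP:  IN=ath0.0 OUT= proto = 0x0800 IP SRC=192.168.1.131 IP DST=192.168.1.1, IP tos=0x00, IP proto=1
EBT_PREROUTING_131_ICMP:  IN=ath0.0 OUT= proto = 0x0800 IP SRC=192.168.1.131 IP DST=192.168.1.1, IP tos=0x00, IP proto=1
EBT_FORWARD_131_ICMP:  IN=ath0.0 OUT=eth0.0 proto = 0x0800 IP SRC=192.168.1.131 IP DST=192.168.1.1, IP tos=0x00, IP proto=1
EBT_POSTROUTING_131_ICMP:  IN= OUT=eth0.0 proto = 0x0800 IP SRC=192.168.1.131 IP DST=192.168.1.1, IP tos=0x00, IP proto=1
EBT_BROUTING_131_ICMP:  IN=ath0.0 OUT= proto = 0x0800 IP SRC=192.168.1.131 IP DST=192.168.1.130, IP tos=0x00, IP proto=1
EBT_PREROUTING_131_ICMP:  IN=ath0.0 OUT= proto = 0x0800 IP SRC=192.168.1.131 IP DST=192.168.1.130, IP tos=0x00, IP proto=1
 IN=ath0.0 OUT= MAC source = 3c:a9:f4:b5:0d:cc MAC dest = 70:f1:a1:aa:bd:60 proto = 0x0800
EBT_INPUT_131_ICMP:  IN=ath0.0 OUT= proto = 0x0800 IP SRC=192.168.1.131 IP DST=192.168.1.130, IP tos=0x00, IP proto=1
IPT_MANGLE_PRER_EBT_INPUTMARKIN=br-lan0 OUT= SRC=192.168.1.131 DST=192.168.1.130 LEN=60 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2547 MARK=0x5a
IPT_MANGLE_PRER_131_ICMP: IN=br-lan0 OUT= SRC=192.168.1.131 DST=192.168.1.130 LEN=60 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2547 MARK=0x5a
IPT_NAT_PRER_131_ICMP: IN=br-lan0 OUT= SRC=192.168.1.131 DST=192.168.1.130 LEN=60 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2547 MARK=0x5a
IPT_mangle_INPUT_131_ICMP: IN=br-lan0 OUT= SRC=192.168.1.131 DST=192.168.1.130 LEN=60 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2547 MARK=0x5a
IPT_FILTER_INPUT_131_ICMP: IN=br-lan0 OUT= SRC=192.168.1.131 DST=192.168.1.130 LEN=60 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=2547 MARK=0x5a
"""

PREFIX_RE = re.compile(r'^(\w+?)(?::\s*|(?=IN=))')     # log prefix, even one that runs into "IN="
EBT_RE = re.compile(r'IP SRC=(\S+) IP DST=([^,\s]+)')  # ebtables --log-ip address fields
IPT_RE = re.compile(r'\bSRC=(\S+) DST=(\S+)')          # iptables LOG address fields
MARK_RE = re.compile(r'\bMARK=(0x[0-9a-fA-F]+)')       # fwmark as printed by iptables LOG

def parse_line(line):
    """Return (hook, src, dst, mark) for a line written by one of the LOG rules, else None."""
    m = PREFIX_RE.match(line)
    if not m or not m.group(1).startswith(('EBT_', 'IPT_')):
        return None                    # e.g. the empty-prefix line from the ebtables mark rule
    addrs = EBT_RE.search(line) or IPT_RE.search(line)
    if not addrs:
        return None
    hook = re.sub(r'_\d+_ICMP$', '', m.group(1))       # EBT_FORWARD_131_ICMP -> EBT_FORWARD
    mark = MARK_RE.search(line)
    return hook, addrs.group(1), addrs.group(2), (mark.group(1) if mark else None)

def hook_paths(log_text):
    """Map each (src, dst) flow to the ordered list of hooks its packets were logged at."""
    paths = OrderedDict()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            paths.setdefault((rec[1], rec[2]), []).append(rec[0])
    return paths

def iptables_blind_flows(paths):
    """Flows the bridge forwarded without any iptables hook firing: the bridge-nf-call-iptables=0
    case above, where iptables FORWARD rules never see the traffic and only ebtables can police it."""
    return [flow for flow, path in paths.items()
            if 'EBT_FORWARD' in path and not any(h.startswith('IPT_') for h in path)]

def hooks_seeing_mark(log_text, mark='0x5a'):
    """iptables hooks at which the fwmark set by the ebtables INPUT rule was still present, per flow."""
    seen = OrderedDict()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[0].startswith('IPT_') and rec[3] == mark:
            seen.setdefault((rec[1], rec[2]), []).append(rec[0])
    return seen

if __name__ == '__main__':
    paths = hook_paths(SAMPLE_LOG)
    for flow, path in paths.items():
        print(flow, ' > '.join(path))
    print('bridged flows iptables never saw:', iptables_blind_flows(paths))
    print('iptables hooks that saw mark 0x5a:', dict(hooks_seeing_mark(SAMPLE_LOG)))
```

Feed it the real `dmesg`/`logread` output instead of SAMPLE_LOG to compare a device's actual hook sequence against the expected ones above.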

 



