iptables rule does not work


I am using an application called logstash, and I need to receive data on UDP port 514. The problem is that logstash is not allowed to listen on port 514. To work around this, I decided to use the iptables nat table:

iptables -t nat -A PREROUTING -p udp --dport 514 -j REDIRECT --to-port 5140

After that, I checked with the following command whether packets destined for UDP port 514 were being caught by the rule:

iptables -t nat -nxvL

The output was:

Chain PREROUTING (policy ACCEPT 608395 packets, 392277304 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       1      594 REDIRECT   udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:514 redir ports 5140
       0        0 REDIRECT   tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:514 redir ports 5140

Chain INPUT (policy ACCEPT 1716 packets, 638207 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 8906 packets, 538280 bytes)
    pkts      bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 8906 packets, 538280 bytes)
    pkts      bytes target     prot opt in     out     source               destination

As you can see, the rule caught only one packet, even though many packets arrived at that port.

tcpdump -nni any port 514

The command above produced the following output:

12:58:22.222661 IP 100.100.200.2.8587 > 10.93.33.115.514: SYSLOG local7.notice, length: 545
12:58:22.232715 IP 100.100.200.2.10099 > 10.93.33.115.514: SYSLOG local7.notice, length: 519
12:58:22.233787 IP 100.100.200.2.8587 > 10.93.33.115.514: SYSLOG local7.info, length: 699
12:58:22.237041 IP 100.100.200.2.8587 > 10.93.33.115.514: SYSLOG local7.info, length: 550
12:58:22.237100 IP 100.100.200.2.8587 > 10.93.33.115.514: SYSLOG local7.info, length: 564
12:58:22.242670 IP 100.100.200.2.5006 > 10.93.33.115.514: SYSLOG local7.notice, length: 542
12:58:22.242722 IP 100.100.200.2.5006 > 10.93.33.115.514: SYSLOG local7.notice, length: 542
12:58:22.246941 IP 100.100.200.2.8587 > 10.93.33.115.514: SYSLOG local7.warning, length: 746
12:58:22.247627 IP 100.100.200.2.8587 > 10.93.33.115.514: SYSLOG local7.notice, length: 687
12:58:22.247654 IP 100.100.200.2.8587 > 10.93.33.115.514: SYSLOG local7.notice, length: 687
12:58:22.252840 IP 100.100.200.2.8587 > 10.93.33.115.514: SYSLOG local7.notice, length: 604
12:58:22.254676 IP 100.100.200.2.23295 > 10.93.33.115.514: SYSLOG local7.notice, length: 687
12:58:22.254704 IP 100.100.200.2.23295 > 10.93.33.115.514: SYSLOG local7.notice, length: 687
12:58:22.258491 IP 100.100.200.2.8587 > 10.93.33.115.514: SYSLOG local7.notice, length: 677
12:58:22.260588 IP 100.100.200.2.8587 > 10.93.33.115.514: SYSLOG local7.info, length: 581
12:58:22.261878 IP 100.100.200.2.23295 > 10.93.33.115.514: SYSLOG local7.notice, length: 542
12:58:22.261908 IP 100.100.200.2.10099 > 10.93.33.115.514: SYSLOG local7.notice, length: 542
12:58:22.261917 IP 100.100.200.2.23295 > 10.93.33.115.514: SYSLOG local7.notice, length: 540
12:58:22.262554 IP 100.100.200.2.5006 > 10.93.33.115.514: SYSLOG local7.notice, length: 542
12:58:22.262568 IP 100.100.200.2.8587 > 10.93.33.115.514: SYSLOG local7.notice, length: 542
12:58:22.266295 IP 100.100.200.2.5006 > 10.93.33.115.514: SYSLOG local7.notice, length: 639
^C

824 packets captured
855 packets received by filter
18 packets dropped by kernel

Why is the rule not working? Every UDP packet arriving at port 514 should be redirected. I really cannot see what is causing this. The iptables service is started and running, and firewalld is disabled.

Answer 1

The answer from ServerFault applies:

nat table rules only ever apply to the first packet of a connection. Subsequent packets of the same connection never traverse the nat rule list; they are handled by the conntrack code alone.

Since UDP is inherently connectionless, a "connection" here is defined only by addresses, ports and a timeout. So if a second UDP packet with the same source address and port and the same destination address and port arrives within the timeout, Linux considers it to belong to the established "connection" and does not evaluate the nat table rules at all; instead it reuses the verdict given for the previous packet.

So even though the rule shows only one packet caught in your case, all related packets are probably being redirected. There is nothing to worry about unless the packets are not reaching your application (but they should be).
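The flow-versus-packet distinction in the answer, as an added example that is not part of the question or answer: a small Python model of conntrack's UDP tracking, run over lines taken from the tcpdump output above. The 30-second timeout and the SAMPLE constant are assumptions; the count it reports is the number of distinct (source, sport, destination, dport) flows in the excerpt, which is what the nat rule counter increments for flows that start after the rule is inserted.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: a subset of the tcpdump lines from the question above.
SAMPLE = """\
12:58:22.222661 IP 100.100.200.2.8587 > 10.93.33.115.514: SYSLOG local7.notice, length: 545
12:58:22.232715 IP 100.100.200.2.10099 > 10.93.33.115.514: SYSLOG local7.notice, length: 519
12:58:22.233787 IP 100.100.200.2.8587 > 10.93.33.115.514: SYSLOG local7.info, length: 699
12:58:22.242670 IP 100.100.200.2.5006 > 10.93.33.115.514: SYSLOG local7.notice, length: 542
12:58:22.254676 IP 100.100.200.2.23295 > 10.93.33.115.514: SYSLOG local7.notice, length: 687
12:58:22.261878 IP 100.100.200.2.23295 > 10.93.33.115.514: SYSLOG local7.notice, length: 542
12:58:22.266295 IP 100.100.200.2.5006 > 10.93.33.115.514: SYSLOG local7.notice, length: 639
"""

LINE_RE = re.compile(
    r"^(\d\d:\d\d:\d\d\.\d+) IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):"
)


def parse(line):
    """Return (timestamp, (src, sport, dst, dport)) for one tcpdump line, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%H:%M:%S.%f")
    return ts, (m.group(2), int(m.group(3)), m.group(4), int(m.group(5)))


def simulate_nat(lines, dport=514, timeout=timedelta(seconds=30)):
    """Return (packets seen, packets that traverse the nat table).

    Models the behaviour described in the answer: the nat PREROUTING rule is
    evaluated only for the first packet of a flow; later packets with the same
    4-tuple inside the timeout reuse the verdict stored in the conntrack entry.
    The 30 s timeout is an assumed value, not one taken from the page.
    """
    flows = {}  # 4-tuple -> timestamp of the last packet (the conntrack entry)
    seen = nat_hits = 0
    for line in lines.splitlines():
        parsed = parse(line)
        if parsed is None or parsed[1][3] != dport:
            continue
        ts, key = parsed
        seen += 1
        last = flows.get(key)
        if last is None or ts - last > timeout:
            nat_hits += 1  # new "connection": the REDIRECT rule fires once
        flows[key] = ts  # every packet refreshes the entry's timeout
    return seen, nat_hits
```

On the real host, the conntrack entries behind this behaviour can be listed with `conntrack -L -p udp --dport 514` from conntrack-tools.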
