No forward packet with iptables prerouting rule

I have an iptables PREROUTING rule that forwards a port to another host. This is the rule: ipv4 nat PREROUTING 0 -m addrtype --dst-type LOCAL -p tcp --dport 445 -j DNAT --to-destination 192.168.123.103

The IP address of host A, which has the PREROUTING rule, is 192.168.123.1. The IP address of host B, to which the traffic is to be forwarded, is 192.168.123.103 (B also has 192.168.123.11).

This rule works for other hosts connecting to A on 192.168.123.1:445, but when the request is made from B the rule does not work. In the iptables trace there appears to be a PREROUTING step but no FORWARD. Notably, accessing 192.168.123.103:445 directly on B works.

I have checked that the sysctl flags net.ipv4.ip_forward and net.ipv4.conf.all.forwarding are correctly set to 1.

Logs:

Working:
trace id 3202082b ip raw PREROUTING packet: iif "virbr1" ether saddr 52:54:00:17:47:13 ether daddr 52:54:00:54:6b:5e ip saddr 192.168.123.13 ip daddr 192.168.123.1 ip dscp cs0 ip ecn not-ect ip ttl 62 ip id 787 ip length 60 tcp sport 49938 tcp dport 445 tcp flags == syn tcp window 64860
trace id 3202082b ip raw PREROUTING rule meta l4proto tcp fib daddr type local tcp dport 445 counter packets 522 bytes 29484 meta nftrace set 1 (verdict continue)
trace id 3202082b ip raw PREROUTING verdict continue
trace id 3202082b ip raw PREROUTING policy accept
trace id 3202082b inet firewalld mangle_PREROUTING packet: iif "virbr1" ether saddr 52:54:00:17:47:13 ether daddr 52:54:00:54:6b:5e ip saddr 192.168.123.13 ip daddr 192.168.123.1 ip dscp cs0 ip ecn not-ect ip ttl 62 ip id 787 ip protocol tcp ip length 60 tcp sport 49938 tcp dport 445 tcp flags == syn tcp window 64860
trace id 3202082b inet firewalld mangle_PREROUTING rule jump mangle_PREROUTING_ZONES (verdict jump mangle_PREROUTING_ZONES)
trace id 3202082b inet firewalld mangle_PREROUTING_ZONES rule goto mangle_PRE_trusted (verdict goto mangle_PRE_trusted)
trace id 3202082b inet firewalld mangle_PRE_trusted rule jump mangle_PREROUTING_POLICIES_pre (verdict jump mangle_PREROUTING_POLICIES_pre)
trace id 3202082b inet firewalld mangle_PREROUTING_POLICIES_pre rule jump mangle_PRE_policy_allow-host-ipv6 (verdict jump mangle_PRE_policy_allow-host-ipv6)
trace id 3202082b inet firewalld mangle_PRE_policy_allow-host-ipv6 rule jump mangle_PRE_policy_allow-host-ipv6_pre (verdict jump mangle_PRE_policy_allow-host-ipv6_pre)
trace id 3202082b inet firewalld mangle_PRE_policy_allow-host-ipv6_pre verdict continue
trace id 3202082b inet firewalld mangle_PRE_policy_allow-host-ipv6 rule jump mangle_PRE_policy_allow-host-ipv6_log (verdict jump mangle_PRE_policy_allow-host-ipv6_log)
trace id 3202082b inet firewalld mangle_PRE_policy_allow-host-ipv6_log verdict continue
trace id 3202082b inet firewalld mangle_PRE_policy_allow-host-ipv6 rule jump mangle_PRE_policy_allow-host-ipv6_deny (verdict jump mangle_PRE_policy_allow-host-ipv6_deny)
trace id 3202082b inet firewalld mangle_PRE_policy_allow-host-ipv6_deny verdict continue
trace id 3202082b inet firewalld mangle_PRE_policy_allow-host-ipv6 rule jump mangle_PRE_policy_allow-host-ipv6_allow (verdict jump mangle_PRE_policy_allow-host-ipv6_allow)
trace id 3202082b inet firewalld mangle_PRE_policy_allow-host-ipv6_allow verdict continue
trace id 3202082b inet firewalld mangle_PRE_policy_allow-host-ipv6 rule jump mangle_PRE_policy_allow-host-ipv6_post (verdict jump mangle_PRE_policy_allow-host-ipv6_post)
trace id 3202082b inet firewalld mangle_PRE_policy_allow-host-ipv6_post verdict continue
trace id 3202082b inet firewalld mangle_PRE_policy_allow-host-ipv6 verdict continue
trace id 3202082b inet firewalld mangle_PREROUTING_POLICIES_pre verdict continue
trace id 3202082b inet firewalld mangle_PRE_trusted rule jump mangle_PRE_trusted_pre (verdict jump mangle_PRE_trusted_pre)
trace id 3202082b inet firewalld mangle_PRE_trusted_pre verdict continue
trace id 3202082b inet firewalld mangle_PRE_trusted rule jump mangle_PRE_trusted_log (verdict jump mangle_PRE_trusted_log)
trace id 3202082b inet firewalld mangle_PRE_trusted_log verdict continue
trace id 3202082b inet firewalld mangle_PRE_trusted rule jump mangle_PRE_trusted_deny (verdict jump mangle_PRE_trusted_deny)
trace id 3202082b inet firewalld mangle_PRE_trusted_deny verdict continue
trace id 3202082b inet firewalld mangle_PRE_trusted rule jump mangle_PRE_trusted_allow (verdict jump mangle_PRE_trusted_allow)
trace id 3202082b inet firewalld mangle_PRE_trusted_allow verdict continue
trace id 3202082b inet firewalld mangle_PRE_trusted rule jump mangle_PRE_trusted_post (verdict jump mangle_PRE_trusted_post)
trace id 3202082b inet firewalld mangle_PRE_trusted_post verdict continue
trace id 3202082b inet firewalld mangle_PRE_trusted rule jump mangle_PREROUTING_POLICIES_post (verdict jump mangle_PREROUTING_POLICIES_post)
trace id 3202082b inet firewalld mangle_PREROUTING_POLICIES_post verdict continue
trace id 3202082b inet firewalld mangle_PRE_trusted verdict continue
trace id 3202082b inet firewalld mangle_PREROUTING verdict continue
trace id 3202082b inet firewalld mangle_PREROUTING policy accept
trace id 3202082b ip nat PREROUTING packet: iif "virbr1" ether saddr 52:54:00:17:47:13 ether daddr 52:54:00:54:6b:5e ip saddr 192.168.123.13 ip daddr 192.168.123.1 ip dscp cs0 ip ecn not-ect ip ttl 62 ip id 787 ip length 60 tcp sport 49938 tcp dport 445 tcp flags == syn tcp window 64860
trace id 3202082b ip nat PREROUTING rule meta l4proto tcp fib daddr type local tcp dport 445 counter packets 3018 bytes 180952 dnat to 192.168.123.103 (verdict accept)
trace id 3202082b inet firewalld filter_PREROUTING packet: iif "virbr1" ether saddr 52:54:00:17:47:13 ether daddr 52:54:00:54:6b:5e ip saddr 192.168.123.13 ip daddr 192.168.123.103 ip dscp cs0 ip ecn not-ect ip ttl 62 ip id 787 ip protocol tcp ip length 60 tcp sport 49938 tcp dport 445 tcp flags == syn tcp window 64860
trace id 3202082b inet firewalld filter_PREROUTING verdict continue
trace id 3202082b inet firewalld filter_PREROUTING policy accept
trace id 3202082b ip mangle FORWARD packet: iif "virbr1" oif "virbr1" ether saddr 52:54:00:17:47:13 ether daddr 52:54:00:b1:8b:eb ip saddr 192.168.123.13 ip daddr 192.168.123.103 ip dscp cs0 ip ecn not-ect ip ttl 62 ip id 787 ip length 60 tcp sport 49938 tcp dport 445 tcp flags == syn tcp window 64860
trace id 3202082b ip mangle FORWARD verdict continue
trace id 3202082b ip mangle FORWARD policy accept
trace id 3202082b ip filter FORWARD packet: iif "virbr1" oif "virbr1" ether saddr 52:54:00:17:47:13 ether daddr 52:54:00:b1:8b:eb ip saddr 192.168.123.13 ip daddr 192.168.123.103 ip dscp cs0 ip ecn not-ect ip ttl 62 ip id 787 ip length 60 tcp sport 49938 tcp dport 445 tcp flags == syn tcp window 64860
trace id 3202082b ip filter FORWARD verdict continue
trace id 3202082b ip filter FORWARD policy accept
trace id 3202082b inet firewalld filter_FORWARD packet: iif "virbr1" oif "virbr1" ether saddr 52:54:00:17:47:13 ether daddr 52:54:00:b1:8b:eb ip saddr 192.168.123.13 ip daddr 192.168.123.103 ip dscp cs0 ip ecn not-ect ip ttl 62 ip id 787 ip protocol tcp ip length 60 tcp sport 49938 tcp dport 445 tcp flags == syn tcp window 64860
trace id 3202082b inet firewalld filter_FORWARD rule ct status dnat accept (verdict accept)

Not working:
trace id fea3c476 ip raw PREROUTING packet: iif "virbr1" ether saddr 52:54:00:b1:8b:eb ether daddr 52:54:00:54:6b:5e ip saddr 192.168.123.11 ip daddr 192.168.123.1 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 63222 ip length 60 tcp sport 32920 tcp dport 445 tcp flags == syn tcp window 64240
trace id fea3c476 ip raw PREROUTING rule meta l4proto tcp fib daddr type local tcp dport 445 counter packets 96 bytes 5732 meta nftrace set 1 (verdict continue)
trace id fea3c476 ip raw PREROUTING verdict continue
trace id fea3c476 ip raw PREROUTING policy accept
trace id fea3c476 inet firewalld mangle_PREROUTING packet: iif "virbr1" ether saddr 52:54:00:b1:8b:eb ether daddr 52:54:00:54:6b:5e ip saddr 192.168.123.11 ip daddr 192.168.123.1 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 63222 ip protocol tcp ip length 60 tcp sport 32920 tcp dport 445 tcp flags == syn tcp window 64240
trace id fea3c476 inet firewalld mangle_PREROUTING rule jump mangle_PREROUTING_ZONES (verdict jump mangle_PREROUTING_ZONES)
trace id fea3c476 inet firewalld mangle_PREROUTING_ZONES rule goto mangle_PRE_trusted (verdict goto mangle_PRE_trusted)
trace id fea3c476 inet firewalld mangle_PRE_trusted rule jump mangle_PREROUTING_POLICIES_pre (verdict jump mangle_PREROUTING_POLICIES_pre)
trace id fea3c476 inet firewalld mangle_PREROUTING_POLICIES_pre rule jump mangle_PRE_policy_allow-host-ipv6 (verdict jump mangle_PRE_policy_allow-host-ipv6)
trace id fea3c476 inet firewalld mangle_PRE_policy_allow-host-ipv6 rule jump mangle_PRE_policy_allow-host-ipv6_pre (verdict jump mangle_PRE_policy_allow-host-ipv6_pre)
trace id fea3c476 inet firewalld mangle_PRE_policy_allow-host-ipv6_pre verdict continue
trace id fea3c476 inet firewalld mangle_PRE_policy_allow-host-ipv6 rule jump mangle_PRE_policy_allow-host-ipv6_log (verdict jump mangle_PRE_policy_allow-host-ipv6_log)
trace id fea3c476 inet firewalld mangle_PRE_policy_allow-host-ipv6_log verdict continue
trace id fea3c476 inet firewalld mangle_PRE_policy_allow-host-ipv6 rule jump mangle_PRE_policy_allow-host-ipv6_deny (verdict jump mangle_PRE_policy_allow-host-ipv6_deny)
trace id fea3c476 inet firewalld mangle_PRE_policy_allow-host-ipv6_deny verdict continue
trace id fea3c476 inet firewalld mangle_PRE_policy_allow-host-ipv6 rule jump mangle_PRE_policy_allow-host-ipv6_allow (verdict jump mangle_PRE_policy_allow-host-ipv6_allow)
trace id fea3c476 inet firewalld mangle_PRE_policy_allow-host-ipv6_allow verdict continue
trace id fea3c476 inet firewalld mangle_PRE_policy_allow-host-ipv6 rule jump mangle_PRE_policy_allow-host-ipv6_post (verdict jump mangle_PRE_policy_allow-host-ipv6_post)
trace id fea3c476 inet firewalld mangle_PRE_policy_allow-host-ipv6_post verdict continue
trace id fea3c476 inet firewalld mangle_PRE_policy_allow-host-ipv6 verdict continue
trace id fea3c476 inet firewalld mangle_PREROUTING_POLICIES_pre verdict continue
trace id fea3c476 inet firewalld mangle_PRE_trusted rule jump mangle_PRE_trusted_pre (verdict jump mangle_PRE_trusted_pre)
trace id fea3c476 inet firewalld mangle_PRE_trusted_pre verdict continue
trace id fea3c476 inet firewalld mangle_PRE_trusted rule jump mangle_PRE_trusted_log (verdict jump mangle_PRE_trusted_log)
trace id fea3c476 inet firewalld mangle_PRE_trusted_log verdict continue
trace id fea3c476 inet firewalld mangle_PRE_trusted rule jump mangle_PRE_trusted_deny (verdict jump mangle_PRE_trusted_deny)
trace id fea3c476 inet firewalld mangle_PRE_trusted_deny verdict continue
trace id fea3c476 inet firewalld mangle_PRE_trusted rule jump mangle_PRE_trusted_allow (verdict jump mangle_PRE_trusted_allow)
trace id fea3c476 inet firewalld mangle_PRE_trusted_allow verdict continue
trace id fea3c476 inet firewalld mangle_PRE_trusted rule jump mangle_PRE_trusted_post (verdict jump mangle_PRE_trusted_post)
trace id fea3c476 inet firewalld mangle_PRE_trusted_post verdict continue
trace id fea3c476 inet firewalld mangle_PRE_trusted rule jump mangle_PREROUTING_POLICIES_post (verdict jump mangle_PREROUTING_POLICIES_post)
trace id fea3c476 inet firewalld mangle_PREROUTING_POLICIES_post verdict continue
trace id fea3c476 inet firewalld mangle_PRE_trusted verdict continue
trace id fea3c476 inet firewalld mangle_PREROUTING verdict continue
trace id fea3c476 inet firewalld mangle_PREROUTING policy accept
trace id fea3c476 ip nat PREROUTING packet: iif "virbr1" ether saddr 52:54:00:b1:8b:eb ether daddr 52:54:00:54:6b:5e ip saddr 192.168.123.11 ip daddr 192.168.123.1 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 63222 ip length 60 tcp sport 32920 tcp dport 445 tcp flags == syn tcp window 64240
trace id fea3c476 ip nat PREROUTING rule meta l4proto tcp fib daddr type local tcp dport 445 counter packets 2881 bytes 172708 dnat to 192.168.123.103 (verdict accept)
trace id fea3c476 inet firewalld filter_PREROUTING packet: iif "virbr1" ether saddr 52:54:00:b1:8b:eb ether daddr 52:54:00:54:6b:5e ip saddr 192.168.123.11 ip daddr 192.168.123.103 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 63222 ip protocol tcp ip length 60 tcp sport 32920 tcp dport 445 tcp flags == syn tcp window 64240
trace id fea3c476 inet firewalld filter_PREROUTING verdict continue
trace id fea3c476 inet firewalld filter_PREROUTING policy accept

ip addr:

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: enp6s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 0a:e0:af:c6:00:d0 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.10/24 brd 192.168.1.255 scope global dynamic noprefixroute enp6s0
       valid_lft 39944sec preferred_lft 39944sec
3: virbr1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 52:54:00:54:6b:5e brd ff:ff:ff:ff:ff:ff
    inet 192.168.123.1/24 brd 192.168.123.255 scope global virbr1
       valid_lft forever preferred_lft forever

ip route:

default via 192.168.1.1 dev enp6s0 proto dhcp src 192.168.1.10 metric 100
192.168.1.0/24 dev enp6s0 proto kernel scope link src 192.168.1.10 metric 100
192.168.123.0/24 dev virbr1 proto kernel scope link src 192.168.123.1

nft list ruleset:

table ip filter {
    chain INPUT {
        type filter hook input priority filter; policy accept;
        meta l4proto tcp counter packets 2283119 bytes 12047540484 jump f2b-sshd
    }

    chain f2b-sshd {
        counter packets 2278196 bytes 12047096552 return
    }

    chain FORWARD {
        type filter hook forward priority filter; policy accept;
    }
}
table ip nat {
    chain PREROUTING {
        type nat hook prerouting priority dstnat; policy accept;
        meta l4proto tcp fib daddr type local tcp dport 445 counter packets 3128 bytes 187556 dnat to 192.168.123.103
    }

    chain POSTROUTING {
        type nat hook postrouting priority srcnat; policy accept;
    }
}
table inet firewalld {
    chain mangle_PREROUTING {
        type filter hook prerouting priority mangle + 10; policy accept;
        jump mangle_PREROUTING_ZONES
    }

    chain mangle_PREROUTING_POLICIES_pre {
        jump mangle_PRE_policy_allow-host-ipv6
    }

    chain mangle_PREROUTING_ZONES {
        iifname "enp6s0" goto mangle_PRE_public
        goto mangle_PRE_trusted
    }

    chain mangle_PREROUTING_POLICIES_post {
    }

    chain nat_PREROUTING {
        type nat hook prerouting priority dstnat + 10; policy accept;
        jump nat_PREROUTING_ZONES
    }

    chain nat_PREROUTING_POLICIES_pre {
        jump nat_PRE_policy_allow-host-ipv6
    }

    chain nat_PREROUTING_ZONES {
        iifname "enp6s0" goto nat_PRE_public
        goto nat_PRE_trusted
    }

    chain nat_PREROUTING_POLICIES_post {
    }

    chain nat_POSTROUTING {
        type nat hook postrouting priority srcnat + 10; policy accept;
        jump nat_POSTROUTING_ZONES
    }

    chain nat_POSTROUTING_POLICIES_pre {
    }

    chain nat_POSTROUTING_ZONES {
        oifname "enp6s0" goto nat_POST_public
        goto nat_POST_trusted
    }

    chain nat_POSTROUTING_POLICIES_post {
    }

    chain filter_PREROUTING {
        type filter hook prerouting priority filter + 10; policy accept;
        icmpv6 type { nd-router-advert, nd-neighbor-solicit } accept
        meta nfproto ipv6 fib saddr . mark . iif oif missing drop
    }

    chain filter_INPUT {
        type filter hook input priority filter + 10; policy accept;
        ct state { established, related } accept
        ct status dnat accept
        iifname "lo" accept
        jump filter_INPUT_ZONES
        ct state { invalid } drop
        reject with icmpx type admin-prohibited
    }

    chain filter_FORWARD {
        type filter hook forward priority filter + 10; policy accept;
        ct state { established, related } accept
        ct status dnat accept
        iifname "lo" accept
        ip6 daddr { ::/96, ::ffff:0.0.0.0/96, 2002::/24, 2002:a00::/24, 2002:7f00::/24, 2002:a9fe::/32, 2002:ac10::/28, 2002:c0a8::/32, 2002:e000::/19 } reject with icmpv6 type addr-unreachable
        jump filter_FORWARD_ZONES
        ct state { invalid } drop
        reject with icmpx type admin-prohibited
    }

    chain filter_OUTPUT {
        type filter hook output priority filter + 10; policy accept;
        ct state { established, related } accept
        oifname "lo" accept
        ip6 daddr { ::/96, ::ffff:0.0.0.0/96, 2002::/24, 2002:a00::/24, 2002:7f00::/24, 2002:a9fe::/32, 2002:ac10::/28, 2002:c0a8::/32, 2002:e000::/19 } reject with icmpv6 type addr-unreachable
        jump filter_OUTPUT_POLICIES_pre
        jump filter_OUTPUT_POLICIES_post
    }

    chain filter_INPUT_POLICIES_pre {
        jump filter_IN_policy_allow-host-ipv6
    }

    chain filter_INPUT_ZONES {
        iifname "enp6s0" goto filter_IN_public
        goto filter_IN_trusted
    }

    chain filter_INPUT_POLICIES_post {
    }

    chain filter_FORWARD_POLICIES_pre {
    }

    chain filter_FORWARD_ZONES {
        iifname "enp6s0" goto filter_FWD_public
        goto filter_FWD_trusted
    }

    chain filter_FORWARD_POLICIES_post {
    }

    chain filter_OUTPUT_POLICIES_pre {
    }

    chain filter_OUTPUT_POLICIES_post {
    }

    chain filter_IN_trusted {
        jump filter_INPUT_POLICIES_pre
        jump filter_IN_trusted_pre
        jump filter_IN_trusted_log
        jump filter_IN_trusted_deny
        jump filter_IN_trusted_allow
        jump filter_IN_trusted_post
        jump filter_INPUT_POLICIES_post
        accept
    }

    chain filter_IN_trusted_pre {
    }

    chain filter_IN_trusted_log {
    }

    chain filter_IN_trusted_deny {
    }

    chain filter_IN_trusted_allow {
    }

    chain filter_IN_trusted_post {
    }

    chain nat_POST_trusted {
        jump nat_POSTROUTING_POLICIES_pre
        jump nat_POST_trusted_pre
        jump nat_POST_trusted_log
        jump nat_POST_trusted_deny
        jump nat_POST_trusted_allow
        jump nat_POST_trusted_post
        jump nat_POSTROUTING_POLICIES_post
    }

    chain nat_POST_trusted_pre {
    }

    chain nat_POST_trusted_log {
    }

    chain nat_POST_trusted_deny {
    }

    chain nat_POST_trusted_allow {
    }

    chain nat_POST_trusted_post {
    }

    chain filter_FWD_trusted {
        jump filter_FORWARD_POLICIES_pre
        jump filter_FWD_trusted_pre
        jump filter_FWD_trusted_log
        jump filter_FWD_trusted_deny
        jump filter_FWD_trusted_allow
        jump filter_FWD_trusted_post
        jump filter_FORWARD_POLICIES_post
        accept
    }

    chain filter_FWD_trusted_pre {
    }

    chain filter_FWD_trusted_log {
    }

    chain filter_FWD_trusted_deny {
    }

    chain filter_FWD_trusted_allow {
    }

    chain filter_FWD_trusted_post {
    }

    chain nat_PRE_trusted {
        jump nat_PREROUTING_POLICIES_pre
        jump nat_PRE_trusted_pre
        jump nat_PRE_trusted_log
        jump nat_PRE_trusted_deny
        jump nat_PRE_trusted_allow
        jump nat_PRE_trusted_post
        jump nat_PREROUTING_POLICIES_post
    }

    chain nat_PRE_trusted_pre {
    }

    chain nat_PRE_trusted_log {
    }

    chain nat_PRE_trusted_deny {
    }

    chain nat_PRE_trusted_allow {
    }

    chain nat_PRE_trusted_post {
    }

    chain mangle_PRE_trusted {
        jump mangle_PREROUTING_POLICIES_pre
        jump mangle_PRE_trusted_pre
        jump mangle_PRE_trusted_log
        jump mangle_PRE_trusted_deny
        jump mangle_PRE_trusted_allow
        jump mangle_PRE_trusted_post
        jump mangle_PREROUTING_POLICIES_post
    }

    chain mangle_PRE_trusted_pre {
    }

    chain mangle_PRE_trusted_log {
    }

    chain mangle_PRE_trusted_deny {
    }

    chain mangle_PRE_trusted_allow {
    }

    chain mangle_PRE_trusted_post {
    }

    chain filter_IN_policy_allow-host-ipv6 {
        jump filter_IN_policy_allow-host-ipv6_pre
        jump filter_IN_policy_allow-host-ipv6_log
        jump filter_IN_policy_allow-host-ipv6_deny
        jump filter_IN_policy_allow-host-ipv6_allow
        jump filter_IN_policy_allow-host-ipv6_post
    }

    chain filter_IN_policy_allow-host-ipv6_pre {
    }

    chain filter_IN_policy_allow-host-ipv6_log {
    }

    chain filter_IN_policy_allow-host-ipv6_deny {
    }

    chain filter_IN_policy_allow-host-ipv6_allow {
        icmpv6 type nd-neighbor-advert accept
        icmpv6 type nd-neighbor-solicit accept
        icmpv6 type nd-router-advert accept
        icmpv6 type nd-redirect accept
    }

    chain filter_IN_policy_allow-host-ipv6_post {
    }

    chain nat_PRE_policy_allow-host-ipv6 {
        jump nat_PRE_policy_allow-host-ipv6_pre
        jump nat_PRE_policy_allow-host-ipv6_log
        jump nat_PRE_policy_allow-host-ipv6_deny
        jump nat_PRE_policy_allow-host-ipv6_allow
        jump nat_PRE_policy_allow-host-ipv6_post
    }

    chain nat_PRE_policy_allow-host-ipv6_pre {
    }

    chain nat_PRE_policy_allow-host-ipv6_log {
    }

    chain nat_PRE_policy_allow-host-ipv6_deny {
    }

    chain nat_PRE_policy_allow-host-ipv6_allow {
    }

    chain nat_PRE_policy_allow-host-ipv6_post {
    }

    chain mangle_PRE_policy_allow-host-ipv6 {
        jump mangle_PRE_policy_allow-host-ipv6_pre
        jump mangle_PRE_policy_allow-host-ipv6_log
        jump mangle_PRE_policy_allow-host-ipv6_deny
        jump mangle_PRE_policy_allow-host-ipv6_allow
        jump mangle_PRE_policy_allow-host-ipv6_post
    }

    chain mangle_PRE_policy_allow-host-ipv6_pre {
    }

    chain mangle_PRE_policy_allow-host-ipv6_log {
    }

    chain mangle_PRE_policy_allow-host-ipv6_deny {
    }

    chain mangle_PRE_policy_allow-host-ipv6_allow {
    }

    chain mangle_PRE_policy_allow-host-ipv6_post {
    }

    chain filter_IN_public {
        jump filter_INPUT_POLICIES_pre
        jump filter_IN_public_pre
        jump filter_IN_public_log
        jump filter_IN_public_deny
        jump filter_IN_public_allow
        jump filter_IN_public_post
        jump filter_INPUT_POLICIES_post
        meta l4proto { icmp, ipv6-icmp } accept
        reject with icmpx type admin-prohibited
    }

    chain filter_IN_public_pre {
    }

    chain filter_IN_public_log {
    }

    chain filter_IN_public_deny {
    }

    chain filter_IN_public_allow {
        tcp dport 22 ct state { new, untracked } accept
        ip6 daddr fe80::/64 udp dport 546 ct state { new, untracked } accept
    }

    chain filter_IN_public_post {
    }

    chain nat_POST_public {
        jump nat_POSTROUTING_POLICIES_pre
        jump nat_POST_public_pre
        jump nat_POST_public_log
        jump nat_POST_public_deny
        jump nat_POST_public_allow
        jump nat_POST_public_post
        jump nat_POSTROUTING_POLICIES_post
    }

    chain nat_POST_public_pre {
    }

    chain nat_POST_public_log {
    }

    chain nat_POST_public_deny {
    }

    chain nat_POST_public_allow {
        meta nfproto ipv4 oifname != "lo" masquerade
    }

    chain nat_POST_public_post {
    }

    chain filter_FWD_public {
        jump filter_FORWARD_POLICIES_pre
        jump filter_FWD_public_pre
        jump filter_FWD_public_log
        jump filter_FWD_public_deny
        jump filter_FWD_public_allow
        jump filter_FWD_public_post
        jump filter_FORWARD_POLICIES_post
        reject with icmpx type admin-prohibited
    }

    chain filter_FWD_public_pre {
    }

    chain filter_FWD_public_log {
    }

    chain filter_FWD_public_deny {
    }

    chain filter_FWD_public_allow {
        oifname "enp6s0" accept
    }

    chain filter_FWD_public_post {
    }

    chain nat_PRE_public {
        jump nat_PREROUTING_POLICIES_pre
        jump nat_PRE_public_pre
        jump nat_PRE_public_log
        jump nat_PRE_public_deny
        jump nat_PRE_public_allow
        jump nat_PRE_public_post
        jump nat_PREROUTING_POLICIES_post
    }

    chain nat_PRE_public_pre {
    }

    chain nat_PRE_public_log {
    }

    chain nat_PRE_public_deny {
    }

    chain nat_PRE_public_allow {
    }

    chain nat_PRE_public_post {
    }

    chain mangle_PRE_public {
        jump mangle_PREROUTING_POLICIES_pre
        jump mangle_PRE_public_pre
        jump mangle_PRE_public_log
        jump mangle_PRE_public_deny
        jump mangle_PRE_public_allow
        jump mangle_PRE_public_post
        jump mangle_PREROUTING_POLICIES_post
    }

    chain mangle_PRE_public_pre {
    }

    chain mangle_PRE_public_log {
    }

    chain mangle_PRE_public_deny {
    }

    chain mangle_PRE_public_allow {
    }

    chain mangle_PRE_public_post {
    }
}
table ip raw {
    chain PREROUTING {
        type filter hook prerouting priority raw; policy accept;
        meta l4proto tcp fib daddr type local tcp dport 445 counter packets 974 bytes 53844 meta nftrace set 1
    }

    chain OUTPUT {
        type filter hook output priority raw; policy accept;
    }
}
table ip mangle {
    chain FORWARD {
        type filter hook forward priority mangle; policy accept;
    }
}
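
The two traces above differ only in where they stop: the working packet reaches the forward hook, the failing one is last seen in firewalld's filter_PREROUTING and then disappears. The following script is an added example (not part of the original question or answers) that automates that comparison: it reads "nft monitor trace" output, groups lines by trace id, records the pre-NAT addresses and the DNAT target, and reports for each trace whether it was forwarded, delivered locally, or vanished after prerouting. The embedded SAMPLE_TRACE is a constructed, abridged copy of the question's two traces; in real use pipe the live output in, after enabling tracing with a rule like the question's "meta nftrace set 1" in the raw PREROUTING chain.

```shell
#!/bin/sh
# Added example: summarise "nft monitor trace" output per trace id and flag
# packets that were last seen in a prerouting hook and never reached the
# forward or input hooks (the symptom described in the question).
# SAMPLE_TRACE is constructed from the question's traces, abridged.

SAMPLE_TRACE='trace id 3202082b ip raw PREROUTING packet: iif "virbr1" ip saddr 192.168.123.13 ip daddr 192.168.123.1 tcp dport 445
trace id 3202082b ip nat PREROUTING rule meta l4proto tcp fib daddr type local tcp dport 445 dnat to 192.168.123.103 (verdict accept)
trace id 3202082b inet firewalld filter_PREROUTING policy accept
trace id 3202082b ip filter FORWARD packet: iif "virbr1" oif "virbr1" ip saddr 192.168.123.13 ip daddr 192.168.123.103 tcp dport 445
trace id 3202082b inet firewalld filter_FORWARD rule ct status dnat accept (verdict accept)
trace id fea3c476 ip raw PREROUTING packet: iif "virbr1" ip saddr 192.168.123.11 ip daddr 192.168.123.1 tcp dport 445
trace id fea3c476 ip nat PREROUTING rule meta l4proto tcp fib daddr type local tcp dport 445 dnat to 192.168.123.103 (verdict accept)
trace id fea3c476 inet firewalld filter_PREROUTING policy accept'

# summarize_trace: reads trace lines on stdin and prints one line per trace id:
#   <id> <saddr> <daddr before NAT> <dnat target or -> <last table/chain> <status>
# status is "forwarded", "delivered-locally" or "vanished-after-prerouting".
summarize_trace() {
    awk '
    /^trace id / {
        id = $3
        # fields: trace id <id> <family> <table> <chain> ...
        chain = $6
        last[id] = $5 "/" $6
        if (!(id in order)) { order[id] = ++n; ids[n] = id }
        # first "packet:" line carries the addresses as they arrived (pre-NAT)
        if ($0 ~ / packet: / && !(id in saddr)) {
            for (i = 1; i <= NF; i++) {
                if ($i == "saddr" && $(i-1) == "ip") saddr[id] = $(i+1)
                if ($i == "daddr" && $(i-1) == "ip") daddr[id] = $(i+1)
            }
        }
        if ($0 ~ / dnat to /) {
            for (i = 1; i <= NF; i++)
                if ($i == "dnat" && $(i+1) == "to") dnat[id] = $(i+2)
        }
        # any chain on the forward/input hooks means the routing decision was made
        if (chain ~ /FORWARD/) fwd[id] = 1
        if (chain ~ /INPUT/) inp[id] = 1
    }
    END {
        for (k = 1; k <= n; k++) {
            id = ids[k]
            status = "vanished-after-prerouting"
            if (id in fwd) status = "forwarded"
            else if (id in inp) status = "delivered-locally"
            printf "%s %s %s %s %s %s\n", id, saddr[id], daddr[id],
                   (id in dnat ? dnat[id] : "-"), last[id], status
        }
    }'
}

# vanished_ids: only the trace ids that never made it past prerouting.
vanished_ids() {
    summarize_trace | awk '$NF == "vanished-after-prerouting" { print $1 }'
}

# Demo on the constructed sample; for a live host use:  nft monitor trace | summarize_trace
printf '%s\n' "$SAMPLE_TRACE" | summarize_trace
```

A trace that ends in a prerouting-hook chain with no forward or input chain after it points at the routing decision (or at something between prerouting and routing, such as br_netfilter), not at the filter rules, which is exactly the situation in the question.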

Answer 1

From the discussion in chat: https://chat.stackexchange.com/rooms/139576/discussion-on-answer-by-gapsf-no-forward-packet-with-iptables-prerouting-rule

Host A has one interface with two IPs from the same subnet:

B# arp -a
(192.168.123.11) at 52:54:00:b1:8b:eb [ether] on virbr1 
(192.168.123.13) at 52:54:00:17:47:13 [ether] on virbr1
(192.168.123.103) at 52:54:00:b1:8b:eb [ether] on virbr1

The asker wants packets from A's 123.11 that arrive at B's virbr1 123.1 to be forwarded back out through virbr1 to A's 123.103. For some reason the packets from 123.11 disappear after prerouting; according to the trace log the packet enters neither the forward chain nor the input chain.

A (123.11/24 eth0 123.103/24)
   |                   ^
   v                   |
B (virbr1 123.1/24   dnat)

So something happens at the routing decision.

First answer:
Currently you have NAT rules configured with both iptables and nftables. You should not use iptables and nftables at the same time, because it leads to unpredictable results. Use one tool. If you use firewalld and its backend is nftables, stick with nftables and flush all iptables rules.

https://unix.stackexchange.com/a/596497/153329
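
The answer's point about mixing tools is visible in the ruleset: the iptables-nft tables (ip raw, ip mangle, ip nat, ip filter) and the native inet firewalld table each register their own base chains on the same hooks, and the kernel runs them in ascending priority order regardless of which tool created them. The script below is an added example (not from the question or the answer) that parses an "nft list ruleset" dump and prints every base chain in evaluation order, resolving named priorities such as "dstnat + 10" to numbers. SAMPLE_RULESET is a constructed, abridged copy of the question's ruleset (rule bodies removed). Its prerouting output matches the order seen in the question's trace: raw (-300), firewalld mangle (-140), ip nat (-100), firewalld filter (+10); firewalld's nat_PREROUTING (-90) does not appear in the trace because, once a nat chain has set up the DNAT mapping for a new connection, the remaining nat chains on that hook are not consulted for it.

```shell
#!/bin/sh
# Added example: list every base chain of an "nft list ruleset" dump in the
# order the kernel evaluates them (per hook, ascending priority), so that
# chains created by iptables-nft and by native nftables can be compared.
# SAMPLE_RULESET is a constructed, abridged copy of the question's ruleset.

SAMPLE_RULESET='table ip filter {
    chain INPUT {
        type filter hook input priority filter; policy accept;
    }
    chain FORWARD {
        type filter hook forward priority filter; policy accept;
    }
}
table ip nat {
    chain PREROUTING {
        type nat hook prerouting priority dstnat; policy accept;
    }
    chain POSTROUTING {
        type nat hook postrouting priority srcnat; policy accept;
    }
}
table inet firewalld {
    chain mangle_PREROUTING {
        type filter hook prerouting priority mangle + 10; policy accept;
    }
    chain nat_PREROUTING {
        type nat hook prerouting priority dstnat + 10; policy accept;
    }
    chain nat_POSTROUTING {
        type nat hook postrouting priority srcnat + 10; policy accept;
    }
    chain filter_PREROUTING {
        type filter hook prerouting priority filter + 10; policy accept;
    }
    chain filter_INPUT {
        type filter hook input priority filter + 10; policy accept;
    }
    chain filter_FORWARD {
        type filter hook forward priority filter + 10; policy accept;
    }
}
table ip raw {
    chain PREROUTING {
        type filter hook prerouting priority raw; policy accept;
    }
}
table ip mangle {
    chain FORWARD {
        type filter hook forward priority mangle; policy accept;
    }
}'

# hook_order: reads a ruleset on stdin and prints
#   <hook> <priority> <family> <table> <chain> <type>
# sorted by hook name, then numeric priority (= evaluation order).
hook_order() {
    awk '
    BEGIN {
        # standard nftables priority names for the ip/ip6/inet families
        named["raw"] = -300; named["mangle"] = -150; named["dstnat"] = -100
        named["filter"] = 0; named["security"] = 50; named["srcnat"] = 100
    }
    $1 == "table" { fam = $2; tbl = $3 }
    $1 == "chain" { ch = $2 }
    # "type <type> hook <hook> priority <base>[ +|- <n>]; policy ...;"
    $1 == "type" && $3 == "hook" && $5 == "priority" {
        base = $6; sub(/;$/, "", base)
        prio = (base ~ /^-?[0-9]+$/) ? base + 0 : named[base]
        if ($7 == "+" || $7 == "-") {
            off = $8; sub(/;$/, "", off)
            prio += ($7 == "+") ? off : -off
        }
        printf "%s %d %s %s %s %s\n", $4, prio, fam, tbl, ch, $2
    }' | sort -k1,1 -k2,2n
}

# Demo on the constructed sample; on a live host:  nft list ruleset | hook_order
printf '%s\n' "$SAMPLE_RULESET" | hook_order
```

Two nat chains on the same hook (here ip nat PREROUTING at -100 and firewalld nat_PREROUTING at -90) are the concrete form of the "unpredictable results" the answer warns about: which one gets to create the mapping depends only on priority, not on which tool you last edited.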

Answer 2

It turned out that what worked for me was to stop bridged packets from traversing the iptables rules. This can be done by setting sysctl flags:

sysctl -w net.bridge.bridge-nf-call-iptables=0
sysctl -w net.bridge.bridge-nf-call-ip6tables=0
sysctl -w net.bridge.bridge-nf-call-arptables=0
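
Two things are worth checking before and after applying the answer's sysctls. First, the net.bridge.* keys exist only while the br_netfilter module is loaded; if the directory is missing, bridged frames are already not passing through the IP netfilter hooks, and a sysctl.d fragment written for these keys will fail to apply at boot if the module is loaded later. Second, with bridge-nf-call-iptables=0, frames that are bridged between ports of virbr1 (VM to VM on the same bridge) are no longer seen by the host's iptables/nftables FORWARD chains at all; only traffic that is routed through the host is filtered, so the firewalld forward policy stops applying to that inter-VM traffic. The script below is an added example (not part of the answer) that reports the current state of the three knobs and prints a persistent sysctl.d fragment. PROC_SYS defaults to /proc/sys and is overridable so the function can be exercised against a constructed fixture directory; that override and make_fixture are assumptions of this example, not part of any tool.

```shell
#!/bin/sh
# Added example: report the br_netfilter knobs that decide whether bridged
# frames are handed to the IPv4/IPv6/ARP netfilter hooks, and emit the
# persistent sysctl.d fragment for the value chosen in the answer above.
# PROC_SYS is an assumed override (default /proc/sys) used for offline testing.

: "${PROC_SYS:=/proc/sys}"

BRIDGE_NF_KEYS="bridge-nf-call-iptables bridge-nf-call-ip6tables bridge-nf-call-arptables"

# bridge_nf_state: prints "net.bridge.<key>=<value>" for the three knobs,
# or "br_netfilter not loaded" (exit 1) when net/bridge is absent: the keys
# only exist while the br_netfilter module is loaded, and without it bridged
# frames do not traverse iptables/nftables at all.
bridge_nf_state() {
    dir="$PROC_SYS/net/bridge"
    if [ ! -d "$dir" ]; then
        echo "br_netfilter not loaded"
        return 1
    fi
    for k in $BRIDGE_NF_KEYS; do
        if [ -r "$dir/$k" ]; then
            printf 'net.bridge.%s=%s\n' "$k" "$(cat "$dir/$k")"
        else
            printf 'net.bridge.%s=missing\n' "$k"
        fi
    done
}

# bridge_nf_fragment VALUE: contents for an /etc/sysctl.d/*.conf file that
# makes the setting survive reboots (the answer uses 0). The module must be
# loaded before sysctl --system runs, or the keys will not exist yet.
bridge_nf_fragment() {
    v="${1:-0}"
    printf '%s\n' \
        "# br_netfilter: $v disables, 1 enables netfilter for bridged frames" \
        "net.bridge.bridge-nf-call-iptables=$v" \
        "net.bridge.bridge-nf-call-ip6tables=$v" \
        "net.bridge.bridge-nf-call-arptables=$v"
}

# make_fixture DIR VALUE: constructed stand-in for /proc/sys (testing only).
make_fixture() {
    mkdir -p "$1/net/bridge"
    for k in $BRIDGE_NF_KEYS; do
        echo "$2" > "$1/net/bridge/$k"
    done
}

# Demo against the live kernel when run directly:
bridge_nf_state || true
```

Run bridge_nf_state before and after the three sysctl -w commands to confirm the change actually took (a "missing" or "not loaded" result means the commands had nothing to change), and pair the fragment with a modules-load.d entry for br_netfilter if your distribution does not load the module on its own.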
