tcpdump with SNAT configured shows a private IP on ICMP replies

Problem: tcpdump ICMP replies inexplicably carry a private address. I expected them to carry the public address.

[router.box(1.2.3.4)]$ tcpdump -n -i br1 icmp
10:42:21.689215 IP 1.2.3.4 > 8.8.8.8: ICMP echo request, id 2935, seq 1, length 64
10:42:21.696828 IP 8.8.8.8 > 10.0.0.1: ICMP echo reply, id 2935, seq 1, length 64

I have configured my Linux box to SNAT packets leaving the bridge interface br1:

[router.box(1.2.3.4)]$ iptables -t nat -L -n -v
Chain POSTROUTING (policy ACCEPT 75970 packets, 4560K bytes)
 pkts bytes target     prot opt in     out     source               destination                   
   62  3816 SNAT       all  --  *      br1     0.0.0.0/0            0.0.0.0/0            to:1.2.3.4

The outgoing ICMP packets correctly have their source address changed from 10.0.0.1 to 1.2.3.4, but the ICMP reply packets show up already translated to the private address (10.0.0.1):

[local.box(10.0.0.1)]$ ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=112 time=8.06 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=112 time=7.97 ms
[router.box(1.2.3.4)]$ tcpdump -n -i br1 icmp
10:42:21.689215 IP 1.2.3.4 > 8.8.8.8: ICMP echo request, id 2935, seq 1, length 64
10:42:21.696828 IP 8.8.8.8 > 10.0.0.1: ICMP echo reply, id 2935, seq 1, length 64

My network configuration is as follows:

[router.box(1.2.3.4)]$ ip a
3: eno2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master br1 state UP group default qlen 1000
36: br1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
  inet 1.2.3.4/26 ...
36: br3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
  inet 10.0.0.2/24 ...
[router.box(1.2.3.4)]$ ip route
default via <gateway address> dev br1
10.0.0.1/24 dev br3 proto kernel scope link src 10.0.0.2
[local.box(10.0.0.1)]$ ip a
36: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
  inet 10.0.0.1/24 ...
[local.box(10.0.0.1)]$ ip route
default via 10.0.0.2 dev eno1

Am I misunderstanding where tcpdump picks up packets? Is it after the address has been translated back to the original source address?

Edit:
It looks like tcpdump on the physical interface (eno2) produces the expected result:

[router.box(1.2.3.4)]$ sudo tcpdump -n -i eno2 icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eno2, link-type EN10MB (Ethernet), capture size 262144 bytes
13:33:49.331086 IP 1.2.3.4 > 8.8.8.8: ICMP echo request, id 3011, seq 1, length 64
13:33:49.338641 IP 8.8.8.8 > 1.2.3.4: ICMP echo reply, id 3011, seq 1, length 64

So is SNAT applied after entering the physical interface (eno2) and before the bridge interface (br1)?

Answer 1

This is normal behaviour. If you want to see both the pre-NAT and post-NAT IPs, replace the interface with "any":

sudo tcpdump -eni any icmp
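The two captures in the question differ only in where tcpdump is attached: on the physical port eno2 the reply is still addressed to the public 1.2.3.4, while on the bridge device br1 it already carries the translated private 10.0.0.1. A quick way to tell which view a capture file gives you is to pair each echo request with its reply on the ICMP id and compare the request's source with the reply's destination. The script below is an added example, not code from the question or the answer; the sample capture lines are constructed to mirror the question's output (plus one line in the `-e` link-layer format the answer's command produces), and the parser locates the IP pair by the last `>` token so that it works for both formats. Exact `-i any` output varies by tcpdump version, so treat the `-e` sample as illustrative.

```shell
#!/bin/sh
# Added example (not from the original post): pair ICMP echo requests with
# their replies in tcpdump output and report whether the capture point sees
# the same host address in both directions.
#
# Verdicts:
#   symmetric  - request src == reply dst (e.g. the eno2 capture: both 1.2.3.4)
#   asymmetric - request src != reply dst (e.g. the br1 capture: 1.2.3.4 vs
#                10.0.0.1, i.e. the reply is seen after reverse NAT)
#   unanswered - request with no reply of the same id in the capture

# Constructed samples mirroring the question's captures.
BR1_CAPTURE='10:42:21.689215 IP 1.2.3.4 > 8.8.8.8: ICMP echo request, id 2935, seq 1, length 64
10:42:21.696828 IP 8.8.8.8 > 10.0.0.1: ICMP echo reply, id 2935, seq 1, length 64'

ENO2_CAPTURE='13:33:49.331086 IP 1.2.3.4 > 8.8.8.8: ICMP echo request, id 3011, seq 1, length 64
13:33:49.338641 IP 8.8.8.8 > 1.2.3.4: ICMP echo reply, id 3011, seq 1, length 64'

# Constructed sample in the "-e" (link-layer header) format; MAC addresses are
# placeholders. Note the extra ">" between the MACs, which the parser skips.
ETH_E_CAPTURE='13:33:49.331086 aa:bb:cc:dd:ee:01 > aa:bb:cc:dd:ee:02, ethertype IPv4 (0x0800), length 98: 1.2.3.4 > 8.8.8.8: ICMP echo request, id 4000, seq 1, length 64
13:33:49.338641 aa:bb:cc:dd:ee:02 > aa:bb:cc:dd:ee:01, ethertype IPv4 (0x0800), length 98: 8.8.8.8 > 1.2.3.4: ICMP echo reply, id 4000, seq 1, length 64'

# icmp_pairs: read tcpdump lines on stdin; print "<id> <req_src> <reply_dst> <verdict>".
icmp_pairs() {
    awk '
    {
        src = ""; dst = ""; id = ""
        # Take the LAST ">" token: with -e the first one separates MAC addresses.
        for (i = 2; i < NF; i++) if ($i == ">") { src = $(i - 1); dst = $(i + 1) }
        for (i = 1; i < NF; i++) if ($i == "id") { id = $(i + 1); break }
        sub(/:$/, "", dst)   # "8.8.8.8:" -> "8.8.8.8"
        sub(/,$/, "", id)    # "2935,"   -> "2935"
    }
    /ICMP echo request/ && id != "" { req_src[id] = src }
    /ICMP echo reply/   && id != "" { reply_dst[id] = dst }
    END {
        for (id in req_src) {
            if (!(id in reply_dst))                verdict = "unanswered"
            else if (req_src[id] == reply_dst[id]) verdict = "symmetric"
            else                                   verdict = "asymmetric"
            printf "%s %s %s %s\n", id, req_src[id], reply_dst[id], verdict
        }
    }'
}

# verdict_for: print only the verdict word(s) for a capture passed as a string.
verdict_for() {
    printf '%s\n' "$1" | icmp_pairs | awk '{ print $NF }'
}

# Usage with the constructed samples (or: tcpdump -n -i br1 icmp | icmp_pairs).
printf '%s\n' "$BR1_CAPTURE"  | icmp_pairs
printf '%s\n' "$ENO2_CAPTURE" | icmp_pairs
```

An "asymmetric" result on the NAT box itself is the normal signature of a capture taken where the reply has already been mapped back to the internal host, which is what the question's br1 capture shows; it is not evidence that the SNAT rule is misbehaving. Running the same pairing over a `-i any` capture lets you see both views side by side.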
