为什么 iptables 不应用相同的规则?

tag-icon tag-icon networking iptables netfilter strongswan
为什么 iptables 不应用相同的规则?

由于某种原因,我的网络遇到“目的地不可达,无路由”错误,这个错误定期发生,后来我发现这是我的程序的一个错误。

但在这期间,我发现了一个奇怪的问题:如果我在网络正常的情况下开始ping,那么即使网络出现路由问题,ping仍然可以继续工作。我使用 iptables 跟踪,发现 ping 进程运行时应用了这些 iptables 规则:

raw:PREROUTING:policy:2
nat:PREROUTING:policy:1
filter:FORWARD:rule:1
filter:FABEDGE-FORWARD:rule:1
nat:POSTROUTING:rule:1
nat:FABEDGE-NAT-OUTGOING:rule:2
nat:POSTROUTING:policy:2
raw:PREROUTING:policy:2
filter:FORWARD:rule:1
filter:FABEDGE-FORWARD:rule:1
raw:PREROUTING:policy:2
filter:FORWARD:rule:1
filter:FABEDGE-FORWARD:rule:1
raw:PREROUTING:policy:2
filter:FORWARD:rule:1
filter:FABEDGE-FORWARD:rule:1

如您所见,当处理第一个 ICMP6 数据包时,将应用这些规则:

raw:PREROUTING:policy:2
nat:PREROUTING:policy:1
filter:FORWARD:rule:1
filter:FABEDGE-FORWARD:rule:1
nat:POSTROUTING:rule:1
nat:FABEDGE-NAT-OUTGOING:rule:2
nat:POSTROUTING:policy:2

以下 ICMP6 数据包使用不同的规则进行处理:

raw:PREROUTING:policy:2
filter:FORWARD:rule:1
filter:FABEDGE-FORWARD:rule:1

看起来所有 nat 表规则都被跳过,我不知道为什么会发生这种情况。每个 ICMP6 数据包不应该经历相同的规则吗?

我应该提到的是,这些数据包将通过由 Strongswan 进程创建的 VPN 隧道,我认为这不会影响 iptables。

这些是我的 iptables 规则:

ip6tables -t raw -S
-P PREROUTING ACCEPT
-P OUTPUT ACCEPT
-A PREROUTING -s fd96:ee88:2:2::/64 -j TRACE

[root@edge1 ~]# ip6tables  -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N FABEDGE-FORWARD
-A FORWARD -j FABEDGE-FORWARD
-A FABEDGE-FORWARD -s fd96:ee88:2:2::/64 -j ACCEPT
-A FABEDGE-FORWARD -d fd96:ee88:2:2::/64 -j ACCEPT

ip6tables -t nat -S
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-N FABEDGE-NAT-OUTGOING
-A POSTROUTING -j FABEDGE-NAT-OUTGOING
-A FABEDGE-NAT-OUTGOING -m set --match-set FABEDGE-LOOP-BACK6 dst,dst,src -j MASQUERADE
-A FABEDGE-NAT-OUTGOING -s fd96:ee88:2:2::/64 -m set --match-set FABEDGE-PEER-CIDR6 dst -j RETURN
-A FABEDGE-NAT-OUTGOING -s fd96:ee88:2:2::/64 -d fd96:ee88:2:2::/64 -j RETURN
-A FABEDGE-NAT-OUTGOING -s fd96:ee88:2:2::/64 -j MASQUERADE

更详细的 iptables 跟踪:

[505397.327144] TRACE: raw:PREROUTING:policy:2 IN=br-fabedge OUT= PHYSIN=veth74551420 MAC=ce:3f:04:b1:31:31:ee:13:75:3e:4c:14:86:dd SRC=fd96:ee88:0002:0002:0000:0000:0000:000e DST=fd96:ee88:0000:0001:0000:0000:0000:0025 LEN=104 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=ICMPv6 TYPE=128 CODE=0 ID=3889 SEQ=1
[505397.327183] TRACE: nat:PREROUTING:policy:1 IN=br-fabedge OUT= PHYSIN=veth74551420 MAC=ce:3f:04:b1:31:31:ee:13:75:3e:4c:14:86:dd SRC=fd96:ee88:0002:0002:0000:0000:0000:000e DST=fd96:ee88:0000:0001:0000:0000:0000:0025 LEN=104 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=ICMPv6 TYPE=128 CODE=0 ID=3889 SEQ=1
[505397.327207] TRACE: filter:FORWARD:rule:1 IN=br-fabedge OUT=eth0 PHYSIN=veth74551420 MAC=ce:3f:04:b1:31:31:ee:13:75:3e:4c:14:86:dd SRC=fd96:ee88:0002:0002:0000:0000:0000:000e DST=fd96:ee88:0000:0001:0000:0000:0000:0025 LEN=104 TC=0 HOPLIMIT=63 FLOWLBL=0 PROTO=ICMPv6 TYPE=128 CODE=0 ID=3889 SEQ=1
[505397.327215] TRACE: filter:FABEDGE-FORWARD:rule:1 IN=br-fabedge OUT=eth0 PHYSIN=veth74551420 MAC=ce:3f:04:b1:31:31:ee:13:75:3e:4c:14:86:dd SRC=fd96:ee88:0002:0002:0000:0000:0000:000e DST=fd96:ee88:0000:0001:0000:0000:0000:0025 LEN=104 TC=0 HOPLIMIT=63 FLOWLBL=0 PROTO=ICMPv6 TYPE=128 CODE=0 ID=3889 SEQ=1
[505397.327223] TRACE: nat:POSTROUTING:rule:1 IN= OUT=eth0 PHYSIN=veth74551420 SRC=fd96:ee88:0002:0002:0000:0000:0000:000e DST=fd96:ee88:0000:0001:0000:0000:0000:0025 LEN=104 TC=0 HOPLIMIT=63 FLOWLBL=0 PROTO=ICMPv6 TYPE=128 CODE=0 ID=3889 SEQ=1
[505397.327241] TRACE: nat:FABEDGE-NAT-OUTGOING:rule:2 IN= OUT=eth0 PHYSIN=veth74551420 SRC=fd96:ee88:0002:0002:0000:0000:0000:000e DST=fd96:ee88:0000:0001:0000:0000:0000:0025 LEN=104 TC=0 HOPLIMIT=63 FLOWLBL=0 PROTO=ICMPv6 TYPE=128 CODE=0 ID=3889 SEQ=1
[505397.327246] TRACE: nat:POSTROUTING:policy:2 IN= OUT=eth0 PHYSIN=veth74551420 SRC=fd96:ee88:0002:0002:0000:0000:0000:000e DST=fd96:ee88:0000:0001:0000:0000:0000:0025 LEN=104 TC=0 HOPLIMIT=63 FLOWLBL=0 PROTO=ICMPv6 TYPE=128 CODE=0 ID=3889 SEQ=1
[505398.328257] TRACE: raw:PREROUTING:policy:2 IN=br-fabedge OUT= PHYSIN=veth74551420 MAC=ce:3f:04:b1:31:31:ee:13:75:3e:4c:14:86:dd SRC=fd96:ee88:0002:0002:0000:0000:0000:000e DST=fd96:ee88:0000:0001:0000:0000:0000:0025 LEN=104 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=ICMPv6 TYPE=128 CODE=0 ID=3889 SEQ=2
[505398.328290] TRACE: filter:FORWARD:rule:1 IN=br-fabedge OUT=eth0 PHYSIN=veth74551420 MAC=ce:3f:04:b1:31:31:ee:13:75:3e:4c:14:86:dd SRC=fd96:ee88:0002:0002:0000:0000:0000:000e DST=fd96:ee88:0000:0001:0000:0000:0000:0025 LEN=104 TC=0 HOPLIMIT=63 FLOWLBL=0 PROTO=ICMPv6 TYPE=128 CODE=0 ID=3889 SEQ=2
[505398.328299] TRACE: filter:FABEDGE-FORWARD:rule:1 IN=br-fabedge OUT=eth0 PHYSIN=veth74551420 MAC=ce:3f:04:b1:31:31:ee:13:75:3e:4c:14:86:dd SRC=fd96:ee88:0002:0002:0000:0000:0000:000e DST=fd96:ee88:0000:0001:0000:0000:0000:0025 LEN=104 TC=0 HOPLIMIT=63 FLOWLBL=0 PROTO=ICMPv6 TYPE=128 CODE=0 ID=3889 SEQ=2
[505399.329386] TRACE: raw:PREROUTING:policy:2 IN=br-fabedge OUT= PHYSIN=veth74551420 MAC=ce:3f:04:b1:31:31:ee:13:75:3e:4c:14:86:dd SRC=fd96:ee88:0002:0002:0000:0000:0000:000e DST=fd96:ee88:0000:0001:0000:0000:0000:0025 LEN=104 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=ICMPv6 TYPE=128 CODE=0 ID=3889 SEQ=3
[505399.329431] TRACE: filter:FORWARD:rule:1 IN=br-fabedge OUT=eth0 PHYSIN=veth74551420 MAC=ce:3f:04:b1:31:31:ee:13:75:3e:4c:14:86:dd SRC=fd96:ee88:0002:0002:0000:0000:0000:000e DST=fd96:ee88:0000:0001:0000:0000:0000:0025 LEN=104 TC=0 HOPLIMIT=63 FLOWLBL=0 PROTO=ICMPv6 TYPE=128 CODE=0 ID=3889 SEQ=3
[505399.329440] TRACE: filter:FABEDGE-FORWARD:rule:1 IN=br-fabedge OUT=eth0 PHYSIN=veth74551420 MAC=ce:3f:04:b1:31:31:ee:13:75:3e:4c:14:86:dd SRC=fd96:ee88:0002:0002:0000:0000:0000:000e DST=fd96:ee88:0000:0001:0000:0000:0000:0025 LEN=104 TC=0 HOPLIMIT=63 FLOWLBL=0 PROTO=ICMPv6 TYPE=128 CODE=0 ID=3889 SEQ=3
[505400.329280] TRACE: raw:PREROUTING:policy:2 IN=br-fabedge OUT= PHYSIN=veth74551420 MAC=ce:3f:04:b1:31:31:ee:13:75:3e:4c:14:86:dd SRC=fd96:ee88:0002:0002:0000:0000:0000:000e DST=fd96:ee88:0000:0001:0000:0000:0000:0025 LEN=104 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=ICMPv6 TYPE=128 CODE=0 ID=3889 SEQ=4
[505400.329315] TRACE: filter:FORWARD:rule:1 IN=br-fabedge OUT=eth0 PHYSIN=veth74551420 MAC=ce:3f:04:b1:31:31:ee:13:75:3e:4c:14:86:dd SRC=fd96:ee88:0002:0002:0000:0000:0000:000e DST=fd96:ee88:0000:0001:0000:0000:0000:0025 LEN=104 TC=0 HOPLIMIT=63 FLOWLBL=0 PROTO=ICMPv6 TYPE=128 CODE=0 ID=3889 SEQ=4
[505400.329324] TRACE: filter:FABEDGE-FORWARD:rule:1 IN=br-fabedge OUT=eth0 PHYSIN=veth74551420 MAC=ce:3f:04:b1:31:31:ee:13:75:3e:4c:14:86:dd SRC=fd96:ee88:0002:0002:0000:0000:0000:000e DST=fd96:ee88:0000:0001:0000:0000:0000:0025 LEN=104 TC=0 HOPLIMIT=63 FLOWLBL=0 PROTO=ICMPv6 TYPE=128 CODE=0 ID=3889 SEQ=4

答案1

根据这个问题,nat 规则似乎仅适用于初始数据包:https://serverfault.com/questions/741104/iptables-redirect-works-only-for-first-packet

这是另一个解释

nat链类型允许您执行NAT。这种链类型具有特殊的语义:

流的第一个数据包用于查找为该流设置 NAT 绑定的匹配规则。这也会相应​​地操作第一个数据包。

流中的后续数据包不会进行规则查找:NAT 引擎使用第一个数据包已设置的 NAT 绑定信息来执行数据包操作。

相关内容