I am using iptables tracing to debug a problem, but I noticed that the outgoing traffic does not pass through nat POSTROUTING:
[18101.430307] TRACE: raw:PREROUTING:policy:4 IN=ens3 OUT= SRC=10.22.48.33 DST=10.233.75.36 ID=10084 PROTO=TCP SPT=48690 DPT=3030 SYN
[18101.430360] TRACE: mangle:PREROUTING:rule:1 IN=ens3 OUT= SRC=10.22.48.33 DST=10.233.75.36 ID=10084 PROTO=TCP SPT=48690 DPT=3030 SYN
[18101.430370] TRACE: mangle:cali-PREROUTING:rule:3 IN=ens3 OUT= SRC=10.22.48.33 DST=10.233.75.36 ID=10084 PROTO=TCP SPT=48690 DPT=3030 SYN
[18101.430377] TRACE: mangle:cali-from-host-endpoint:return:1 IN=ens3 OUT= SRC=10.22.48.33 DST=10.233.75.36 ID=10084 PROTO=TCP SPT=48690 DPT=3030 SYN
[18101.430383] TRACE: mangle:cali-PREROUTING:return:5 IN=ens3 OUT= SRC=10.22.48.33 DST=10.233.75.36 ID=10084 PROTO=TCP SPT=48690 DPT=3030 SYN
[18101.430390] TRACE: mangle:PREROUTING:policy:2 IN=ens3 OUT= SRC=10.22.48.33 DST=10.233.75.36 ID=10084 PROTO=TCP SPT=48690 DPT=3030 SYN
[18101.430398] TRACE: nat:PREROUTING:rule:1 IN=ens3 OUT= SRC=10.22.48.33 DST=10.233.75.36 ID=10084 PROTO=TCP SPT=48690 DPT=3030 SYN
[18101.430419] TRACE: nat:cali-PREROUTING:rule:1 IN=ens3 OUT= SRC=10.22.48.33 DST=10.233.75.36 ID=10084 PROTO=TCP SPT=48690 DPT=3030 SYN
[18101.430427] TRACE: nat:cali-fip-dnat:return:1 IN=ens3 OUT= SRC=10.22.48.33 DST=10.233.75.36 ID=10084 PROTO=TCP SPT=48690 DPT=3030 SYN
[18101.430436] TRACE: nat:cali-PREROUTING:return:2 IN=ens3 OUT= SRC=10.22.48.33 DST=10.233.75.36 ID=10084 PROTO=TCP SPT=48690 DPT=3030 SYN
[18101.430442] TRACE: nat:PREROUTING:rule:2 IN=ens3 OUT= SRC=10.22.48.33 DST=10.233.75.36 ID=10084 PROTO=TCP SPT=48690 DPT=3030 SYN
[18101.430453] TRACE: nat:KUBE-SERVICES:return:18 IN=ens3 OUT= SRC=10.22.48.33 DST=10.233.75.36 ID=10084 PROTO=TCP SPT=48690 DPT=3030 SYN
[18101.430459] TRACE: nat:PREROUTING:policy:4 IN=ens3 OUT= SRC=10.22.48.33 DST=10.233.75.36 ID=10084 PROTO=TCP SPT=48690 DPT=3030 SYN
[18101.430482] TRACE: mangle:FORWARD:policy:1 IN=ens3 OUT=cali77ae8ddeb6a SRC=10.22.48.33 DST=10.233.75.36 ID=10084 PROTO=TCP SPT=48690 DPT=3030 SYN
[18101.430489] TRACE: filter:FORWARD:rule:1 IN=ens3 OUT=cali77ae8ddeb6a SRC=10.22.48.33 DST=10.233.75.36 ID=10084 PROTO=TCP SPT=48690 DPT=3030 SYN
[18101.430498] TRACE: filter:cali-FORWARD:rule:1 IN=ens3 OUT=cali77ae8ddeb6a SRC=10.22.48.33 DST=10.233.75.36 ID=10084 PROTO=TCP SPT=48690 DPT=3030 SYN
[18101.430505] TRACE: filter:cali-FORWARD:rule:2 IN=ens3 OUT=cali77ae8ddeb6a SRC=10.22.48.33 DST=10.233.75.36 ID=10084 PROTO=TCP SPT=48690 DPT=3030 SYN
[18101.430513] TRACE: filter:cali-from-hep-forward:return:1 IN=ens3 OUT=cali77ae8ddeb6a SRC=10.22.48.33 DST=10.233.75.36 ID=10084 PROTO=TCP SPT=48690 DPT=3030 SYN
[18101.430520] TRACE: filter:cali-FORWARD:rule:4 IN=ens3 OUT=cali77ae8ddeb6a SRC=10.22.48.33 DST=10.233.75.36 ID=10084 PROTO=TCP SPT=48690 DPT=3030 SYN
[18101.430536] TRACE: filter:cali-to-wl-dispatch:rule:3 IN=ens3 OUT=cali77ae8ddeb6a SRC=10.22.48.33 DST=10.233.75.36 ID=10084 PROTO=TCP SPT=48690 DPT=3030 SYN
[18101.430546] TRACE: filter:cali-tw-cali77ae8ddeb6a:rule:3 IN=ens3 OUT=cali77ae8ddeb6a SRC=10.22.48.33 DST=10.233.75.36 ID=10084 PROTO=TCP SPT=48690 DPT=3030 SYN
[18101.430554] TRACE: filter:cali-tw-cali77ae8ddeb6a:rule:4 IN=ens3 OUT=cali77ae8ddeb6a SRC=10.22.48.33 DST=10.233.75.36 ID=10084 PROTO=TCP SPT=48690 DPT=3030 SYN
[18101.430561] TRACE: filter:cali-pri-kns.fabedge:rule:1 IN=ens3 OUT=cali77ae8ddeb6a SRC=10.22.48.33 DST=10.233.75.36 ID=10084 PROTO=TCP SPT=48690 DPT=3030 SYN
[18101.430569] TRACE: filter:cali-pri-kns.fabedge:rule:2 IN=ens3 OUT=cali77ae8ddeb6a SRC=10.22.48.33 DST=10.233.75.36 ID=10084 PROTO=TCP SPT=48690 DPT=3030 SYN MARK=0x10000
[18101.430577] TRACE: filter:cali-tw-cali77ae8ddeb6a:rule:5 IN=ens3 OUT=cali77ae8ddeb6a SRC=10.22.48.33 DST=10.233.75.36 ID=10084 PROTO=TCP SPT=48690 DPT=3030 SYN MARK=0x10000
[18101.430583] TRACE: filter:cali-FORWARD:rule:5 IN=ens3 OUT=cali77ae8ddeb6a SRC=10.22.48.33 DST=10.233.75.36 ID=10084 PROTO=TCP SPT=48690 DPT=3030 SYN MARK=0x10000
[18101.430591] TRACE: filter:cali-to-hep-forward:return:1 IN=ens3 OUT=cali77ae8ddeb6a SRC=10.22.48.33 DST=10.233.75.36 ID=10084 PROTO=TCP SPT=48690 DPT=3030 SYN MARK=0x10000
[18101.430598] TRACE: filter:cali-FORWARD:rule:6 IN=ens3 OUT=cali77ae8ddeb6a SRC=10.22.48.33 DST=10.233.75.36 ID=10084 PROTO=TCP SPT=48690 DPT=3030 SYN MARK=0x10000
[18101.430604] TRACE: filter:cali-cidr-block:return:1 IN=ens3 OUT=cali77ae8ddeb6a SRC=10.22.48.33 DST=10.233.75.36 ID=10084 PROTO=TCP SPT=48690 DPT=3030 SYN MARK=0x10000
[18101.430611] TRACE: filter:cali-FORWARD:return:7 IN=ens3 OUT=cali77ae8ddeb6a SRC=10.22.48.33 DST=10.233.75.36 ID=10084 PROTO=TCP SPT=48690 DPT=3030 SYN MARK=0x10000
[18101.430617] TRACE: filter:FORWARD:rule:2 IN=ens3 OUT=cali77ae8ddeb6a SRC=10.22.48.33 DST=10.233.75.36 ID=10084 PROTO=TCP SPT=48690 DPT=3030 SYN MARK=0x10000
[18101.430624] TRACE: filter:KUBE-FORWARD:return:5 IN=ens3 OUT=cali77ae8ddeb6a SRC=10.22.48.33 DST=10.233.75.36 ID=10084 PROTO=TCP SPT=48690 DPT=3030 SYN MARK=0x10000
[18101.430630] TRACE: filter:FORWARD:rule:3 IN=ens3 OUT=cali77ae8ddeb6a SRC=10.22.48.33 DST=10.233.75.36 ID=10084 PROTO=TCP SPT=48690 DPT=3030 SYN MARK=0x10000
[18101.430636] TRACE: filter:KUBE-SERVICES:return:1 IN=ens3 OUT=cali77ae8ddeb6a SRC=10.22.48.33 DST=10.233.75.36 ID=10084 PROTO=TCP SPT=48690 DPT=3030 SYN MARK=0x10000
[18101.430643] TRACE: filter:FORWARD:rule:4 IN=ens3 OUT=cali77ae8ddeb6a SRC=10.22.48.33 DST=10.233.75.36 ID=10084 PROTO=TCP SPT=48690 DPT=3030 SYN MARK=0x10000
[18101.430649] TRACE: filter:KUBE-EXTERNAL-SERVICES:return:1 IN=ens3 OUT=cali77ae8ddeb6a SRC=10.22.48.33 DST=10.233.75.36 ID=10084 PROTO=TCP SPT=48690 DPT=3030 SYN MARK=0x10000
[18101.430655] TRACE: filter:FORWARD:rule:5 IN=ens3 OUT=cali77ae8ddeb6a SRC=10.22.48.33 DST=10.233.75.36 ID=10084 PROTO=TCP SPT=48690 DPT=3030 SYN MARK=0x10000
[18101.430661] TRACE: filter:DOCKER-USER:return:1 IN=ens3 OUT=cali77ae8ddeb6a SRC=10.22.48.33 DST=10.233.75.36 ID=10084 PROTO=TCP SPT=48690 DPT=3030 SYN MARK=0x10000
[18101.430668] TRACE: filter:FORWARD:rule:6 IN=ens3 OUT=cali77ae8ddeb6a SRC=10.22.48.33 DST=10.233.75.36 ID=10084 PROTO=TCP SPT=48690 DPT=3030 SYN MARK=0x10000
[18101.430674] TRACE: filter:DOCKER-ISOLATION-STAGE-1:return:2 IN=ens3 OUT=cali77ae8ddeb6a SRC=10.22.48.33 DST=10.233.75.36 ID=10084 PROTO=TCP SPT=48690 DPT=3030 SYN MARK=0x10000
[18101.430680] TRACE: filter:FORWARD:rule:11 IN=ens3 OUT=cali77ae8ddeb6a SRC=10.22.48.33 DST=10.233.75.36 ID=10084 PROTO=TCP SPT=48690 DPT=3030 SYN MARK=0x10000
[18101.430691] TRACE: filter:FABEDGE-FORWARD:return:4 IN=ens3 OUT=cali77ae8ddeb6a SRC=10.22.48.33 DST=10.233.75.36 ID=10084 PROTO=TCP SPT=48690 DPT=3030 SYN MARK=0x10000
[18101.430698] TRACE: filter:FORWARD:rule:12 IN=ens3 OUT=cali77ae8ddeb6a SRC=10.22.48.33 DST=10.233.75.36 ID=10084 PROTO=TCP SPT=48690 DPT=3030 SYN MARK=0x10000
[18101.430704] TRACE: mangle:POSTROUTING:rule:1 IN= OUT=cali77ae8ddeb6a SRC=10.22.48.33 DST=10.233.75.36 ID=10084 PROTO=TCP SPT=48690 DPT=3030 SYN MARK=0x10000
[18101.430710] TRACE: mangle:cali-POSTROUTING:rule:1 IN= OUT=cali77ae8ddeb6a SRC=10.22.48.33 DST=10.233.75.36 ID=10084 PROTO=TCP SPT=48690 DPT=3030 SYN MARK=0x10000
[18101.430715] TRACE: mangle:POSTROUTING:policy:2 IN= OUT=cali77ae8ddeb6a SRC=10.22.48.33 DST=10.233.75.36 ID=10084 PROTO=TCP SPT=48690 DPT=3030 SYN MARK=0x10000
[18101.430720] TRACE: nat:POSTROUTING:rule:1 IN= OUT=cali77ae8ddeb6a SRC=10.22.48.33 DST=10.233.75.36 ID=10084 PROTO=TCP SPT=48690 DPT=3030 SYN MARK=0x10000
[18101.430728] TRACE: nat:cali-POSTROUTING:rule:1 IN= OUT=cali77ae8ddeb6a SRC=10.22.48.33 DST=10.233.75.36 ID=10084 PROTO=TCP SPT=48690 DPT=3030 SYN MARK=0x10000
[18101.430735] TRACE: nat:cali-fip-snat:return:1 IN= OUT=cali77ae8ddeb6a SRC=10.22.48.33 DST=10.233.75.36 ID=10084 PROTO=TCP SPT=48690 DPT=3030 SYN MARK=0x10000
[18101.430742] TRACE: nat:cali-POSTROUTING:rule:2 IN= OUT=cali77ae8ddeb6a SRC=10.22.48.33 DST=10.233.75.36 ID=10084 PROTO=TCP SPT=48690 DPT=3030 SYN MARK=0x10000
[18101.430751] TRACE: nat:cali-nat-outgoing:return:2 IN= OUT=cali77ae8ddeb6a SRC=10.22.48.33 DST=10.233.75.36 ID=10084 PROTO=TCP SPT=48690 DPT=3030 SYN MARK=0x10000
[18101.430758] TRACE: nat:cali-POSTROUTING:return:4 IN= OUT=cali77ae8ddeb6a SRC=10.22.48.33 DST=10.233.75.36 ID=10084 PROTO=TCP SPT=48690 DPT=3030 SYN MARK=0x10000
[18101.430763] TRACE: nat:POSTROUTING:rule:2 IN= OUT=cali77ae8ddeb6a SRC=10.22.48.33 DST=10.233.75.36 ID=10084 PROTO=TCP SPT=48690 DPT=3030 SYN MARK=0x10000
[18101.430768] TRACE: nat:FABEDGE-POSTROUTING:return:4 IN= OUT=cali77ae8ddeb6a SRC=10.22.48.33 DST=10.233.75.36 ID=10084 PROTO=TCP SPT=48690 DPT=3030 SYN MARK=0x10000
[18101.430773] TRACE: nat:POSTROUTING:rule:3 IN= OUT=cali77ae8ddeb6a SRC=10.22.48.33 DST=10.233.75.36 ID=10084 PROTO=TCP SPT=48690 DPT=3030 SYN MARK=0x10000
[18101.430779] TRACE: nat:KUBE-POSTROUTING:return:1 IN= OUT=cali77ae8ddeb6a SRC=10.22.48.33 DST=10.233.75.36 ID=10084 PROTO=TCP SPT=48690 DPT=3030 SYN MARK=0x10000
[18101.430784] TRACE: nat:POSTROUTING:policy:5 IN= OUT=cali77ae8ddeb6a SRC=10.22.48.33 DST=10.233.75.36 ID=10084 PROTO=TCP SPT=48690 DPT=3030 SYN MARK=0x10000
[18101.430854] TRACE: raw:PREROUTING:policy:4 IN=cali77ae8ddeb6a OUT= SRC=10.233.75.36 DST=10.22.48.33 ID=0 PROTO=TCP SPT=3030 DPT=48690 SYN MARK=0x40000
[18101.430862] TRACE: mangle:PREROUTING:rule:1 IN=cali77ae8ddeb6a OUT= SRC=10.233.75.36 DST=10.22.48.33 ID=0 PROTO=TCP SPT=3030 DPT=48690 SYN MARK=0x40000
[18101.430868] TRACE: mangle:cali-PREROUTING:rule:1 IN=cali77ae8ddeb6a OUT= SRC=10.233.75.36 DST=10.22.48.33 ID=0 PROTO=TCP SPT=3030 DPT=48690 SYN MARK=0x40000
[18101.430876] TRACE: mangle:FORWARD:policy:1 IN=cali77ae8ddeb6a OUT=ens3 SRC=10.233.75.36 DST=10.22.48.33 ID=0 PROTO=TCP SPT=3030 DPT=48690 SYN MARK=0x40000
[18101.430882] TRACE: filter:FORWARD:rule:1 IN=cali77ae8ddeb6a OUT=ens3 SRC=10.233.75.36 DST=10.22.48.33 ID=0 PROTO=TCP SPT=3030 DPT=48690 SYN MARK=0x40000
[18101.430888] TRACE: filter:cali-FORWARD:rule:1 IN=cali77ae8ddeb6a OUT=ens3 SRC=10.233.75.36 DST=10.22.48.33 ID=0 PROTO=TCP SPT=3030 DPT=48690 SYN MARK=0x40000
[18101.430894] TRACE: filter:cali-FORWARD:rule:2 IN=cali77ae8ddeb6a OUT=ens3 SRC=10.233.75.36 DST=10.22.48.33 ID=0 PROTO=TCP SPT=3030 DPT=48690 SYN
[18101.430900] TRACE: filter:cali-from-hep-forward:return:1 IN=cali77ae8ddeb6a OUT=ens3 SRC=10.233.75.36 DST=10.22.48.33 ID=0 PROTO=TCP SPT=3030 DPT=48690 SYN
[18101.430905] TRACE: filter:cali-FORWARD:rule:3 IN=cali77ae8ddeb6a OUT=ens3 SRC=10.233.75.36 DST=10.22.48.33 ID=0 PROTO=TCP SPT=3030 DPT=48690 SYN
[18101.430911] TRACE: filter:cali-from-wl-dispatch:rule:3 IN=cali77ae8ddeb6a OUT=ens3 SRC=10.233.75.36 DST=10.22.48.33 ID=0 PROTO=TCP SPT=3030 DPT=48690 SYN
[18101.430917] TRACE: filter:cali-fw-cali77ae8ddeb6a:rule:1 IN=cali77ae8ddeb6a OUT=ens3 SRC=10.233.75.36 DST=10.22.48.33 ID=0 PROTO=TCP SPT=3030 DPT=48690 SYN
[18101.430922] TRACE: mangle:POSTROUTING:rule:1 IN= OUT=ens3 SRC=10.233.75.36 DST=10.22.48.33 ID=0 PROTO=TCP SPT=3030 DPT=48690 SYN
[18101.430926] TRACE: mangle:cali-POSTROUTING:rule:2 IN= OUT=ens3 SRC=10.233.75.36 DST=10.22.48.33 ID=0 PROTO=TCP SPT=3030 DPT=48690 SYN
[18101.430930] TRACE: mangle:cali-POSTROUTING:return:5 IN= OUT=ens3 SRC=10.233.75.36 DST=10.22.48.33 ID=0 PROTO=TCP SPT=3030 DPT=48690 SYN
[18101.430934] TRACE: mangle:POSTROUTING:policy:2 IN= OUT=ens3 SRC=10.233.75.36 DST=10.22.48.33 ID=0 PROTO=TCP SPT=3030 DPT=48690 SYN
[18102.462024] TRACE: raw:PREROUTING:policy:4 IN=cali77ae8ddeb6a OUT= SRC=10.233.75.36 DST=10.22.48.33 ID=0 PROTO=TCP SPT=3030 DPT=48690 SYN MARK=0x40000
You can see that at the end of the trace, the line "mangle:POSTROUTING:policy:2" is followed directly by "raw:PREROUTING" instead of nat:POSTROUTING. Why?
My trace rules:
-A PREROUTING -p tcp -m tcp --sport 3030 -j TRACE
-A PREROUTING -p tcp -m tcp --dport 3030 -j TRACE
-A OUTPUT -p tcp -m tcp --sport 3030 -j TRACE
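
An added example, not part of the original post: a small Python parser for TRACE lines like those above that splits the log into individual packets and lists the built-in table:chain hooks each one traversed, so packets that never entered the nat table stand out. The sample lines are abbreviated copies of lines from the trace (MARK fields dropped), and the names `hook_paths` and `skipped_nat` are hypothetical.

```python
import re

BUILTIN = {"PREROUTING", "INPUT", "FORWARD", "OUTPUT", "POSTROUTING"}
LINE_RE = re.compile(
    r"TRACE: (?P<table>\w+):(?P<chain>[\w.-]+):(?:rule|return|policy):\d+ "
    r".*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)")

# Sample input: abbreviated lines from the trace (request, reply, retransmitted reply).
REQ = "SRC=10.22.48.33 DST=10.233.75.36 ID=10084 PROTO=TCP SPT=48690 DPT=3030 SYN"
REP = "SRC=10.233.75.36 DST=10.22.48.33 ID=0 PROTO=TCP SPT=3030 DPT=48690 SYN"
SAMPLE = "\n".join([
    f"[18101.430307] TRACE: raw:PREROUTING:policy:4 IN=ens3 OUT= {REQ}",
    f"[18101.430390] TRACE: mangle:PREROUTING:policy:2 IN=ens3 OUT= {REQ}",
    f"[18101.430398] TRACE: nat:PREROUTING:rule:1 IN=ens3 OUT= {REQ}",
    f"[18101.430482] TRACE: mangle:FORWARD:policy:1 IN=ens3 OUT=cali77ae8ddeb6a {REQ}",
    f"[18101.430489] TRACE: filter:FORWARD:rule:1 IN=ens3 OUT=cali77ae8ddeb6a {REQ}",
    f"[18101.430498] TRACE: filter:cali-FORWARD:rule:1 IN=ens3 OUT=cali77ae8ddeb6a {REQ}",
    f"[18101.430704] TRACE: mangle:POSTROUTING:rule:1 IN= OUT=cali77ae8ddeb6a {REQ}",
    f"[18101.430720] TRACE: nat:POSTROUTING:rule:1 IN= OUT=cali77ae8ddeb6a {REQ}",
    f"[18101.430854] TRACE: raw:PREROUTING:policy:4 IN=cali77ae8ddeb6a OUT= {REP}",
    f"[18101.430862] TRACE: mangle:PREROUTING:rule:1 IN=cali77ae8ddeb6a OUT= {REP}",
    f"[18101.430876] TRACE: mangle:FORWARD:policy:1 IN=cali77ae8ddeb6a OUT=ens3 {REP}",
    f"[18101.430882] TRACE: filter:FORWARD:rule:1 IN=cali77ae8ddeb6a OUT=ens3 {REP}",
    f"[18101.430922] TRACE: mangle:POSTROUTING:rule:1 IN= OUT=ens3 {REP}",
    f"[18102.462024] TRACE: raw:PREROUTING:policy:4 IN=cali77ae8ddeb6a OUT= {REP}",
])

def hook_paths(log_text):
    """Return one dict per packet: its flow and the ordered built-in hooks it hit."""
    packets = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["chain"] not in BUILTIN:
            continue  # skip non-TRACE lines and user-defined chains (cali-*, KUBE-*, ...)
        flow = f'{m["src"]}:{m["spt"]} -> {m["dst"]}:{m["dpt"]}'
        hook = f'{m["table"]}:{m["chain"]}'
        cur = packets[-1] if packets else None
        # A new packet starts when the flow changes or traversal restarts at the first hook.
        if (cur is None or cur["flow"] != flow
                or (hook == cur["hooks"][0] and cur["hooks"][-1] != hook)):
            packets.append({"flow": flow, "hooks": [hook]})
        elif cur["hooks"][-1] != hook:
            cur["hooks"].append(hook)
    return packets

def skipped_nat(packet):
    # The nat table is consulted only for the first packet of a conntrack connection.
    return not any(h.startswith("nat:") for h in packet["hooks"])

if __name__ == "__main__":
    for p in hook_paths(SAMPLE):
        print(p["flow"], "| no nat" if skipped_nat(p) else "| nat", "|", " > ".join(p["hooks"]))
```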