Why doesn't my nat iptables rule apply to marked packets?

System: Debian squeeze, Linux server 2.6.32-5-amd64 #1 SMP Tue May 13 16:34:35 UTC 2014 x86_64 GNU/Linux, iptables v1.4.8

lsmod | grep iptable
iptable_security        2176  0
iptable_mangle          2817  1
iptable_filter          2258  0
iptable_raw             1867  0
iptable_nat             4283  1
nf_nat                 13308  2 ipt_REDIRECT,iptable_nat
nf_conntrack_ipv4       9833  3 iptable_nat,nf_nat
nf_conntrack           46391  3 iptable_nat,nf_nat,nf_conntrack_ipv4
ip_tables              13915  5 iptable_security,iptable_mangle,iptable_filter,iptable_raw,iptable_nat
x_tables               12845  11 ipt_REDIRECT,xt_mark,xt_MARK,xt_dscp,xt_DSCP,xt_tcpudp,xt_string,ipt_LOG,ip6_tables,iptable_nat,ip_tables

These are my rules:

iptables -t mangle -A PREROUTING -p tcp -s 192.168.1.2 --dport 80 -m string --algo kmp --string anystring -j LOG --log-prefix anystring1
iptables -t mangle -A PREROUTING -p tcp -s 192.168.1.2 --dport 80 -m string --algo kmp --string anystring -j MARK --set-mark 0x401
iptables -t nat -A PREROUTING -m mark --mark 0x401 -j LOG --log-prefix anystring11
iptables -t nat -A PREROUTING -p tcp -m mark --mark 0x401 -j REDIRECT --to-ports 911
iptables -t mangle -A INPUT -m mark --mark 0x401 -j LOG --log-prefix anystring111

System log:

May 22 10:17:01 server kernel: [51224.137665] anystring1IN=eth0 OUT= MAC=00:1b:b9:a1:b0:da:00:17:e0:78:3b:40:08:00 SRC=192.168.1.2 DST=192.168.1.1 LEN=224 TOS=0x00 PREC=0x00 TTL=62 ID=51913 DF PROTO=TCP SPT=54516 DPT=80 WINDOW=457 RES=0x00 ACK PSH URGP=0
May 22 10:17:01 server kernel: [51224.137692] anystring111IN=eth0 OUT= MAC=00:1b:b9:a1:b0:da:00:17:e0:78:3b:40:08:00 SRC=192.168.1.2 DST=192.168.1.1 LEN=224 TOS=0x00 PREC=0x00 TTL=62 ID=51913 DF PROTO=TCP SPT=54516 DPT=80 WINDOW=457 RES=0x00 ACK PSH URGP=0 MARK=0x401
May 22 10:17:01 server kernel: [51224.140909] anystring1IN=eth0 OUT= MAC=00:1b:b9:a1:b0:da:00:17:e0:78:3b:40:08:00 SRC=192.168.1.2 DST=192.168.1.1 LEN=154 TOS=0x00 PREC=0x00 TTL=62 ID=47231 DF PROTO=TCP SPT=54517 DPT=80 WINDOW=457 RES=0x00 ACK PSH URGP=0
May 22 10:17:01 server kernel: [51224.140934] anystring111IN=eth0 OUT= MAC=00:1b:b9:a1:b0:da:00:17:e0:78:3b:40:08:00 SRC=192.168.1.2 DST=192.168.1.1 LEN=154 TOS=0x00 PREC=0x00 TTL=62 ID=47231 DF PROTO=TCP SPT=54517 DPT=80 WINDOW=457 RES=0x00 ACK PSH URGP=0 MARK=0x401

My tables:

iptables -t nat -L -v

Chain PREROUTING (policy ACCEPT 9485 packets, 604K bytes)

pkts bytes target     prot opt in     out     source               destination
0     0 LOG        all  --  any    any     anywhere             anywhere            mark match 0x401 LOG level warning prefix `anystring11'
0     0 REDIRECT   tcp  --  any    any     anywhere             anywhere            mark match 0x401 redir ports 911

Chain POSTROUTING (policy ACCEPT 12570 packets, 850K bytes)

pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 8009 packets, 564K bytes)

pkts bytes target     prot opt in     out     source               destination

iptables -t mangle -L -v

Chain PREROUTING (policy ACCEPT 339K packets, 101M bytes)

pkts bytes target     prot opt in     out     source               destination
6  1134 LOG        tcp  --  any    any     192.168.1.2      anywhere            tcp dpt:www STRING match "anystring" ALGO name kmp TO 65535 LOG level warning prefix `anystring1'
6  1134 MARK       tcp  --  any    any     192.168.1.2      anywhere            tcp dpt:www STRING match "anystring" ALGO name kmp TO 65535 MARK set 0x401

Chain INPUT (policy ACCEPT 211K packets, 88M bytes)

pkts bytes target     prot opt in     out     source               destination
6  1134 LOG        all  --  any    any     anywhere             anywhere            mark match 0x401 LOG level warning prefix `anystring111'

Chain FORWARD (policy ACCEPT 128K packets, 13M bytes)

pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 192K packets, 139M bytes)

pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 317K packets, 152M bytes)

pkts bytes target     prot opt in     out     source               destination

iptables -t filter -L -v

Chain INPUT (policy ACCEPT 250K packets, 100M bytes)

pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 141K packets, 15M bytes)

pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 229K packets, 157M bytes)

pkts bytes target     prot opt in     out     source               destination

iptables -t raw -L -v

Chain PREROUTING (policy ACCEPT 394K packets, 115M bytes)

pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 234K packets, 158M bytes)

pkts bytes target     prot opt in     out     source               destination

iptables -t security -L -v

Chain INPUT (policy ACCEPT 254K packets, 101M bytes)

pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 141K packets, 15M bytes)

pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 232K packets, 158M bytes)

pkts bytes target     prot opt in     out     source               destination

Answer 1

This seems counterintuitive, but only packets that conntrack does not yet know about traverse the NAT table. That makes trying to NAT based on a string match difficult: by the time the string shows up in a packet, the connection is already established.

In general, using iptables string matching is unwise; you should do something at a higher level to achieve your goal.
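As an added illustration (not code from the question or the answer), the following Python model walks a constructed three-packet client flow through a simplified PREROUTING/INPUT path: conntrack lookup, mangle PREROUTING, nat PREROUTING (consulted only for packets whose connection state is NEW, because the kernel takes the NAT decision on a connection's first packet and stores it in the conntrack entry), then mangle INPUT. The rule logic mirrors the question's five rules; the packet flow, the `NetfilterHost` class and the `count_log_prefixes` helper are assumptions made here for the demonstration. The syslog lines are the ones posted in the question.

```python
import re
from dataclasses import dataclass, field

MARK = 0x401            # mark value used in the question's rules
NEEDLE = b"anystring"   # string the mangle PREROUTING rules look for
CLIENT = "192.168.1.2"  # source address matched by the mangle rules


@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes = b""
    mark: int = 0


@dataclass
class NetfilterHost:
    """Simplified path: conntrack lookup, mangle PREROUTING, nat PREROUTING, mangle INPUT."""
    conntrack: set = field(default_factory=set)
    hits: dict = field(default_factory=lambda: {
        "anystring1": 0,    # mangle PREROUTING LOG (string match)
        "anystring11": 0,   # nat PREROUTING LOG (mark match)
        "anystring111": 0,  # mangle INPUT LOG (mark match)
        "redirect": 0,      # nat PREROUTING REDIRECT
    })

    def conntrack_state(self, pkt):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.conntrack:
            return "ESTABLISHED"
        self.conntrack.add(key)
        return "NEW"

    def mangle_prerouting(self, pkt):
        # -s 192.168.1.2 --dport 80 -m string --string anystring -j LOG / -j MARK
        if pkt.src == CLIENT and pkt.dport == 80 and NEEDLE in pkt.payload:
            self.hits["anystring1"] += 1
            pkt.mark = MARK

    def nat_prerouting(self, pkt):
        # -m mark --mark 0x401 -j LOG / -j REDIRECT --to-ports 911
        if pkt.mark == MARK:
            self.hits["anystring11"] += 1
            self.hits["redirect"] += 1
            pkt.dport = 911

    def mangle_input(self, pkt):
        # -m mark --mark 0x401 -j LOG
        if pkt.mark == MARK:
            self.hits["anystring111"] += 1

    def receive(self, pkt):
        state = self.conntrack_state(pkt)  # conntrack hook runs before mangle in PREROUTING
        self.mangle_prerouting(pkt)
        if state == "NEW":                 # nat table is only consulted for the first packet
            self.nat_prerouting(pkt)
        self.mangle_input(pkt)
        return state


def simulate_flow():
    """Constructed flow: SYN and ACK carry no payload; the string arrives in the third segment."""
    host = NetfilterHost()
    flow = [
        Packet(CLIENT, 54516, "192.168.1.1", 80),
        Packet(CLIENT, 54516, "192.168.1.1", 80),
        Packet(CLIENT, 54516, "192.168.1.1", 80, b"GET /?q=anystring HTTP/1.1\r\n"),
    ]
    states = [host.receive(p) for p in flow]
    # The data segment is marked and logged in mangle, but nat never sees it,
    # so no REDIRECT happens and the destination port is still 80.
    return states, host.hits, flow[-1].dport


# Kernel log lines as posted in the question (two requests, two prefixes each).
SYSLOG = [
    "May 22 10:17:01 server kernel: [51224.137665] anystring1IN=eth0 OUT= SRC=192.168.1.2 DST=192.168.1.1 PROTO=TCP SPT=54516 DPT=80",
    "May 22 10:17:01 server kernel: [51224.137692] anystring111IN=eth0 OUT= SRC=192.168.1.2 DST=192.168.1.1 PROTO=TCP SPT=54516 DPT=80 MARK=0x401",
    "May 22 10:17:01 server kernel: [51224.140909] anystring1IN=eth0 OUT= SRC=192.168.1.2 DST=192.168.1.1 PROTO=TCP SPT=54517 DPT=80",
    "May 22 10:17:01 server kernel: [51224.140934] anystring111IN=eth0 OUT= SRC=192.168.1.2 DST=192.168.1.1 PROTO=TCP SPT=54517 DPT=80 MARK=0x401",
]


def count_log_prefixes(lines):
    """Count LOG prefixes; the prefix is glued to 'IN=' because --log-prefix had no trailing space."""
    counts = {}
    for line in lines:
        m = re.search(r"\] (\S+?)IN=", line)
        if m:
            counts[m.group(1)] = counts.get(m.group(1), 0) + 1
    return counts


if __name__ == "__main__":
    print(simulate_flow())
    print(count_log_prefixes(SYSLOG))
```

Running the model reproduces the counters shown in the question's tables: the mangle PREROUTING and mangle INPUT rules fire for the data segment, while both nat PREROUTING rules stay at zero, and the log parser finds `anystring1` and `anystring111` but never `anystring11`. A second practical point the parser makes visible is that `--log-prefix` should end with a space (for example `"anystring1 "`) so the prefix is not fused to `IN=` in the log.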
