Are local connections handled by iptables?

I am trying to understand the iptables rules that docker adds, but my skills in this area are nowhere near strong enough.

One of the things I am not sure about is this: say I am running nginx, and I run curl localhost, or curl ETH0_IP (on the same host). Will the packets flowing between curl and nginx be processed by iptables (that is, be affected by the rules)?

Answer 1

Well, it is not that hard.

rules.txt

*raw
-A PREROUTING -p tcp --dport 80 -j LOG --log-prefix "*** IPTABLES (in): "
-A OUTPUT -p tcp --sport 80 -j LOG --log-prefix "*** IPTABLES (out): "
COMMIT

Then,

# iptables-restore rules.txt

# tcpdump -ni any port 80
19:01:43.885176 IP 127.0.0.1.34390 > 127.0.0.1.80: Flags [S], seq 3166048564, win 65495, options [mss 65495,sackOK,TS val 525562685 ecr 0,nop,wscale 7], length 0
19:01:43.885205 IP 127.0.0.1.80 > 127.0.0.1.34390: Flags [S.], seq 2120053914, ack 3166048565, win 65483, options [mss 65495,sackOK,TS val 525562685 ecr 525562685,nop,wscale 7], length 0
19:01:43.885217 IP 127.0.0.1.34390 > 127.0.0.1.80: Flags [.], ack 1, win 512, options [nop,nop,TS val 525562685 ecr 525562685], length 0
19:01:43.885296 IP 127.0.0.1.34390 > 127.0.0.1.80: Flags [P.], seq 1:77, ack 1, win 512, options [nop,nop,TS val 525562685 ecr 525562685], length 76: HTTP: GET / HTTP/1.1
19:01:43.885312 IP 127.0.0.1.80 > 127.0.0.1.34390: Flags [.], ack 77, win 511, options [nop,nop,TS val 525562685 ecr 525562685], length 0
19:01:43.886101 IP 127.0.0.1.80 > 127.0.0.1.34390: Flags [P.], seq 1:220, ack 77, win 512, options [nop,nop,TS val 525562686 ecr 525562685], length 219: HTTP: HTTP/1.1 500 Internal Server Error
19:01:43.886121 IP 127.0.0.1.34390 > 127.0.0.1.80: Flags [.], ack 220, win 511, options [nop,nop,TS val 525562686 ecr 525562686], length 0
19:01:43.886259 IP 127.0.0.1.34390 > 127.0.0.1.80: Flags [F.], seq 77, ack 220, win 512, options [nop,nop,TS val 525562686 ecr 525562686], length 0
19:01:43.886315 IP 127.0.0.1.80 > 127.0.0.1.34390: Flags [F.], seq 220, ack 78, win 512, options [nop,nop,TS val 525562686 ecr 525562686], length 0
19:01:43.886328 IP 127.0.0.1.34390 > 127.0.0.1.80: Flags [.], ack 221, win 512, options [nop,nop,TS val 525562686 ecr 525562686], length 0

# journalctl -ef
Jun 28 19:01:43 yuri kernel: *** IPTABLES (in): IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12191 DF PROTO=TCP SPT=34390 DPT=80 WINDOW=65495 RES=0x00 SYN URGP=0
Jun 28 19:01:43 yuri kernel: *** IPTABLES (out): IN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=80 DPT=34390 WINDOW=65483 RES=0x00 ACK SYN URGP=0
Jun 28 19:01:43 yuri kernel: *** IPTABLES (in): IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=12192 DF PROTO=TCP SPT=34390 DPT=80 WINDOW=512 RES=0x00 ACK URGP=0
Jun 28 19:01:43 yuri kernel: *** IPTABLES (in): IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=128 TOS=0x00 PREC=0x00 TTL=64 ID=12193 DF PROTO=TCP SPT=34390 DPT=80 WINDOW=512 RES=0x00 ACK PSH URGP=0
Jun 28 19:01:43 yuri kernel: *** IPTABLES (out): IN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=18992 DF PROTO=TCP SPT=80 DPT=34390 WINDOW=511 RES=0x00 ACK URGP=0
Jun 28 19:01:43 yuri kernel: *** IPTABLES (out): IN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 LEN=271 TOS=0x00 PREC=0x00 TTL=64 ID=18993 DF PROTO=TCP SPT=80 DPT=34390 WINDOW=512 RES=0x00 ACK PSH URGP=0
Jun 28 19:01:43 yuri kernel: *** IPTABLES (in): IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=12194 DF PROTO=TCP SPT=34390 DPT=80 WINDOW=511 RES=0x00 ACK URGP=0
Jun 28 19:01:43 yuri kernel: *** IPTABLES (in): IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=12195 DF PROTO=TCP SPT=34390 DPT=80 WINDOW=512 RES=0x00 ACK FIN URGP=0
Jun 28 19:01:43 yuri kernel: *** IPTABLES (out): IN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=18994 DF PROTO=TCP SPT=80 DPT=34390 WINDOW=512 RES=0x00 ACK FIN URGP=0
Jun 28 19:01:43 yuri kernel: *** IPTABLES (in): IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=12196 DF PROTO=TCP SPT=34390 DPT=80 WINDOW=512 RES=0x00 ACK URGP=0

The same goes for ETH0_IP.
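To make the evidence in the answer above easier to check on your own host, here is a small parser for the kernel LOG entries that the raw-table rules produce. It is an added example and not part of the original answer; it assumes the exact --log-prefix strings from rules.txt ("*** IPTABLES (in): " and "*** IPTABLES (out): ") and the standard key=value layout of the netfilter LOG target. Fed the journalctl output, it confirms that every packet of the curl localhost exchange was seen by the PREROUTING chain (IN=lo) on the way in and by the OUTPUT chain (OUT=lo) on the way out, which is the practical answer to the question: loopback traffic does traverse iptables, so rules (including those added by docker) can affect it. The sample lines are four of the log entries shown above, embedded as constructed input.

```python
import re
from collections import Counter

# Constructed sample: the SYN, SYN-ACK, HTTP request and HTTP response
# entries from the journalctl output in the answer above.
SAMPLE_LOG = """\
Jun 28 19:01:43 yuri kernel: *** IPTABLES (in): IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12191 DF PROTO=TCP SPT=34390 DPT=80 WINDOW=65495 RES=0x00 SYN URGP=0
Jun 28 19:01:43 yuri kernel: *** IPTABLES (out): IN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=80 DPT=34390 WINDOW=65483 RES=0x00 ACK SYN URGP=0
Jun 28 19:01:43 yuri kernel: *** IPTABLES (in): IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=128 TOS=0x00 PREC=0x00 TTL=64 ID=12193 DF PROTO=TCP SPT=34390 DPT=80 WINDOW=512 RES=0x00 ACK PSH URGP=0
Jun 28 19:01:43 yuri kernel: *** IPTABLES (out): IN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 LEN=271 TOS=0x00 PREC=0x00 TTL=64 ID=18993 DF PROTO=TCP SPT=80 DPT=34390 WINDOW=512 RES=0x00 ACK PSH URGP=0
"""

# Matches the two prefixes configured in rules.txt and captures the rest of the entry.
PREFIX_RE = re.compile(r"kernel: \*\*\* IPTABLES \((?P<dir>in|out)\): (?P<rest>.*)$")

# Bare tokens the LOG target emits for TCP flags (DF is an IP-level flag and is ignored).
TCP_FLAGS = {"SYN", "ACK", "PSH", "FIN", "RST", "URG"}


def parse_log_line(line):
    """Parse one kernel LOG entry into a dict, or return None for unrelated lines."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    rec = {"dir": m.group("dir"), "flags": set()}
    for tok in m.group("rest").split():
        if "=" in tok:
            key, value = tok.split("=", 1)   # "OUT=" yields an empty string
            rec[key] = value
        elif tok in TCP_FLAGS:
            rec["flags"].add(tok)
    return rec


def parse_log(text):
    """Parse a whole journalctl dump, keeping only the IPTABLES entries."""
    return [r for r in (parse_log_line(l) for l in text.splitlines()) if r]


def packets_by_direction_and_iface(records):
    """Count packets per (direction, interface): 'in' uses IN=, 'out' uses OUT=."""
    counts = Counter()
    for r in records:
        iface = r["IN"] if r["dir"] == "in" else r["OUT"]
        counts[(r["dir"], iface)] += 1
    return dict(counts)


def all_seen_on_loopback(records):
    """True when every logged packet hit the chain matching its direction on lo."""
    return all(
        (r["IN"] == "lo" and r["OUT"] == "") if r["dir"] == "in"
        else (r["OUT"] == "lo" and r["IN"] == "")
        for r in records
    )


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(packets_by_direction_and_iface(recs))
    print("loopback traversed iptables:", all_seen_on_loopback(recs))
```

Run it against a real capture with `journalctl -k | python3 this_script.py`-style piping after swapping SAMPLE_LOG for sys.stdin.read(); for a curl ETH0_IP run the same parser will report the interface the kernel actually used, which is what the answer's last sentence is pointing at.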
