iptables - dropping packets in the FORWARD chain based on a string match does not work


I am trying to forward traffic from one host to another. That is working, but I want to add a URL whitelist. The following iptables-save rules still block access to http://host:8383/api/test

What am I missing?

*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [7:517]
:POSTROUTING ACCEPT [2:161]
-A PREROUTING -p tcp -m tcp --dport 8383 -j DNAT --to-destination x.x.x.x:8001
-A POSTROUTING ! -s 127.0.0.1/32 -j MASQUERADE
COMMIT

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]

-A FORWARD -p tcp  -m string --string "GET /api" --algo bm --icase -j ACCEPT
-P FORWARD DROP

COMMIT

sudo iptables -nvL
Chain INPUT (policy ACCEPT 49 packets, 2356 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy DROP 5 packets, 200 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            STRING match  "GET /api" ALGO name bm TO 65535 ICASE

Chain OUTPUT (policy ACCEPT 38 packets, 3060 bytes)
 pkts bytes target     prot opt in     out     source               destination
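An added example, not part of the original post: the ruleset below is one way to let the string whitelist actually see a request, written against the same DNAT (x.x.x.x:8001 is the poster's own placeholder; the rule ordering, the comments and the second string match on " HTTP/1." are assumptions of this example, not something the post describes). Two things in the posted output point at the cause. The ACCEPT rule's counter is 0 while the FORWARD policy dropped 5 packets for 200 bytes, i.e. 40 bytes each, which is exactly an IPv4 header plus a TCP header with no payload: the SYN that opens the connection contains no "GET /api", so it hits the DROP policy and the request line is never sent at all. A string rule can only ever match segments that carry data, so the handshake, pure ACKs and the server's replies have to be admitted by something else, which is what conntrack is for. Also, nat PREROUTING runs before filter FORWARD, so FORWARD sees the translated destination port 8001, never 8383.

```text
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 8383 -j DNAT --to-destination x.x.x.x:8001
-A POSTROUTING ! -s 127.0.0.1/32 -j MASQUERADE
COMMIT

*filter
:INPUT ACCEPT [0:0]
# Chain policy in iptables-save form (same effect as the posted -P FORWARD DROP).
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# 1. Client->backend segments that carry the whitelisted request line.
#    FORWARD sees the post-DNAT port (8001), not the public 8383.
-A FORWARD -p tcp -m tcp --dport 8001 -m string --string "GET /api" --algo bm --icase -j ACCEPT
# 2. Any other HTTP request line is dropped here, before the ESTABLISHED rule
#    below could let it through (assumption: every request line ends in " HTTP/1.x").
-A FORWARD -p tcp -m tcp --dport 8001 -m string --string " HTTP/1." --algo bm -j DROP
# 3. Handshake ACKs, pure ACKs and the server's replies carry no request line;
#    conntrack passes them once the connection has been accepted.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# 4. The SYN that opens a connection has no payload either, so it must be
#    accepted explicitly or nothing ever reaches rule 1.
-A FORWARD -p tcp -m tcp --dport 8001 --syn -m conntrack --ctstate NEW -j ACCEPT
COMMIT
```

Load it with iptables-restore and watch the counters: the SYN should now increment rule 4, the request rule 1 or 2, and everything else rule 3. Treat this as a convenience filter rather than an access control, because a string match is not an HTTP parser: a request for another path whose headers or body happen to contain "GET /api" passes rule 1, a client that splits the request line across two TCP segments can keep " HTTP/1." out of the segment that holds the path and slip past rule 2, and TLS traffic is opaque to both rules. A URL whitelist that has to hold up against a hostile client belongs in a reverse proxy in front of port 8001.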