I have an openSUSE Linux server running Suricata as an IDS. The server has two interfaces. The first (eth0) is used purely for management, such as ssh. The second interface (eth5) has no IP configured and receives the data center's complete traffic via a mirror port on the switch it is connected to. So far, everything works fine.
testsystem:/home/admin # ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 77:23:52:a5:26:e4 brd ff:ff:ff:ff:ff:ff
altname eno1
altname enp1s0f0
inet6 fe80::8218:44ff:fee2:9424/64 scope link
valid_lft forever preferred_lft forever
3: eth1: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN group default qlen 1000
link/ether 77:23:52:a5:26:e5 brd ff:ff:ff:ff:ff:ff
altname eno2
altname enp1s0f1
4: eth2: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
link/ether 77:23:52:a5:26:e6 brd ff:ff:ff:ff:ff:ff
altname eno3
altname enp2s0f0
5: eth3: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
link/ether 77:23:52:a5:26:e7 brd ff:ff:ff:ff:ff:ff
altname eno4
altname enp2s0f1
6: eth4: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN group default qlen 1000
link/ether a5:33:d4:c7:21:34 brd ff:ff:ff:ff:ff:ff
altname enp4s0f0
7: eth5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether a5:33:d4:c7:21:38 brd ff:ff:ff:ff:ff:ff
altname enp4s0f1
inet6 fe80::a2d3:c1ff:fec6:e29c/64 scope link
valid_lft forever preferred_lft forever
8: vlan20@eth4: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
link/ether a5:33:d4:c7:21:34 brd ff:ff:ff:ff:ff:ff
9: vlan30@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 77:23:52:a5:26:e4 brd ff:ff:ff:ff:ff:ff
inet 10.1.20.40/24 brd 10.1.20.255 scope global vlan30
valid_lft forever preferred_lft forever
inet6 fe80::8218:44ff:fee2:9424/64 scope link
valid_lft forever preferred_lft forever
Now I want to use sslsplit to split the incoming traffic to a web server. Since we own the web server's server key, this should not be a problem. The outgoing traffic will remain encrypted. sslsplit is now listening on port 8443 and waiting for the (still) encrypted network packets.
I am now trying to use iptables on eth5 to redirect packets destined for the web server (12.34.56.78) on port 443 to the service running on localhost port 8443. I tried REDIRECT as well as DNAT in the PREROUTING chain. Unfortunately, no packets pass through the rule there, although the packets can be seen with tcpdump.
testsystem:/home/admin # iptables -t nat -A PREROUTING -d 12.34.56.78 -p tcp --dport 443 -j DNAT --to-destination 127.0.0.1:8443
testsystem:/home/admin # iptables -nvL
Chain INPUT (policy ACCEPT 39388 packets, 7552K bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 65264 packets, 204M bytes)
pkts bytes target prot opt in out source destination
testsystem:/home/admin # iptables -nvL -t nat
Chain PREROUTING (policy ACCEPT 325 packets, 26961 bytes)
pkts bytes target prot opt in out source destination
0 0 DNAT tcp -- * * 0.0.0.0/0 12.34.56.78 tcp dpt:443 to:127.0.0.1:8443
Chain INPUT (policy ACCEPT 2 packets, 408 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 1 packets, 147 bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 1 packets, 147 bytes)
pkts bytes target prot opt in out source destination
testsystem:/home/admin # tcpdump -i eth5 -n host 12.34.56.78 and port 443
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth5, link-type EN10MB (Ethernet), capture size 262144 bytes
11:50:57.253814 IP xx.xx.xx.xx.42260 > 12.34.56.78.443: Flags [S], seq 3314657542, win 62727, options [mss 1460,sackOK,TS val 24135814 ecr 0,nop,wscale 7], length 0
11:50:57.253995 IP 12.34.56.78.443 > xx.xx.xx.xx.42260: Flags [S.], seq 20818400, ack 3314657543, win 28960, options [mss 1460,sackOK,TS val 1082431744 ecr 24135814,nop,wscale 7], length 0
11:50:57.355763 IP xx.xx.xx.xx.42260 > 12.34.56.78.443: Flags [.], ack 1, win 491, options [nop,nop,TS val 24135916 ecr 1082431744], length 0
11:50:57.358522 IP xx.xx.xx.xx.42260 > 12.34.56.78.443: Flags [P.], seq 1:518, ack 1, win 491, options [nop,nop,TS val 24135919 ecr 1082431744], length 517
11:50:57.358667 IP 12.34.56.78.443 > xx.xx.xx.xx.42260: Flags [.], ack 518, win 235, options [nop,nop,TS val 1082431770 ecr 24135919], length 0
11:50:57.359046 IP 12.34.56.78.443 > xx.xx.xx.xx.42260: Flags [.], seq 1:1449, ack 518, win 235, options [nop,nop,TS val 1082431770 ecr 24135919], length 1448
11:50:57.359058 IP 12.34.56.78.443 > xx.xx.xx.xx.42260: Flags [.], seq 1449:2897, ack 518, win 235, options [nop,nop,TS val 1082431770 ecr 24135919], length 1448
11:50:57.359074 IP 12.34.56.78.443 > xx.xx.xx.xx.42260: Flags [P.], seq 2897:4097, ack 518, win 235, options [nop,nop,TS val 1082431770 ecr 24135919], length 1200
11:50:57.359079 IP 12.34.56.78.443 > xx.xx.xx.xx.42260: Flags [.], seq 4097:5545, ack 518, win 235, options [nop,nop,TS val 1082431770 ecr 24135919], length 1448
11:50:57.359090 IP 12.34.56.78.443 > xx.xx.xx.xx.42260: Flags [.], seq 5545:6993, ack 518, win 235, options [nop,nop,TS val 1082431770 ecr 24135919], length 1448
11:50:57.359103 IP 12.34.56.78.443 > xx.xx.xx.xx.42260: Flags [.], seq 6993:8441, ack 518, win 235, options [nop,nop,TS val 1082431770 ecr 24135919], length 1448
11:50:57.359118 IP 12.34.56.78.443 > xx.xx.xx.xx.42260: Flags [.], seq 8441:9889, ack 518, win 235, options [nop,nop,TS val 1082431770 ecr 24135919], length 1448
11:50:57.359120 IP 12.34.56.78.443 > xx.xx.xx.xx.42260: Flags [P.], seq 9889:10061, ack 518, win 235, options [nop,nop,TS val 1082431770 ecr 24135919], length 172
11:50:57.373545 IP 12.34.56.78.443 > xx.xx.xx.xx.42260: Flags [P.], seq 10061:10664, ack 518, win 235, options [nop,nop,TS val 1082431773 ecr 24135919], length 603
11:50:57.460834 IP xx.xx.xx.xx.42260 > 12.34.56.78.443: Flags [.], ack 2897, win 469, options [nop,nop,TS val 24136022 ecr 1082431770], length 0
11:50:57.460853 IP xx.xx.xx.xx.42260 > 12.34.56.78.443: Flags [.], ack 4097, win 460, options [nop,nop,TS val 24136022 ecr 1082431770], length 0
11:50:57.460861 IP xx.xx.xx.xx.42260 > 12.34.56.78.443: Flags [.], ack 6993, win 438, options [nop,nop,TS val 24136022 ecr 1082431770], length 0
11:50:57.460875 IP xx.xx.xx.xx.42260 > 12.34.56.78.443: Flags [.], ack 10061, win 415, options [nop,nop,TS val 24136022 ecr 1082431770], length 0
11:50:57.475328 IP xx.xx.xx.xx.42260 > 12.34.56.78.443: Flags [.], ack 10664, win 443, options [nop,nop,TS val 24136036 ecr 1082431773], length 0
11:50:57.558250 IP xx.xx.xx.xx.42260 > 12.34.56.78.443: Flags [P.], seq 518:644, ack 10664, win 443, options [nop,nop,TS val 24136119 ecr 1082431773], length 126
11:50:57.558868 IP 12.34.56.78.443 > xx.xx.xx.xx.42260: Flags [P.], seq 10664:10938, ack 644, win 235, options [nop,nop,TS val 1082431820 ecr 24136119], length 274
11:50:57.660641 IP xx.xx.xx.xx.42260 > 12.34.56.78.443: Flags [.], ack 10938, win 443, options [nop,nop,TS val 24136221 ecr 1082431820], length 0
11:50:57.680227 IP xx.xx.xx.xx.42260 > 12.34.56.78.443: Flags [P.], seq 644:829, ack 10938, win 443, options [nop,nop,TS val 24136241 ecr 1082431820], length 185
11:50:57.680435 IP 12.34.56.78.443 > xx.xx.xx.xx.42260: Flags [P.], seq 10938:11502, ack 829, win 243, options [nop,nop,TS val 1082431850 ecr 24136241], length 564
11:50:57.782216 IP xx.xx.xx.xx.42260 > 12.34.56.78.443: Flags [.], ack 11502, win 443, options [nop,nop,TS val 24136343 ecr 1082431850], length 0
11:50:57.986870 IP xx.xx.xx.xx.42396 > 12.34.56.78.443: Flags [S], seq 502575886, win 62727, options [mss 1460,sackOK,TS val 24136548 ecr 0,nop,wscale 7], length 0
11:50:57.987011 IP 12.34.56.78.443 > xx.xx.xx.xx.42396: Flags [S.], seq 2750760101, ack 502575887, win 28960, options [mss 1460,sackOK,TS val 1082431927 ecr 24136548,nop,wscale 7], length 0
^C
27 packets captured
355 packets received by filter
210 packets dropped by kernel
It seems to me that the PREROUTING chain is being ignored, since the total packet counter is also too low. Does anyone have an idea and can help further?
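The following diagnostic is an added example and not part of the post above. It checks the one thing that decides whether a frame seen by tcpdump can ever hit the nat PREROUTING chain: the destination MAC. Linux classifies every received frame by its destination MAC before IP processing; a frame addressed to another host's MAC (which is exactly what a switch mirror port delivers) is handed to packet sockets such as tcpdump, but ip_rcv() drops it as PACKET_OTHERHOST before the NF_INET_PRE_ROUTING hook is reached, so iptables counters never move. The script parses the interface MACs from the `ip a` output quoted in the post and classifies frames from `tcpdump -e` output; the `tcpdump -e` lines, the client/server MACs (02:00:00:00:00:xx) and the client IP 192.0.2.10 are constructed sample data, not captures from the post.

```python
"""Classify sniffed frames by destination MAC to explain zero PREROUTING hits.

Kernel behaviour (ip_rcv_core): skb->pkt_type == PACKET_OTHERHOST is dropped
before the PREROUTING netfilter hook; only frames addressed to the interface's
own MAC, broadcast or multicast get that far. tcpdump sees all of them because
AF_PACKET taps the frame earlier in the receive path.
"""
import re

# `ip a` lines for the two relevant interfaces, copied from the post.
IP_A_OUTPUT = """\
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 77:23:52:a5:26:e4 brd ff:ff:ff:ff:ff:ff
7: eth5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether a5:33:d4:c7:21:38 brd ff:ff:ff:ff:ff:ff
"""

# Constructed `tcpdump -e -n -i eth5` sample: MACs 02:00:00:00:00:xx and the
# client IP 192.0.2.10 are invented; 12.34.56.78:443 follows the post.
TCPDUMP_E_OUTPUT = """\
11:50:57.253814 02:00:00:00:00:01 > 02:00:00:00:00:02, ethertype IPv4 (0x0800), length 74: 192.0.2.10.42260 > 12.34.56.78.443: Flags [S], seq 3314657542, win 62727, length 0
11:50:57.253995 02:00:00:00:00:02 > 02:00:00:00:00:01, ethertype IPv4 (0x0800), length 74: 12.34.56.78.443 > 192.0.2.10.42260: Flags [S.], seq 20818400, ack 3314657543, win 28960, length 0
11:50:58.100000 02:00:00:00:00:01 > 33:33:00:00:00:01, ethertype IPv6 (0x86dd), length 86: fe80::1 > ff02::1: ICMP6, router advertisement, length 32
11:50:59.000000 02:00:00:00:00:03 > a5:33:d4:c7:21:38, ethertype IPv4 (0x0800), length 74: 192.0.2.10.51000 > 12.34.56.78.443: Flags [S], seq 1, win 65535, length 0
"""

MAC = r"(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}"
LINK_RE = re.compile(r"^\d+: (?P<name>[^:@]+)(?:@\S+)?: <")
ETHER_RE = re.compile(r"^\s*link/ether (?P<mac>" + MAC + ")")
FRAME_RE = re.compile(
    r"^\S+ (?P<src>" + MAC + r") > (?P<dst>" + MAC + r"), ethertype (?P<type>\S+)"
)


def interface_macs(ip_a_output):
    """Map interface name -> lowercase MAC from `ip a` / `ip link` output."""
    macs, current = {}, None
    for line in ip_a_output.splitlines():
        m = LINK_RE.match(line)
        if m:
            current = m.group("name")
            continue
        m = ETHER_RE.match(line)
        if m and current:
            macs[current] = m.group("mac").lower()
    return macs


def classify_dst_mac(dst, own_mac):
    """Mirror the kernel's pkt_type decision for a destination MAC."""
    dst = dst.lower()
    if dst == own_mac.lower():
        return "host"          # PACKET_HOST: reaches PREROUTING
    if dst == "ff:ff:ff:ff:ff:ff":
        return "broadcast"     # PACKET_BROADCAST: reaches PREROUTING
    if int(dst[:2], 16) & 1:
        return "multicast"     # PACKET_MULTICAST: reaches PREROUTING
    return "otherhost"         # PACKET_OTHERHOST: dropped in ip_rcv()


def classify_frames(tcpdump_e_output, own_mac):
    """Return (dst_mac, ethertype, class) for every parsable tcpdump -e line."""
    out = []
    for line in tcpdump_e_output.splitlines():
        m = FRAME_RE.match(line)
        if m:
            out.append((m.group("dst").lower(), m.group("type"),
                        classify_dst_mac(m.group("dst"), own_mac)))
    return out


def prerouting_eligible(tcpdump_e_output, own_mac):
    """Count IP frames per class; only non-'otherhost' ones can hit iptables."""
    counts = {"host": 0, "broadcast": 0, "multicast": 0, "otherhost": 0}
    for _, ethertype, cls in classify_frames(tcpdump_e_output, own_mac):
        if ethertype.startswith("IPv"):
            counts[cls] += 1
    return counts


if __name__ == "__main__":
    eth5 = interface_macs(IP_A_OUTPUT)["eth5"]
    for dst, ethertype, cls in classify_frames(TCPDUMP_E_OUTPUT, eth5):
        print(f"{dst}  {ethertype:5s}  {cls}")
    print(prerouting_eligible(TCPDUMP_E_OUTPUT, eth5))
```

To run it against the real box, capture with `tcpdump -e -n -i eth5 host 12.34.56.78 and port 443` and pass those lines to `prerouting_eligible` with the eth5 MAC; every frame reported as "otherhost" is one that tcpdump shows but that no PREROUTING rule will ever count. Two further points worth knowing before going down this road: a DNAT to 127.0.0.1 from PREROUTING is only accepted by the kernel when `net.ipv4.conf.eth5.route_localnet` is set to 1, and a DNAT or REDIRECT based proxy like sslsplit has to sit inline in the client-to-server path so that it can answer the client's TCP handshake; a mirror port only delivers a copy of the conversation, which the real server is already answering.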