I have some nftables rules in the `inet firewalld` table:
chain filter_FWD_policy_externalTolxc {
    jump filter_FWD_policy_externalTolxc_pre
    jump filter_FWD_policy_externalTolxc_log
    jump filter_FWD_policy_externalTolxc_deny
    jump filter_FWD_policy_externalTolxc_allow
    jump filter_FWD_policy_externalTolxc_post
    log prefix "filter_FWD_policy_externalTolxc_REJECT: "
    reject with icmpx admin-prohibited
}
chain filter_FWD_policy_externalTolxc_pre {
}
chain filter_FWD_policy_externalTolxc_log {
}
chain filter_FWD_policy_externalTolxc_deny {
}
chain filter_FWD_policy_externalTolxc_allow {
    tcp dport 443 ct state { new, untracked } meta nftrace set 1 accept
    tcp dport 80 ct state { new, untracked } accept
    tcp dport 25 ct state { new, untracked } accept
    tcp dport 587 ct state { new, untracked } accept
}
and they should allow access to port 443 on the FORWARD chain. When I trace, I see the following:
trace id 9d541079 inet firewalld filter_FWD_policy_externalTolxc_allow packet: iif "eth0" oif "lxc33eaff370fce" ether saddr d2:74:7f:6e:37:e3 ether daddr 96:00:01:a8:60:90 ip saddr 197.232.61.231 ip daddr 172.20.4.138 ip dscp cs0 ip ecn not-ect ip ttl 49 ip id 14423 ip protocol tcp ip length 60 tcp sport 34150 tcp dport 443 tcp flags == syn tcp window 64240
trace id 9d541079 inet firewalld filter_FWD_policy_externalTolxc_allow rule tcp dport 443 ct state { new, untracked } meta nftrace set 1 accept (verdict accept)
trace id 9d541079 ip mangle POSTROUTING packet: iif "eth0" oif "lxc33eaff370fce" ether saddr d2:74:7f:6e:37:e3 ether daddr 96:00:01:a8:60:90 ip saddr 197.232.61.231 ip daddr 172.20.4.138 ip dscp cs0 ip ecn not-ect ip ttl 49 ip id 14423 ip length 60 tcp sport 34150 tcp dport 443 tcp flags == syn tcp window 64240
trace id 9d541079 ip mangle POSTROUTING verdict continue
trace id 9d541079 ip mangle POSTROUTING policy accept
...
...
trace id 9d541079 inet firewalld nat_POST_trusted_allow verdict continue
trace id 9d541079 inet firewalld nat_POST_trusted rule jump nat_POST_trusted_post (verdict jump nat_POST_trusted_post)
trace id 9d541079 inet firewalld nat_POST_trusted_post verdict continue
trace id 9d541079 inet firewalld nat_POST_trusted rule jump nat_POSTROUTING_POLICIES_post (verdict jump nat_POSTROUTING_POLICIES_post)
trace id 9d541079 inet firewalld nat_POSTROUTING_POLICIES_post verdict continue
trace id 9d541079 inet firewalld nat_POST_trusted verdict continue
There is no sign of any rejection, but at the end of the firewall I see the reject:
[36250.863779] filter_FWD_policy_externalTolxc_REJECT: IN=eth0 OUT=lxc33eaff370fce MAC=96:00:01:a8:60:90:d2:74:7f:6e:37:e3:08:00 SRC=197.XXX.XXX.XXX DST=172.20.4.138 LEN=569 TOS=0x00 PREC=0x00 TTL=49 ID=40925 DF PROTO=TCP SPT=43482 DPT=443 WINDOW=502 RES=0x00 ACK PSH URGP=0
How can I find out what the problem is? I can't see what else happened at the moment it was rejected, and how do I fix it?
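A starting point for the triage the question asks for, as an added example that is not code from the question or from firewalld. Two things on the page are worth lining up: the traced packet (trace id 9d541079, sport 34150, flags `syn`) is not the rejected packet (sport 43482, flags `ACK PSH`), and the only `meta nftrace set 1` sits on the dport 443 rule that matches `ct state { new, untracked }`, so a packet that does not match that rule is never traced and its reject never shows up in `nft monitor trace`. Every rule in `filter_FWD_policy_externalTolxc_allow` matches only `ct state { new, untracked }`, so a non-SYN packet reaching the reject rule says something about its conntrack state rather than about the port list. The script below parses netfilter `log` lines of the form shown, separates rejects of connection-opening SYNs from rejects of mid-stream packets, and runs on the reject line from the question plus one constructed line (`198.51.100.7`, port 22) so both branches are exercised; the allowed-port set is taken from the rules above.

```python
"""Triage firewalld REJECT log lines against the policy's allow rules.

Added example for the question above (not code from the question or from
firewalld). It parses the kernel log lines emitted by
`log prefix "filter_FWD_policy_externalTolxc_REJECT: "` and decides, per
packet, whether an allow rule of the form
`tcp dport N ct state { new, untracked } accept` could have matched it.
"""
import re
from collections import Counter

# Ports the allow chain on the page accepts for ct state { new, untracked }.
ALLOWED_NEW_PORTS = {443, 80, 25, 587}

_PREFIX = re.compile(r"(\S+_REJECT): (.*)$")
_KV = re.compile(r"(\w+)=(\S*)")
_TCP_FLAGS = ("SYN", "ACK", "PSH", "FIN", "RST", "URG")


def parse_reject_line(line):
    """Parse one nftables/netfilter log line into a dict; None if no prefix."""
    m = _PREFIX.search(line)
    if m is None:
        return None
    body = m.group(2)
    rec = {"prefix": m.group(1)}
    rec.update(_KV.findall(body))
    # Bare tokens without '=' carry the TCP flags (ACK PSH ...) and DF.
    bare = {tok for tok in body.split() if "=" not in tok}
    rec["flags"] = [f for f in _TCP_FLAGS if f in bare]
    rec["df"] = "DF" in bare
    return rec


def classify(rec, allowed_new_ports=ALLOWED_NEW_PORTS):
    """Say why the packet fell through to the reject rule.

    'policy'     : a plain SYN to a port the allow chain does not list,
                   i.e. the reject is what the rules ask for.
    'mid-stream' : a non-SYN packet (ACK/PSH/FIN ...). The allow rules only
                   match ct state new or untracked, so this packet reached
                   the reject because conntrack classified it as something
                   else. In a stock firewalld ruleset established/related
                   packets are accepted in filter_FORWARD before the policy
                   chains run, which leaves 'invalid' as the usual suspect
                   (e.g. a flow whose replies this host never saw); confirm
                   with nftrace on that flow rather than assuming it.
    'unexpected' : a plain SYN to an allowed port was rejected; the allow
                   rule should have matched, so look at an earlier verdict.
    """
    if rec.get("PROTO") != "TCP":
        return "non-tcp"
    flags = set(rec["flags"])
    dport = int(rec["DPT"])
    if "SYN" in flags and "ACK" not in flags:
        return "unexpected" if dport in allowed_new_ports else "policy"
    return "mid-stream"


def triage(lines, allowed_new_ports=ALLOWED_NEW_PORTS):
    """Return (per-packet results, Counter of categories) for a log excerpt."""
    results = []
    for line in lines:
        rec = parse_reject_line(line)
        if rec is None:
            continue
        results.append((rec["SRC"], rec["DPT"], rec["flags"],
                        classify(rec, allowed_new_ports)))
    return results, Counter(r[3] for r in results)


# Constructed sample: the first line is the reject from the question, the
# second is an invented SYN to port 22 so both branches are exercised.
SAMPLE_LOG = [
    '[36250.863779] filter_FWD_policy_externalTolxc_REJECT: IN=eth0 '
    'OUT=lxc33eaff370fce MAC=96:00:01:a8:60:90:d2:74:7f:6e:37:e3:08:00 '
    'SRC=197.XXX.XXX.XXX DST=172.20.4.138 LEN=569 TOS=0x00 PREC=0x00 TTL=49 '
    'ID=40925 DF PROTO=TCP SPT=43482 DPT=443 WINDOW=502 RES=0x00 ACK PSH URGP=0',
    '[36251.100000] filter_FWD_policy_externalTolxc_REJECT: IN=eth0 '
    'OUT=lxc33eaff370fce MAC=96:00:01:a8:60:90:d2:74:7f:6e:37:e3:08:00 '
    'SRC=198.51.100.7 DST=172.20.4.138 LEN=60 TOS=0x00 PREC=0x00 TTL=52 '
    'ID=1 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0',
    'unrelated kernel line that is ignored',
]

if __name__ == "__main__":
    for src, dport, flags, why in triage(SAMPLE_LOG)[0]:
        print(f"{src} -> :{dport} flags={' '.join(flags)} => {why}")
```

Feed it the output of `journalctl -k | grep REJECT`. A `mid-stream` result for the line from the question means the packet was neither accepted as established/related before the policy chains nor matched as new/untracked by the allow chain, which points at its `ct state`; to see that state you need a trace rule that the rejected packet actually hits (for example one matching its source port, placed before the policy jumps), because the existing `meta nftrace set 1` only fires on the accepted SYN.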