我只添加了一些规则来记录通过 OUTPUT 链的数据包,但根本没有通过 NAT 表。从这里的 NAT 表链的计数器(计数器为零)可以清楚地看出:
sudo iptables-save
# Generated by iptables-save v1.8.4 on Tue Feb 13 03:49:55 2024
*raw
:PREROUTING ACCEPT [197:319667]
:OUTPUT ACCEPT [178:12147]
COMMIT
# Completed on Tue Feb 13 03:49:55 2024
# Generated by iptables-save v1.8.4 on Tue Feb 13 03:49:55 2024
*mangle
:PREROUTING ACCEPT [197:319667]
:INPUT ACCEPT [197:319667]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [178:12147]
:POSTROUTING ACCEPT [178:12147]
COMMIT
# Completed on Tue Feb 13 03:49:55 2024
# Generated by iptables-save v1.8.4 on Tue Feb 13 03:49:55 2024
*filter
:INPUT ACCEPT [1491:3438016]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1687:231563]
-A OUTPUT -j LOG --log-prefix "SEP [filter-OUTPUT] "
COMMIT
# Completed on Tue Feb 13 03:49:55 2024
# Generated by iptables-save v1.8.4 on Tue Feb 13 03:49:55 2024
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:test - [0:0]
-A OUTPUT -j LOG --log-prefix "SEP [nat-OUTPUT] "
COMMIT
# Completed on Tue Feb 13 03:49:55 2024
我还启用了 ipv4 ip 转发,如下所示:
sudo sysctl -w net.ipv4.ip_forward=1
但问题仍然存在。
答案1
答案是,如果链中没有添加非终止目标,则该链不会运行!LOG 目标本身是非终止的,因此链和整个表根本不会运行!因此,在我向表中添加了一些终止操作后,日志开始运行,计数器开始增加。