如何在 ubuntu 18.04 服务器上启用 IPTABLES 跟踪

如何在 ubuntu 18.04 服务器上启用 IPTABLES 跟踪

我发现这个简单直接的方法来追踪 Iptables 在我的 kubernetes/calico 集群上做什么

https://www.opsist.com/blog/2015/08/11/how-do-i-see-what-iptables-is-doing.html

ipt_LOG 和 xt_LOG 输出设置都不适合我

root@xxx:/var/log# sysctl -w net.netfilter.nf_log.2="ipt_LOG"
sysctl: definição da chave "net.netfilter.nf_log.2": Arquivo ou diretório inexistente
net.netfilter.nf_log.2 = ipt_LOG

在写这个问题的时候,找到了这个答案。
看起来新的字距调整器使用了另一条路径

http://www.opensourcerers.org/how-to-trace-iptables-in-rhel7-centos7/

您需要做以下准备:

Load the (IPv4) netfilter log kernel module:
# modprobe nf_log_ipv4
Enable logging for the IPv4 (AF Family 2):
# sysctl net.netfilter.nf_log.2=nf_log_ipv4
reconfigure rsyslogd to log kernel messages (kern.*) to /var/log/messages:
# cat /etc/rsyslog.conf | grep -e "^kern"
kern.*;*.info;mail.none;authpriv.none;cron.none                /var/log/messages
restart rsyslogd:
# systemctl restart rsyslog
Now check the raw tables – you’ll see that there are already entries coming from firewalld:

# iptables -t raw -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
PREROUTING_direct all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
OUTPUT_direct all -- anywhere anywhere

Chain OUTPUT_direct (1 references)
target prot opt source destination

Chain PREROUTING_direct (1 references)
target prot opt source destination
We’ll want to add our tracing rules before the existing rules. In this example we’ll trace everything related to HTTP (port 80)

# iptables -t raw -j TRACE -p tcp --dport 80 -I PREROUTING 1
# iptables -t raw -j TRACE -p tcp --dport 80 -I OUTPUT 1

相关内容