我发现这个简单直接的方法来追踪 Iptables 在我的 kubernetes/calico 集群上做什么
https://www.opsist.com/blog/2015/08/11/how-do-i-see-what-iptables-is-doing.html
ipt_LOG 和 xt_LOG 输出设置都不适合我
root@xxx:/var/log# sysctl -w net.netfilter.nf_log.2="ipt_LOG"
sysctl: definição da chave "net.netfilter.nf_log.2": Arquivo ou diretório inexistente
net.netfilter.nf_log.2 = ipt_LOG
在写这个问题的时候,找到了这个答案。
看起来新的字距调整器使用了另一条路径
http://www.opensourcerers.org/how-to-trace-iptables-in-rhel7-centos7/
您需要做以下准备:
Load the (IPv4) netfilter log kernel module:
# modprobe nf_log_ipv4
Enable logging for the IPv4 (AF Family 2):
# sysctl net.netfilter.nf_log.2=nf_log_ipv4
reconfigure rsyslogd to log kernel messages (kern.*) to /var/log/messages:
# cat /etc/rsyslog.conf | grep -e "^kern"
kern.*;*.info;mail.none;authpriv.none;cron.none /var/log/messages
restart rsyslogd:
# systemctl restart rsyslog
Now check the raw tables – you’ll see that there are already entries coming from firewalld:
# iptables -t raw -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
PREROUTING_direct all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
OUTPUT_direct all -- anywhere anywhere
Chain OUTPUT_direct (1 references)
target prot opt source destination
Chain PREROUTING_direct (1 references)
target prot opt source destination
We’ll want to add our tracing rules before the existing rules. In this example we’ll trace everything related to HTTP (port 80)
# iptables -t raw -j TRACE -p tcp --dport 80 -I PREROUTING 1
# iptables -t raw -j TRACE -p tcp --dport 80 -I OUTPUT 1