System Diagnostics Tips (7): A Simple Scheme for Troubleshooting and Diagnosis with Iptables

TL;DR

Iptables

Strictly speaking, iptables is only the user-space front end to the Linux firewall, but in everyday usage "iptables" refers to the whole firewall, user space and kernel space together. We follow that convention here, but let us first name the kernel-space part: netfilter. That is why firewall-related names so often carry "nf" or "netfilter" as a prefix.

Iptables places hooks in the kernel's network stack. By registering callbacks on those hooks, we can inject our own logic into the kernel's packet-processing path. Firewall rules are the obvious example, but that is far from the only use: probing the path a packet takes through the stack, and extracting data from it for diagnosis and troubleshooting, is another good one.

Here we discuss how to trace the execution path through iptables. This skill is useful both for diagnosing and fixing problems in the firewall itself, and for filling the blind spot left by Linux System Tips (6): The Blade Combo of strace and wireshark.

Hooks

Let us first look at the iptables hooks from the source-code perspective. The snippet below is an excerpt; for the full source see include/uapi/linux/netfilter.h. We strongly recommend taking the time to read this and the following code fragments carefully.

/* Responses from hook functions. */
#define NF_DROP 0
#define NF_ACCEPT 1
#define NF_STOLEN 2
#define NF_QUEUE 3
#define NF_REPEAT 4
#define NF_STOP 5    /* Deprecated, for userspace nf_queue compatibility. */
#define NF_MAX_VERDICT NF_STOP

enum nf_inet_hooks {
    NF_INET_PRE_ROUTING,
    NF_INET_LOCAL_IN,
    NF_INET_FORWARD,
    NF_INET_LOCAL_OUT,
    NF_INET_POST_ROUTING,
    NF_INET_NUMHOOKS
};

enum nf_dev_hooks {
    NF_NETDEV_INGRESS,
    NF_NETDEV_NUMHOOKS
};

enum {
    NFPROTO_UNSPEC =  0,
    NFPROTO_INET   =  1,
    NFPROTO_IPV4   =  2,
    NFPROTO_ARP    =  3,
    NFPROTO_NETDEV =  5,
    NFPROTO_BRIDGE =  7,
    NFPROTO_IPV6   = 10,
    NFPROTO_DECNET = 12,
    NFPROTO_NUMPROTO,
};

Of course, the question that puzzles people most is the order in which the various tables and their chains are executed. This is a matter of priority: every operation registered on a hook carries a priority. The snippet is below; for the full source see include/linux/netfilter.h

struct nf_hook_ops {
    /* User fills in from here down. */
    nf_hookfn        *hook;
    struct net_device    *dev;
    void            *priv;
    u_int8_t        pf;
    unsigned int        hooknum;
    /* Hooks are ordered in ascending priority. */
    int            priority; /* the priority value is stored here */
};

So where are the priority values defined? Here is the snippet; for the full source see include/uapi/linux/netfilter_ipv4.h

enum nf_ip_hook_priorities {
    NF_IP_PRI_FIRST = INT_MIN,
    NF_IP_PRI_CONNTRACK_DEFRAG = -400,
    NF_IP_PRI_RAW = -300,
    NF_IP_PRI_SELINUX_FIRST = -225,
    NF_IP_PRI_CONNTRACK = -200,
    NF_IP_PRI_MANGLE = -150,
    NF_IP_PRI_NAT_DST = -100,
    NF_IP_PRI_FILTER = 0,
    NF_IP_PRI_SECURITY = 50,
    NF_IP_PRI_NAT_SRC = 100,
    NF_IP_PRI_SELINUX_LAST = 225,
    NF_IP_PRI_CONNTRACK_HELPER = 300,
    NF_IP_PRI_CONNTRACK_CONFIRM = INT_MAX,
    NF_IP_PRI_LAST = INT_MAX,
};

Prose gets tiring, so here is a diagram as well (the original is here)

[Figure: order in which the iptables tables and chains are traversed]

But so far we have only roughly sketched the execution order of the iptables tables and their chains. To know the actual order, we have to trace the execution path. That is what the scheme proposed here is for.

A template for implementing the simple scheme

The simple scheme works for two reasons. First, every packet entering or leaving the system, whatever its final destination, passes through the PREROUTING and OUTPUT chains of the raw table; this can be verified in the diagram above. Second, from iptables-extensions we know that the TRACE target can log the tables, chains and rules a packet traverses while iptables processes it.

So what exactly do we do?

  1. Because the kernel has to log iptables' behaviour, first make sure the logging module is loaded and configured.
  2. Add suitable rules to the PREROUTING and OUTPUT chains of the raw table.

We use tracing UDP as the example.

First, find out which logging module is available

for m in ipt_LOG nf_log_ipv4; do
  find /lib/modules/$(uname -r) \( -name "${m}.ko" -o -name "${m}.ko.xz" \) -type f \
    | grep -q "${m}.ko" && mod=${m} && break
done

Next, load the logging module and configure it

modprobe ${mod}
modprobe nf_conntrack_ipv4
sysctl net.netfilter.nf_log.2=${mod}   # 2 is NFPROTO_IPV4 in the enum above

Finally, set the rules on the raw table (they can be narrowed further, for example to trace only one protocol)

iptables -t raw -A OUTPUT -p udp -j TRACE
iptables -t raw -A PREROUTING -p udp -j TRACE

A concrete example

Let us test the effect of the proposed scheme. The test topology is as follows

[Figure: test topology (the trigger VM, the forwarder VM and its Docker container)]

On the forwarder VM we start Docker and publish the container's UDP port 10370 (in fact we publish more than one port)

docker run -it $(for p in $(seq 10300 10399);do echo "-p ${p}:${p}/udp" | xargs;done) ubuntu

Then we start an echo server inside the container, using the ncat tool that ships with nmap.

The default ubuntu image lacks the packages we need, so we install them first.

apt-get update
apt-get -y install iproute2 nmap net-tools

Now start the echo server

ncat -u -e $(which cat) -k -l 10370

Then we capture the packets entering and leaving the forwarder VM.

tcpdump -i eth0 -w pkts.pcap host vm_trigger_ip

Then, on the trigger VM, we open a connection to the forwarder VM

ncat -u vm_forwarder_ip 10370

Finally, from the trigger VM we send 1483, 1485 and 1498 bytes of data, one datagram each.

What remains is to analyse the captured data.

First we confirm that the echo server works correctly. We use wireshark to analyse the captured packets, with wireshark configured not to reassemble fragmented packets (for how to configure that, see IP Reassembly).

[Figure: wireshark view of the capture with IP reassembly disabled]

Clearly the MTU of the links between trigger, forwarder and the echo server is 1500, and the echo server works fine.

Next, let us look at the relevant kernel log

Aug 24 11:14:47 forwarder kernel: [594576.178700] TRACE: raw:PREROUTING:policy:2 IN=eth0 OUT= MAC=00:16:3e:03:f4:3f:ee:ff:ff:ff:ff:ff:08:00 SRC=xxx.xxx.xxx.113 DST=172.17.128.213 LEN=1511 TOS=0x00 PREC=0x00 TTL=57 ID=17397 PROTO=UDP SPT=38495 DPT=10370 LEN=1491
Aug 24 11:14:47 forwarder kernel: [594576.178732] TRACE: mangle:PREROUTING:policy:1 IN=eth0 OUT= MAC=00:16:3e:03:f4:3f:ee:ff:ff:ff:ff:ff:08:00 SRC=xxx.xxx.xxx.113 DST=172.17.128.213 LEN=1511 TOS=0x00 PREC=0x00 TTL=57 ID=17397 PROTO=UDP SPT=38495 DPT=10370 LEN=1491
Aug 24 11:14:47 forwarder kernel: [594576.178743] TRACE: nat:PREROUTING:rule:1 IN=eth0 OUT= MAC=00:16:3e:03:f4:3f:ee:ff:ff:ff:ff:ff:08:00 SRC=xxx.xxx.xxx.113 DST=172.17.128.213 LEN=1511 TOS=0x00 PREC=0x00 TTL=57 ID=17397 PROTO=UDP SPT=38495 DPT=10370 LEN=1491
Aug 24 11:14:47 forwarder kernel: [594576.178759] TRACE: nat:DOCKER:rule:31 IN=eth0 OUT= MAC=00:16:3e:03:f4:3f:ee:ff:ff:ff:ff:ff:08:00 SRC=xxx.xxx.xxx.113 DST=172.17.128.213 LEN=1511 TOS=0x00 PREC=0x00 TTL=57 ID=17397 PROTO=UDP SPT=38495 DPT=10370 LEN=1491
Aug 24 11:14:47 forwarder kernel: [594576.178773] TRACE: mangle:FORWARD:policy:1 IN=eth0 OUT=docker0 MAC=00:16:3e:03:f4:3f:ee:ff:ff:ff:ff:ff:08:00 SRC=xxx.xxx.xxx.113 DST=172.18.0.2 LEN=1511 TOS=0x00 PREC=0x00 TTL=56 ID=17397 PROTO=UDP SPT=38495 DPT=10370 LEN=1491
Aug 24 11:14:47 forwarder kernel: [594576.178779] TRACE: filter:FORWARD:rule:1 IN=eth0 OUT=docker0 MAC=00:16:3e:03:f4:3f:ee:ff:ff:ff:ff:ff:08:00 SRC=xxx.xxx.xxx.113 DST=172.18.0.2 LEN=1511 TOS=0x00 PREC=0x00 TTL=56 ID=17397 PROTO=UDP SPT=38495 DPT=10370 LEN=1491
Aug 24 11:14:47 forwarder kernel: [594576.178790] TRACE: filter:DOCKER-ISOLATION:return:1 IN=eth0 OUT=docker0 MAC=00:16:3e:03:f4:3f:ee:ff:ff:ff:ff:ff:08:00 SRC=xxx.xxx.xxx.113 DST=172.18.0.2 LEN=1511 TOS=0x00 PREC=0x00 TTL=56 ID=17397 PROTO=UDP SPT=38495 DPT=10370 LEN=1491
Aug 24 11:14:47 forwarder kernel: [594576.178794] TRACE: filter:FORWARD:rule:2 IN=eth0 OUT=docker0 MAC=00:16:3e:03:f4:3f:ee:ff:ff:ff:ff:ff:08:00 SRC=xxx.xxx.xxx.113 DST=172.18.0.2 LEN=1511 TOS=0x00 PREC=0x00 TTL=56 ID=17397 PROTO=UDP SPT=38495 DPT=10370 LEN=1491
Aug 24 11:14:47 forwarder kernel: [594576.178799] TRACE: filter:DOCKER:rule:30 IN=eth0 OUT=docker0 MAC=00:16:3e:03:f4:3f:ee:ff:ff:ff:ff:ff:08:00 SRC=xxx.xxx.xxx.113 DST=172.18.0.2 LEN=1511 TOS=0x00 PREC=0x00 TTL=56 ID=17397 PROTO=UDP SPT=38495 DPT=10370 LEN=1491
Aug 24 11:14:47 forwarder kernel: [594576.178804] TRACE: security:FORWARD:policy:1 IN=eth0 OUT=docker0 MAC=00:16:3e:03:f4:3f:ee:ff:ff:ff:ff:ff:08:00 SRC=xxx.xxx.xxx.113 DST=172.18.0.2 LEN=1511 TOS=0x00 PREC=0x00 TTL=56 ID=17397 PROTO=UDP SPT=38495 DPT=10370 LEN=1491
Aug 24 11:14:47 forwarder kernel: [594576.178808] TRACE: mangle:POSTROUTING:policy:1 IN= OUT=docker0 SRC=xxx.xxx.xxx.113 DST=172.18.0.2 LEN=1511 TOS=0x00 PREC=0x00 TTL=56 ID=17397 PROTO=UDP SPT=38495 DPT=10370 LEN=1491
Aug 24 11:14:47 forwarder kernel: [594576.178815] TRACE: nat:POSTROUTING:policy:102 IN= OUT=docker0 SRC=xxx.xxx.xxx.113 DST=172.18.0.2 LEN=1511 TOS=0x00 PREC=0x00 TTL=56 ID=17397 PROTO=UDP SPT=38495 DPT=10370 LEN=1491
Aug 24 11:14:47 forwarder kernel: [594576.179972] TRACE: raw:PREROUTING:policy:2 IN=docker0 OUT= PHYSIN=veth79e0ef5 MAC=02:42:59:be:ab:24:02:42:ac:12:00:02:08:00 SRC=172.18.0.2 DST=xxx.xxx.xxx.113 LEN=1511 TOS=0x00 PREC=0x00 TTL=64 ID=43856 PROTO=UDP SPT=10370 DPT=38495 LEN=1491
Aug 24 11:14:47 forwarder kernel: [594576.179979] TRACE: mangle:PREROUTING:policy:1 IN=docker0 OUT= PHYSIN=veth79e0ef5 MAC=02:42:59:be:ab:24:02:42:ac:12:00:02:08:00 SRC=172.18.0.2 DST=xxx.xxx.xxx.113 LEN=1511 TOS=0x00 PREC=0x00 TTL=64 ID=43856 PROTO=UDP SPT=10370 DPT=38495 LEN=1491
Aug 24 11:14:47 forwarder kernel: [594576.179987] TRACE: mangle:FORWARD:policy:1 IN=docker0 OUT=eth0 PHYSIN=veth79e0ef5 MAC=02:42:59:be:ab:24:02:42:ac:12:00:02:08:00 SRC=172.18.0.2 DST=xxx.xxx.xxx.113 LEN=1511 TOS=0x00 PREC=0x00 TTL=63 ID=43856 PROTO=UDP SPT=10370 DPT=38495 LEN=1491
Aug 24 11:14:47 forwarder kernel: [594576.179991] TRACE: filter:FORWARD:rule:1 IN=docker0 OUT=eth0 PHYSIN=veth79e0ef5 MAC=02:42:59:be:ab:24:02:42:ac:12:00:02:08:00 SRC=172.18.0.2 DST=xxx.xxx.xxx.113 LEN=1511 TOS=0x00 PREC=0x00 TTL=63 ID=43856 PROTO=UDP SPT=10370 DPT=38495 LEN=1491
Aug 24 11:14:47 forwarder kernel: [594576.179998] TRACE: filter:DOCKER-ISOLATION:return:1 IN=docker0 OUT=eth0 PHYSIN=veth79e0ef5 MAC=02:42:59:be:ab:24:02:42:ac:12:00:02:08:00 SRC=172.18.0.2 DST=xxx.xxx.xxx.113 LEN=1511 TOS=0x00 PREC=0x00 TTL=63 ID=43856 PROTO=UDP SPT=10370 DPT=38495 LEN=1491
Aug 24 11:14:47 forwarder kernel: [594576.180003] TRACE: filter:FORWARD:rule:4 IN=docker0 OUT=eth0 PHYSIN=veth79e0ef5 MAC=02:42:59:be:ab:24:02:42:ac:12:00:02:08:00 SRC=172.18.0.2 DST=xxx.xxx.xxx.113 LEN=1511 TOS=0x00 PREC=0x00 TTL=63 ID=43856 PROTO=UDP SPT=10370 DPT=38495 LEN=1491
Aug 24 11:14:47 forwarder kernel: [594576.180007] TRACE: security:FORWARD:policy:1 IN=docker0 OUT=eth0 PHYSIN=veth79e0ef5 MAC=02:42:59:be:ab:24:02:42:ac:12:00:02:08:00 SRC=172.18.0.2 DST=xxx.xxx.xxx.113 LEN=1511 TOS=0x00 PREC=0x00 TTL=63 ID=43856 PROTO=UDP SPT=10370 DPT=38495 LEN=1491
Aug 24 11:14:47 forwarder kernel: [594576.180010] TRACE: mangle:POSTROUTING:policy:1 IN= OUT=eth0 PHYSIN=veth79e0ef5 SRC=172.18.0.2 DST=xxx.xxx.xxx.113 LEN=1511 TOS=0x00 PREC=0x00 TTL=63 ID=43856 PROTO=UDP SPT=10370 DPT=38495 LEN=1491
Aug 24 11:15:11 forwarder kernel: [594600.593744] TRACE: raw:PREROUTING:policy:2 IN=eth0 OUT= MAC=00:16:3e:03:f4:3f:ee:ff:ff:ff:ff:ff:08:00 SRC=xxx.xxx.xxx.113 DST=172.17.128.213 LEN=1513 TOS=0x00 PREC=0x00 TTL=57 ID=17398 PROTO=UDP SPT=38495 DPT=10370 LEN=1493
Aug 24 11:15:11 forwarder kernel: [594600.593773] TRACE: mangle:PREROUTING:policy:1 IN=eth0 OUT= MAC=00:16:3e:03:f4:3f:ee:ff:ff:ff:ff:ff:08:00 SRC=xxx.xxx.xxx.113 DST=172.17.128.213 LEN=1513 TOS=0x00 PREC=0x00 TTL=57 ID=17398 PROTO=UDP SPT=38495 DPT=10370 LEN=1493
Aug 24 11:15:11 forwarder kernel: [594600.593788] TRACE: mangle:FORWARD:policy:1 IN=eth0 OUT=docker0 MAC=00:16:3e:03:f4:3f:ee:ff:ff:ff:ff:ff:08:00 SRC=xxx.xxx.xxx.113 DST=172.18.0.2 LEN=1513 TOS=0x00 PREC=0x00 TTL=56 ID=17398 PROTO=UDP SPT=38495 DPT=10370 LEN=1493
Aug 24 11:15:11 forwarder kernel: [594600.593795] TRACE: filter:FORWARD:rule:1 IN=eth0 OUT=docker0 MAC=00:16:3e:03:f4:3f:ee:ff:ff:ff:ff:ff:08:00 SRC=xxx.xxx.xxx.113 DST=172.18.0.2 LEN=1513 TOS=0x00 PREC=0x00 TTL=56 ID=17398 PROTO=UDP SPT=38495 DPT=10370 LEN=1493
Aug 24 11:15:11 forwarder kernel: [594600.593808] TRACE: filter:DOCKER-ISOLATION:return:1 IN=eth0 OUT=docker0 MAC=00:16:3e:03:f4:3f:ee:ff:ff:ff:ff:ff:08:00 SRC=xxx.xxx.xxx.113 DST=172.18.0.2 LEN=1513 TOS=0x00 PREC=0x00 TTL=56 ID=17398 PROTO=UDP SPT=38495 DPT=10370 LEN=1493
Aug 24 11:15:11 forwarder kernel: [594600.593813] TRACE: filter:FORWARD:rule:2 IN=eth0 OUT=docker0 MAC=00:16:3e:03:f4:3f:ee:ff:ff:ff:ff:ff:08:00 SRC=xxx.xxx.xxx.113 DST=172.18.0.2 LEN=1513 TOS=0x00 PREC=0x00 TTL=56 ID=17398 PROTO=UDP SPT=38495 DPT=10370 LEN=1493
Aug 24 11:15:11 forwarder kernel: [594600.593820] TRACE: filter:DOCKER:rule:30 IN=eth0 OUT=docker0 MAC=00:16:3e:03:f4:3f:ee:ff:ff:ff:ff:ff:08:00 SRC=xxx.xxx.xxx.113 DST=172.18.0.2 LEN=1513 TOS=0x00 PREC=0x00 TTL=56 ID=17398 PROTO=UDP SPT=38495 DPT=10370 LEN=1493
Aug 24 11:15:11 forwarder kernel: [594600.593825] TRACE: security:FORWARD:policy:1 IN=eth0 OUT=docker0 MAC=00:16:3e:03:f4:3f:ee:ff:ff:ff:ff:ff:08:00 SRC=xxx.xxx.xxx.113 DST=172.18.0.2 LEN=1513 TOS=0x00 PREC=0x00 TTL=56 ID=17398 PROTO=UDP SPT=38495 DPT=10370 LEN=1493
Aug 24 11:15:11 forwarder kernel: [594600.593830] TRACE: mangle:POSTROUTING:policy:1 IN= OUT=docker0 SRC=xxx.xxx.xxx.113 DST=172.18.0.2 LEN=1513 TOS=0x00 PREC=0x00 TTL=56 ID=17398 PROTO=UDP SPT=38495 DPT=10370 LEN=1493
Aug 24 11:15:11 forwarder kernel: [594600.593942] TRACE: raw:PREROUTING:policy:2 IN=docker0 OUT= PHYSIN=veth79e0ef5 MAC=02:42:59:be:ab:24:02:42:ac:12:00:02:08:00 SRC=172.18.0.2 DST=xxx.xxx.xxx.113 LEN=1513 TOS=0x00 PREC=0x00 TTL=64 ID=44215 PROTO=UDP SPT=10370 DPT=38495 LEN=1493
Aug 24 11:15:11 forwarder kernel: [594600.593948] TRACE: mangle:PREROUTING:policy:1 IN=docker0 OUT= PHYSIN=veth79e0ef5 MAC=02:42:59:be:ab:24:02:42:ac:12:00:02:08:00 SRC=172.18.0.2 DST=xxx.xxx.xxx.113 LEN=1513 TOS=0x00 PREC=0x00 TTL=64 ID=44215 PROTO=UDP SPT=10370 DPT=38495 LEN=1493
Aug 24 11:15:11 forwarder kernel: [594600.593957] TRACE: mangle:FORWARD:policy:1 IN=docker0 OUT=eth0 PHYSIN=veth79e0ef5 MAC=02:42:59:be:ab:24:02:42:ac:12:00:02:08:00 SRC=172.18.0.2 DST=xxx.xxx.xxx.113 LEN=1513 TOS=0x00 PREC=0x00 TTL=63 ID=44215 PROTO=UDP SPT=10370 DPT=38495 LEN=1493
Aug 24 11:15:11 forwarder kernel: [594600.593962] TRACE: filter:FORWARD:rule:1 IN=docker0 OUT=eth0 PHYSIN=veth79e0ef5 MAC=02:42:59:be:ab:24:02:42:ac:12:00:02:08:00 SRC=172.18.0.2 DST=xxx.xxx.xxx.113 LEN=1513 TOS=0x00 PREC=0x00 TTL=63 ID=44215 PROTO=UDP SPT=10370 DPT=38495 LEN=1493
Aug 24 11:15:11 forwarder kernel: [594600.593969] TRACE: filter:DOCKER-ISOLATION:return:1 IN=docker0 OUT=eth0 PHYSIN=veth79e0ef5 MAC=02:42:59:be:ab:24:02:42:ac:12:00:02:08:00 SRC=172.18.0.2 DST=xxx.xxx.xxx.113 LEN=1513 TOS=0x00 PREC=0x00 TTL=63 ID=44215 PROTO=UDP SPT=10370 DPT=38495 LEN=1493
Aug 24 11:15:11 forwarder kernel: [594600.593975] TRACE: filter:FORWARD:rule:4 IN=docker0 OUT=eth0 PHYSIN=veth79e0ef5 MAC=02:42:59:be:ab:24:02:42:ac:12:00:02:08:00 SRC=172.18.0.2 DST=xxx.xxx.xxx.113 LEN=1513 TOS=0x00 PREC=0x00 TTL=63 ID=44215 PROTO=UDP SPT=10370 DPT=38495 LEN=1493
Aug 24 11:15:11 forwarder kernel: [594600.593979] TRACE: security:FORWARD:policy:1 IN=docker0 OUT=eth0 PHYSIN=veth79e0ef5 MAC=02:42:59:be:ab:24:02:42:ac:12:00:02:08:00 SRC=172.18.0.2 DST=xxx.xxx.xxx.113 LEN=1513 TOS=0x00 PREC=0x00 TTL=63 ID=44215 PROTO=UDP SPT=10370 DPT=38495 LEN=1493
Aug 24 11:15:11 forwarder kernel: [594600.593982] TRACE: mangle:POSTROUTING:policy:1 IN= OUT=eth0 PHYSIN=veth79e0ef5 SRC=172.18.0.2 DST=xxx.xxx.xxx.113 LEN=1513 TOS=0x00 PREC=0x00 TTL=63 ID=44215 PROTO=UDP SPT=10370 DPT=38495 LEN=1493
Aug 24 11:15:32 forwarder kernel: [594621.306336] TRACE: raw:PREROUTING:policy:2 IN=eth0 OUT= MAC=00:16:3e:03:f4:3f:ee:ff:ff:ff:ff:ff:08:00 SRC=xxx.xxx.xxx.113 DST=172.17.128.213 LEN=1526 TOS=0x00 PREC=0x00 TTL=57 ID=17399 PROTO=UDP SPT=38495 DPT=10370 LEN=1506
Aug 24 11:15:32 forwarder kernel: [594621.306366] TRACE: mangle:PREROUTING:policy:1 IN=eth0 OUT= MAC=00:16:3e:03:f4:3f:ee:ff:ff:ff:ff:ff:08:00 SRC=xxx.xxx.xxx.113 DST=172.17.128.213 LEN=1526 TOS=0x00 PREC=0x00 TTL=57 ID=17399 PROTO=UDP SPT=38495 DPT=10370 LEN=1506
Aug 24 11:15:32 forwarder kernel: [594621.306381] TRACE: mangle:FORWARD:policy:1 IN=eth0 OUT=docker0 MAC=00:16:3e:03:f4:3f:ee:ff:ff:ff:ff:ff:08:00 SRC=xxx.xxx.xxx.113 DST=172.18.0.2 LEN=1526 TOS=0x00 PREC=0x00 TTL=56 ID=17399 PROTO=UDP SPT=38495 DPT=10370 LEN=1506
Aug 24 11:15:32 forwarder kernel: [594621.306387] TRACE: filter:FORWARD:rule:1 IN=eth0 OUT=docker0 MAC=00:16:3e:03:f4:3f:ee:ff:ff:ff:ff:ff:08:00 SRC=xxx.xxx.xxx.113 DST=172.18.0.2 LEN=1526 TOS=0x00 PREC=0x00 TTL=56 ID=17399 PROTO=UDP SPT=38495 DPT=10370 LEN=1506
Aug 24 11:15:32 forwarder kernel: [594621.306400] TRACE: filter:DOCKER-ISOLATION:return:1 IN=eth0 OUT=docker0 MAC=00:16:3e:03:f4:3f:ee:ff:ff:ff:ff:ff:08:00 SRC=xxx.xxx.xxx.113 DST=172.18.0.2 LEN=1526 TOS=0x00 PREC=0x00 TTL=56 ID=17399 PROTO=UDP SPT=38495 DPT=10370 LEN=1506
Aug 24 11:15:32 forwarder kernel: [594621.306405] TRACE: filter:FORWARD:rule:2 IN=eth0 OUT=docker0 MAC=00:16:3e:03:f4:3f:ee:ff:ff:ff:ff:ff:08:00 SRC=xxx.xxx.xxx.113 DST=172.18.0.2 LEN=1526 TOS=0x00 PREC=0x00 TTL=56 ID=17399 PROTO=UDP SPT=38495 DPT=10370 LEN=1506
Aug 24 11:15:32 forwarder kernel: [594621.306413] TRACE: filter:DOCKER:rule:30 IN=eth0 OUT=docker0 MAC=00:16:3e:03:f4:3f:ee:ff:ff:ff:ff:ff:08:00 SRC=xxx.xxx.xxx.113 DST=172.18.0.2 LEN=1526 TOS=0x00 PREC=0x00 TTL=56 ID=17399 PROTO=UDP SPT=38495 DPT=10370 LEN=1506
Aug 24 11:15:32 forwarder kernel: [594621.306418] TRACE: security:FORWARD:policy:1 IN=eth0 OUT=docker0 MAC=00:16:3e:03:f4:3f:ee:ff:ff:ff:ff:ff:08:00 SRC=xxx.xxx.xxx.113 DST=172.18.0.2 LEN=1526 TOS=0x00 PREC=0x00 TTL=56 ID=17399 PROTO=UDP SPT=38495 DPT=10370 LEN=1506
Aug 24 11:15:32 forwarder kernel: [594621.306423] TRACE: mangle:POSTROUTING:policy:1 IN= OUT=docker0 SRC=xxx.xxx.xxx.113 DST=172.18.0.2 LEN=1526 TOS=0x00 PREC=0x00 TTL=56 ID=17399 PROTO=UDP SPT=38495 DPT=10370 LEN=1506
Aug 24 11:15:32 forwarder kernel: [594621.306530] TRACE: raw:PREROUTING:policy:2 IN=docker0 OUT= PHYSIN=veth79e0ef5 MAC=02:42:59:be:ab:24:02:42:ac:12:00:02:08:00 SRC=172.18.0.2 DST=xxx.xxx.xxx.113 LEN=1526 TOS=0x00 PREC=0x00 TTL=64 ID=45186 PROTO=UDP SPT=10370 DPT=38495 LEN=1506
Aug 24 11:15:32 forwarder kernel: [594621.306535] TRACE: mangle:PREROUTING:policy:1 IN=docker0 OUT= PHYSIN=veth79e0ef5 MAC=02:42:59:be:ab:24:02:42:ac:12:00:02:08:00 SRC=172.18.0.2 DST=xxx.xxx.xxx.113 LEN=1526 TOS=0x00 PREC=0x00 TTL=64 ID=45186 PROTO=UDP SPT=10370 DPT=38495 LEN=1506
Aug 24 11:15:32 forwarder kernel: [594621.306544] TRACE: mangle:FORWARD:policy:1 IN=docker0 OUT=eth0 PHYSIN=veth79e0ef5 MAC=02:42:59:be:ab:24:02:42:ac:12:00:02:08:00 SRC=172.18.0.2 DST=xxx.xxx.xxx.113 LEN=1526 TOS=0x00 PREC=0x00 TTL=63 ID=45186 PROTO=UDP SPT=10370 DPT=38495 LEN=1506
Aug 24 11:15:32 forwarder kernel: [594621.306548] TRACE: filter:FORWARD:rule:1 IN=docker0 OUT=eth0 PHYSIN=veth79e0ef5 MAC=02:42:59:be:ab:24:02:42:ac:12:00:02:08:00 SRC=172.18.0.2 DST=xxx.xxx.xxx.113 LEN=1526 TOS=0x00 PREC=0x00 TTL=63 ID=45186 PROTO=UDP SPT=10370 DPT=38495 LEN=1506
Aug 24 11:15:32 forwarder kernel: [594621.306556] TRACE: filter:DOCKER-ISOLATION:return:1 IN=docker0 OUT=eth0 PHYSIN=veth79e0ef5 MAC=02:42:59:be:ab:24:02:42:ac:12:00:02:08:00 SRC=172.18.0.2 DST=xxx.xxx.xxx.113 LEN=1526 TOS=0x00 PREC=0x00 TTL=63 ID=45186 PROTO=UDP SPT=10370 DPT=38495 LEN=1506
Aug 24 11:15:32 forwarder kernel: [594621.306560] TRACE: filter:FORWARD:rule:4 IN=docker0 OUT=eth0 PHYSIN=veth79e0ef5 MAC=02:42:59:be:ab:24:02:42:ac:12:00:02:08:00 SRC=172.18.0.2 DST=xxx.xxx.xxx.113 LEN=1526 TOS=0x00 PREC=0x00 TTL=63 ID=45186 PROTO=UDP SPT=10370 DPT=38495 LEN=1506
Aug 24 11:15:32 forwarder kernel: [594621.306564] TRACE: security:FORWARD:policy:1 IN=docker0 OUT=eth0 PHYSIN=veth79e0ef5 MAC=02:42:59:be:ab:24:02:42:ac:12:00:02:08:00 SRC=172.18.0.2 DST=xxx.xxx.xxx.113 LEN=1526 TOS=0x00 PREC=0x00 TTL=63 ID=45186 PROTO=UDP SPT=10370 DPT=38495 LEN=1506
Aug 24 11:15:32 forwarder kernel: [594621.306567] TRACE: mangle:POSTROUTING:policy:1 IN= OUT=eth0 PHYSIN=veth79e0ef5 SRC=172.18.0.2 DST=xxx.xxx.xxx.113 LEN=1526 TOS=0x00 PREC=0x00 TTL=63 ID=45186 PROTO=UDP SPT=10370 DPT=38495 LEN=1506
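Both the priority enum from the Hooks section and a log like the one above can be checked mechanically. The following Python is an added example, not code from the original post: it parses TRACE lines, groups them per packet, reconstructs the table:chain:rule path, flags DNAT, derives the UDP payload size from the IP LEN, and verifies that within each built-in chain the tables appear in ascending nf_ip_hook_priorities order. The sample lines are constructed to mirror the first packet above; 198.51.100.113 stands in for the masked source address, and an IPv4 header without options is assumed.

```python
"""Rebuild per-packet iptables paths from TRACE log lines and sanity-check them.
Added example for this article (not the post's own code): parses the TRACE
target's kernel-log format and checks table order against nf_ip_hook_priorities."""
import re
from collections import OrderedDict

# Priorities from include/uapi/linux/netfilter_ipv4.h for the tables TRACE
# reports. nat registers at NF_IP_PRI_NAT_DST (-100) on PREROUTING/OUTPUT
# but at NF_IP_PRI_NAT_SRC (100) on INPUT/POSTROUTING.
TABLE_PRIORITY = {"raw": -300, "mangle": -150, "nat": -100,
                  "filter": 0, "security": 50}
BUILTIN_CHAINS = {"PREROUTING", "INPUT", "FORWARD", "OUTPUT", "POSTROUTING"}
IP_HDR_LEN, UDP_HDR_LEN = 20, 8   # assumption: IPv4 header without options
MTU = 1500                        # link MTU seen in the article's capture

TRACE_RE = re.compile(
    r"TRACE: (?P<table>\w+):(?P<chain>[\w-]+):(?P<kind>policy|rule|return)"
    r":(?P<num>\d+) (?P<fields>.*)$")
KV_RE = re.compile(r"(\w+)=(\S*)")

def table_priority(table, chain):
    """Effective priority of a table at a built-in chain (hook)."""
    if table == "nat" and chain in ("INPUT", "POSTROUTING"):
        return 100                  # NF_IP_PRI_NAT_SRC
    return TABLE_PRIORITY[table]

def parse_trace_line(line):
    """Parse one TRACE line into a dict; return None for non-trace lines."""
    m = TRACE_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["num"] = int(rec["num"])
    lens = []
    for key, val in KV_RE.findall(rec.pop("fields")):
        if key == "LEN":            # first LEN is the IP total length,
            lens.append(int(val))   # the second (after PROTO=) the UDP length
        else:
            rec[key] = val
    rec["ip_len"] = lens[0] if lens else None
    return rec

def group_packets(lines):
    """Group records by (IP ID, proto, ports): these survive DNAT, DST does not."""
    packets = OrderedDict()
    for line in lines:
        rec = parse_trace_line(line)
        if rec is not None:
            key = (rec.get("ID"), rec.get("PROTO"), rec.get("SPT"), rec.get("DPT"))
            packets.setdefault(key, []).append(rec)
    return packets

def order_ok(records):
    """True if, within each built-in chain, tables run in ascending priority."""
    seen = {}
    for rec in records:
        chain = rec["chain"]
        if chain not in BUILTIN_CHAINS:
            continue                # user chain: belongs to the caller's table
        prio = table_priority(rec["table"], chain)
        if prio < seen.get(chain, prio):
            return False
        seen[chain] = prio
    return True

def summarize(records):
    """Derive the facts a troubleshooter wants from one packet's trace."""
    first, last = records[0], records[-1]
    hooks = list(OrderedDict.fromkeys(
        r["chain"] for r in records if r["chain"] in BUILTIN_CHAINS))
    return {
        "path": ["%s:%s:%s:%d" % (r["table"], r["chain"], r["kind"], r["num"])
                 for r in records],
        "hooks": hooks,             # e.g. PREROUTING -> FORWARD -> POSTROUTING
        "priority_order_ok": order_ok(records),
        "dnat": (first["DST"], last["DST"]) if first["DST"] != last["DST"] else None,
        "udp_payload": first["ip_len"] - IP_HDR_LEN - UDP_HDR_LEN,
        # LEN above the MTU already at raw:PREROUTING means conntrack defrag
        # (-400) reassembled the fragments before the raw table (-300) ran.
        "reassembled_before_raw": first["ip_len"] > MTU,
    }

# Constructed sample mirroring the article's first packet (a 1483-byte UDP
# datagram DNATed to the container); 198.51.100.113 replaces the masked address.
_PRE = "Aug 24 11:14:47 forwarder kernel: [594576.178700] TRACE: "
_HOST = ("IN=eth0 OUT= SRC=198.51.100.113 DST=172.17.128.213 LEN=1511 TOS=0x00 "
         "PREC=0x00 TTL=57 ID=17397 PROTO=UDP SPT=38495 DPT=10370 LEN=1491")
_CONT = _HOST.replace("OUT= ", "OUT=docker0 ").replace("DST=172.17.128.213",
                                                       "DST=172.18.0.2")
_STEPS = ["raw:PREROUTING:policy:2", "mangle:PREROUTING:policy:1", "nat:PREROUTING:rule:1",
          "nat:DOCKER:rule:31",   # DNAT happens in this user chain of nat:PREROUTING
          "mangle:FORWARD:policy:1", "filter:FORWARD:rule:1", "filter:DOCKER-ISOLATION:return:1",
          "filter:FORWARD:rule:2", "filter:DOCKER:rule:30", "security:FORWARD:policy:1",
          "mangle:POSTROUTING:policy:1", "nat:POSTROUTING:policy:102"]
CONSTRUCTED_LOG = [_PRE + s + " " + (_HOST if i < 4 else _CONT)
                   for i, s in enumerate(_STEPS)]
# Constructed trace that violates the priority order (filter before mangle).
BAD_ORDER_LOG = [_PRE + "filter:FORWARD:rule:1 " + _CONT,
                 _PRE + "mangle:FORWARD:policy:1 " + _CONT]
```

Feed the real `journalctl -k` or `dmesg` output to `group_packets` and call `summarize` on each group; a packet whose `priority_order_ok` is false or whose path stops short of POSTROUTING is where the rule set needs a closer look.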

For those who want to analyse in detail, we also give the relevant iptables rules (for brevity, some near-identical rules have been removed)

root@forwarder:~# for t in filter mangle nat security raw;do echo '############################################';echo $t; echo '############################################';iptables -L -n -v -t $t;echo;done
############################################
filter
############################################
Chain INPUT (policy ACCEPT 8134 packets, 566K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DOCKER-ISOLATION  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 DOCKER     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  docker0 docker0  0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 6362 packets, 2498K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain DOCKER (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     udp  --  !docker0 docker0  0.0.0.0/0            172.18.0.2           udp dpt:10399
    0     0 ACCEPT     udp  --  !docker0 docker0  0.0.0.0/0            172.18.0.2           udp dpt:10398
    0     0 ACCEPT     udp  --  !docker0 docker0  0.0.0.0/0            172.18.0.2           udp dpt:10397
    0     0 ACCEPT     udp  --  !docker0 docker0  0.0.0.0/0            172.18.0.2           udp dpt:10396
    0     0 ACCEPT     udp  --  !docker0 docker0  0.0.0.0/0            172.18.0.2           udp dpt:10395
    0     0 ACCEPT     udp  --  !docker0 docker0  0.0.0.0/0            172.18.0.2           udp dpt:10394
    0     0 ACCEPT     udp  --  !docker0 docker0  0.0.0.0/0            172.18.0.2           udp dpt:10393
    0     0 ACCEPT     udp  --  !docker0 docker0  0.0.0.0/0            172.18.0.2           udp dpt:10392
    0     0 ACCEPT     udp  --  !docker0 docker0  0.0.0.0/0            172.18.0.2           udp dpt:10391
    0     0 ACCEPT     udp  --  !docker0 docker0  0.0.0.0/0            172.18.0.2           udp dpt:10390
    0     0 ACCEPT     udp  --  !docker0 docker0  0.0.0.0/0            172.18.0.2           udp dpt:10389
    0     0 ACCEPT     udp  --  !docker0 docker0  0.0.0.0/0            172.18.0.2           udp dpt:10388
    0     0 ACCEPT     udp  --  !docker0 docker0  0.0.0.0/0            172.18.0.2           udp dpt:10387
    0     0 ACCEPT     udp  --  !docker0 docker0  0.0.0.0/0            172.18.0.2           udp dpt:10386
    0     0 ACCEPT     udp  --  !docker0 docker0  0.0.0.0/0            172.18.0.2           udp dpt:10385
    0     0 ACCEPT     udp  --  !docker0 docker0  0.0.0.0/0            172.18.0.2           udp dpt:10384
    0     0 ACCEPT     udp  --  !docker0 docker0  0.0.0.0/0            172.18.0.2           udp dpt:10383
    0     0 ACCEPT     udp  --  !docker0 docker0  0.0.0.0/0            172.18.0.2           udp dpt:10382
    0     0 ACCEPT     udp  --  !docker0 docker0  0.0.0.0/0            172.18.0.2           udp dpt:10381
    0     0 ACCEPT     udp  --  !docker0 docker0  0.0.0.0/0            172.18.0.2           udp dpt:10380
    0     0 ACCEPT     udp  --  !docker0 docker0  0.0.0.0/0            172.18.0.2           udp dpt:10379
    0     0 ACCEPT     udp  --  !docker0 docker0  0.0.0.0/0            172.18.0.2           udp dpt:10378
    0     0 ACCEPT     udp  --  !docker0 docker0  0.0.0.0/0            172.18.0.2           udp dpt:10377
    0     0 ACCEPT     udp  --  !docker0 docker0  0.0.0.0/0            172.18.0.2           udp dpt:10376
    0     0 ACCEPT     udp  --  !docker0 docker0  0.0.0.0/0            172.18.0.2           udp dpt:10375
    0     0 ACCEPT     udp  --  !docker0 docker0  0.0.0.0/0            172.18.0.2           udp dpt:10374
    0     0 ACCEPT     udp  --  !docker0 docker0  0.0.0.0/0            172.18.0.2           udp dpt:10373
    0     0 ACCEPT     udp  --  !docker0 docker0  0.0.0.0/0            172.18.0.2           udp dpt:10372
    0     0 ACCEPT     udp  --  !docker0 docker0  0.0.0.0/0            172.18.0.2           udp dpt:10371
    0     0 ACCEPT     udp  --  !docker0 docker0  0.0.0.0/0            172.18.0.2           udp dpt:10370
# ... ...
    0     0 ACCEPT     udp  --  !docker0 docker0  0.0.0.0/0            172.18.0.2           udp dpt:10310
    0     0 ACCEPT     udp  --  !docker0 docker0  0.0.0.0/0            172.18.0.2           udp dpt:10309
    0     0 ACCEPT     udp  --  !docker0 docker0  0.0.0.0/0            172.18.0.2           udp dpt:10308
    0     0 ACCEPT     udp  --  !docker0 docker0  0.0.0.0/0            172.18.0.2           udp dpt:10307
    0     0 ACCEPT     udp  --  !docker0 docker0  0.0.0.0/0            172.18.0.2           udp dpt:10306
    0     0 ACCEPT     udp  --  !docker0 docker0  0.0.0.0/0            172.18.0.2           udp dpt:10305
    0     0 ACCEPT     udp  --  !docker0 docker0  0.0.0.0/0            172.18.0.2           udp dpt:10304
    0     0 ACCEPT     udp  --  !docker0 docker0  0.0.0.0/0            172.18.0.2           udp dpt:10303
    0     0 ACCEPT     udp  --  !docker0 docker0  0.0.0.0/0            172.18.0.2           udp dpt:10302
    0     0 ACCEPT     udp  --  !docker0 docker0  0.0.0.0/0            172.18.0.2           udp dpt:10301
    0     0 ACCEPT     udp  --  !docker0 docker0  0.0.0.0/0            172.18.0.2           udp dpt:10300

Chain DOCKER-ISOLATION (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

############################################
mangle
############################################
Chain PREROUTING (policy ACCEPT 146 packets, 9205 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain INPUT (policy ACCEPT 146 packets, 9205 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 123 packets, 70493 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 123 packets, 70493 bytes)
 pkts bytes target     prot opt in     out     source               destination         

############################################
nat
############################################
Chain PREROUTING (policy ACCEPT 371 packets, 20868 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 1193 73848 DOCKER     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT 371 packets, 20868 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 538 packets, 34120 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DOCKER     all  --  *      *       0.0.0.0/0           !127.0.0.0/8          ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT 538 packets, 34120 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 MASQUERADE  all  --  *      !docker0  172.18.0.0/16        0.0.0.0/0           
    0     0 MASQUERADE  udp  --  *      *       172.18.0.2           172.18.0.2           udp dpt:10399
    0     0 MASQUERADE  udp  --  *      *       172.18.0.2           172.18.0.2           udp dpt:10398
    0     0 MASQUERADE  udp  --  *      *       172.18.0.2           172.18.0.2           udp dpt:10397
    0     0 MASQUERADE  udp  --  *      *       172.18.0.2           172.18.0.2           udp dpt:10396
    0     0 MASQUERADE  udp  --  *      *       172.18.0.2           172.18.0.2           udp dpt:10395
    0     0 MASQUERADE  udp  --  *      *       172.18.0.2           172.18.0.2           udp dpt:10394
    0     0 MASQUERADE  udp  --  *      *       172.18.0.2           172.18.0.2           udp dpt:10393
    0     0 MASQUERADE  udp  --  *      *       172.18.0.2           172.18.0.2           udp dpt:10392
    0     0 MASQUERADE  udp  --  *      *       172.18.0.2           172.18.0.2           udp dpt:10391
    0     0 MASQUERADE  udp  --  *      *       172.18.0.2           172.18.0.2           udp dpt:10390
    0     0 MASQUERADE  udp  --  *      *       172.18.0.2           172.18.0.2           udp dpt:10389
    0     0 MASQUERADE  udp  --  *      *       172.18.0.2           172.18.0.2           udp dpt:10388
    0     0 MASQUERADE  udp  --  *      *       172.18.0.2           172.18.0.2           udp dpt:10387
    0     0 MASQUERADE  udp  --  *      *       172.18.0.2           172.18.0.2           udp dpt:10386
    0     0 MASQUERADE  udp  --  *      *       172.18.0.2           172.18.0.2           udp dpt:10385
    0     0 MASQUERADE  udp  --  *      *       172.18.0.2           172.18.0.2           udp dpt:10384
    0     0 MASQUERADE  udp  --  *      *       172.18.0.2           172.18.0.2           udp dpt:10383
    0     0 MASQUERADE  udp  --  *      *       172.18.0.2           172.18.0.2           udp dpt:10382
    0     0 MASQUERADE  udp  --  *      *       172.18.0.2           172.18.0.2           udp dpt:10381
    0     0 MASQUERADE  udp  --  *      *       172.18.0.2           172.18.0.2           udp dpt:10380
    0     0 MASQUERADE  udp  --  *      *       172.18.0.2           172.18.0.2           udp dpt:10379
    0     0 MASQUERADE  udp  --  *      *       172.18.0.2           172.18.0.2           udp dpt:10378
    0     0 MASQUERADE  udp  --  *      *       172.18.0.2           172.18.0.2           udp dpt:10377
    0     0 MASQUERADE  udp  --  *      *       172.18.0.2           172.18.0.2           udp dpt:10376
    0     0 MASQUERADE  udp  --  *      *       172.18.0.2           172.18.0.2           udp dpt:10375
    0     0 MASQUERADE  udp  --  *      *       172.18.0.2           172.18.0.2           udp dpt:10374
    0     0 MASQUERADE  udp  --  *      *       172.18.0.2           172.18.0.2           udp dpt:10373
    0     0 MASQUERADE  udp  --  *      *       172.18.0.2           172.18.0.2           udp dpt:10372
    0     0 MASQUERADE  udp  --  *      *       172.18.0.2           172.18.0.2           udp dpt:10371
    0     0 MASQUERADE  udp  --  *      *       172.18.0.2           172.18.0.2           udp dpt:10370
# ... ...
    0     0 MASQUERADE  udp  --  *      *       172.18.0.2           172.18.0.2           udp dpt:10310
    0     0 MASQUERADE  udp  --  *      *       172.18.0.2           172.18.0.2           udp dpt:10309
    0     0 MASQUERADE  udp  --  *      *       172.18.0.2           172.18.0.2           udp dpt:10308
    0     0 MASQUERADE  udp  --  *      *       172.18.0.2           172.18.0.2           udp dpt:10307
    0     0 MASQUERADE  udp  --  *      *       172.18.0.2           172.18.0.2           udp dpt:10306
    0     0 MASQUERADE  udp  --  *      *       172.18.0.2           172.18.0.2           udp dpt:10305
    0     0 MASQUERADE  udp  --  *      *       172.18.0.2           172.18.0.2           udp dpt:10304
    0     0 MASQUERADE  udp  --  *      *       172.18.0.2           172.18.0.2           udp dpt:10303
    0     0 MASQUERADE  udp  --  *      *       172.18.0.2           172.18.0.2           udp dpt:10302
    0     0 MASQUERADE  udp  --  *      *       172.18.0.2           172.18.0.2           udp dpt:10301
    0     0 MASQUERADE  udp  --  *      *       172.18.0.2           172.18.0.2           udp dpt:10300

Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 RETURN     all  --  docker0 *       0.0.0.0/0            0.0.0.0/0           
    0     0 DNAT       udp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:10399 to:172.18.0.2:10399
    0     0 DNAT       udp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:10398 to:172.18.0.2:10398
    0     0 DNAT       udp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:10397 to:172.18.0.2:10397
    0     0 DNAT       udp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:10396 to:172.18.0.2:10396
    0     0 DNAT       udp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:10395 to:172.18.0.2:10395
    0     0 DNAT       udp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:10394 to:172.18.0.2:10394
    0     0 DNAT       udp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:10393 to:172.18.0.2:10393
    0     0 DNAT       udp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:10392 to:172.18.0.2:10392
    0     0 DNAT       udp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:10391 to:172.18.0.2:10391
    0     0 DNAT       udp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:10390 to:172.18.0.2:10390
    0     0 DNAT       udp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:10389 to:172.18.0.2:10389
    0     0 DNAT       udp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:10388 to:172.18.0.2:10388
    0     0 DNAT       udp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:10387 to:172.18.0.2:10387
    0     0 DNAT       udp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:10386 to:172.18.0.2:10386
    0     0 DNAT       udp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:10385 to:172.18.0.2:10385
    0     0 DNAT       udp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:10384 to:172.18.0.2:10384
    0     0 DNAT       udp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:10383 to:172.18.0.2:10383
    0     0 DNAT       udp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:10382 to:172.18.0.2:10382
    0     0 DNAT       udp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:10381 to:172.18.0.2:10381
    0     0 DNAT       udp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:10380 to:172.18.0.2:10380
    0     0 DNAT       udp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:10379 to:172.18.0.2:10379
    0     0 DNAT       udp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:10378 to:172.18.0.2:10378
    0     0 DNAT       udp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:10377 to:172.18.0.2:10377
    0     0 DNAT       udp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:10376 to:172.18.0.2:10376
    0     0 DNAT       udp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:10375 to:172.18.0.2:10375
    0     0 DNAT       udp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:10374 to:172.18.0.2:10374
    0     0 DNAT       udp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:10373 to:172.18.0.2:10373
    0     0 DNAT       udp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:10372 to:172.18.0.2:10372
    0     0 DNAT       udp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:10371 to:172.18.0.2:10371
    0     0 DNAT       udp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:10370 to:172.18.0.2:10370
# ... ...
    0     0 DNAT       udp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:10311 to:172.18.0.2:10311
    0     0 DNAT       udp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:10310 to:172.18.0.2:10310
    0     0 DNAT       udp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:10309 to:172.18.0.2:10309
    0     0 DNAT       udp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:10308 to:172.18.0.2:10308
    0     0 DNAT       udp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:10307 to:172.18.0.2:10307
    0     0 DNAT       udp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:10306 to:172.18.0.2:10306
    0     0 DNAT       udp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:10305 to:172.18.0.2:10305
    0     0 DNAT       udp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:10304 to:172.18.0.2:10304
    0     0 DNAT       udp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:10303 to:172.18.0.2:10303
    0     0 DNAT       udp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:10302 to:172.18.0.2:10302
    0     0 DNAT       udp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:10301 to:172.18.0.2:10301
    0     0 DNAT       udp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:10300 to:172.18.0.2:10300

############################################
security
############################################
Chain INPUT (policy ACCEPT 146 packets, 9257 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 114 packets, 77993 bytes)
 pkts bytes target     prot opt in     out     source               destination         

############################################
raw
############################################
Chain PREROUTING (policy ACCEPT 50 packets, 3203 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 TRACE      udp  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 41 packets, 55987 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 TRACE      udp  --  *      *       0.0.0.0/0            0.0.0.0/0

Conclusion

In summary, there is a simple scheme for tracing the execution path of Iptables. Used for troubleshooting and diagnosis, it lets us probe how a packet is processed inside the kernel. Its simplicity undoubtedly has merits of its own.
Note: after running a trace, since the nf_conntrack* modules that get loaded by default impose limitations, it is best to reboot to restore the state before the change.
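The TRACE rules in the raw table above only make the kernel write one log line per table/chain the packet passes through; reading that log by eye is tedious once several packets are interleaved. The following is an added example (not code from the original post) that reconstructs each packet's path from such lines and points out the hop whose target rewrote SRC or DST. It assumes the kernel log lines have the form `TRACE: <table>:<chain>:<rule|return|policy>:<n> IN=... SRC=... DST=...` (read via dmesg or journalctl -k); `SAMPLE_LOG` is constructed for this example and is not captured output, though its DOCKER chain rule number 101 matches the position of the `dpt:10300` DNAT rule in the table above.

```python
"""Reconstruct a packet's netfilter traversal from iptables TRACE log lines.

Added example, not code from the original post. Assumes TRACE lines of the
form "TRACE: <table>:<chain>:<rule|return|policy>:<n> IN=... SRC=... DST=..."
in the kernel log. SAMPLE_LOG below is constructed, not captured output.
"""
import re
from collections import OrderedDict
from dataclasses import dataclass, field

TRACE_RE = re.compile(
    r"TRACE: (?P<table>\w+):(?P<chain>[\w-]+):(?P<kind>rule|return|policy):(?P<num>\d+)\s*(?P<rest>.*)"
)
FIELD_RE = re.compile(r"(\w+)=(\S*)")  # KEY=value pairs; bare flags such as DF are skipped


@dataclass
class Hop:
    """One TRACE record: chain entered, verdict kind, matching rule number, header fields."""
    table: str
    chain: str
    kind: str
    rulenum: int
    fields: dict = field(default_factory=dict)


def parse_trace_line(line):
    """Return a Hop for a TRACE line, or None for any other kernel-log line."""
    m = TRACE_RE.search(line)
    if not m:
        return None
    return Hop(m.group("table"), m.group("chain"), m.group("kind"),
               int(m.group("num")), dict(FIELD_RE.findall(m.group("rest"))))


def packet_key(hop):
    """Key that stays stable while one packet crosses the tables.

    DNAT rewrites DST and MASQUERADE rewrites SRC, so addresses alone cannot
    group the records; IP ID plus protocol and source port usually survive.
    """
    f = hop.fields
    return f"{f.get('PROTO', '?')} id={f.get('ID', '?')} spt={f.get('SPT', '?')}"


def build_paths(lines):
    """Map packet_key -> ordered list of Hops, in the order the hooks fired."""
    paths = OrderedDict()
    for line in lines:
        hop = parse_trace_line(line)
        if hop is not None:
            paths.setdefault(packet_key(hop), []).append(hop)
    return paths


def nat_changes(hops):
    """(field, before, after, table:chain:rule) for every SRC/DST rewrite.

    The TRACE record is logged before the rule's target runs, so the hop whose
    target rewrote the address is the one preceding the first changed record.
    """
    changes = []
    for prev, cur in zip(hops, hops[1:]):
        for k in ("SRC", "DST"):
            if cur.fields.get(k) != prev.fields.get(k):
                changes.append((k, prev.fields.get(k), cur.fields.get(k),
                                f"{prev.table}:{prev.chain}:{prev.rulenum}"))
    return changes


# Constructed sample: a UDP datagram to host port 10300 being DNATed into the
# container (DOCKER chain rule 101), interleaved with a locally generated
# DNS query so that grouping by packet_key is exercised.
HDR = "LEN=68 TOS=0x00 PREC=0x00 TTL=64 ID=4242 DF PROTO=UDP SPT=51515 DPT=10300 LEN=48"
SAMPLE_LOG = f"""\
kernel: TRACE: raw:PREROUTING:policy:2 IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 {HDR}
kernel: TRACE: mangle:PREROUTING:policy:1 IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 {HDR}
kernel: TRACE: raw:OUTPUT:policy:2 IN= OUT=eth0 SRC=198.51.100.5 DST=192.0.2.53 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=7 DF PROTO=UDP SPT=40001 DPT=53 LEN=40
kernel: TRACE: nat:PREROUTING:rule:1 IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 {HDR}
kernel: TRACE: nat:DOCKER:rule:101 IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 {HDR}
kernel: TRACE: mangle:FORWARD:policy:1 IN=eth0 OUT=docker0 SRC=192.0.2.10 DST=172.18.0.2 {HDR}
kernel: TRACE: filter:FORWARD:rule:1 IN=eth0 OUT=docker0 SRC=192.0.2.10 DST=172.18.0.2 {HDR}
kernel: TRACE: security:FORWARD:policy:1 IN=eth0 OUT=docker0 SRC=192.0.2.10 DST=172.18.0.2 {HDR}
kernel: TRACE: mangle:POSTROUTING:policy:1 IN= OUT=docker0 SRC=192.0.2.10 DST=172.18.0.2 {HDR}
kernel: TRACE: nat:POSTROUTING:policy:102 IN= OUT=docker0 SRC=192.0.2.10 DST=172.18.0.2 {HDR}
"""

if __name__ == "__main__":
    for key, hops in build_paths(SAMPLE_LOG.splitlines()).items():
        print(key)
        for h in hops:
            print(f"    {h.table}:{h.chain}:{h.kind}:{h.rulenum}")
        for fld, before, after, where in nat_changes(hops):
            print(f"    {fld} rewritten {before} -> {after} by {where}")
```

Run it against real output with `journalctl -k | python3 trace_path.py`-style piping by replacing `SAMPLE_LOG.splitlines()` with `sys.stdin`; the path it prints is exactly the table/chain order the hook priorities from the beginning of the post predict (raw, mangle, nat in PREROUTING; mangle, filter, security in FORWARD; mangle, nat in POSTROUTING), which is what makes the TRACE target useful for checking where a rule did or did not fire.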
