How to debug iptables [CentOS 7]

First, a very useful diagram:

Basics

iptables can jump to the TRACE target, which turns on _packet tracing_. iptables also has a raw table, which is essentially the earliest point at which iptables processes a packet.

Debugging

At that earliest entry point, enable packet tracing for the packets you are interested in, for example for all incoming ICMP packets:

iptables -t raw -I PREROUTING -p icmp -j TRACE

Sometimes you also need to load the required logging module (on CentOS 7):

modprobe nf_log_ipv4

After that, the packet trace entries show up in /var/log/messages.

Turning it off

Just delete the TRACE rule (it is rule 1 of the raw PREROUTING chain because it was inserted at the top with -I):

iptables -t raw -D PREROUTING 1

This is the trace produced by a single ping against the machine:

_As you can see, firewalld muscles its way into the show :)_

Oct 21 15:34:50 vultr kernel: TRACE: raw:PREROUTING:policy:3 IN=eth0 OUT= MAC=56:00:00:7c:40:0c:fe:00:00:7c:40:0c:08:00 SRC=183.192.89.160 DST=1.2.53.225 LEN=84 TOS=0x04 PREC=0x00 TTL=43 ID=32583 PROTO=ICMP TYPE=8 CODE=0 ID=8765 SEQ=0
Oct 21 15:34:50 vultr kernel: TRACE: mangle:PREROUTING:rule:1 IN=eth0 OUT= MAC=56:00:00:7c:40:0c:fe:00:00:7c:40:0c:08:00 SRC=183.192.89.160 DST=1.2.53.225 LEN=84 TOS=0x04 PREC=0x00 TTL=43 ID=32583 PROTO=ICMP TYPE=8 CODE=0 ID=8765 SEQ=0
Oct 21 15:34:50 vultr kernel: TRACE: mangle:PREROUTING_direct:return:1 IN=eth0 OUT= MAC=56:00:00:7c:40:0c:fe:00:00:7c:40:0c:08:00 SRC=183.192.89.160 DST=1.2.53.225 LEN=84 TOS=0x04 PREC=0x00 TTL=43 ID=32583 PROTO=ICMP TYPE=8 CODE=0 ID=8765 SEQ=0
Oct 21 15:34:50 vultr kernel: TRACE: mangle:PREROUTING:rule:2 IN=eth0 OUT= MAC=56:00:00:7c:40:0c:fe:00:00:7c:40:0c:08:00 SRC=183.192.89.160 DST=1.2.53.225 LEN=84 TOS=0x04 PREC=0x00 TTL=43 ID=32583 PROTO=ICMP TYPE=8 CODE=0 ID=8765 SEQ=0
Oct 21 15:34:50 vultr kernel: TRACE: mangle:PREROUTING_ZONES_SOURCE:return:1 IN=eth0 OUT= MAC=56:00:00:7c:40:0c:fe:00:00:7c:40:0c:08:00 SRC=183.192.89.160 DST=1.2.53.225 LEN=84 TOS=0x04 PREC=0x00 TTL=43 ID=32583 PROTO=ICMP TYPE=8 CODE=0 ID=8765 SEQ=0
Oct 21 15:34:50 vultr kernel: TRACE: mangle:PREROUTING:rule:3 IN=eth0 OUT= MAC=56:00:00:7c:40:0c:fe:00:00:7c:40:0c:08:00 SRC=183.192.89.160 DST=1.2.53.225 LEN=84 TOS=0x04 PREC=0x00 TTL=43 ID=32583 PROTO=ICMP TYPE=8 CODE=0 ID=8765 SEQ=0
Oct 21 15:34:50 vultr kernel: TRACE: mangle:PREROUTING_ZONES:rule:2 IN=eth0 OUT= MAC=56:00:00:7c:40:0c:fe:00:00:7c:40:0c:08:00 SRC=183.192.89.160 DST=1.2.53.225 LEN=84 TOS=0x04 PREC=0x00 TTL=43 ID=32583 PROTO=ICMP TYPE=8 CODE=0 ID=8765 SEQ=0
Oct 21 15:34:50 vultr kernel: TRACE: mangle:PRE_public:rule:1 IN=eth0 OUT= MAC=56:00:00:7c:40:0c:fe:00:00:7c:40:0c:08:00 SRC=183.192.89.160 DST=1.2.53.225 LEN=84 TOS=0x04 PREC=0x00 TTL=43 ID=32583 PROTO=ICMP TYPE=8 CODE=0 ID=8765 SEQ=0
Oct 21 15:34:50 vultr kernel: TRACE: mangle:PRE_public_log:return:1 IN=eth0 OUT= MAC=56:00:00:7c:40:0c:fe:00:00:7c:40:0c:08:00 SRC=183.192.89.160 DST=1.2.53.225 LEN=84 TOS=0x04 PREC=0x00 TTL=43 ID=32583 PROTO=ICMP TYPE=8 CODE=0 ID=8765 SEQ=0
Oct 21 15:34:50 vultr kernel: TRACE: mangle:PRE_public:rule:2 IN=eth0 OUT= MAC=56:00:00:7c:40:0c:fe:00:00:7c:40:0c:08:00 SRC=183.192.89.160 DST=1.2.53.225 LEN=84 TOS=0x04 PREC=0x00 TTL=43 ID=32583 PROTO=ICMP TYPE=8 CODE=0 ID=8765 SEQ=0
Oct 21 15:34:50 vultr kernel: TRACE: mangle:PRE_public_deny:return:1 IN=eth0 OUT= MAC=56:00:00:7c:40:0c:fe:00:00:7c:40:0c:08:00 SRC=183.192.89.160 DST=1.2.53.225 LEN=84 TOS=0x04 PREC=0x00 TTL=43 ID=32583 PROTO=ICMP TYPE=8 CODE=0 ID=8765 SEQ=0
Oct 21 15:34:50 vultr kernel: TRACE: mangle:PRE_public:rule:3 IN=eth0 OUT= MAC=56:00:00:7c:40:0c:fe:00:00:7c:40:0c:08:00 SRC=183.192.89.160 DST=1.2.53.225 LEN=84 TOS=0x04 PREC=0x00 TTL=43 ID=32583 PROTO=ICMP TYPE=8 CODE=0 ID=8765 SEQ=0
Oct 21 15:34:50 vultr kernel: TRACE: mangle:PRE_public_allow:return:1 IN=eth0 OUT= MAC=56:00:00:7c:40:0c:fe:00:00:7c:40:0c:08:00 SRC=183.192.89.160 DST=1.2.53.225 LEN=84 TOS=0x04 PREC=0x00 TTL=43 ID=32583 PROTO=ICMP TYPE=8 CODE=0 ID=8765 SEQ=0
Oct 21 15:34:50 vultr kernel: TRACE: mangle:PRE_public:return:4 IN=eth0 OUT= MAC=56:00:00:7c:40:0c:fe:00:00:7c:40:0c:08:00 SRC=183.192.89.160 DST=1.2.53.225 LEN=84 TOS=0x04 PREC=0x00 TTL=43 ID=32583 PROTO=ICMP TYPE=8 CODE=0 ID=8765 SEQ=0
Oct 21 15:34:50 vultr kernel: TRACE: mangle:PREROUTING:policy:4 IN=eth0 OUT= MAC=56:00:00:7c:40:0c:fe:00:00:7c:40:0c:08:00 SRC=183.192.89.160 DST=1.2.53.225 LEN=84 TOS=0x04 PREC=0x00 TTL=43 ID=32583 PROTO=ICMP TYPE=8 CODE=0 ID=8765 SEQ=0
Oct 21 15:34:50 vultr kernel: TRACE: nat:PREROUTING:rule:1 IN=eth0 OUT= MAC=56:00:00:7c:40:0c:fe:00:00:7c:40:0c:08:00 SRC=183.192.89.160 DST=1.2.53.225 LEN=84 TOS=0x04 PREC=0x00 TTL=43 ID=32583 PROTO=ICMP TYPE=8 CODE=0 ID=8765 SEQ=0
Oct 21 15:34:50 vultr kernel: TRACE: nat:PREROUTING_direct:return:1 IN=eth0 OUT= MAC=56:00:00:7c:40:0c:fe:00:00:7c:40:0c:08:00 SRC=183.192.89.160 DST=1.2.53.225 LEN=84 TOS=0x04 PREC=0x00 TTL=43 ID=32583 PROTO=ICMP TYPE=8 CODE=0 ID=8765 SEQ=0
Oct 21 15:34:50 vultr kernel: TRACE: nat:PREROUTING:rule:2 IN=eth0 OUT= MAC=56:00:00:7c:40:0c:fe:00:00:7c:40:0c:08:00 SRC=183.192.89.160 DST=1.2.53.225 LEN=84 TOS=0x04 PREC=0x00 TTL=43 ID=32583 PROTO=ICMP TYPE=8 CODE=0 ID=8765 SEQ=0
Oct 21 15:34:50 vultr kernel: TRACE: nat:PREROUTING_ZONES_SOURCE:return:1 IN=eth0 OUT= MAC=56:00:00:7c:40:0c:fe:00:00:7c:40:0c:08:00 SRC=183.192.89.160 DST=1.2.53.225 LEN=84 TOS=0x04 PREC=0x00 TTL=43 ID=32583 PROTO=ICMP TYPE=8 CODE=0 ID=8765 SEQ=0
Oct 21 15:34:50 vultr kernel: TRACE: nat:PREROUTING:rule:3 IN=eth0 OUT= MAC=56:00:00:7c:40:0c:fe:00:00:7c:40:0c:08:00 SRC=183.192.89.160 DST=1.2.53.225 LEN=84 TOS=0x04 PREC=0x00 TTL=43 ID=32583 PROTO=ICMP TYPE=8 CODE=0 ID=8765 SEQ=0
Oct 21 15:34:50 vultr kernel: TRACE: nat:PREROUTING_ZONES:rule:2 IN=eth0 OUT= MAC=56:00:00:7c:40:0c:fe:00:00:7c:40:0c:08:00 SRC=183.192.89.160 DST=1.2.53.225 LEN=84 TOS=0x04 PREC=0x00 TTL=43 ID=32583 PROTO=ICMP TYPE=8 CODE=0 ID=8765 SEQ=0
Oct 21 15:34:50 vultr kernel: TRACE: nat:PRE_public:rule:1 IN=eth0 OUT= MAC=56:00:00:7c:40:0c:fe:00:00:7c:40:0c:08:00 SRC=183.192.89.160 DST=1.2.53.225 LEN=84 TOS=0x04 PREC=0x00 TTL=43 ID=32583 PROTO=ICMP TYPE=8 CODE=0 ID=8765 SEQ=0
Oct 21 15:34:50 vultr kernel: TRACE: nat:PRE_public_log:return:1 IN=eth0 OUT= MAC=56:00:00:7c:40:0c:fe:00:00:7c:40:0c:08:00 SRC=183.192.89.160 DST=1.2.53.225 LEN=84 TOS=0x04 PREC=0x00 TTL=43 ID=32583 PROTO=ICMP TYPE=8 CODE=0 ID=8765 SEQ=0
Oct 21 15:34:50 vultr kernel: TRACE: nat:PRE_public:rule:2 IN=eth0 OUT= MAC=56:00:00:7c:40:0c:fe:00:00:7c:40:0c:08:00 SRC=183.192.89.160 DST=1.2.53.225 LEN=84 TOS=0x04 PREC=0x00 TTL=43 ID=32583 PROTO=ICMP TYPE=8 CODE=0 ID=8765 SEQ=0
Oct 21 15:34:50 vultr kernel: TRACE: nat:PRE_public_deny:return:1 IN=eth0 OUT= MAC=56:00:00:7c:40:0c:fe:00:00:7c:40:0c:08:00 SRC=183.192.89.160 DST=1.2.53.225 LEN=84 TOS=0x04 PREC=0x00 TTL=43 ID=32583 PROTO=ICMP TYPE=8 CODE=0 ID=8765 SEQ=0
Oct 21 15:34:50 vultr kernel: TRACE: nat:PRE_public:rule:3 IN=eth0 OUT= MAC=56:00:00:7c:40:0c:fe:00:00:7c:40:0c:08:00 SRC=183.192.89.160 DST=1.2.53.225 LEN=84 TOS=0x04 PREC=0x00 TTL=43 ID=32583 PROTO=ICMP TYPE=8 CODE=0 ID=8765 SEQ=0
Oct 21 15:34:50 vultr kernel: TRACE: nat:PRE_public_allow:return:1 IN=eth0 OUT= MAC=56:00:00:7c:40:0c:fe:00:00:7c:40:0c:08:00 SRC=183.192.89.160 DST=1.2.53.225 LEN=84 TOS=0x04 PREC=0x00 TTL=43 ID=32583 PROTO=ICMP TYPE=8 CODE=0 ID=8765 SEQ=0
Oct 21 15:34:50 vultr kernel: TRACE: nat:PRE_public:return:4 IN=eth0 OUT= MAC=56:00:00:7c:40:0c:fe:00:00:7c:40:0c:08:00 SRC=183.192.89.160 DST=1.2.53.225 LEN=84 TOS=0x04 PREC=0x00 TTL=43 ID=32583 PROTO=ICMP TYPE=8 CODE=0 ID=8765 SEQ=0
Oct 21 15:34:50 vultr kernel: TRACE: nat:PREROUTING:rule:4 IN=eth0 OUT= MAC=56:00:00:7c:40:0c:fe:00:00:7c:40:0c:08:00 SRC=183.192.89.160 DST=1.2.53.225 LEN=84 TOS=0x04 PREC=0x00 TTL=43 ID=32583 PROTO=ICMP TYPE=8 CODE=0 ID=8765 SEQ=0
Oct 21 15:34:50 vultr kernel: TRACE: nat:DOCKER:return:2 IN=eth0 OUT= MAC=56:00:00:7c:40:0c:fe:00:00:7c:40:0c:08:00 SRC=183.192.89.160 DST=1.2.53.225 LEN=84 TOS=0x04 PREC=0x00 TTL=43 ID=32583 PROTO=ICMP TYPE=8 CODE=0 ID=8765 SEQ=0
Oct 21 15:34:50 vultr kernel: TRACE: nat:PREROUTING:policy:5 IN=eth0 OUT= MAC=56:00:00:7c:40:0c:fe:00:00:7c:40:0c:08:00 SRC=183.192.89.160 DST=1.2.53.225 LEN=84 TOS=0x04 PREC=0x00 TTL=43 ID=32583 PROTO=ICMP TYPE=8 CODE=0 ID=8765 SEQ=0
Oct 21 15:34:50 vultr kernel: TRACE: mangle:INPUT:rule:1 IN=eth0 OUT= MAC=56:00:00:7c:40:0c:fe:00:00:7c:40:0c:08:00 SRC=183.192.89.160 DST=1.2.53.225 LEN=84 TOS=0x04 PREC=0x00 TTL=43 ID=32583 PROTO=ICMP TYPE=8 CODE=0 ID=8765 SEQ=0
Oct 21 15:34:50 vultr kernel: TRACE: mangle:INPUT_direct:return:1 IN=eth0 OUT= MAC=56:00:00:7c:40:0c:fe:00:00:7c:40:0c:08:00 SRC=183.192.89.160 DST=1.2.53.225 LEN=84 TOS=0x04 PREC=0x00 TTL=43 ID=32583 PROTO=ICMP TYPE=8 CODE=0 ID=8765 SEQ=0
Oct 21 15:34:50 vultr kernel: TRACE: mangle:INPUT:policy:2 IN=eth0 OUT= MAC=56:00:00:7c:40:0c:fe:00:00:7c:40:0c:08:00 SRC=183.192.89.160 DST=1.2.53.225 LEN=84 TOS=0x04 PREC=0x00 TTL=43 ID=32583 PROTO=ICMP TYPE=8 CODE=0 ID=8765 SEQ=0
Oct 21 15:34:50 vultr kernel: TRACE: filter:INPUT:rule:3 IN=eth0 OUT= MAC=56:00:00:7c:40:0c:fe:00:00:7c:40:0c:08:00 SRC=183.192.89.160 DST=1.2.53.225 LEN=84 TOS=0x04 PREC=0x00 TTL=43 ID=32583 PROTO=ICMP TYPE=8 CODE=0 ID=8765 SEQ=0
Oct 21 15:34:50 vultr kernel: TRACE: filter:INPUT_direct:return:1 IN=eth0 OUT= MAC=56:00:00:7c:40:0c:fe:00:00:7c:40:0c:08:00 SRC=183.192.89.160 DST=1.2.53.225 LEN=84 TOS=0x04 PREC=0x00 TTL=43 ID=32583 PROTO=ICMP TYPE=8 CODE=0 ID=8765 SEQ=0
Oct 21 15:34:50 vultr kernel: TRACE: filter:INPUT:rule:4 IN=eth0 OUT= MAC=56:00:00:7c:40:0c:fe:00:00:7c:40:0c:08:00 SRC=183.192.89.160 DST=1.2.53.225 LEN=84 TOS=0x04 PREC=0x00 TTL=43 ID=32583 PROTO=ICMP TYPE=8 CODE=0 ID=8765 SEQ=0
Oct 21 15:34:50 vultr kernel: TRACE: filter:INPUT_ZONES_SOURCE:return:1 IN=eth0 OUT= MAC=56:00:00:7c:40:0c:fe:00:00:7c:40:0c:08:00 SRC=183.192.89.160 DST=1.2.53.225 LEN=84 TOS=0x04 PREC=0x00 TTL=43 ID=32583 PROTO=ICMP TYPE=8 CODE=0 ID=8765 SEQ=0
Oct 21 15:34:50 vultr kernel: TRACE: filter:INPUT:rule:5 IN=eth0 OUT= MAC=56:00:00:7c:40:0c:fe:00:00:7c:40:0c:08:00 SRC=183.192.89.160 DST=1.2.53.225 LEN=84 TOS=0x04 PREC=0x00 TTL=43 ID=32583 PROTO=ICMP TYPE=8 CODE=0 ID=8765 SEQ=0
Oct 21 15:34:50 vultr kernel: TRACE: filter:INPUT_ZONES:rule:2 IN=eth0 OUT= MAC=56:00:00:7c:40:0c:fe:00:00:7c:40:0c:08:00 SRC=183.192.89.160 DST=1.2.53.225 LEN=84 TOS=0x04 PREC=0x00 TTL=43 ID=32583 PROTO=ICMP TYPE=8 CODE=0 ID=8765 SEQ=0
Oct 21 15:34:50 vultr kernel: TRACE: filter:IN_public:rule:1 IN=eth0 OUT= MAC=56:00:00:7c:40:0c:fe:00:00:7c:40:0c:08:00 SRC=183.192.89.160 DST=1.2.53.225 LEN=84 TOS=0x04 PREC=0x00 TTL=43 ID=32583 PROTO=ICMP TYPE=8 CODE=0 ID=8765 SEQ=0
Oct 21 15:34:50 vultr kernel: TRACE: filter:IN_public_log:return:1 IN=eth0 OUT= MAC=56:00:00:7c:40:0c:fe:00:00:7c:40:0c:08:00 SRC=183.192.89.160 DST=1.2.53.225 LEN=84 TOS=0x04 PREC=0x00 TTL=43 ID=32583 PROTO=ICMP TYPE=8 CODE=0 ID=8765 SEQ=0
Oct 21 15:34:50 vultr kernel: TRACE: filter:IN_public:rule:2 IN=eth0 OUT= MAC=56:00:00:7c:40:0c:fe:00:00:7c:40:0c:08:00 SRC=183.192.89.160 DST=1.2.53.225 LEN=84 TOS=0x04 PREC=0x00 TTL=43 ID=32583 PROTO=ICMP TYPE=8 CODE=0 ID=8765 SEQ=0
Oct 21 15:34:50 vultr kernel: TRACE: filter:IN_public_deny:return:1 IN=eth0 OUT= MAC=56:00:00:7c:40:0c:fe:00:00:7c:40:0c:08:00 SRC=183.192.89.160 DST=1.2.53.225 LEN=84 TOS=0x04 PREC=0x00 TTL=43 ID=32583 PROTO=ICMP TYPE=8 CODE=0 ID=8765 SEQ=0
Oct 21 15:34:50 vultr kernel: TRACE: filter:IN_public:rule:3 IN=eth0 OUT= MAC=56:00:00:7c:40:0c:fe:00:00:7c:40:0c:08:00 SRC=183.192.89.160 DST=1.2.53.225 LEN=84 TOS=0x04 PREC=0x00 TTL=43 ID=32583 PROTO=ICMP TYPE=8 CODE=0 ID=8765 SEQ=0
Oct 21 15:34:50 vultr kernel: TRACE: filter:IN_public_allow:return:13 IN=eth0 OUT= MAC=56:00:00:7c:40:0c:fe:00:00:7c:40:0c:08:00 SRC=183.192.89.160 DST=1.2.53.225 LEN=84 TOS=0x04 PREC=0x00 TTL=43 ID=32583 PROTO=ICMP TYPE=8 CODE=0 ID=8765 SEQ=0
Oct 21 15:34:50 vultr kernel: TRACE: filter:IN_public:rule:4 IN=eth0 OUT= MAC=56:00:00:7c:40:0c:fe:00:00:7c:40:0c:08:00 SRC=183.192.89.160 DST=1.2.53.225 LEN=84 TOS=0x04 PREC=0x00 TTL=43 ID=32583 PROTO=ICMP TYPE=8 CODE=0 ID=8765 SEQ=0
Oct 21 15:34:50 vultr kernel: TRACE: security:INPUT:rule:1 IN=eth0 OUT= MAC=56:00:00:7c:40:0c:fe:00:00:7c:40:0c:08:00 SRC=183.192.89.160 DST=1.2.53.225 LEN=84 TOS=0x04 PREC=0x00 TTL=43 ID=32583 PROTO=ICMP TYPE=8 CODE=0 ID=8765 SEQ=0
Oct 21 15:34:50 vultr kernel: TRACE: security:INPUT_direct:return:1 IN=eth0 OUT= MAC=56:00:00:7c:40:0c:fe:00:00:7c:40:0c:08:00 SRC=183.192.89.160 DST=1.2.53.225 LEN=84 TOS=0x04 PREC=0x00 TTL=43 ID=32583 PROTO=ICMP TYPE=8 CODE=0 ID=8765 SEQ=0
Oct 21 15:34:50 vultr kernel: TRACE: security:INPUT:policy:2 IN=eth0 OUT= MAC=56:00:00:7c:40:0c:fe:00:00:7c:40:0c:08:00 SRC=183.192.89.160 DST=1.2.53.225 LEN=84 TOS=0x04 PREC=0x00 TTL=43 ID=32583 PROTO=ICMP TYPE=8 CODE=0 ID=8765 SEQ=0
Oct 21 15:34:50 vultr kernel: TRACE: nat:INPUT:policy:1 IN=eth0 OUT= MAC=56:00:00:7c:40:0c:fe:00:00:7c:40:0c:08:00 SRC=183.192.89.160 DST=1.2.53.225 LEN=84 TOS=0x04 PREC=0x00 TTL=43 ID=32583 PROTO=ICMP TYPE=8 CODE=0 ID=8765 SEQ=0
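A trace like the one above is easiest to read once the lines are grouped per packet and reduced to the point where the packet left each table. The following is an added example, not the post's own code: it assumes the kernel TRACE line format shown above (table:chain:rule|policy|return:number followed by key=value fields) and runs on a constructed, abbreviated log with one accepted ICMP echo and one TCP SYN that a filter rule terminates.

```python
import re

# Constructed, abbreviated sample in the format of the trace above (not the page's own log):
# IP ID=32583 is an ICMP echo that is accepted; IP ID=41002 is a TCP SYN stopped by a filter rule.
SAMPLE_LOG = """\
Oct 21 15:34:50 vultr kernel: TRACE: raw:PREROUTING:policy:2 IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 ID=32583 PROTO=ICMP TYPE=8 CODE=0 ID=8765 SEQ=0
Oct 21 15:34:50 vultr kernel: TRACE: filter:INPUT:rule:2 IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 ID=32583 PROTO=ICMP TYPE=8 CODE=0 ID=8765 SEQ=0
Oct 21 15:34:50 vultr kernel: TRACE: filter:IN_public:rule:3 IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 ID=32583 PROTO=ICMP TYPE=8 CODE=0 ID=8765 SEQ=0
Oct 21 15:34:50 vultr kernel: TRACE: filter:IN_public_allow:return:2 IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 ID=32583 PROTO=ICMP TYPE=8 CODE=0 ID=8765 SEQ=0
Oct 21 15:34:50 vultr kernel: TRACE: filter:IN_public:rule:4 IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 ID=32583 PROTO=ICMP TYPE=8 CODE=0 ID=8765 SEQ=0
Oct 21 15:34:50 vultr kernel: TRACE: nat:INPUT:policy:1 IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 ID=32583 PROTO=ICMP TYPE=8 CODE=0 ID=8765 SEQ=0
Oct 21 15:34:51 vultr kernel: TRACE: raw:PREROUTING:policy:2 IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 ID=41002 PROTO=TCP SPT=51234 DPT=23 SYN
Oct 21 15:34:51 vultr kernel: TRACE: filter:INPUT:rule:2 IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 ID=41002 PROTO=TCP SPT=51234 DPT=23 SYN
Oct 21 15:34:51 vultr kernel: TRACE: filter:IN_public:rule:5 IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 ID=41002 PROTO=TCP SPT=51234 DPT=23 SYN
"""

TRACE_RE = re.compile(r"TRACE: (\w+):(\w+):(rule|policy|return):(\d+) (.*)$")

def parse_trace_line(line):
    """Split one TRACE line into (table, chain, kind, rulenum, fields); None if not a trace line."""
    m = TRACE_RE.search(line)
    if not m:
        return None
    table, chain, kind, num, rest = m.groups()
    fields = {}
    for key, val in re.findall(r"(\w+)=(\S*)", rest):
        fields.setdefault(key, val)  # first ID= is the IP header ID; the ICMP ID= comes later
    return table, chain, kind, int(num), fields

def group_by_packet(lines):
    """Group trace steps per packet, keyed by (SRC, DST, PROTO, IP ID), in arrival order."""
    packets = {}
    for parsed in map(parse_trace_line, lines):
        if parsed:
            table, chain, kind, num, f = parsed
            key = (f.get("SRC"), f.get("DST"), f.get("PROTO"), f.get("ID"))
            packets.setdefault(key, []).append((table, chain, kind, num))
    return packets

def table_exits(steps):
    """Report how the packet left each table it traversed: through the built-in chain's
    policy, or through a terminating rule (ACCEPT, DROP, REJECT, ...). A trace whose
    last entry is a filter rule with no later tables points at the rule to inspect."""
    exits = []
    for i, (table, chain, kind, num) in enumerate(steps):
        if i + 1 < len(steps) and steps[i + 1][0] == table:
            continue  # not the last step inside this table
        what = f"policy at position {num}" if kind == "policy" else f"terminating rule {num}"
        exits.append(f"{table}:{chain} -> {what}")
    return exits
```

Running `table_exits` over each value of `group_by_packet(SAMPLE_LOG.splitlines())` collapses the firewalld sub-chains into one line per table, which is usually all that is needed to see where a packet stops.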

Author: Robert Lu

Published: 2017-10-21