AI 助理
备案控制台
开发者社区 阿里云支持与服务 文章 正文

系统诊断小技巧(7):利用Iptables进行排查和诊断的简易方案

2017-08-24 6494
版权
版权声明:
本文内容由阿里云实名注册用户自发贡献,版权归原作者所有,阿里云开发者社区不拥有其著作权,亦不承担相应法律责任。具体规则请查看《 阿里云开发者社区用户服务协议》和 《阿里云开发者社区知识产权保护指引》。如果您发现本社区中有涉嫌抄袭的内容,填写 侵权投诉表单进行举报,一经查实,本社区将立刻删除涉嫌侵权内容。
本文涉及的产品
云防火墙,500元 1000GB
日志服务 SLS,月写入数据量 50GB 1个月
简介: Iptables在内核网络栈放置了钩子。因此,妥善利用Iptables,可以探查网络包在内核中的处理信息。这对于排查和诊断无疑非常有用。但是,如何实施这个方案呢?有没有简易方案?

TL;DR

Iptables

严格说来,Iptables只是Linux系统防火墙用户空间的接口工具而已,但是,日常大家都以Iptables指称包括用户空间和内核空间在内的整个防火墙。这里我们也使用这个惯用法,但是,还是先明确下防火墙内核空间的名称(netfilter),这样大家容易理解为什么防火墙相关的命名往往有"nf"或者“netfilter”这样的字眼或者前缀。

Iptables在内核的网络栈放置了钩子。通过给这些钩子提供回调函数,我们可以在内核网络栈中注入我们的逻辑。明显的例子就是防火墙规则。当然,Iptables的用途肯定不止如此。比如,用之于探查某些网络包处理的流程,进而提取数据用于诊断和排查,也是不错的工具。

这里我们聊聊如何追踪Iptables的执行路径。这个技能既能用于诊断和排除防火墙自身的问题,也能用于填补Linux系统小技巧(6):刀锋组合-strace和wireshark工具留下的空白区。

Hooks

我们先从源码的视角看看Iptables的各色钩子。以下是源码片段,完整源码请参考include/uapi/linux/netfilter.h。慎重建议您耐心分析下后续的类似代码片段。

/* Responses from hook functions. */
#define NF_DROP 0
#define NF_ACCEPT 1
#define NF_STOLEN 2
#define NF_QUEUE 3
#define NF_REPEAT 4
#define NF_STOP 5    /* Deprecated, for userspace nf_queue compatibility. */
#define NF_MAX_VERDICT NF_STOP

enum nf_inet_hooks {
    NF_INET_PRE_ROUTING,
    NF_INET_LOCAL_IN,
    NF_INET_FORWARD,
    NF_INET_LOCAL_OUT,
    NF_INET_POST_ROUTING,
    NF_INET_NUMHOOKS
};

enum nf_dev_hooks {
    NF_NETDEV_INGRESS,
    NF_NETDEV_NUMHOOKS
};

enum {
    NFPROTO_UNSPEC =  0,
    NFPROTO_INET   =  1,
    NFPROTO_IPV4   =  2,
    NFPROTO_ARP    =  3,
    NFPROTO_NETDEV =  5,
    NFPROTO_BRIDGE =  7,
    NFPROTO_IPV6   = 10,
    NFPROTO_DECNET = 12,
    NFPROTO_NUMPROTO,
};

当然,我们经常比较疑惑的,是各个表和其各个链的执行顺序问题。这牵涉到执行优先级问题。每个钩子执行的操作都带有优先级。源码片段如下,完整源码请参考include/linux/netfilter.h

struct nf_hook_ops {
    /* User fills in from here down. */
    nf_hookfn        *hook;
    struct net_device    *dev;
    void            *priv;
    u_int8_t        pf;
    unsigned int        hooknum;
    /* Hooks are ordered in ascending priority. */
    int            priority; /* 优先级在这定义的 */
};

那么, 优先级别是哪里定义的呢?下面是代码片段,完整源码请参考include/uapi/linux/netfilter_ipv4.h

enum nf_ip_hook_priorities {
    NF_IP_PRI_FIRST = INT_MIN,
    NF_IP_PRI_CONNTRACK_DEFRAG = -400,
    NF_IP_PRI_RAW = -300,
    NF_IP_PRI_SELINUX_FIRST = -225,
    NF_IP_PRI_CONNTRACK = -200,
    NF_IP_PRI_MANGLE = -150,
    NF_IP_PRI_NAT_DST = -100,
    NF_IP_PRI_FILTER = 0,
    NF_IP_PRI_SECURITY = 50,
    NF_IP_PRI_NAT_SRC = 100,
    NF_IP_PRI_SELINUX_LAST = 225,
    NF_IP_PRI_CONNTRACK_HELPER = 300,
    NF_IP_PRI_CONNTRACK_CONFIRM = INT_MAX,
    NF_IP_PRI_LAST = INT_MAX,
};

文字累人,再引图一张(原图在此

nf_packet_flow

但是,到此为止,我们也只是大致梳理了下Iptables的各个表和表的各个链的执行顺序而已。顺序究竟如何,还得追踪执行路径。这里要讨论一个建议的方案。

简易方案实施的模板

简易方案可行,关键在于,首先,从系统进出的网络包,不管其最终目的地为何,都要经过raw表的PREROUTING和OUTPUT链。这一点也可以从上图核实。二,从iptables-extensions可知,TRACE扩展目标能够记录Iptables处理一个网络包时经过的表、链和规则。

哪么,具体应该怎么做呢?

  1. 因为需要内核记录Iptables的行为,所以,我们首先要确保日志相关的模块被加载以及相关的配置完成
  2. 给raw表的PREROUTING和OUTPUT链设置合适的规则。

以追踪UDP作为例子。

首先,确认哪个日志模块可用

for m in ipt_LOG nf_log_ipv4;do\
  find /lib/modules/$(uname -r) \( -name "${m}.ko" -o -name "${m}.ko.xz" \) -type f | grep -q ${m}.ko && mod=${m} && break;\
done

继而,加载日志模块,并且配置之

modprobe ${mod}
modprobe nf_conntrack_ipv4
sysctl net.netfilter.nf_log.2=${mod}

最后一步,给raw设定规则(可以进一步限制,比如对什么协议执行追踪等)

iptables -t raw -A OUTPUT -p udp -j TRACE
iptables -t raw -A PREROUTING -p udp -j TRACE

具体例子

我们具体测试下建议方案的效果。测试拓扑图如下

vm_docker_udp_iptables_test

我们在虚拟机forwarder中启动docker,并且将docker的UDP端口10370开放出来(其实我们开放的端口不止一个)

docker run -it $(for p in $(seq 10300 10399);do echo "-p ${p}:${p}/udp" | xargs;done) ubuntu

而后,在docker中启动一个echo server进程。我们使用的是nmap提供的ncat工具。

默认ubuntu镜像中没有我们需要的软件包,因此,我们做些必要的安装。

apt-get update
apt-get -y install iproute2 nmap net-tools

现在启动echo server

ncat -u -e $(which cat) -k -l 10370

而后,我们在虚拟机forwarder上捕捉进出的网络包。

tcpdump -i eth0 -w pkts.pcap host vm_trigger_ip

而后,我们在虚机trigger上建立到虚机forwarder的连接

ncat -u vm_forwarder_ip 10370

最后,我们在虚机trigger上分别发送1483字节、1485字节和1498字节的数据。

接下来的工作,就是分析捕捉到的数据了。

首先,我们确认echo server工作正常。我们使用wireshark来分析抓到的网络包,并且配置了wireshark不要合并分片的网络包(如何配置,请参考IP Reassembly)。

_2017_08_24_16_27_33

很明显,trigger、forwarder和echo server之间的链路的MTU是1500,echo server也工作正常。

进一步,让我们看下相关的内核日志

Aug 24 11:14:47 forwarder kernel: [594576.178700] TRACE: raw:PREROUTING:policy:2 IN=eth0 OUT= MAC=00:16:3e:03:f4:3f:ee:ff:ff:ff:ff:ff:08:00 SRC=xxx.xxx.xxx.113 DST=172.17.128.213 LEN=1511 TOS=0x00 PREC=0x00 TTL=57 ID=17397 PROTO=UDP SPT=38495 DPT=10370 LEN=1491
Aug 24 11:14:47 forwarder kernel: [594576.178732] TRACE: mangle:PREROUTING:policy:1 IN=eth0 OUT= MAC=00:16:3e:03:f4:3f:ee:ff:ff:ff:ff:ff:08:00 SRC=xxx.xxx.xxx.113 DST=172.17.128.213 LEN=1511 TOS=0x00 PREC=0x00 TTL=57 ID=17397 PROTO=UDP SPT=38495 DPT=10370 LEN=1491
Aug 24 11:14:47 forwarder kernel: [594576.178743] TRACE: nat:PREROUTING:rule:1 IN=eth0 OUT= MAC=00:16:3e:03:f4:3f:ee:ff:ff:ff:ff:ff:08:00 SRC=xxx.xxx.xxx.113 DST=172.17.128.213 LEN=1511 TOS=0x00 PREC=0x00 TTL=57 ID=17397 PROTO=UDP SPT=38495 DPT=10370 LEN=1491
Aug 24 11:14:47 forwarder kernel: [594576.178759] TRACE: nat:DOCKER:rule:31 IN=eth0 OUT= MAC=00:16:3e:03:f4:3f:ee:ff:ff:ff:ff:ff:08:00 SRC=xxx.xxx.xxx.113 DST=172.17.128.213 LEN=1511 TOS=0x00 PREC=0x00 TTL=57 ID=17397 PROTO=UDP SPT=38495 DPT=10370 LEN=1491
Aug 24 11:14:47 forwarder kernel: [594576.178773] TRACE: mangle:FORWARD:policy:1 IN=eth0 OUT=docker0 MAC=00:16:3e:03:f4:3f:ee:ff:ff:ff:ff:ff:08:00 SRC=xxx.xxx.xxx.113 DST=172.18.0.2 LEN=1511 TOS=0x00 PREC=0x00 TTL=56 ID=17397 PROTO=UDP SPT=38495 DPT=10370 LEN=1491
Aug 24 11:14:47 forwarder kernel: [594576.178779] TRACE: filter:FORWARD:rule:1 IN=eth0 OUT=docker0 MAC=00:16:3e:03:f4:3f:ee:ff:ff:ff:ff:ff:08:00 SRC=xxx.xxx.xxx.113 DST=172.18.0.2 LEN=1511 TOS=0x00 PREC=0x00 TTL=56 ID=17397 PROTO=UDP SPT=38495 DPT=10370 LEN=1491
Aug 24 11:14:47 forwarder kernel: [594576.178790] TRACE: filter:DOCKER-ISOLATION:return:1 IN=eth0 OUT=docker0 MAC=00:16:3e:03:f4:3f:ee:ff:ff:ff:ff:ff:08:00 SRC=xxx.xxx.xxx.113 DST=172.18.0.2 LEN=1511 TOS=0x00 PREC=0x00 TTL=56 ID=17397 PROTO=UDP SPT=38495 DPT=10370 LEN=1491
Aug 24 11:14:47 forwarder kernel: [594576.178794] TRACE: filter:FORWARD:rule:2 IN=eth0 OUT=docker0 MAC=00:16:3e:03:f4:3f:ee:ff:ff:ff:ff:ff:08:00 SRC=xxx.xxx.xxx.113 DST=172.18.0.2 LEN=1511 TOS=0x00 PREC=0x00 TTL=56 ID=17397 PROTO=UDP SPT=38495 DPT=10370 LEN=1491
Aug 24 11:14:47 forwarder kernel: [594576.178799] TRACE: filter:DOCKER:rule:30 IN=eth0 OUT=docker0 MAC=00:16:3e:03:f4:3f:ee:ff:ff:ff:ff:ff:08:00 SRC=xxx.xxx.xxx.113 DST=172.18.0.2 LEN=1511 TOS=0x00 PREC=0x00 TTL=56 ID=17397 PROTO=UDP SPT=38495 DPT=10370 LEN=1491
Aug 24 11:14:47 forwarder kernel: [594576.178804] TRACE: security:FORWARD:policy:1 IN=eth0 OUT=docker0 MAC=00:16:3e:03:f4:3f:ee:ff:ff:ff:ff:ff:08:00 SRC=xxx.xxx.xxx.113 DST=172.18.0.2 LEN=1511 TOS=0x00 PREC=0x00 TTL=56 ID=17397 PROTO=UDP SPT=38495 DPT=10370 LEN=1491
Aug 24 11:14:47 forwarder kernel: [594576.178808] TRACE: mangle:POSTROUTING:policy:1 IN= OUT=docker0 SRC=xxx.xxx.xxx.113 DST=172.18.0.2 LEN=1511 TOS=0x00 PREC=0x00 TTL=56 ID=17397 PROTO=UDP SPT=38495 DPT=10370 LEN=1491
Aug 24 11:14:47 forwarder kernel: [594576.178815] TRACE: nat:POSTROUTING:policy:102 IN= OUT=docker0 SRC=xxx.xxx.xxx.113 DST=172.18.0.2 LEN=1511 TOS=0x00 PREC=0x00 TTL=56 ID=17397 PROTO=UDP SPT=38495 DPT=10370 LEN=1491
Aug 24 11:14:47 forwarder kernel: [594576.179972] TRACE: raw:PREROUTING:policy:2 IN=docker0 OUT= PHYSIN=veth79e0ef5 MAC=02:42:59:be:ab:24:02:42:ac:12:00:02:08:00 SRC=172.18.0.2 DST=xxx.xxx.xxx.113 LEN=1511 TOS=0x00 PREC=0x00 TTL=64 ID=43856 PROTO=UDP SPT=10370 DPT=38495 LEN=1491
Aug 24 11:14:47 forwarder kernel: [594576.179979] TRACE: mangle:PREROUTING:policy:1 IN=docker0 OUT= PHYSIN=veth79e0ef5 MAC=02:42:59:be:ab:24:02:42:ac:12:00:02:08:00 SRC=172.18.0.2 DST=xxx.xxx.xxx.113 LEN=1511 TOS=0x00 PREC=0x00 TTL=64 ID=43856 PROTO=UDP SPT=10370 DPT=38495 LEN=1491
Aug 24 11:14:47 forwarder kernel: [594576.179987] TRACE: mangle:FORWARD:policy:1 IN=docker0 OUT=eth0 PHYSIN=veth79e0ef5 MAC=02:42:59:be:ab:24:02:42:ac:12:00:02:08:00 SRC=172.18.0.2 DST=xxx.xxx.xxx.113 LEN=1511 TOS=0x00 PREC=0x00 TTL=63 ID=43856 PROTO=UDP SPT=10370 DPT=38495 LEN=1491
Aug 24 11:14:47 forwarder kernel: [594576.179991] TRACE: filter:FORWARD:rule:1 IN=docker0 OUT=eth0 PHYSIN=veth79e0ef5 MAC=02:42:59:be:ab:24:02:42:ac:12:00:02:08:00 SRC=172.18.0.2 DST=xxx.xxx.xxx.113 LEN=1511 TOS=0x00 PREC=0x00 TTL=63 ID=43856 PROTO=UDP SPT=10370 DPT=38495 LEN=1491
Aug 24 11:14:47 forwarder kernel: [594576.179998] TRACE: filter:DOCKER-ISOLATION:return:1 IN=docker0 OUT=eth0 PHYSIN=veth79e0ef5 MAC=02:42:59:be:ab:24:02:42:ac:12:00:02:08:00 SRC=172.18.0.2 DST=xxx.xxx.xxx.113 LEN=1511 TOS=0x00 PREC=0x00 TTL=63 ID=43856 PROTO=UDP SPT=10370 DPT=38495 LEN=1491
Aug 24 11:14:47 forwarder kernel: [594576.180003] TRACE: filter:FORWARD:rule:4 IN=docker0 OUT=eth0 PHYSIN=veth79e0ef5 MAC=02:42:59:be:ab:24:02:42:ac:12:00:02:08:00 SRC=172.18.0.2 DST=xxx.xxx.xxx.113 LEN=1511 TOS=0x00 PREC=0x00 TTL=63 ID=43856 PROTO=UDP SPT=10370 DPT=38495 LEN=1491
Aug 24 11:14:47 forwarder kernel: [594576.180007] TRACE: security:FORWARD:policy:1 IN=docker0 OUT=eth0 PHYSIN=veth79e0ef5 MAC=02:42:59:be:ab:24:02:42:ac:12:00:02:08:00 SRC=172.18.0.2 DST=xxx.xxx.xxx.113 LEN=1511 TOS=0x00 PREC=0x00 TTL=63 ID=43856 PROTO=UDP SPT=10370 DPT=38495 LEN=1491
Aug 24 11:14:47 forwarder kernel: [594576.180010] TRACE: mangle:POSTROUTING:policy:1 IN= OUT=eth0 PHYSIN=veth79e0ef5 SRC=172.18.0.2 DST=xxx.xxx.xxx.113 LEN=1511 TOS=0x00 PREC=0x00 TTL=63 ID=43856 PROTO=UDP SPT=10370 DPT=38495 LEN=1491
Aug 24 11:15:11 forwarder kernel: [594600.593744] TRACE: raw:PREROUTING:policy:2 IN=eth0 OUT= MAC=00:16:3e:03:f4:3f:ee:ff:ff:ff:ff:ff:08:00 SRC=xxx.xxx.xxx.113 DST=172.17.128.213 LEN=1513 TOS=0x00 PREC=0x00 TTL=57 ID=17398 PROTO=UDP SPT=38495 DPT=10370 LEN=1493
Aug 24 11:15:11 forwarder kernel: [594600.593773] TRACE: mangle:PREROUTING:policy:1 IN=eth0 OUT= MAC=00:16:3e:03:f4:3f:ee:ff:ff:ff:ff:ff:08:00 SRC=xxx.xxx.xxx.113 DST=172.17.128.213 LEN=1513 TOS=0x00 PREC=0x00 TTL=57 ID=17398 PROTO=UDP SPT=38495 DPT=10370 LEN=1493
Aug 24 11:15:11 forwarder kernel: [594600.593788] TRACE: mangle:FORWARD:policy:1 IN=eth0 OUT=docker0 MAC=00:16:3e:03:f4:3f:ee:ff:ff:ff:ff:ff:08:00 SRC=xxx.xxx.xxx.113 DST=172.18.0.2 LEN=1513 TOS=0x00 PREC=0x00 TTL=56 ID=17398 PROTO=UDP SPT=38495 DPT=10370 LEN=1493
Aug 24 11:15:11 forwarder kernel: [594600.593795] TRACE: filter:FORWARD:rule:1 IN=eth0 OUT=docker0 MAC=00:16:3e:03:f4:3f:ee:ff:ff:ff:ff:ff:08:00 SRC=xxx.xxx.xxx.113 DST=172.18.0.2 LEN=1513 TOS=0x00 PREC=0x00 TTL=56 ID=17398 PROTO=UDP SPT=38495 DPT=10370 LEN=1493
Aug 24 11:15:11 forwarder kernel: [594600.593808] TRACE: filter:DOCKER-ISOLATION:return:1 IN=eth0 OUT=docker0 MAC=00:16:3e:03:f4:3f:ee:ff:ff:ff:ff:ff:08:00 SRC=xxx.xxx.xxx.113 DST=172.18.0.2 LEN=1513 TOS=0x00 PREC=0x00 TTL=56 ID=17398 PROTO=UDP SPT=38495 DPT=10370 LEN=1493
Aug 24 11:15:11 forwarder kernel: [594600.593813] TRACE: filter:FORWARD:rule:2 IN=eth0 OUT=docker0 MAC=00:16:3e:03:f4:3f:ee:ff:ff:ff:ff:ff:08:00 SRC=xxx.xxx.xxx.113 DST=172.18.0.2 LEN=1513 TOS=0x00 PREC=0x00 TTL=56 ID=17398 PROTO=UDP SPT=38495 DPT=10370 LEN=1493
Aug 24 11:15:11 forwarder kernel: [594600.593820] TRACE: filter:DOCKER:rule:30 IN=eth0 OUT=docker0 MAC=00:16:3e:03:f4:3f:ee:ff:ff:ff:ff:ff:08:00 SRC=xxx.xxx.xxx.113 DST=172.18.0.2 LEN=1513 TOS=0x00 PREC=0x00 TTL=56 ID=17398 PROTO=UDP SPT=38495 DPT=10370 LEN=1493
Aug 24 11:15:11 forwarder kernel: [594600.593825] TRACE: security:FORWARD:policy:1 IN=eth0 OUT=docker0 MAC=00:16:3e:03:f4:3f:ee:ff:ff:ff:ff:ff:08:00 SRC=xxx.xxx.xxx.113 DST=172.18.0.2 LEN=1513 TOS=0x00 PREC=0x00 TTL=56 ID=17398 PROTO=UDP SPT=38495 DPT=10370 LEN=1493
Aug 24 11:15:11 forwarder kernel: [594600.593830] TRACE: mangle:POSTROUTING:policy:1 IN= OUT=docker0 SRC=xxx.xxx.xxx.113 DST=172.18.0.2 LEN=1513 TOS=0x00 PREC=0x00 TTL=56 ID=17398 PROTO=UDP SPT=38495 DPT=10370 LEN=1493
Aug 24 11:15:11 forwarder kernel: [594600.593942] TRACE: raw:PREROUTING:policy:2 IN=docker0 OUT= PHYSIN=veth79e0ef5 MAC=02:42:59:be:ab:24:02:42:ac:12:00:02:08:00 SRC=172.18.0.2 DST=xxx.xxx.xxx.113 LEN=1513 TOS=0x00 PREC=0x00 TTL=64 ID=44215 PROTO=UDP SPT=10370 DPT=38495 LEN=1493
Aug 24 11:15:11 forwarder kernel: [594600.593948] TRACE: mangle:PREROUTING:policy:1 IN=docker0 OUT= PHYSIN=veth79e0ef5 MAC=02:42:59:be:ab:24:02:42:ac:12:00:02:08:00 SRC=172.18.0.2 DST=xxx.xxx.xxx.113 LEN=1513 TOS=0x00 PREC=0x00 TTL=64 ID=44215 PROTO=UDP SPT=10370 DPT=38495 LEN=1493
Aug 24 11:15:11 forwarder kernel: [594600.593957] TRACE: mangle:FORWARD:policy:1 IN=docker0 OUT=eth0 PHYSIN=veth79e0ef5 MAC=02:42:59:be:ab:24:02:42:ac:12:00:02:08:00 SRC=172.18.0.2 DST=xxx.xxx.xxx.113 LEN=1513 TOS=0x00 PREC=0x00 TTL=63 ID=44215 PROTO=UDP SPT=10370 DPT=38495 LEN=1493
Aug 24 11:15:11 forwarder kernel: [594600.593962] TRACE: filter:FORWARD:rule:1 IN=docker0 OUT=eth0 PHYSIN=veth79e0ef5 MAC=02:42:59:be:ab:24:02:42:ac:12:00:02:08:00 SRC=172.18.0.2 DST=xxx.xxx.xxx.113 LEN=1513 TOS=0x00 PREC=0x00 TTL=63 ID=44215 PROTO=UDP SPT=10370 DPT=38495 LEN=1493
Aug 24 11:15:11 forwarder kernel: [594600.593969] TRACE: filter:DOCKER-ISOLATION:return:1 IN=docker0 OUT=eth0 PHYSIN=veth79e0ef5 MAC=02:42:59:be:ab:24:02:42:ac:12:00:02:08:00 SRC=172.18.0.2 DST=xxx.xxx.xxx.113 LEN=1513 TOS=0x00 PREC=0x00 TTL=63 ID=44215 PROTO=UDP SPT=10370 DPT=38495 LEN=1493
Aug 24 11:15:11 forwarder kernel: [594600.593975] TRACE: filter:FORWARD:rule:4 IN=docker0 OUT=eth0 PHYSIN=veth79e0ef5 MAC=02:42:59:be:ab:24:02:42:ac:12:00:02:08:00 SRC=172.18.0.2 DST=xxx.xxx.xxx.113 LEN=1513 TOS=0x00 PREC=0x00 TTL=63 ID=44215 PROTO=UDP SPT=10370 DPT=38495 LEN=1493
Aug 24 11:15:11 forwarder kernel: [594600.593979] TRACE: security:FORWARD:policy:1 IN=docker0 OUT=eth0 PHYSIN=veth79e0ef5 MAC=02:42:59:be:ab:24:02:42:ac:12:00:02:08:00 SRC=172.18.0.2 DST=xxx.xxx.xxx.113 LEN=1513 TOS=0x00 PREC=0x00 TTL=63 ID=44215 PROTO=UDP SPT=10370 DPT=38495 LEN=1493
Aug 24 11:15:11 forwarder kernel: [594600.593982] TRACE: mangle:POSTROUTING:policy:1 IN= OUT=eth0 PHYSIN=veth79e0ef5 SRC=172.18.0.2 DST=xxx.xxx.xxx.113 LEN=1513 TOS=0x00 PREC=0x00 TTL=63 ID=44215 PROTO=UDP SPT=10370 DPT=38495 LEN=1493
Aug 24 11:15:32 forwarder kernel: [594621.306336] TRACE: raw:PREROUTING:policy:2 IN=eth0 OUT= MAC=00:16:3e:03:f4:3f:ee:ff:ff:ff:ff:ff:08:00 SRC=xxx.xxx.xxx.113 DST=172.17.128.213 LEN=1526 TOS=0x00 PREC=0x00 TTL=57 ID=17399 PROTO=UDP SPT=38495 DPT=10370 LEN=1506
Aug 24 11:15:32 forwarder kernel: [594621.306366] TRACE: mangle:PREROUTING:policy:1 IN=eth0 OUT= MAC=00:16:3e:03:f4:3f:ee:ff:ff:ff:ff:ff:08:00 SRC=xxx.xxx.xxx.113 DST=172.17.128.213 LEN=1526 TOS=0x00 PREC=0x00 TTL=57 ID=17399 PROTO=UDP SPT=38495 DPT=10370 LEN=1506
Aug 24 11:15:32 forwarder kernel: [594621.306381] TRACE: mangle:FORWARD:policy:1 IN=eth0 OUT=docker0 MAC=00:16:3e:03:f4:3f:ee:ff:ff:ff:ff:ff:08:00 SRC=xxx.xxx.xxx.113 DST=172.18.0.2 LEN=1526 TOS=0x00 PREC=0x00 TTL=56 ID=17399 PROTO=UDP SPT=38495 DPT=10370 LEN=1506
Aug 24 11:15:32 forwarder kernel: [594621.306387] TRACE: filter:FORWARD:rule:1 IN=eth0 OUT=docker0 MAC=00:16:3e:03:f4:3f:ee:ff:ff:ff:ff:ff:08:00 SRC=xxx.xxx.xxx.113 DST=172.18.0.2 LEN=1526 TOS=0x00 PREC=0x00 TTL=56 ID=17399 PROTO=UDP SPT=38495 DPT=10370 LEN=1506
Aug 24 11:15:32 forwarder kernel: [594621.306400] TRACE: filter:DOCKER-ISOLATION:return:1 IN=eth0 OUT=docker0 MAC=00:16:3e:03:f4:3f:ee:ff:ff:ff:ff:ff:08:00 SRC=xxx.xxx.xxx.113 DST=172.18.0.2 LEN=1526 TOS=0x00 PREC=0x00 TTL=56 ID=17399 PROTO=UDP SPT=38495 DPT=10370 LEN=1506
Aug 24 11:15:32 forwarder kernel: [594621.306405] TRACE: filter:FORWARD:rule:2 IN=eth0 OUT=docker0 MAC=00:16:3e:03:f4:3f:ee:ff:ff:ff:ff:ff:08:00 SRC=xxx.xxx.xxx.113 DST=172.18.0.2 LEN=1526 TOS=0x00 PREC=0x00 TTL=56 ID=17399 PROTO=UDP SPT=38495 DPT=10370 LEN=1506
Aug 24 11:15:32 forwarder kernel: [594621.306413] TRACE: filter:DOCKER:rule:30 IN=eth0 OUT=docker0 MAC=00:16:3e:03:f4:3f:ee:ff:ff:ff:ff:ff:08:00 SRC=xxx.xxx.xxx.113 DST=172.18.0.2 LEN=1526 TOS=0x00 PREC=0x00 TTL=56 ID=17399 PROTO=UDP SPT=38495 DPT=10370 LEN=1506
Aug 24 11:15:32 forwarder kernel: [594621.306418] TRACE: security:FORWARD:policy:1 IN=eth0 OUT=docker0 MAC=00:16:3e:03:f4:3f:ee:ff:ff:ff:ff:ff:08:00 SRC=xxx.xxx.xxx.113 DST=172.18.0.2 LEN=1526 TOS=0x00 PREC=0x00 TTL=56 ID=17399 PROTO=UDP SPT=38495 DPT=10370 LEN=1506
Aug 24 11:15:32 forwarder kernel: [594621.306423] TRACE: mangle:POSTROUTING:policy:1 IN= OUT=docker0 SRC=xxx.xxx.xxx.113 DST=172.18.0.2 LEN=1526 TOS=0x00 PREC=0x00 TTL=56 ID=17399 PROTO=UDP SPT=38495 DPT=10370 LEN=1506
Aug 24 11:15:32 forwarder kernel: [594621.306530] TRACE: raw:PREROUTING:policy:2 IN=docker0 OUT= PHYSIN=veth79e0ef5 MAC=02:42:59:be:ab:24:02:42:ac:12:00:02:08:00 SRC=172.18.0.2 DST=xxx.xxx.xxx.113 LEN=1526 TOS=0x00 PREC=0x00 TTL=64 ID=45186 PROTO=UDP SPT=10370 DPT=38495 LEN=1506
Aug 24 11:15:32 forwarder kernel: [594621.306535] TRACE: mangle:PREROUTING:policy:1 IN=docker0 OUT= PHYSIN=veth79e0ef5 MAC=02:42:59:be:ab:24:02:42:ac:12:00:02:08:00 SRC=172.18.0.2 DST=xxx.xxx.xxx.113 LEN=1526 TOS=0x00 PREC=0x00 TTL=64 ID=45186 PROTO=UDP SPT=10370 DPT=38495 LEN=1506
Aug 24 11:15:32 forwarder kernel: [594621.306544] TRACE: mangle:FORWARD:policy:1 IN=docker0 OUT=eth0 PHYSIN=veth79e0ef5 MAC=02:42:59:be:ab:24:02:42:ac:12:00:02:08:00 SRC=172.18.0.2 DST=xxx.xxx.xxx.113 LEN=1526 TOS=0x00 PREC=0x00 TTL=63 ID=45186 PROTO=UDP SPT=10370 DPT=38495 LEN=1506
Aug 24 11:15:32 forwarder kernel: [594621.306548] TRACE: filter:FORWARD:rule:1 IN=docker0 OUT=eth0 PHYSIN=veth79e0ef5 MAC=02:42:59:be:ab:24:02:42:ac:12:00:02:08:00 SRC=172.18.0.2 DST=xxx.xxx.xxx.113 LEN=1526 TOS=0x00 PREC=0x00 TTL=63 ID=45186 PROTO=UDP SPT=10370 DPT=38495 LEN=1506
Aug 24 11:15:32 forwarder kernel: [594621.306556] TRACE: filter:DOCKER-ISOLATION:return:1 IN=docker0 OUT=eth0 PHYSIN=veth79e0ef5 MAC=02:42:59:be:ab:24:02:42:ac:12:00:02:08:00 SRC=172.18.0.2 DST=xxx.xxx.xxx.113 LEN=1526 TOS=0x00 PREC=0x00 TTL=63 ID=45186 PROTO=UDP SPT=10370 DPT=38495 LEN=1506
Aug 24 11:15:32 forwarder kernel: [594621.306560] TRACE: filter:FORWARD:rule:4 IN=docker0 OUT=eth0 PHYSIN=veth79e0ef5 MAC=02:42:59:be:ab:24:02:42:ac:12:00:02:08:00 SRC=172.18.0.2 DST=xxx.xxx.xxx.113 LEN=1526 TOS=0x00 PREC=0x00 TTL=63 ID=45186 PROTO=UDP SPT=10370 DPT=38495 LEN=1506
Aug 24 11:15:32 forwarder kernel: [594621.306564] TRACE: security:FORWARD:policy:1 IN=docker0 OUT=eth0 PHYSIN=veth79e0ef5 MAC=02:42:59:be:ab:24:02:42:ac:12:00:02:08:00 SRC=172.18.0.2 DST=xxx.xxx.xxx.113 LEN=1526 TOS=0x00 PREC=0x00 TTL=63 ID=45186 PROTO=UDP SPT=10370 DPT=38495 LEN=1506
Aug 24 11:15:32 forwarder kernel: [594621.306567] TRACE: mangle:POSTROUTING:policy:1 IN= OUT=eth0 PHYSIN=veth79e0ef5 SRC=172.18.0.2 DST=xxx.xxx.xxx.113 LEN=1526 TOS=0x00 PREC=0x00 TTL=63 ID=45186 PROTO=UDP SPT=10370 DPT=38495 LEN=1506

考虑到有同学可能会细致分析,我们也给出相关的Iptables规则(篇幅期间,删除了部分大同小异规则)

root@forwarder:~# for t in filter mangle nat security raw;do echo '############################################';echo $t; echo '############################################';iptables -L -n -v -t $t;echo;done
############################################
filter
############################################
Chain INPUT (policy ACCEPT 8134 packets, 566K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DOCKER-ISOLATION  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 DOCKER     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  *      docker0  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  docker0 !docker0  0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  docker0 docker0  0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 6362 packets, 2498K bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain DOCKER (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     udp  --  !docker0 docker0  0.0.0.0/0            172.18.0.2           udp dpt:10399
    0     0 ACCEPT     udp  --  !docker0 docker0  0.0.0.0/0            172.18.0.2           udp dpt:10398
    0     0 ACCEPT     udp  --  !docker0 docker0  0.0.0.0/0            172.18.0.2           udp dpt:10397
    0     0 ACCEPT     udp  --  !docker0 docker0  0.0.0.0/0            172.18.0.2           udp dpt:10396
    0     0 ACCEPT     udp  --  !docker0 docker0  0.0.0.0/0            172.18.0.2           udp dpt:10395
    0     0 ACCEPT     udp  --  !docker0 docker0  0.0.0.0/0            172.18.0.2           udp dpt:10394
    0     0 ACCEPT     udp  --  !docker0 docker0  0.0.0.0/0            172.18.0.2           udp dpt:10393
    0     0 ACCEPT     udp  --  !docker0 docker0  0.0.0.0/0            172.18.0.2           udp dpt:10392
    0     0 ACCEPT     udp  --  !docker0 docker0  0.0.0.0/0            172.18.0.2           udp dpt:10391
    0     0 ACCEPT     udp  --  !docker0 docker0  0.0.0.0/0            172.18.0.2           udp dpt:10390
    0     0 ACCEPT     udp  --  !docker0 docker0  0.0.0.0/0            172.18.0.2           udp dpt:10389
    0     0 ACCEPT     udp  --  !docker0 docker0  0.0.0.0/0            172.18.0.2           udp dpt:10388
    0     0 ACCEPT     udp  --  !docker0 docker0  0.0.0.0/0            172.18.0.2           udp dpt:10387
    0     0 ACCEPT     udp  --  !docker0 docker0  0.0.0.0/0            172.18.0.2           udp dpt:10386
    0     0 ACCEPT     udp  --  !docker0 docker0  0.0.0.0/0            172.18.0.2           udp dpt:10385
    0     0 ACCEPT     udp  --  !docker0 docker0  0.0.0.0/0            172.18.0.2           udp dpt:10384
    0     0 ACCEPT     udp  --  !docker0 docker0  0.0.0.0/0            172.18.0.2           udp dpt:10383
    0     0 ACCEPT     udp  --  !docker0 docker0  0.0.0.0/0            172.18.0.2           udp dpt:10382
    0     0 ACCEPT     udp  --  !docker0 docker0  0.0.0.0/0            172.18.0.2           udp dpt:10381
    0     0 ACCEPT     udp  --  !docker0 docker0  0.0.0.0/0            172.18.0.2           udp dpt:10380
    0     0 ACCEPT     udp  --  !docker0 docker0  0.0.0.0/0            172.18.0.2           udp dpt:10379
    0     0 ACCEPT     udp  --  !docker0 docker0  0.0.0.0/0            172.18.0.2           udp dpt:10378
    0     0 ACCEPT     udp  --  !docker0 docker0  0.0.0.0/0            172.18.0.2           udp dpt:10377
    0     0 ACCEPT     udp  --  !docker0 docker0  0.0.0.0/0            172.18.0.2           udp dpt:10376
    0     0 ACCEPT     udp  --  !docker0 docker0  0.0.0.0/0            172.18.0.2           udp dpt:10375
    0     0 ACCEPT     udp  --  !docker0 docker0  0.0.0.0/0            172.18.0.2           udp dpt:10374
    0     0 ACCEPT     udp  --  !docker0 docker0  0.0.0.0/0            172.18.0.2           udp dpt:10373
    0     0 ACCEPT     udp  --  !docker0 docker0  0.0.0.0/0            172.18.0.2           udp dpt:10372
    0     0 ACCEPT     udp  --  !docker0 docker0  0.0.0.0/0            172.18.0.2           udp dpt:10371
    0     0 ACCEPT     udp  --  !docker0 docker0  0.0.0.0/0            172.18.0.2           udp dpt:10370
# ... ...
    0     0 ACCEPT     udp  --  !docker0 docker0  0.0.0.0/0            172.18.0.2           udp dpt:10310
    0     0 ACCEPT     udp  --  !docker0 docker0  0.0.0.0/0            172.18.0.2           udp dpt:10309
    0     0 ACCEPT     udp  --  !docker0 docker0  0.0.0.0/0            172.18.0.2           udp dpt:10308
    0     0 ACCEPT     udp  --  !docker0 docker0  0.0.0.0/0            172.18.0.2           udp dpt:10307
    0     0 ACCEPT     udp  --  !docker0 docker0  0.0.0.0/0            172.18.0.2           udp dpt:10306
    0     0 ACCEPT     udp  --  !docker0 docker0  0.0.0.0/0            172.18.0.2           udp dpt:10305
    0     0 ACCEPT     udp  --  !docker0 docker0  0.0.0.0/0            172.18.0.2           udp dpt:10304
    0     0 ACCEPT     udp  --  !docker0 docker0  0.0.0.0/0            172.18.0.2           udp dpt:10303
    0     0 ACCEPT     udp  --  !docker0 docker0  0.0.0.0/0            172.18.0.2           udp dpt:10302
    0     0 ACCEPT     udp  --  !docker0 docker0  0.0.0.0/0            172.18.0.2           udp dpt:10301
    0     0 ACCEPT     udp  --  !docker0 docker0  0.0.0.0/0            172.18.0.2           udp dpt:10300

Chain DOCKER-ISOLATION (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

############################################
mangle
############################################
Chain PREROUTING (policy ACCEPT 146 packets, 9205 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain INPUT (policy ACCEPT 146 packets, 9205 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 123 packets, 70493 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 123 packets, 70493 bytes)
 pkts bytes target     prot opt in     out     source               destination         

############################################
nat
############################################
Chain PREROUTING (policy ACCEPT 371 packets, 20868 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 1193 73848 DOCKER     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT 371 packets, 20868 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 538 packets, 34120 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DOCKER     all  --  *      *       0.0.0.0/0           !127.0.0.0/8          ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT 538 packets, 34120 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 MASQUERADE  all  --  *      !docker0  172.18.0.0/16        0.0.0.0/0           
    0     0 MASQUERADE  udp  --  *      *       172.18.0.2           172.18.0.2           udp dpt:10399
    0     0 MASQUERADE  udp  --  *      *       172.18.0.2           172.18.0.2           udp dpt:10398
    0     0 MASQUERADE  udp  --  *      *       172.18.0.2           172.18.0.2           udp dpt:10397
    0     0 MASQUERADE  udp  --  *      *       172.18.0.2           172.18.0.2           udp dpt:10396
    0     0 MASQUERADE  udp  --  *      *       172.18.0.2           172.18.0.2           udp dpt:10395
    0     0 MASQUERADE  udp  --  *      *       172.18.0.2           172.18.0.2           udp dpt:10394
    0     0 MASQUERADE  udp  --  *      *       172.18.0.2           172.18.0.2           udp dpt:10393
    0     0 MASQUERADE  udp  --  *      *       172.18.0.2           172.18.0.2           udp dpt:10392
    0     0 MASQUERADE  udp  --  *      *       172.18.0.2           172.18.0.2           udp dpt:10391
    0     0 MASQUERADE  udp  --  *      *       172.18.0.2           172.18.0.2           udp dpt:10390
    0     0 MASQUERADE  udp  --  *      *       172.18.0.2           172.18.0.2           udp dpt:10389
    0     0 MASQUERADE  udp  --  *      *       172.18.0.2           172.18.0.2           udp dpt:10388
    0     0 MASQUERADE  udp  --  *      *       172.18.0.2           172.18.0.2           udp dpt:10387
    0     0 MASQUERADE  udp  --  *      *       172.18.0.2           172.18.0.2           udp dpt:10386
    0     0 MASQUERADE  udp  --  *      *       172.18.0.2           172.18.0.2           udp dpt:10385
    0     0 MASQUERADE  udp  --  *      *       172.18.0.2           172.18.0.2           udp dpt:10384
    0     0 MASQUERADE  udp  --  *      *       172.18.0.2           172.18.0.2           udp dpt:10383
    0     0 MASQUERADE  udp  --  *      *       172.18.0.2           172.18.0.2           udp dpt:10382
    0     0 MASQUERADE  udp  --  *      *       172.18.0.2           172.18.0.2           udp dpt:10381
    0     0 MASQUERADE  udp  --  *      *       172.18.0.2           172.18.0.2           udp dpt:10380
    0     0 MASQUERADE  udp  --  *      *       172.18.0.2           172.18.0.2           udp dpt:10379
    0     0 MASQUERADE  udp  --  *      *       172.18.0.2           172.18.0.2           udp dpt:10378
    0     0 MASQUERADE  udp  --  *      *       172.18.0.2           172.18.0.2           udp dpt:10377
    0     0 MASQUERADE  udp  --  *      *       172.18.0.2           172.18.0.2           udp dpt:10376
    0     0 MASQUERADE  udp  --  *      *       172.18.0.2           172.18.0.2           udp dpt:10375
    0     0 MASQUERADE  udp  --  *      *       172.18.0.2           172.18.0.2           udp dpt:10374
    0     0 MASQUERADE  udp  --  *      *       172.18.0.2           172.18.0.2           udp dpt:10373
    0     0 MASQUERADE  udp  --  *      *       172.18.0.2           172.18.0.2           udp dpt:10372
    0     0 MASQUERADE  udp  --  *      *       172.18.0.2           172.18.0.2           udp dpt:10371
    0     0 MASQUERADE  udp  --  *      *       172.18.0.2           172.18.0.2           udp dpt:10370
# ... ...
    0     0 MASQUERADE  udp  --  *      *       172.18.0.2           172.18.0.2           udp dpt:10310
    0     0 MASQUERADE  udp  --  *      *       172.18.0.2           172.18.0.2           udp dpt:10309
    0     0 MASQUERADE  udp  --  *      *       172.18.0.2           172.18.0.2           udp dpt:10308
    0     0 MASQUERADE  udp  --  *      *       172.18.0.2           172.18.0.2           udp dpt:10307
    0     0 MASQUERADE  udp  --  *      *       172.18.0.2           172.18.0.2           udp dpt:10306
    0     0 MASQUERADE  udp  --  *      *       172.18.0.2           172.18.0.2           udp dpt:10305
    0     0 MASQUERADE  udp  --  *      *       172.18.0.2           172.18.0.2           udp dpt:10304
    0     0 MASQUERADE  udp  --  *      *       172.18.0.2           172.18.0.2           udp dpt:10303
    0     0 MASQUERADE  udp  --  *      *       172.18.0.2           172.18.0.2           udp dpt:10302
    0     0 MASQUERADE  udp  --  *      *       172.18.0.2           172.18.0.2           udp dpt:10301
    0     0 MASQUERADE  udp  --  *      *       172.18.0.2           172.18.0.2           udp dpt:10300

Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 RETURN     all  --  docker0 *       0.0.0.0/0            0.0.0.0/0           
    0     0 DNAT       udp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:10399 to:172.18.0.2:10399
    0     0 DNAT       udp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:10398 to:172.18.0.2:10398
    0     0 DNAT       udp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:10397 to:172.18.0.2:10397
    0     0 DNAT       udp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:10396 to:172.18.0.2:10396
    0     0 DNAT       udp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:10395 to:172.18.0.2:10395
    0     0 DNAT       udp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:10394 to:172.18.0.2:10394
    0     0 DNAT       udp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:10393 to:172.18.0.2:10393
    0     0 DNAT       udp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:10392 to:172.18.0.2:10392
    0     0 DNAT       udp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:10391 to:172.18.0.2:10391
    0     0 DNAT       udp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:10390 to:172.18.0.2:10390
    0     0 DNAT       udp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:10389 to:172.18.0.2:10389
    0     0 DNAT       udp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:10388 to:172.18.0.2:10388
    0     0 DNAT       udp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:10387 to:172.18.0.2:10387
    0     0 DNAT       udp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:10386 to:172.18.0.2:10386
    0     0 DNAT       udp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:10385 to:172.18.0.2:10385
    0     0 DNAT       udp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:10384 to:172.18.0.2:10384
    0     0 DNAT       udp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:10383 to:172.18.0.2:10383
    0     0 DNAT       udp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:10382 to:172.18.0.2:10382
    0     0 DNAT       udp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:10381 to:172.18.0.2:10381
    0     0 DNAT       udp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:10380 to:172.18.0.2:10380
    0     0 DNAT       udp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:10379 to:172.18.0.2:10379
    0     0 DNAT       udp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:10378 to:172.18.0.2:10378
    0     0 DNAT       udp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:10377 to:172.18.0.2:10377
    0     0 DNAT       udp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:10376 to:172.18.0.2:10376
    0     0 DNAT       udp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:10375 to:172.18.0.2:10375
    0     0 DNAT       udp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:10374 to:172.18.0.2:10374
    0     0 DNAT       udp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:10373 to:172.18.0.2:10373
    0     0 DNAT       udp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:10372 to:172.18.0.2:10372
    0     0 DNAT       udp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:10371 to:172.18.0.2:10371
    0     0 DNAT       udp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:10370 to:172.18.0.2:10370
# ... ...
    0     0 DNAT       udp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:10311 to:172.18.0.2:10311
    0     0 DNAT       udp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:10310 to:172.18.0.2:10310
    0     0 DNAT       udp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:10309 to:172.18.0.2:10309
    0     0 DNAT       udp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:10308 to:172.18.0.2:10308
    0     0 DNAT       udp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:10307 to:172.18.0.2:10307
    0     0 DNAT       udp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:10306 to:172.18.0.2:10306
    0     0 DNAT       udp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:10305 to:172.18.0.2:10305
    0     0 DNAT       udp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:10304 to:172.18.0.2:10304
    0     0 DNAT       udp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:10303 to:172.18.0.2:10303
    0     0 DNAT       udp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:10302 to:172.18.0.2:10302
    0     0 DNAT       udp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:10301 to:172.18.0.2:10301
    0     0 DNAT       udp  --  !docker0 *       0.0.0.0/0            0.0.0.0/0            udp dpt:10300 to:172.18.0.2:10300

############################################
security
############################################
Chain INPUT (policy ACCEPT 146 packets, 9257 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 114 packets, 77993 bytes)
 pkts bytes target     prot opt in     out     source               destination         

############################################
raw
############################################
Chain PREROUTING (policy ACCEPT 50 packets, 3203 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 TRACE      udp  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy ACCEPT 41 packets, 55987 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 TRACE      udp  --  *      *       0.0.0.0/0            0.0.0.0/0

结论

综上可知,有简易方案可以追踪Iptables的执行路径。通过这种方案,用于排查和诊断,能够探查包在内核中处理信息。无疑这种简易有其独到之处。
注意,执行追踪后,因为默认加载的nf_conntrack*模块会有限制,最好重启下恢复到改动前状态。

参考

  1. Towards the perfect ruleset
  2. iptables debugging
  3. How to Enable IPtables TRACE Target on Debian Squeeze (6)
  4. Iptables (简体中文))
文章标签:
云防火墙
日志服务
Linux
容器
Docker
Shell
网络安全
宁希波若
目录
相关文章
jianz123
|
3月前
|
运维 安全 Java
主机入侵痕迹排查指导手册(一)排查概述、排查思路
【8月更文挑战第11天】此文档提供了一线服务交付人员在攻防演练期间对主机进行入侵痕迹排查的指导。主要内容包括:1) 排查概述,明确了手册的目标是传递知识与经验,帮助一线人员高效完成排查工作;2) 排查思路,首先介绍排查流程,强调从网络连接、进程信息等多角度入手;其次提出注意事项,如避免误操作导致业务中断,以及在发现疑似异常文件时应谨慎处理。该指南适用于Windows与Linux系统,并关注Web应用的安全检查。
jianz123
91 0
周周的奇妙编程
|
5月前
|
容器 Perl Kubernetes
深入 Kubernetes 网络:实战K8s网络故障排查与诊断策略
本文介绍了Kubernetes网络的基础知识和故障排查经验,重点讨论了私有化环境中Kubernetes网络的挑战。首先,文章阐述了Kubernetes网络模型的三大核心要素:Pod网络、Service网络和CNI,并强调了其在容器通信和服务发现中的作用。接着,通过三个具体的故障案例,展示了网络冲突、主节点DNS配置更改导致的服务中断以及容器网络抖动问题的解决过程,强调了网络规划、配置管理和人员培训的重要性。最后,提到了KubeSkoop exporter工具在监控和定位网络抖动问题中的应用。通过这些案例,读者可以深入了解Kubernetes网络的复杂性,并学习到实用的故障排查方法。
周周的奇妙编程
147402 19
真的很搞笑
|
5月前
|
关系型数据库 分布式数据库 数据库
PolarDB产品使用合集之诊断内核问题时,除了增加日志还有什么诊断手段
PolarDB是阿里云推出的一种云原生数据库服务,专为云设计,提供兼容MySQL、PostgreSQL的高性能、低成本、弹性可扩展的数据库解决方案,可以有效地管理和优化PolarDB实例,确保数据库服务的稳定、高效运行。以下是使用PolarDB产品的一些建议和最佳实践合集。
真的很搞笑
56 1
流子
|
12月前
|
监控 Linux
Linux网络流量实时监控工具-ifstat
Linux网络流量实时监控工具-ifstat
流子
93 0
征服Bug
|
域名解析 网络协议 网络安全
网络 | 排错五大步骤,没有解决不了的网络故障准达信息准达信息
网络 | 排错五大步骤,没有解决不了的网络故障准达信息准达信息
征服Bug
99 0
猫头虎
|
Prometheus Cloud Native 安全
硬件故障诊断:快速定位问题
硬件故障诊断:快速定位问题
猫头虎
183 0
yuanfan_2012
|
运维 安全 应用服务中间件
记一次"非常诡异"的云安全组规则问题排查过程
记一次"非常诡异"的云安全组规则问题排查过程
yuanfan_2012
152 0
记一次"非常诡异"的云安全组规则问题排查过程
uzl2tcffzmkty
|
SQL 缓存 监控
聊聊什么是慢查、如何监控?如何排查?
今天我要跟你分享的话题是:“聊聊什么是慢查、如何监控?如何排查?”
uzl2tcffzmkty
287 0
ai_wx_3307623172
|
监控 网络协议 安全
VoIP系统故障排除:7个常见问题处理方法
VoIP呼叫已成为世界各地公司的主要通信方式。事实上,2020年美国的VoIP服务市场规模约为71亿美元。
ai_wx_3307623172
526 0
余二五
|
Web App开发 测试技术 网络安全
防火墙故障问题排查步骤
余二五
1223 0

阿里云支持与服务

热门文章

最新文章

  • 1
    常见浏览器User-Agent大全
  • 2
    未来已来!阿里小蜜AI技术揭秘
  • 3
    Flink: 实时规则引擎助力新零售发展
  • 4
    Apache Flink 进阶(三):Checkpoint 原理解析与应用实践
  • 5
    weex-html5 组件进阶
  • 6
    群智能算法:灰狼优化算法(GWO)的详细解读
  • 7
    Amazon 的IoT之路
  • 8
    hp M1530一体机无法在OEM系统下安装驱动
  • 9
    NumPy Cookbook 带注释源码 十、Scikit 中的乐趣
  • 10
    潮流设计:15个创意的 3D 字体版式作品欣赏
  • 1
    springboot配置hosts文件
    24
  • 2
    maven项目的pom.xml文件常用标签使用介绍
    23
  • 3
    天气预报-腾讯天气-7天-地址查询版免费API接口
    19
  • 4
    第四届人文,智慧教育与服务管理国际学术会议(HWESM 2025) 2025 4th International Conference on Humanities, Wisdom Education and Service Management
    19
  • 5
    2025电气自动化与电机系统国际学术会议(EAMS 2025) 2025 International Conference on Electrical Automation and Motor System
    19
  • 6
    大厂面试高频:什么是自旋锁?Java 实现自旋锁的原理?
    16
  • 7
    C++ 之 perf+火焰图分析与调试
    16
  • 8
    面试高频:Synchronized 原理,建议收藏备用 !
    13
  • 9
    SQL 中,通配符
    12
  • 10
    鸿蒙next版开发:相机开发-适配不同折叠状态的摄像头变更(ArkTS)
    18

    • 相关课程

    更多
  • 使用Kubernetes监控定位Pod状态异常根因
  • 运维监控系统
  • 线上Linux服务器优化经验
  • 智能运维赛(复赛):利用数据和算法,快速定位系统异常并进行根因分析
  • 如何使用Kubernetes监控定位慢调用

    • 相关电子书

    更多
  • 基于日志trace的智能故障定位系统
  • 网络流量异常行为分析系统
  • 美团crash监控分析系统优化之路

    • 相关实验场景

    更多
  • ECS操作系统无法登录诊断能力
  • 通过云拨测对指定服务器进行Ping/DNS监测
  • 日志服务之告警接入与管理
  • 通过实例健康诊断发现问题
  • 应用性能管理场景下自动探查风险
    • 下一篇
    无影云桌面