iptables 咋又遇到问题了...
我在10.10.80.12/24这个机器上做SNAT, 给一个小网段10.8.0.0/16提供出口服务. 这么配的:
-t nat -A POSTROUTING -s 10.8.0.0/16 ! -d 10.8.0.0/16 -j SNAT --to-source 10.10.80.12
然后在在10.8.0.6上面ping 180.97.33.108:
20:58:20.103451 IP 10.8.0.6 > 180.97.33.108: ICMP echo request, id 22332, seq 1, length 64
20:58:20.103524 IP 10.10.80.12 > 180.97.33.108: ICMP echo request, id 22332, seq 1, length 64
20:58:20.103531 IP 10.10.80.12 > 180.97.33.108: ICMP echo request, id 22332, seq 1, length 64
20:58:20.104900 IP 180.97.33.108 > 10.10.80.12: ICMP echo reply, id 22332, seq 1, length 64
20:58:20.104968 IP 180.97.33.108 > 10.10.80.12: ICMP echo reply, id 22332, seq 1, length 64
能看到request报文是正常的, 而reply报文的目标地址没有换回来.(10.10.80.12地址配在一个网桥上, 抓包用-i any, 所以会抓到重复包, 没问题)
reply报文收到了, 但是用conntrack -L能看到这个连接处于UNREPLIED状态.
icmp 1 16 src=10.8.0.6 dst=180.97.33.108 type=8 code=0 id=22332 [UNREPLIED] src=180.97.33.108 dst=10.10.80.12 type=0 code=0 id=22332 mark=0 use=2
然后在iptables各个chain里面加了日志, 日志是这样的:
raw-PREROUTING IN=brq78e460d0-36 OUT= PHYSIN=enp3s0f0 MAC=0c:c4:7a:2a:75:1a:00:e0:0f:8e:95:64:08:00 SRC=180.97.33.108 DST=10.10.80.12 LEN=84 TOS=0x00 PREC=0x00 TTL=56 ID=29612 DF PROTO=ICMP TYPE=0 CODE=0 ID=22193 SEQ=1
mangle-PREROUTING IN=brq78e460d0-36 OUT= PHYSIN=enp3s0f0 MAC=0c:c4:7a:2a:75:1a:00:e0:0f:8e:95:64:08:00 SRC=180.97.33.108 DST=10.10.80.12 LEN=84 TOS=0x00 PREC=0x00 TTL=56 ID=29612 DF PROTO=ICMP TYPE=0 CODE=0 ID=22193 SEQ=1
mangle-INPUT IN=brq78e460d0-36 OUT= PHYSIN=enp3s0f0 MAC=0c:c4:7a:2a:75:1a:00:e0:0f:8e:95:64:08:00 SRC=180.97.33.108 DST=10.10.80.12 LEN=84 TOS=0x00 PREC=0x00 TTL=56 ID=29612 DF PROTO=ICMP TYPE=0 CODE=0 ID=22193 SEQ=1
filter-INPUT IN=brq78e460d0-36 OUT= PHYSIN=enp3s0f0 MAC=0c:c4:7a:2a:75:1a:00:e0:0f:8e:95:64:08:00 SRC=180.97.33.108 DST=10.10.80.12 LEN=84 TOS=0x00 PREC=0x00 TTL=56 ID=29612 DF PROTO=ICMP TYPE=0 CODE=0 ID=22193 SEQ=1
按我的理解, 应该走到mangle-PREROUTING之后, 就应该把地址换回去, 再FORWARD而日志显示竟然是INPUT. 奇怪吧
