How to read iptables TRACE logs (policy numbers)

So I added

sudo iptables -t raw -A PREROUTING -p tcp --dport 25 -j TRACE

and

sudo iptables -t raw -A OUTPUT -p tcp --dport 25 -j TRACE

When I grep my syslog for TRACE, I get output like this:

Jan 19 09:14:46 dev109 kernel: [29067248.683235] TRACE: raw:OUTPUT:rule:2 IN= OUT=eth0  ...
Jan 19 09:14:46 dev109 kernel: [29067248.683244] TRACE: raw:OUTPUT:policy:5 IN= OUT=eth0 ...
Jan 19 09:14:46 dev109 kernel: [29067248.683254] TRACE: mangle:OUTPUT:policy:1 IN= OUT=eth0 ...
Jan 19 09:14:46 dev109 kernel: [29067248.683262] TRACE: filter:OUTPUT:policy:1 ...
Jan 19 09:14:46 dev109 kernel: [29067248.683269] TRACE: mangle:POSTROUTING:policy:1 ...
Jan 19 09:14:46 dev109 kernel: [29067248.683432] TRACE: raw:OUTPUT:rule:4 IN= OUT=eth0 ...
Jan 19 09:14:46 dev109 kernel: [29067248.683441] TRACE: raw:OUTPUT:policy:5 IN= OUT=eth0 ...

I'd like to understand what the policy number refers to. Is policy:1 == ACCEPT? If so, what does policy:5 mean?

policy:1 is type:rulenum. Or, put another way, type="policy" and rulenum=1.

Read this carefully. Specifically:

TRACE This target marks packets so that the kernel will log every rule which matches the packets as they traverse the tables, chains, rules. (The ipt_LOG or ip6t_LOG module is required for the logging.) The packets are logged with the string prefix:

"TRACE: tablename:chainname:type:rulenum " where type can be "rule" for a plain rule, "return" for the implicit rule at the end of a user-defined chain and "policy" for the policy of the built-in chains. It can only be used in the raw table.

Now let's take one of the prefixes from the question, TRACE: mangle:OUTPUT:policy:1, and apply what we learned:

tablename = mangle
chainname = OUTPUT
type      = policy
rulenum   = 1

I'd like to offer a simple explanation on top of the answer by @OscarAkaElvis and others.

Every chain has a default policy, which you can see by printing the rules. Here we can see that the INPUT chain in the filter table has the default policy ACCEPT:

# iptables -L -t filter
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     icmp --  anywhere             anywhere             /* 000 accept all icmp */
ACCEPT     all  --  anywhere             anywhere             /* 001 accept all to lo interface */
REJECT     all  --  anywhere             127.0.0.0/8          /* 002 reject local traffic not on loopback interface */ reject-with icmp-port-unreachable

As described at https://backreference.org/2010/06/11/iptables-debugging/, the log message format is TRACE: tablename:chainname:type:rulenum.

For a policy, the last part of the format is type:rulenum, and the rulenum refers to the policy's default rule, i.e. the last rule. It is basically "the number of rules you added to the chain" + 1.

Here are two explanations using the chains from the original question:

  • mangle:OUTPUT:policy:1: this chain (mangle:OUTPUT) contains no rules. The default rule is the first and only rule, hence the number :1.
  • raw:OUTPUT:policy:5: this chain contains 4 rules, so the default is rule #5.
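As an added illustration (not code from either answer), here is a small Python parser that pulls the tablename:chainname:type:rulenum prefix out of syslog lines and, for policy hits, cross-checks the number against the rule count loaded in that chain. The log lines and the rule counts (4 for raw:OUTPUT, 0 for mangle:OUTPUT) are taken from the question and the answer above; the rule-count table is an assumed input you would fill from `iptables -t <table> -S <chain>`.

```python
import re

# Matches the prefix the TRACE target logs: TRACE: tablename:chainname:type:rulenum
TRACE_RE = re.compile(
    r"TRACE: (?P<table>[^:\s]+):(?P<chain>[^:\s]+):(?P<kind>rule|return|policy):(?P<rulenum>\d+)"
)

# Constructed sample log: three lines reproduced from the question above.
SAMPLE_LOG = """\
Jan 19 09:14:46 dev109 kernel: [29067248.683235] TRACE: raw:OUTPUT:rule:2 IN= OUT=eth0
Jan 19 09:14:46 dev109 kernel: [29067248.683244] TRACE: raw:OUTPUT:policy:5 IN= OUT=eth0
Jan 19 09:14:46 dev109 kernel: [29067248.683254] TRACE: mangle:OUTPUT:policy:1 IN= OUT=eth0
"""

# Assumed number of rules loaded in each (table, chain); in practice read it from
# `iptables -t <table> -S <chain>`. These values are the ones the answer infers.
RULE_COUNTS = {("raw", "OUTPUT"): 4, ("mangle", "OUTPUT"): 0}


def parse_trace(line):
    """Return (table, chain, kind, rulenum) for a TRACE line, or None for any other line."""
    m = TRACE_RE.search(line)
    if not m:
        return None
    return m["table"], m["chain"], m["kind"], int(m["rulenum"])


def explain(table, chain, kind, rulenum, rule_counts):
    """Put one TRACE prefix into words, cross-checking a policy number against the
    rule count we know for that chain (policy rulenum must equal rules + 1)."""
    where = f"{table}:{chain}"
    if kind == "rule":
        return f"{where}: matched rule #{rulenum}"
    if kind == "return":
        return f"{where}: end of user-defined chain, implicit RETURN to the caller"
    # kind == "policy": every rule was tried and the built-in chain's default applied
    known = rule_counts.get((table, chain))
    if known is not None and rulenum != known + 1:
        return (f"{where}: policy number {rulenum} disagrees with the {known} rule(s) "
                f"loaded (expected {known + 1}); did the ruleset change after the trace?")
    return f"{where}: no rule matched, fell through {rulenum - 1} rule(s) to the default policy"


def explain_log(text, rule_counts=RULE_COUNTS):
    """Explain every TRACE line of a syslog excerpt, in packet-traversal order."""
    events = (parse_trace(line) for line in text.splitlines())
    return [explain(*ev, rule_counts) for ev in events if ev]
```

A mismatch between the logged policy number and the current rule count usually means rules were added or removed after the trace was captured, so re-read the chain before trusting the interpretation.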