Incoming packets don't hit the iptables INPUT chain

I'm running a VPN client in a Docker container. I'm trying to connect from the host to a web server running in the Docker container via port 8080. When I try to connect, I can see my incoming packet on port 8080 with tcpdump, but the web server never sees it. I've added iptables '-j LOG' rules for every possible packet state transition to try to trace it. I see the packet in:

  • table 'raw', chain PREROUTING
  • table 'mangle', chain PREROUTING
  • table 'nat', chain PREROUTING

Then... nothing. After a while the packet is retransmitted and I see the new packet go through PREROUTING. Nothing ever shows up in the mangle INPUT or FORWARD chain – as far as I know that's impossible – it has to hit one of them. Is there any way for a packet to pass through PREROUTING but not hit INPUT or FORWARD? My iptables are as follows:

    root@87ff7ad8e4f9:/# iptables -t raw -L
    Chain PREROUTING (policy ACCEPT)
    target     prot opt source               destination
    NFLOG      tcp  --  anywhere             anywhere             tcp spt:http-alt nflog-prefix "raw pre-route Src incoming packet"
    NFLOG      tcp  --  anywhere             anywhere             tcp dpt:http-alt nflog-prefix "raw pre-route Dest incoming packet"

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination
    NFLOG      tcp  --  anywhere             anywhere             tcp dpt:http-alt nflog-prefix "Dest outgoing packet"
    NFLOG      tcp  --  anywhere             anywhere             tcp spt:http-alt nflog-prefix "Src outgoing packet"

    root@87ff7ad8e4f9:/# iptables -t mangle -L
    Chain PREROUTING (policy ACCEPT)
    target     prot opt source               destination
    NFLOG      tcp  --  anywhere             anywhere             tcp dpt:http-alt nflog-prefix "mangle PREROUTING Dest incoming packet"

    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination
    NFLOG      all  --  anywhere             anywhere             nflog-prefix "mangle INPUT Dest incoming packet any2"

    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination
    NFLOG      all  --  anywhere             anywhere             nflog-prefix "mangle FORWARD Dest incoming packet any"

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination
    MARK       tcp  --  anywhere             anywhere             tcp spt:http-alt MARK set 0x1
    MARK       tcp  --  anywhere             anywhere             tcp dpt:http-alt MARK set 0x1
    NFLOG      tcp  --  anywhere             anywhere             tcp spt:http-alt nflog-prefix "MARK set 0x1"
    NFLOG      tcp  --  anywhere             anywhere             tcp dpt:http-alt nflog-prefix "Dest MARK set 0x1"

    Chain POSTROUTING (policy ACCEPT)
    target     prot opt source               destination

    root@87ff7ad8e4f9:/# iptables -t nat -L
    Chain PREROUTING (policy ACCEPT)
    target     prot opt source               destination
    NFLOG      tcp  --  anywhere             anywhere             tcp dpt:http-alt nflog-prefix "nat PREROUTING Dest incoming packet"

    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination
    NFLOG      tcp  --  anywhere             anywhere             tcp dpt:http-alt nflog-prefix "nat INPUT Dest incoming packet"

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination

    Chain POSTROUTING (policy ACCEPT)
    target     prot opt source               destination

    root@87ff7ad8e4f9:/# iptables -t filter -L
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination
    NFLOG      tcp  --  anywhere             anywhere             nflog-prefix "connection made"
    NFLOG      tcp  --  anywhere             anywhere             tcp dpt:http-alt nflog-prefix "filter INPUT Dest incoming packet"

    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination
    ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
    ACCEPT     all  --  anywhere             anywhere
    ACCEPT     all  --  anywhere             anywhere
    ACCEPT     all  --  anywhere             anywhere
    ACCEPT     all  --  anywhere             172.17.0.0/16
    ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
    ACCEPT     tcp  --  anywhere             anywhere             owner GID match vpn
    ACCEPT     udp  --  anywhere             anywhere             owner GID match vpn
    DROP       all  --  anywhere             anywhere

My syslog shows:

    Oct 4 07:22:56 87ff7ad8e4f9 raw pre-route Dest incoming packet IN=eth0 OUT= MAC=02:42:ac:11:00:02:02:42:2e:2c:fd:2e:08:00 SRC=76.167.254.196 DST=172.17.0.2 LEN=60 TOS=00 PREC=0x00 TTL=63 ID=39119 DF PROTO=TCP SPT=46644 DPT=8080 SEQ=4027056663 ACK=0 WINDOW=29200 SYN URGP=0 MARK=0
    Oct 4 07:22:56 87ff7ad8e4f9 mangle PREROUTING Dest incoming packet IN=eth0 OUT= MAC=02:42:ac:11:00:02:02:42:2e:2c:fd:2e:08:00 SRC=76.167.254.196 DST=172.17.0.2 LEN=60 TOS=00 PREC=0x00 TTL=63 ID=39119 DF PROTO=TCP SPT=46644 DPT=8080 SEQ=4027056663 ACK=0 WINDOW=29200 SYN URGP=0 MARK=0
    Oct 4 07:22:56 87ff7ad8e4f9 nat PREROUTING Dest incoming packet IN=eth0 OUT= MAC=02:42:ac:11:00:02:02:42:2e:2c:fd:2e:08:00 SRC=76.167.254.196 DST=172.17.0.2 LEN=60 TOS=00 PREC=0x00 TTL=63 ID=39119 DF PROTO=TCP SPT=46644 DPT=8080 SEQ=4027056663 ACK=0 WINDOW=29200 SYN URGP=0 MARK=0
    Oct 4 07:22:57 87ff7ad8e4f9 raw pre-route Dest incoming packet IN=eth0 OUT= MAC=02:42:ac:11:00:02:02:42:2e:2c:fd:2e:08:00 SRC=76.167.254.196 DST=172.17.0.2 LEN=60 TOS=00 PREC=0x00 TTL=63 ID=39120 DF PROTO=TCP SPT=46644 DPT=8080 SEQ=4027056663 ACK=0 WINDOW=29200 SYN URGP=0 MARK=0
    Oct 4 07:22:57 87ff7ad8e4f9 mangle PREROUTING Dest incoming packet IN=eth0 OUT= MAC=02:42:ac:11:00:02:02:42:2e:2c:fd:2e:08:00 SRC=76.167.254.196 DST=172.17.0.2 LEN=60 TOS=00 PREC=0x00 TTL=63 ID=39120 DF PROTO=TCP SPT=46644 DPT=8080 SEQ=4027056663 ACK=0 WINDOW=29200 SYN URGP=0 MARK=0
    Oct 4 07:22:57 87ff7ad8e4f9 nat PREROUTING Dest incoming packet IN=eth0 OUT= MAC=02:42:ac:11:00:02:02:42:2e:2c:fd:2e:08:00 SRC=76.167.254.196 DST=172.17.0.2 LEN=60 TOS=00 PREC=0x00 TTL=63 ID=39120 DF PROTO=TCP SPT=46644 DPT=8080 SEQ=4027056663 ACK=0 WINDOW=29200 SYN URGP=0 MARK=0

I think I've got it. What sits between PREROUTING and INPUT/FORWARD? Look at the diagram: the routing decision.

From your log: SRC=76.167.254.196 DST=172.17.0.2. Without DNAT you can't route a public address to a private IP address. Try adding this:

    iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 8080 -j DNAT --to-destination 172.17.0.2

Or you can set up your VPN to have a private IP instead.

I don't fully understand why, but the reverse path filter is the cause of the dropped packets. Disabling it with the following command solved my problem:

    sysctl -w net.ipv4.conf.eth0.rp_filter=0
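The two answers above together explain the symptom (the packet is logged in PREROUTING, then discarded at the routing decision before INPUT or FORWARD, and rp_filter is what discards it), but neither shows how to confirm that or what the sysctl actually does. The following POSIX shell script is an added example, not code from the original thread: it parses the kernel's IPReversePathFilter counter (the TcpExt group of /proc/net/netstat, which the kernel increments for every packet the reverse path filter drops) from a constructed sample, and it computes the effective rp_filter mode from the all/interface pair, since the kernel uses the larger of net.ipv4.conf.all.rp_filter and net.ipv4.conf.<iface>.rp_filter. The sample netstat text and the interface name eth0 are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original thread. Two checks for the situation
# described above: a packet that is logged in PREROUTING but never reaches
# INPUT/FORWARD was discarded at the routing decision, and when the reverse
# path filter is the reason, the kernel counts it in IPReversePathFilter
# (/proc/net/netstat, TcpExt group).

# Constructed sample in the two-line format of /proc/net/netstat: one header
# line naming the counters, followed by one line with their values.
SAMPLE_NETSTAT='TcpExt: SyncookiesSent SyncookiesRecv IPReversePathFilter TCPTimeouts
TcpExt: 0 0 42 7
IpExt: InNoRoutes InTruncatedPkts
IpExt: 3 0'

# rp_filter_drops <netstat-text>: print the IPReversePathFilter value, or 0 if
# the counter is absent. On a live system pass "$(cat /proc/net/netstat)" and
# call it before and after a failed connection attempt: a rising value means
# rp_filter, not an iptables rule, discarded the packets.
rp_filter_drops() {
  printf '%s\n' "$1" | awk '
    $1 == "TcpExt:" && !hdr {
      for (i = 2; i <= NF; i++) if ($i == "IPReversePathFilter") col = i
      hdr = 1
      next
    }
    $1 == "TcpExt:" && hdr { print (col ? $col : 0); exit }
  '
}

# effective_rp_filter <all_value> <iface_value>: the kernel applies the larger
# of net.ipv4.conf.all.rp_filter and net.ipv4.conf.<iface>.rp_filter, so the
# per-interface sysctl from the answer only takes effect if "all" is not higher.
# 0 = off, 1 = strict (route back to SRC must use the ingress interface),
# 2 = loose (SRC only needs to be reachable via some interface).
effective_rp_filter() {
  if [ "$1" -gt "$2" ]; then echo "$1"; else echo "$2"; fi
}

# rp_filter_explain <mode>: one-line description of the resulting behaviour.
rp_filter_explain() {
  case "$1" in
    0) echo "off: no source-address check" ;;
    1) echo "strict: packet dropped unless the route back to SRC uses the ingress interface" ;;
    2) echo "loose: packet dropped only if SRC is unreachable via any interface" ;;
    *) echo "unknown mode $1" ;;
  esac
}

main() {
  drops=$(rp_filter_drops "$SAMPLE_NETSTAT")
  echo "IPReversePathFilter drops so far: $drops"
  # The asker set eth0 to 0; with "all" still at 1 the effective mode stays strict.
  for pair in "1 0" "0 0" "0 2"; do
    set -- $pair
    mode=$(effective_rp_filter "$1" "$2")
    echo "all=$1 eth0=$2 -> effective $mode ($(rp_filter_explain "$mode"))"
  done
}

main
```

Two practical notes. First, if the counter rises but the per-interface sysctl from the answer changes nothing, check `sysctl net.ipv4.conf.all.rp_filter`: the effective mode is the maximum of the two values. Second, in a container whose VPN tunnel makes the return path asymmetric (reply to a public SRC leaves via the tunnel, not eth0), loose mode (`rp_filter=2`) is usually the better fix than `0`, because it still rejects packets from source addresses that have no route at all while tolerating the asymmetry; `ip route get <SRC> from <DST> iif eth0` shows the routing decision the kernel makes for such a packet and fails when strict mode would discard it.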