Linux traffic steering, martian source

I am trying to intercept routed IP traffic using Linux, iptables and source routing.

My setup has 4 namespaces:

  • host namespace
  • namespace "neta", 10.112.0.8
  • namespace "netb", 10.112.0.16
  • namespace "firewall"

Namespaces "neta" and "netb" are configured with interfaces poking into the "host" namespace, and routes are set up so that they can ping each other.

Namespace "firewall" has a veth and a gre interface poking into the "host" namespace.

L3 traffic steering setup

Brief description of the experiment:

  1. Confirm that ping from neta to netb works (ping 10.112.0.16) (check)
  2. Install source routing to divert ICMP from neta to the firewall (check)
  3. Confirm that ping from neta to netb still works (fail)

The idea is that an ICMP request diverted to the firewall bounces back from the firewall and continues its journey to netb.

However, the observed behaviour is a bit surprising: the ICMP request from neta is diverted to the firewall, bounces back into the host namespace, shows up in iptables -t mangle -A PREROUTING -j LOG, and is then dropped as a martian.

    IN=firewall-tun OUT= MAC= SRC=10.112.0.16 DST=10.112.0.8 LEN=84 TOS=0x00 PREC=0x00 TTL=62 ID=7131 DF PROTO=ICMP TYPE=8 CODE=0 ID=13094 SEQ=1

    IPv4: martian source 10.112.0.8 from 10.112.0.16, on dev firewall

The packet received from the firewall looks exactly the same as one that was never diverted at all; as far as I can tell it does not meet the rfc1812 criteria for a martian, yet Linux drops it.

Question: does anybody know why Linux treats such a packet as a martian?

More details:

    $ ip rule list
    0:      from all lookup local
    32763:  from all fwmark 0x1 lookup 1
    32764:  from all lookup 2
    32766:  from all lookup main
    32767:  from all lookup default

    $ ip ro list table 1
    10.112.0.0/24 dev firewall-tun scope link

    $ ip ro list table 2
    10.112.0.8 dev neta scope link
    10.112.0.16 dev netb scope link

    $ ip link show neta
    9: neta@if3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc noqueue state UP mode DEFAULT group default
        link/ether 0a:67:16:21:c2:85 brd ff:ff:ff:ff:ff:ff link-netnsid 1

    $ ip link show netb
    10: netb@if3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc noqueue state UP mode DEFAULT group default
        link/ether 32:be:7f:43:4d:d9 brd ff:ff:ff:ff:ff:ff link-netnsid 2

    $ ip link show firewall
    11: firewall@if12: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
        link/ether 12:f3:df:d4:6f:30 brd ff:ff:ff:ff:ff:ff link-netnsid 3

    $ ip link show firewall-tun
    15: firewall-tun@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1476 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1
        link/gre 10.200.100.1 peer 10.200.100.2

    $ exec-neta ip -4 a show eth0
    3: eth0@if9: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc noqueue state UP group default link-netnsid 0
        inet 10.112.0.8/32 scope global eth0
           valid_lft forever preferred_lft forever

    $ exec-neta ip ro
    default via 10.200.100.1 dev eth0
    10.200.100.1 dev eth0 scope link

    $ exec-netb ip -4 a show eth0
    3: eth0@if10: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc noqueue state UP group default link-netnsid 0
        inet 10.112.0.16/32 scope global eth0
           valid_lft forever preferred_lft forever

    $ exec-netb ip -4 ro
    default via 10.200.100.1 dev eth0
    10.200.100.1 dev eth0 scope link

    $ sudo ip netns exec firewall ip -4 a
    12: eth0@if11: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000 link-netnsid 0
        inet 10.200.100.2/32 scope global eth0
           valid_lft forever preferred_lft forever

    $ sudo ip netns exec firewall ip -4 link show host
    4: host@NONE: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1476 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1
        link/gre 10.200.100.2 peer 10.200.100.1

    # step 1, clean iptables
    $ sudo iptables -nv -t mangle -L PREROUTING
    Chain PREROUTING (policy ACCEPT 90 packets, 17435 bytes)
     pkts bytes target     prot opt in           out     source               destination
        2   168 MARK       all  --  firewall-tun *       0.0.0.0/0            0.0.0.0/0            MARK and 0x0
       11   774 LOG        icmp --  *            *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4

    # Ping works
    $ exec-netb ping -c 1 10.112.0.8
    PING 10.112.0.8 (10.112.0.8) 56(84) bytes of data.
    64 bytes from 10.112.0.8: icmp_seq=1 ttl=63 time=0.067 ms

    --- 10.112.0.8 ping statistics ---
    1 packets transmitted, 1 received, 0% packet loss, time 0ms
    rtt min/avg/max/mdev = 0.067/0.067/0.067/0.000 ms

    # Install iptables rule to mark traffic for route table 1
    $ sudo iptables -t mangle -I PREROUTING -s 10.112.0.0/24 -d 10.112.0.0/24 -j MARK --set-mark 1
    $ sudo iptables -nv -t mangle -L PREROUTING
    Chain PREROUTING (policy ACCEPT 78 packets, 29684 bytes)
     pkts bytes target     prot opt in           out     source               destination
        2   168 MARK       all  --  *            *       10.112.0.0/24        10.112.0.0/24        MARK set 0x1
        4   336 MARK       all  --  firewall-tun *       0.0.0.0/0            0.0.0.0/0            MARK and 0x0
       17  1278 LOG        icmp --  *            *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4

    # And ping doesn't work any more
    $ exec-netb ping -c 1 10.112.0.8
    PING 10.112.0.8 (10.112.0.8) 56(84) bytes of data.

    --- 10.112.0.8 ping statistics ---
    1 packets transmitted, 0 received, 100% packet loss, time 0ms
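As an added illustration (not part of the question or any answer), the Python below transcribes the rule and route tables shown above and models the kernel's reverse-path source check (net.ipv4.conf.<dev>.rp_filter), which is what produces a "martian source" log line when the route back to a packet's source address does not point at the interface the packet arrived on. It assumes rp_filter is strict on firewall-tun and that net.ipv4.conf.<dev>.src_valid_mark is at its default of 0, so the fwmark set in mangle PREROUTING is ignored during the reverse lookup; neither setting is stated in the question.

```python
import ipaddress

# Policy rules and route tables transcribed from the question's "ip rule list"
# and "ip ro list" output (local/main/default are empty: no host-local addresses here).
RULES = [  # (priority, required fwmark or None, table)
    (0, None, "local"), (32763, 1, "1"), (32764, None, "2"),
    (32766, None, "main"), (32767, None, "default"),
]
TABLES = {
    "local": [], "main": [], "default": [],
    "1": [("10.112.0.0/24", "firewall-tun")],
    "2": [("10.112.0.8/32", "neta"), ("10.112.0.16/32", "netb")],
}

def lookup(addr, mark=0):
    """Walk the rules by priority; return (table, dev) of the longest-prefix
    route in the first table that has a matching route, or None."""
    ip = ipaddress.ip_address(addr)
    for _prio, rule_mark, table in sorted(RULES, key=lambda r: r[0]):
        if rule_mark is not None and rule_mark != mark:
            continue
        hits = [(ipaddress.ip_network(p), dev) for p, dev in TABLES[table]
                if ip in ipaddress.ip_network(p)]
        if hits:
            _net, dev = max(hits, key=lambda h: h[0].prefixlen)
            return table, dev
    return None

def rp_filter(src, in_dev, mark=0, mode=1, src_valid_mark=0):
    """Model of net.ipv4.conf.<in_dev>.rp_filter: 0 off, 1 strict, 2 loose.
    Returns (accepted, reason). With src_valid_mark=0 (the kernel default, an
    assumption for this setup) the fwmark is not used for the reverse lookup."""
    if mode == 0:
        return True, "rp_filter disabled"
    res = lookup(src, mark if src_valid_mark else 0)
    if res is None:
        return False, f"no route back to {src}: martian source"
    table, dev = res
    if mode == 2 or dev == in_dev:
        return True, f"reverse route to {src} via {dev} (table {table})"
    return False, (f"reverse route to {src} is via {dev} (table {table}), "
                   f"not {in_dev}: martian source")

if __name__ == "__main__":
    # Echo request from netb as it first enters the host namespace...
    print("on netb:        ", rp_filter("10.112.0.16", "netb"))
    # ...and the same packet after the firewall returns it over the GRE tunnel.
    print("on firewall-tun:", rp_filter("10.112.0.16", "firewall-tun", mark=1))
    print("loose mode:     ", rp_filter("10.112.0.16", "firewall-tun", mode=2))
```

The model shows the returning packet failing the strict check on firewall-tun because the unmarked reverse lookup for 10.112.0.16 lands in table 2 (dev netb), while the same packet passes under loose mode or when src_valid_mark is honoured.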