
Relationship between tcpdump and iptables


iptables and tcpdump

PREROUTING

# Drop all traffic
iptables -t raw -A PREROUTING -j DROP
# Capture traffic
[root@localhost ~]# tcpdump -i ens33 -nvv
tcpdump: listening on ens33, link-type EN10MB (Ethernet), capture size 65535 bytes
07:30:30.928282 IP (tos 0x0, ttl 128, id 7588, offset 0, flags [none], proto ICMP (1), length 60)
    192.168.0.1 > 192.168.0.10: ICMP echo request, id 1, seq 239, length 40
07:30:35.598637 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.0.10 (00:0c:29:c5:cf:55) tell 192.168.0.1, length 46
07:30:35.598650 ARP, Ethernet (len 6), IPv4 (len 4), Reply 192.168.0.10 is-at 00:0c:29:c5:cf:55, length 28
07:30:35.614367 IP (tos 0x0, ttl 128, id 7589, offset 0, flags [none], proto ICMP (1), length 60)
    192.168.0.1 > 192.168.0.10: ICMP echo request, id 1, seq 240, length 40
07:30:40.614645 IP (tos 0x0, ttl 128, id 7590, offset 0, flags [none], proto ICMP (1), length 60)
    192.168.0.1 > 192.168.0.10: ICMP echo request, id 1, seq 241, length 40
07:30:45.611265 IP (tos 0x0, ttl 128, id 7591, offset 0, flags [none], proto ICMP (1), length 60)
    192.168.0.1 > 192.168.0.10: ICMP echo request, id 1, seq 242, length 40
# ping from the Windows client
[C:\~]$ ping 192.168.0.10

Pinging 192.168.0.10 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 192.168.0.10:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

Note: tcpdump captures the packets before the raw table's PREROUTING rules run, and therefore before the PREROUTING chains of every other table as well, since raw is the first table consulted at that hook. The echo requests are captured but no echo replies appear, which is the DROP taking effect. The ARP request and reply still complete because iptables only filters IPv4; ARP is not subject to these hooks (that needs arptables or an nftables arp-family table).

INPUT

# Drop all traffic
iptables -A INPUT -j DROP
# Capture traffic
[root@localhost ~]# tcpdump -i ens33 -nvv
tcpdump: listening on ens33, link-type EN10MB (Ethernet), capture size 65535 bytes
07:20:35.414347 IP (tos 0x0, ttl 128, id 7576, offset 0, flags [none], proto ICMP (1), length 60)
    192.168.0.1 > 192.168.0.10: ICMP echo request, id 1, seq 227, length 40
07:20:39.598197 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.0.103 tell 192.168.0.1, length 46
07:20:40.113281 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.0.10 (00:0c:29:c5:cf:55) tell 192.168.0.1, length 46
07:20:40.113299 ARP, Ethernet (len 6), IPv4 (len 4), Reply 192.168.0.10 is-at 00:0c:29:c5:cf:55, length 28
07:20:40.113324 IP (tos 0x0, ttl 128, id 7577, offset 0, flags [none], proto ICMP (1), length 60)
    192.168.0.1 > 192.168.0.10: ICMP echo request, id 1, seq 228, length 40
07:20:45.109188 IP (tos 0x0, ttl 128, id 7578, offset 0, flags [none], proto ICMP (1), length 60)
    192.168.0.1 > 192.168.0.10: ICMP echo request, id 1, seq 229, length 40
07:20:48.446869 IP (tos 0x0, ttl 1, id 57748, offset 0, flags [none], proto UDP (17), length 88)
# ping from the Windows client
[C:\~]$ ping 192.168.0.10

Pinging 192.168.0.10 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 192.168.0.10:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

Note: this shows that tcpdump captures inbound traffic before it reaches INPUT; the echo requests are all captured even though every one of them is dropped there and no reply is ever sent.

OUTPUT

# Drop all traffic
iptables -t raw -A OUTPUT -j DROP
# ping an external host
[root@localhost ~]# ping 114.114.114.114
PING 114.114.114.114 (114.114.114.114) 56(84) bytes of data.
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
# Capture traffic
[root@localhost ~]# tcpdump -i ens33 -nvv -p icmp
tcpdump: listening on ens33, link-type EN10MB (Ethernet), capture size 65535 bytes
^C
0 packets captured
0 packets received by filter
0 packets dropped by kernel

Note: this shows that tcpdump cannot capture locally generated packets that are dropped in OUTPUT; its capture point lies after that hook, so the dropped packets never reach it. The "Operation not permitted" error from sendmsg is the DROP verdict being returned to the sending socket as EPERM, which is why ping reports the failure immediately instead of waiting for a timeout.

# Log, then drop, all traffic
iptables -t raw -A OUTPUT -j LOG --log-prefix "OUTPUT" --log-level debug
iptables -t raw -A OUTPUT -j DROP
# ping an external host
[root@localhost ~]# ping -c 2 114.114.114.114
PING 114.114.114.114 (114.114.114.114) 56(84) bytes of data.
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted

--- 114.114.114.114 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1000ms
# iptables log: these are the packets that were dropped
[root@localhost ~]# dmesg
[ 2165.533923] OUTPUTIN= OUT=ens33 SRC=192.168.0.10 DST=114.114.114.114 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=36671 DF PROTO=ICMP TYPE=8 CODE=0 ID=5847 SEQ=1
[ 2166.534590] OUTPUTIN= OUT=ens33 SRC=192.168.0.10 DST=114.114.114.114 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=37172 DF PROTO=ICMP TYPE=8 CODE=0 ID=5847 SEQ=2
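The LOG rule above is how you get visibility into what tcpdump misses on the egress side. The following is an added example, not code from the original post: a small shell helper that pulls the packet fields out of netfilter LOG lines and tallies them per flow. The sample input is the two dmesg lines above plus one constructed, unrelated kernel message, included to show the prefix filter skipping it. Note that the post's prefix "OUTPUT" has no trailing space, so it runs straight into the `IN=` field; in practice use `--log-prefix "OUTPUT "`, though the parser below copes either way. If you would rather have tcpdump itself see the dropped packets, `-j NFLOG --nflog-group N` together with `tcpdump -i nflog:N` does that; the two commands are shown as comments and need root.

```shell
# Added example (not from the original post): parse netfilter LOG lines.

# nflog_fields [PREFIX]: read kernel-log lines on stdin, keep those that carry
# PREFIX (default OUTPUT), and print "OUT SRC DST PROTO TYPE/CODE" per packet.
nflog_fields() {
    awk -v pfx="${1:-OUTPUT}" '
        index($0, pfx) == 0 { next }            # not one of our LOG lines
        {
            split("", f)                        # reset the KEY=VALUE map per line
            for (i = 1; i <= NF; i++)
                if (split($i, kv, "=") == 2) f[kv[1]] = kv[2]
            printf "%s %s %s %s %s/%s\n", f["OUT"], f["SRC"], f["DST"], f["PROTO"], f["TYPE"], f["CODE"]
        }'
}

# nflog_tally [PREFIX]: count logged packets per "SRC -> DST PROTO".
nflog_tally() {
    nflog_fields "$1" |
        awk '{ c[$2 " -> " $3 " " $4]++ } END { for (k in c) print c[k], k }' |
        sort
}

# Sample input: the two dmesg lines from the post, plus one constructed
# unrelated kernel message that the prefix filter must skip.
sample_log() {
    cat <<'EOF'
[ 2165.533923] OUTPUTIN= OUT=ens33 SRC=192.168.0.10 DST=114.114.114.114 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=36671 DF PROTO=ICMP TYPE=8 CODE=0 ID=5847 SEQ=1
[ 2166.534590] OUTPUTIN= OUT=ens33 SRC=192.168.0.10 DST=114.114.114.114 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=37172 DF PROTO=ICMP TYPE=8 CODE=0 ID=5847 SEQ=2
[ 2170.102030] usb 1-1: new high-speed USB device number 2 using xhci_hcd
EOF
}

# Live use on the box (needs root):   dmesg | nflog_tally OUTPUT
# Alternative that keeps tcpdump in the loop, via its nflog pseudo-interface:
#   iptables -t raw -I OUTPUT 1 -p icmp -j NFLOG --nflog-group 5
#   tcpdump -i nflog:5 -n

sample_log | nflog_tally
```

Running the block prints `2 192.168.0.10 -> 114.114.114.114 ICMP`, one line per flow; the same functions work on `dmesg` or `journalctl -k` output, and a different prefix selects rules logged from other chains.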

POSTROUTING

# Drop all traffic (the raw table has no POSTROUTING chain, so mangle is used here)
iptables -t mangle -A POSTROUTING -j DROP
# ping an external host
[root@localhost ~]# ping -c 5 114.114.114.114
PING 114.114.114.114 (114.114.114.114) 56(84) bytes of data.
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted

--- 114.114.114.114 ping statistics ---
5 packets transmitted, 0 received, 100% packet loss, time 3999ms
[root@localhost ~]# tcpdump -i ens33 -p icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 65535 bytes
^C
0 packets captured
0 packets received by filter
0 packets dropped by kernel

Note: taken together, the OUTPUT and POSTROUTING results show that on the egress path tcpdump's capture point lies after POSTROUTING, so a packet dropped at either hook never reaches it, while the PREROUTING and INPUT results show that on the ingress path the capture point lies before PREROUTING, so a packet dropped at either of those hooks is still captured. The capture points are shown in the figure below.
[figure: tcpdump capture points relative to the iptables hooks; image not reproduced in this extraction]
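The four measurements above are one procedure repeated at four hooks: install a DROP, generate ICMP, and check whether tcpdump still reports the packets. The script below is an added example, not code from the original post, that repeats all four in one run. It differs from the post's commands in two ways a practitioner wants: it drops only ICMP (the post's bare `iptables -A INPUT -j DROP` also kills the SSH session you would run it from; the author was evidently on the console) and it removes each rule before installing the next, so the results do not mix. Assumptions that are not in the post: interface ens33, a LAN peer at 192.168.0.1 that answers ping (for the ingress hooks the script pings the peer and lets the reply be dropped, since it cannot make the Windows host ping us), and 114.114.114.114 as the egress target. The experiment needs root, tcpdump, iptables and coreutils `timeout`; the parsing and prediction helpers run without any of that.

```shell
#!/bin/sh
# Added example (not from the original post): re-run the post's four
# measurements, dropping only ICMP and cleaning up after each hook.
# Assumed values, override via environment: IFACE, PEER, TARGET.
IFACE=${IFACE:-ens33}
PEER=${PEER:-192.168.0.1}          # ingress tests: we ping it, its reply is dropped
TARGET=${TARGET:-114.114.114.114}  # egress tests: our request is dropped

# Print N from tcpdump's closing "N packets captured" line read on stdin
# (0 when the line is absent).
count_captured() {
    awk '/packets captured/ { n = $1 } END { print n + 0 }'
}

# The post's finding, used to label each run: the packet tap sits after the
# ingress hooks (dropped packets are still seen) and before the egress hooks
# (dropped packets never reach tcpdump).
expected_visible() {
    case "$1" in
        PREROUTING|INPUT)   echo yes ;;
        OUTPUT|POSTROUTING) echo no ;;
        *)                  echo unknown ;;
    esac
}

# run_case TABLE CHAIN: install an ICMP DROP in TABLE/CHAIN, capture the
# packet that should be dropped, ping, remove the rule, report the count.
run_case() {
    table=$1; chain=$2
    case "$chain" in
        PREROUTING|INPUT) host=$PEER;   filter="icmp[icmptype] == icmp-echoreply and src host $PEER" ;;
        *)                host=$TARGET; filter="icmp[icmptype] == icmp-echo and dst host $TARGET" ;;
    esac
    iptables -t "$table" -I "$chain" 1 -p icmp -j DROP
    trap "iptables -t $table -D $chain -p icmp -j DROP" EXIT   # always clean up
    timeout 8 tcpdump -i "$IFACE" -n -c 3 "$filter" >/dev/null 2>"/tmp/tcpdump.$chain" &
    sleep 1                                  # let tcpdump attach before we send
    ping -c 3 -W 1 "$host" >/dev/null 2>&1   # loss is expected in every case
    wait                                     # tcpdump prints its summary on exit
    iptables -t "$table" -D "$chain" -p icmp -j DROP
    trap - EXIT
    n=$(count_captured <"/tmp/tcpdump.$chain")
    echo "$table/$chain: tcpdump saw $n packet(s); post predicts visible=$(expected_visible "$chain")"
}

main() {
    run_case raw    PREROUTING
    run_case filter INPUT
    run_case raw    OUTPUT
    run_case mangle POSTROUTING
}

# Only run the experiment when asked to:  sudo sh capture_points.sh run
if [ "${1:-}" = run ]; then main; fi
```

With the post's setup the first two lines report a non-zero count and the last two report 0, matching the predicted column. Swap `-j DROP` for `-j NFLOG --nflog-group 5` and `-i "$IFACE"` for `-i nflog:5` if you want to confirm that the egress packets do exist and are simply dropped before the tap.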