Why does accessing a local port go through netfilter POSTROUTING? [closed]


Environment:

[root@VM-32-4-centos ~]# uname -r
3.10.0-514.26.2.el7.x86_64

I set up log output in the following chains:

[root@VM-32-4-centos ~]# iptables -A INPUT -p tcp --dport 8000 -j LOG --log-prefix "INPUT DPORT 8000 LOGS: "
[root@VM-32-4-centos ~]# iptables -A INPUT -p tcp --sport 8000 -j LOG --log-prefix "INPUT SPORT 8000 LOGS: "
[root@VM-32-4-centos ~]# iptables -A OUTPUT -p tcp --dport 8000 -j LOG --log-prefix "OUTPUT DPORT 8000 LOGS: "
[root@VM-32-4-centos ~]# iptables -A OUTPUT -p tcp --sport 8000 -j LOG --log-prefix "OUTPUT SPORT 8000 LOGS: "
[root@VM-32-4-centos ~]# iptables -t nat -A POSTROUTING -p tcp --sport 8000 -j LOG --log-prefix "POSTROUTING SPORT 8000 LOGS: "
[root@VM-32-4-centos ~]# iptables -t nat -A POSTROUTING -p tcp --dport 8000 -j LOG --log-prefix "POSTROUTING DPORT 8000 LOGS: "

Then I ran the telnet command:

telnet 127.0.0.1 8000

tail -f /var/log/message shows the following:

May  2 23:54:47 VM-32-4-centos kernel: OUTPUT DPORT 8000 LOGS: IN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=6163 DF PROTO=TCP SPT=51096 DPT=8000 WINDOW=43690 RES=0x00 SYN URGP=0 
May  2 23:54:47 VM-32-4-centos kernel: POSTROUTING DPORT 8000 LOGS: IN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=6163 DF PROTO=TCP SPT=51096 DPT=8000 WINDOW=43690 RES=0x00 SYN URGP=0 
May  2 23:54:47 VM-32-4-centos kernel: INPUT DPORT 8000 LOGS: IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=6163 DF PROTO=TCP SPT=51096 DPT=8000 WINDOW=43690 RES=0x00 SYN URGP=0 
May  2 23:54:47 VM-32-4-centos kernel: OUTPUT SPORT 8000 LOGS: IN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=8000 DPT=51096 WINDOW=43690 RES=0x00 ACK SYN URGP=0 
May  2 23:54:47 VM-32-4-centos kernel: INPUT SPORT 8000 LOGS: IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=8000 DPT=51096 WINDOW=43690 RES=0x00 ACK SYN URGP=0 
May  2 23:54:47 VM-32-4-centos kernel: OUTPUT DPORT 8000 LOGS: IN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 LEN=52 TOS=0x10 PREC=0x00 TTL=64 ID=6164 DF PROTO=TCP SPT=51096 DPT=8000 WINDOW=342 RES=0x00 ACK URGP=0 
May  2 23:54:47 VM-32-4-centos kernel: INPUT DPORT 8000 LOGS: IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=52 TOS=0x10 PREC=0x00 TTL=64 ID=6164 DF PROTO=TCP SPT=51096 DPT=8000 WINDOW=342 RES=0x00 ACK URGP=0 

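For local access, why does the SYN packet go through POSTROUTING?

And the ACK+SYN packet does not go through POSTROUTING?

Why is this the case, and is there any related documentation?

Thanks.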

linux linux-kernel iptables netfilter
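
Added example, not part of the original question: it groups the kernel LOG lines above by packet and lists the chains in which each packet was logged, so the asymmetry (only the SYN carries the POSTROUTING prefix) can be checked mechanically. The nat table is consulted only for the packet that creates a new conntrack entry, which is why the `-t nat` rules log the initial SYN and not the replies; the function names are this example's own, and the sample lines are the question's log lines with some fields trimmed.

```python
import re

# Sample input: the seven log lines from the question, trimmed to the fields
# the parser needs (LEN, TOS, PREC, TTL, MAC and WINDOW removed).
SAMPLE_LOG = """\
May  2 23:54:47 VM-32-4-centos kernel: OUTPUT DPORT 8000 LOGS: IN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 ID=6163 DF PROTO=TCP SPT=51096 DPT=8000 RES=0x00 SYN URGP=0
May  2 23:54:47 VM-32-4-centos kernel: POSTROUTING DPORT 8000 LOGS: IN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 ID=6163 DF PROTO=TCP SPT=51096 DPT=8000 RES=0x00 SYN URGP=0
May  2 23:54:47 VM-32-4-centos kernel: INPUT DPORT 8000 LOGS: IN=lo OUT= SRC=127.0.0.1 DST=127.0.0.1 ID=6163 DF PROTO=TCP SPT=51096 DPT=8000 RES=0x00 SYN URGP=0
May  2 23:54:47 VM-32-4-centos kernel: OUTPUT SPORT 8000 LOGS: IN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 ID=0 DF PROTO=TCP SPT=8000 DPT=51096 RES=0x00 ACK SYN URGP=0
May  2 23:54:47 VM-32-4-centos kernel: INPUT SPORT 8000 LOGS: IN=lo OUT= SRC=127.0.0.1 DST=127.0.0.1 ID=0 DF PROTO=TCP SPT=8000 DPT=51096 RES=0x00 ACK SYN URGP=0
May  2 23:54:47 VM-32-4-centos kernel: OUTPUT DPORT 8000 LOGS: IN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 ID=6164 DF PROTO=TCP SPT=51096 DPT=8000 RES=0x00 ACK URGP=0
May  2 23:54:47 VM-32-4-centos kernel: INPUT DPORT 8000 LOGS: IN=lo OUT= SRC=127.0.0.1 DST=127.0.0.1 ID=6164 DF PROTO=TCP SPT=51096 DPT=8000 RES=0x00 ACK URGP=0
"""

# The first word of each --log-prefix used in the question is the chain name.
# The prefix does not record the table: INPUT/OUTPUT rules were added to the
# default filter table, the POSTROUTING rules to the nat table.
LINE_RE = re.compile(
    r"kernel: (?P<chain>[A-Z]+) [SD]PORT \d+ LOGS: .*?"
    r"ID=(?P<id>\d+) .*?SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+) .*?"
    r"RES=0x[0-9a-fA-F]+ (?P<flags>[A-Z ]+?) URGP="
)


def chains_per_packet(log_text):
    """Map each packet (flags, ports, IP ID) to the chains that logged it, in order."""
    seen = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not one of the LOG-rule lines
        key = "{flags} {spt}->{dpt} ID={id}".format(**m.groupdict())
        seen.setdefault(key, []).append(m.group("chain"))
    return seen


def missing_from_postrouting(log_text):
    """Packets that were logged somewhere but never by the nat POSTROUTING rules."""
    return [pkt for pkt, chains in chains_per_packet(log_text).items()
            if "POSTROUTING" not in chains]


if __name__ == "__main__":
    for pkt, chains in chains_per_packet(SAMPLE_LOG).items():
        print(f"{pkt:28s} {' -> '.join(chains)}")
    print("not seen in nat POSTROUTING:", missing_from_postrouting(SAMPLE_LOG))
```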