Debugging network connectivity problems with iptables
2023-02-26
偷油考拉
1. Enable iptables logging
https://tecadmin.net/enable-logging-in-iptables-on-linux/
Netfilter kernel logging is off by default on CentOS 7; run the following to enable it:
# you may also need to run: modprobe ipt_LOG
modprobe nf_log_ipv4
sysctl net.netfilter.nf_log.2=nf_log_ipv4
Check the result with sysctl -a | grep nf_log or cat /proc/net/netfilter/nf_log.
Edit /etc/rsyslog.conf as shown below, then restart the rsyslog service.
#### RULES ####
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console
kern.* /var/log/iptables.log
2. Insert TRACE rules into the raw table
Run the following:
iptables -t raw -A PREROUTING -p tcp -m tcp --dport 3306 -j TRACE
iptables -t raw -A OUTPUT -p tcp -m tcp --dport 3306 -j TRACE
[root@VM-9-14-centos docker]# iptables -L -t raw -v
Chain PREROUTING (policy ACCEPT 2557 packets, 153K bytes)
pkts bytes target prot opt in out source destination
11 572 TRACE tcp -- any any anywhere anywhere tcp dpt:mysql
Chain OUTPUT (policy ACCEPT 3161 packets, 192K bytes)
pkts bytes target prot opt in out source destination
11 572 TRACE tcp -- any any anywhere anywhere tcp dpt:mysql
3. Watch the log
tail -f /var/log/iptables.log
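The TRACE lines that tail -f shows are verbose; the following added example (not from the original post) reduces them to the packet's path through tables and chains, so the rule or policy that decided the packet's fate stands out. The log format ("TRACE: table:chain:type:rulenum IN=... SRC=... DPT=...") and the sample lines are assumed and constructed.

```shell
#!/bin/sh
# Added example: summarise iptables TRACE log lines into a packet's path.
# Assumed line format (legacy iptables TRACE target via nf_log_ipv4):
#   ... kernel: TRACE: <table>:<chain>:<rule|return|policy>:<num> IN=... SRC=... DST=... PROTO=TCP SPT=... DPT=...

# Constructed sample of /var/log/iptables.log (hosts and addresses are made up).
SAMPLE_LOG='Feb 26 10:00:01 vm kernel: TRACE: raw:PREROUTING:policy:2 IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.14 PROTO=TCP SPT=51234 DPT=3306 SYN
Feb 26 10:00:01 vm kernel: TRACE: nat:PREROUTING:policy:1 IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.14 PROTO=TCP SPT=51234 DPT=3306 SYN
Feb 26 10:00:01 vm kernel: TRACE: filter:INPUT:rule:3 IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.14 PROTO=TCP SPT=51234 DPT=3306 SYN
Feb 26 10:00:05 vm kernel: TRACE: raw:OUTPUT:policy:2 IN= OUT=eth0 SRC=10.0.0.14 DST=10.0.0.20 PROTO=TCP SPT=44444 DPT=22 SYN'

# trace_path DPORT [SRC]: read log lines on stdin and print one
# "table:chain:type:rulenum" hop per line for packets whose DPT (and,
# optionally, SRC) match. Hops appear in the order the packet traversed them.
trace_path() {
    dport=$1; src=${2:-}
    grep 'TRACE:' | awk -v dport="$dport" -v src="$src" '{
        hop = ""; d = ""; s = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "TRACE:")             hop = $(i + 1)
            else if (index($i, "DPT=") == 1) d = substr($i, 5)
            else if (index($i, "SRC=") == 1) s = substr($i, 5)
        }
        if (d == dport && (src == "" || s == src)) print hop
    }'
}

# last_hop DPORT [SRC]: the final hop seen for that traffic. A trailing
# "table:chain:rule:N" means rule N of that chain matched with a terminating
# target (e.g. DROP, REJECT or ACCEPT); a trailing "policy" hop means the chain's
# default policy applied. Inspect it with:
#   iptables -t <table> -L <chain> -v -n --line-numbers
last_hop() { trace_path "$@" | tail -n 1; }

# Stand-alone run: path of the constructed MySQL (3306) connection attempt.
printf '%s\n' "$SAMPLE_LOG" | trace_path 3306
```

In practice replace the constructed SAMPLE_LOG with `tail -n 200 /var/log/iptables.log | trace_path 3306 <client-ip>` to see where a real connection stops.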
4. Turn tracing off
[root@VM-9-14-centos ~]# iptables -L -t raw -v --line-number
Chain PREROUTING (policy ACCEPT 4906 packets, 1460K bytes)
num pkts bytes target prot opt in out source destination
1 984 126K TRACE tcp -- any any anywhere anywhere tcp dpt:mysql
Chain OUTPUT (policy ACCEPT 2760 packets, 1873K bytes)
num pkts bytes target prot opt in out source destination
1 0 0 TRACE tcp -- any any anywhere anywhere tcp dpt:mysql
Run the following, using the rule numbers shown above:
iptables -t raw -D PREROUTING 1
iptables -t raw -D OUTPUT 1
[root@VM-9-14-centos ~]# iptables -t raw -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination