For some reason my network hit a "Destination unreachable, no route to host" error. The error occurred periodically, and I later found out that it was a bug in my own program.
During that period, however, I noticed a strange problem: if I started ping while the network was healthy, the ping could keep working even after the network developed a routing problem. Using iptables TRACE I found that the running ping process was going through the following iptables rules:
raw:PREROUTING:policy:2
nat:PREROUTING:policy:1
filter:FORWARD:rule:1
filter:FABEDGE-FORWARD:rule:1
nat:POSTROUTING:rule:1
nat:FABEDGE-NAT-OUTGOING:rule:2
nat:POSTROUTING:policy:2
raw:PREROUTING:policy:2
filter:FORWARD:rule:1
filter:FABEDGE-FORWARD:rule:1
raw:PREROUTING:policy:2
filter:FORWARD:rule:1
filter:FABEDGE-FORWARD:rule:1
raw:PREROUTING:policy:2
filter:FORWARD:rule:1
filter:FABEDGE-FORWARD:rule:1
As you can see, when the first ICMP6 packet is processed the following rules are applied:
raw:PREROUTING:policy:2
nat:PREROUTING:policy:1
filter:FORWARD:rule:1
filter:FABEDGE-FORWARD:rule:1
nat:POSTROUTING:rule:1
nat:FABEDGE-NAT-OUTGOING:rule:2
nat:POSTROUTING:policy:2
The subsequent ICMP6 packets are processed with a different set of rules:
raw:PREROUTING:policy:2
filter:FORWARD:rule:1
filter:FABEDGE-FORWARD:rule:1
It seems to skip all of the nat table rules. I don't know why this happens. Shouldn't every ICMP6 packet go through the same rules?
I should mention that these packets will traverse a VPN tunnel created by a Strongswan process. I don't think that affects iptables.
My iptables rules are as follows:
ip6tables -t raw -S
-P PREROUTING ACCEPT
-P OUTPUT ACCEPT
-A PREROUTING -s fd96:ee88:2:2::/64 -j TRACE
[root@edge1 ~]# ip6tables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N FABEDGE-FORWARD
-A FORWARD -j FABEDGE-FORWARD
-A FABEDGE-FORWARD -s fd96:ee88:2:2::/64 -j ACCEPT
-A FABEDGE-FORWARD -d fd96:ee88:2:2::/64 -j ACCEPT
ip6tables -t nat -S
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-N FABEDGE-NAT-OUTGOING
-A POSTROUTING -j FABEDGE-NAT-OUTGOING
-A FABEDGE-NAT-OUTGOING -m set --match-set FABEDGE-LOOP-BACK6 dst,dst,src -j MASQUERADE
-A FABEDGE-NAT-OUTGOING -s fd96:ee88:2:2::/64 -m set --match-set FABEDGE-PEER-CIDR6 dst -j RETURN
-A FABEDGE-NAT-OUTGOING -s fd96:ee88:2:2::/64 -d fd96:ee88:2:2::/64 -j RETURN
-A FABEDGE-NAT-OUTGOING -s fd96:ee88:2:2::/64 -j MASQUERADE
A more detailed iptables trace:
[505397.327144] TRACE: raw:PREROUTING:policy:2 IN=br-fabedge OUT= PHYSIN=veth74551420 MAC=ce:3f:04:b1:31:31:ee:13:75:3e:4c:14:86:dd SRC=fd96:ee88:0002:0002:0000:0000:0000:000e DST=fd96:ee88:0000:0001:0000:0000:0000:0025 LEN=104 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=ICMPv6 TYPE=128 CODE=0 ID=3889 SEQ=1
[505397.327183] TRACE: nat:PREROUTING:policy:1 IN=br-fabedge OUT= PHYSIN=veth74551420 MAC=ce:3f:04:b1:31:31:ee:13:75:3e:4c:14:86:dd SRC=fd96:ee88:0002:0002:0000:0000:0000:000e DST=fd96:ee88:0000:0001:0000:0000:0000:0025 LEN=104 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=ICMPv6 TYPE=128 CODE=0 ID=3889 SEQ=1
[505397.327207] TRACE: filter:FORWARD:rule:1 IN=br-fabedge OUT=eth0 PHYSIN=veth74551420 MAC=ce:3f:04:b1:31:31:ee:13:75:3e:4c:14:86:dd SRC=fd96:ee88:0002:0002:0000:0000:0000:000e DST=fd96:ee88:0000:0001:0000:0000:0000:0025 LEN=104 TC=0 HOPLIMIT=63 FLOWLBL=0 PROTO=ICMPv6 TYPE=128 CODE=0 ID=3889 SEQ=1
[505397.327215] TRACE: filter:FABEDGE-FORWARD:rule:1 IN=br-fabedge OUT=eth0 PHYSIN=veth74551420 MAC=ce:3f:04:b1:31:31:ee:13:75:3e:4c:14:86:dd SRC=fd96:ee88:0002:0002:0000:0000:0000:000e DST=fd96:ee88:0000:0001:0000:0000:0000:0025 LEN=104 TC=0 HOPLIMIT=63 FLOWLBL=0 PROTO=ICMPv6 TYPE=128 CODE=0 ID=3889 SEQ=1
[505397.327223] TRACE: nat:POSTROUTING:rule:1 IN= OUT=eth0 PHYSIN=veth74551420 SRC=fd96:ee88:0002:0002:0000:0000:0000:000e DST=fd96:ee88:0000:0001:0000:0000:0000:0025 LEN=104 TC=0 HOPLIMIT=63 FLOWLBL=0 PROTO=ICMPv6 TYPE=128 CODE=0 ID=3889 SEQ=1
[505397.327241] TRACE: nat:FABEDGE-NAT-OUTGOING:rule:2 IN= OUT=eth0 PHYSIN=veth74551420 SRC=fd96:ee88:0002:0002:0000:0000:0000:000e DST=fd96:ee88:0000:0001:0000:0000:0000:0025 LEN=104 TC=0 HOPLIMIT=63 FLOWLBL=0 PROTO=ICMPv6 TYPE=128 CODE=0 ID=3889 SEQ=1
[505397.327246] TRACE: nat:POSTROUTING:policy:2 IN= OUT=eth0 PHYSIN=veth74551420 SRC=fd96:ee88:0002:0002:0000:0000:0000:000e DST=fd96:ee88:0000:0001:0000:0000:0000:0025 LEN=104 TC=0 HOPLIMIT=63 FLOWLBL=0 PROTO=ICMPv6 TYPE=128 CODE=0 ID=3889 SEQ=1
[505398.328257] TRACE: raw:PREROUTING:policy:2 IN=br-fabedge OUT= PHYSIN=veth74551420 MAC=ce:3f:04:b1:31:31:ee:13:75:3e:4c:14:86:dd SRC=fd96:ee88:0002:0002:0000:0000:0000:000e DST=fd96:ee88:0000:0001:0000:0000:0000:0025 LEN=104 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=ICMPv6 TYPE=128 CODE=0 ID=3889 SEQ=2
[505398.328290] TRACE: filter:FORWARD:rule:1 IN=br-fabedge OUT=eth0 PHYSIN=veth74551420 MAC=ce:3f:04:b1:31:31:ee:13:75:3e:4c:14:86:dd SRC=fd96:ee88:0002:0002:0000:0000:0000:000e DST=fd96:ee88:0000:0001:0000:0000:0000:0025 LEN=104 TC=0 HOPLIMIT=63 FLOWLBL=0 PROTO=ICMPv6 TYPE=128 CODE=0 ID=3889 SEQ=2
[505398.328299] TRACE: filter:FABEDGE-FORWARD:rule:1 IN=br-fabedge OUT=eth0 PHYSIN=veth74551420 MAC=ce:3f:04:b1:31:31:ee:13:75:3e:4c:14:86:dd SRC=fd96:ee88:0002:0002:0000:0000:0000:000e DST=fd96:ee88:0000:0001:0000:0000:0000:0025 LEN=104 TC=0 HOPLIMIT=63 FLOWLBL=0 PROTO=ICMPv6 TYPE=128 CODE=0 ID=3889 SEQ=2
[505399.329386] TRACE: raw:PREROUTING:policy:2 IN=br-fabedge OUT= PHYSIN=veth74551420 MAC=ce:3f:04:b1:31:31:ee:13:75:3e:4c:14:86:dd SRC=fd96:ee88:0002:0002:0000:0000:0000:000e DST=fd96:ee88:0000:0001:0000:0000:0000:0025 LEN=104 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=ICMPv6 TYPE=128 CODE=0 ID=3889 SEQ=3
[505399.329431] TRACE: filter:FORWARD:rule:1 IN=br-fabedge OUT=eth0 PHYSIN=veth74551420 MAC=ce:3f:04:b1:31:31:ee:13:75:3e:4c:14:86:dd SRC=fd96:ee88:0002:0002:0000:0000:0000:000e DST=fd96:ee88:0000:0001:0000:0000:0000:0025 LEN=104 TC=0 HOPLIMIT=63 FLOWLBL=0 PROTO=ICMPv6 TYPE=128 CODE=0 ID=3889 SEQ=3
[505399.329440] TRACE: filter:FABEDGE-FORWARD:rule:1 IN=br-fabedge OUT=eth0 PHYSIN=veth74551420 MAC=ce:3f:04:b1:31:31:ee:13:75:3e:4c:14:86:dd SRC=fd96:ee88:0002:0002:0000:0000:0000:000e DST=fd96:ee88:0000:0001:0000:0000:0000:0025 LEN=104 TC=0 HOPLIMIT=63 FLOWLBL=0 PROTO=ICMPv6 TYPE=128 CODE=0 ID=3889 SEQ=3
[505400.329280] TRACE: raw:PREROUTING:policy:2 IN=br-fabedge OUT= PHYSIN=veth74551420 MAC=ce:3f:04:b1:31:31:ee:13:75:3e:4c:14:86:dd SRC=fd96:ee88:0002:0002:0000:0000:0000:000e DST=fd96:ee88:0000:0001:0000:0000:0000:0025 LEN=104 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=ICMPv6 TYPE=128 CODE=0 ID=3889 SEQ=4
[505400.329315] TRACE: filter:FORWARD:rule:1 IN=br-fabedge OUT=eth0 PHYSIN=veth74551420 MAC=ce:3f:04:b1:31:31:ee:13:75:3e:4c:14:86:dd SRC=fd96:ee88:0002:0002:0000:0000:0000:000e DST=fd96:ee88:0000:0001:0000:0000:0000:0025 LEN=104 TC=0 HOPLIMIT=63 FLOWLBL=0 PROTO=ICMPv6 TYPE=128 CODE=0 ID=3889 SEQ=4
[505400.329324] TRACE: filter:FABEDGE-FORWARD:rule:1 IN=br-fabedge OUT=eth0 PHYSIN=veth74551420 MAC=ce:3f:04:b1:31:31:ee:13:75:3e:4c:14:86:dd SRC=fd96:ee88:0002:0002:0000:0000:0000:000e DST=fd96:ee88:0000:0001:0000:0000:0000:0025 LEN=104 TC=0 HOPLIMIT=63 FLOWLBL=0 PROTO=ICMPv6 TYPE=128 CODE=0 ID=3889 SEQ=4
Answer 1
According to this question, the nat rules seem to be applied only to the initial packet: https://serverfault.com/questions/741104/iptables-redirect-works-only-for-first-packet
Here is another explanation:
The NAT chain type allows you to perform NAT. This chain type has special semantics:
The first packet of a flow is used to look up a matching rule which sets up the NAT binding for the flow. The first packet is also mangled accordingly.
Subsequent packets of the flow do not go through rule lookup. The NAT engine mangles the packets using the NAT binding information already set up by the first packet.
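The behaviour the answer describes is visible in the kernel TRACE output once the lines are grouped by conntrack flow: only the first packet of the flow shows nat:PREROUTING / nat:POSTROUTING hits, every later packet shows raw and filter hits only. The following script is an added example, not code from the original post or from the FabEdge project; it parses TRACE lines of the format shown above, approximates the conntrack tuple (for ICMPv6 echo: addresses, type/code and echo ID; for TCP/UDP: addresses and ports, an assumption about conntrack's keying), and reports which packets of each flow were actually looked up in the nat table. The sample lines are copied from the trace above with the PHYSIN/MAC fields dropped for brevity.

```python
"""Group netfilter TRACE log lines by conntrack flow and report which packets
of each flow went through the nat table.  Added example, not the post's own
code.  SAMPLE_TRACE is constructed from the trace in the question."""
import re
from collections import defaultdict

TRACE_RE = re.compile(
    r"\[\s*(?P<ts>\d+\.\d+)\]\s+TRACE:\s+"
    r"(?P<table>\w+):(?P<chain>[\w-]+):(?P<kind>rule|policy|return):(?P<num>\d+)"
    r"(?P<fields>.*)$"
)
FIELD_RE = re.compile(r"(\w+)=(\S*)")

# Constructed sample: first echo request (SEQ=1) and second (SEQ=2) from the post.
SAMPLE_TRACE = """\
[505397.327144] TRACE: raw:PREROUTING:policy:2 IN=br-fabedge OUT= SRC=fd96:ee88:0002:0002:0000:0000:0000:000e DST=fd96:ee88:0000:0001:0000:0000:0000:0025 LEN=104 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=ICMPv6 TYPE=128 CODE=0 ID=3889 SEQ=1
[505397.327183] TRACE: nat:PREROUTING:policy:1 IN=br-fabedge OUT= SRC=fd96:ee88:0002:0002:0000:0000:0000:000e DST=fd96:ee88:0000:0001:0000:0000:0000:0025 LEN=104 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=ICMPv6 TYPE=128 CODE=0 ID=3889 SEQ=1
[505397.327207] TRACE: filter:FORWARD:rule:1 IN=br-fabedge OUT=eth0 SRC=fd96:ee88:0002:0002:0000:0000:0000:000e DST=fd96:ee88:0000:0001:0000:0000:0000:0025 LEN=104 TC=0 HOPLIMIT=63 FLOWLBL=0 PROTO=ICMPv6 TYPE=128 CODE=0 ID=3889 SEQ=1
[505397.327215] TRACE: filter:FABEDGE-FORWARD:rule:1 IN=br-fabedge OUT=eth0 SRC=fd96:ee88:0002:0002:0000:0000:0000:000e DST=fd96:ee88:0000:0001:0000:0000:0000:0025 LEN=104 TC=0 HOPLIMIT=63 FLOWLBL=0 PROTO=ICMPv6 TYPE=128 CODE=0 ID=3889 SEQ=1
[505397.327223] TRACE: nat:POSTROUTING:rule:1 IN= OUT=eth0 SRC=fd96:ee88:0002:0002:0000:0000:0000:000e DST=fd96:ee88:0000:0001:0000:0000:0000:0025 LEN=104 TC=0 HOPLIMIT=63 FLOWLBL=0 PROTO=ICMPv6 TYPE=128 CODE=0 ID=3889 SEQ=1
[505397.327241] TRACE: nat:FABEDGE-NAT-OUTGOING:rule:2 IN= OUT=eth0 SRC=fd96:ee88:0002:0002:0000:0000:0000:000e DST=fd96:ee88:0000:0001:0000:0000:0000:0025 LEN=104 TC=0 HOPLIMIT=63 FLOWLBL=0 PROTO=ICMPv6 TYPE=128 CODE=0 ID=3889 SEQ=1
[505397.327246] TRACE: nat:POSTROUTING:policy:2 IN= OUT=eth0 SRC=fd96:ee88:0002:0002:0000:0000:0000:000e DST=fd96:ee88:0000:0001:0000:0000:0000:0025 LEN=104 TC=0 HOPLIMIT=63 FLOWLBL=0 PROTO=ICMPv6 TYPE=128 CODE=0 ID=3889 SEQ=1
[505398.328257] TRACE: raw:PREROUTING:policy:2 IN=br-fabedge OUT= SRC=fd96:ee88:0002:0002:0000:0000:0000:000e DST=fd96:ee88:0000:0001:0000:0000:0000:0025 LEN=104 TC=0 HOPLIMIT=64 FLOWLBL=0 PROTO=ICMPv6 TYPE=128 CODE=0 ID=3889 SEQ=2
[505398.328290] TRACE: filter:FORWARD:rule:1 IN=br-fabedge OUT=eth0 SRC=fd96:ee88:0002:0002:0000:0000:0000:000e DST=fd96:ee88:0000:0001:0000:0000:0000:0025 LEN=104 TC=0 HOPLIMIT=63 FLOWLBL=0 PROTO=ICMPv6 TYPE=128 CODE=0 ID=3889 SEQ=2
[505398.328299] TRACE: filter:FABEDGE-FORWARD:rule:1 IN=br-fabedge OUT=eth0 SRC=fd96:ee88:0002:0002:0000:0000:0000:000e DST=fd96:ee88:0000:0001:0000:0000:0000:0025 LEN=104 TC=0 HOPLIMIT=63 FLOWLBL=0 PROTO=ICMPv6 TYPE=128 CODE=0 ID=3889 SEQ=2
"""


def parse_trace_line(line):
    """Return a dict for one TRACE line (timestamp, table, chain, kind, rule
    number and the KEY=VALUE fields), or None for any other line."""
    m = TRACE_RE.search(line)
    if not m:
        return None
    rec = {k: m.group(k) for k in ("ts", "table", "chain", "kind", "num")}
    rec["fields"] = dict(FIELD_RE.findall(m.group("fields")))
    return rec


def flow_key(fields):
    """Approximate the conntrack tuple.  Assumption: ICMP/ICMPv6 echo is keyed
    on src, dst, type, code and echo ID; TCP/UDP on src, dst and ports."""
    proto = fields.get("PROTO", "")
    if proto in ("ICMP", "ICMPv6"):
        return (proto, fields.get("SRC"), fields.get("DST"),
                fields.get("TYPE"), fields.get("CODE"), fields.get("ID"))
    return (proto, fields.get("SRC"), fields.get("DST"),
            fields.get("SPT"), fields.get("DPT"))


def packet_key(rec):
    """Identify one packet across its several TRACE lines: the echo SEQ for
    ICMP, otherwise the kernel timestamp rounded to 10 ms (assumption: all
    hooks for one packet fire inside that window)."""
    fields = rec["fields"]
    if "SEQ" in fields:
        return fields["SEQ"]
    return str(round(float(rec["ts"]), 2))


def group_trace(lines):
    """flow tuple -> packet id -> ordered list of 'table:chain:kind:num' hits."""
    flows = defaultdict(lambda: defaultdict(list))
    for line in lines:
        rec = parse_trace_line(line)
        if rec is None:
            continue
        hit = f"{rec['table']}:{rec['chain']}:{rec['kind']}:{rec['num']}"
        flows[flow_key(rec["fields"])][packet_key(rec)].append(hit)
    return flows


def packets_through_nat(packet_hits):
    """Packet ids of a flow that were looked up in the nat table at all."""
    return [pkt for pkt, hits in packet_hits.items()
            if any(h.startswith("nat:") for h in hits)]


def report(text):
    """Per flow: (all packet ids, packet ids that traversed nat chains)."""
    out = {}
    for flow, packet_hits in group_trace(text.splitlines()).items():
        out[flow] = (list(packet_hits), packets_through_nat(packet_hits))
    return out


if __name__ == "__main__":
    for flow, (packets, nat_packets) in report(SAMPLE_TRACE).items():
        print("flow", flow)
        print("  packets seen      :", packets)
        print("  nat lookups done  :", nat_packets)
```

For the constructed sample the script reports packets ['1', '2'] and nat lookups only for '1'. On a live box the same binding can be inspected with `conntrack -L -p icmpv6` and, if you need the next packet to be treated as a new flow again (for instance after changing the nat rules), dropped with `conntrack -F` or `conntrack -D` with a matching tuple; note that flushing also discards the NAT decision for every other tracked flow on the host.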