这是一个创建于 1022 天前的主题,其中的信息可能已经有所发展或是发生改变。
这是目前设定的规则
table inet filter { chain input { type filter hook input priority filter; policy drop; ct state established,related counter accept ct state invalid counter packets drop ip protocol icmp accept icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-request, mld-listener-query, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept iifname "lo" counter packets 0 bytes 0 accept tcp dport xxx counter accept meta nftrace set 1 } chain ips { type filter hook input priority filter - 2; policy accept; ip saddr 1.1.1.1 counter accept } } 这是 tracing 调试日志( drop 日志)
trace id ab8ac050 inet filter ips packet: iif "eth0" ether saddr 00:2a:6a:a4:0c:c1 ether daddr 00:16:3e:73:d4:5a ip saddr 1.1.1.1 ip daddr 2.2.2.2 ip dscp 0x01 ip ecn not-ect ip ttl 113 ip id 4681 ip protocol tcp ip length 52 tcp sport 10551 tcp dport 23237 tcp flags == syn tcp window 64240 trace id ab8ac050 inet filter ips rule meta nftrace set 1 (verdict continue) trace id ab8ac050 inet filter ips verdict continue trace id ab8ac050 inet filter ips policy accept trace id ab8ac050 inet filter input packet: iif "eth0" ether saddr 00:2a:6a:a4:0c:c1 ether daddr 00:16:3e:73:d4:5a ip saddr 1.1.1.1 ip daddr 2.2.2.2 ip dscp 0x01 ip ecn not-ect ip ttl 113 ip id 4681 ip protocol tcp ip length 52 tcp sport 10551 tcp dport 23237 tcp flags == syn tcp window 64240 trace id ab8ac050 inet filter input rule meta nftrace set 1 (verdict continue) trace id ab8ac050 inet filter input verdict continue trace id ab8ac050 inet filter input policy drop 这是 tracing 调试日志( accept 日志)
trace id b1cb1361 inet filter ips packet: iif "eth0" ether saddr 00:2a:6a:a4:0c:c1 ether daddr 00:16:3e:73:d4:5a ip saddr 3.3.3.3 ip daddr 2.2.2.2 ip dscp 0x01 ip ecn not-ect ip ttl 113 ip id 19123 ip protocol tcp ip length 64 tcp sport 6678 tcp dport 23237 tcp flags == 0x18 tcp window 1026 trace id b1cb1361 inet filter ips rule meta nftrace set 1 (verdict continue) trace id b1cb1361 inet filter ips verdict continue trace id b1cb1361 inet filter ips policy accept trace id b1cb1361 inet filter input packet: iif "eth0" ether saddr 00:2a:6a:a4:0c:c1 ether daddr 00:16:3e:73:d4:5a ip saddr 3.3.3.3 ip daddr 2.2.2.2 ip dscp 0x01 ip ecn not-ect ip ttl 113 ip id 19123 ip protocol tcp ip length 64 tcp sport 6678 tcp dport 23237 tcp flags == 0x18 tcp window 1026 trace id b1cb1361 inet filter input rule ct state established,related counter packets 1262 bytes 160127 accept (verdict accept) 描述:3.3.3.3 已经通过 ssh 登录到 2.2.2.2 服务器,accept 日志最后检查 tcp 状态通过了防火墙 我的问题是:ips chain 里面的 IP 无法通过防火墙,请大佬指点!
第 1 条附言 2022-12-23 09:52:44 +08:00
已解决,使用 ip protocol tcp jump <chain name>
目前尚无回复
Select Language