tcpdump与iptables关系

北邮郭大宝 2022-03-11 阅读 104

iptables与tcpdump

PREROUTING

# Drop every incoming packet at the earliest netfilter hook: the raw table's
# PREROUTING chain. Packets are still seen by tcpdump, which taps the interface
# before any netfilter table runs.
# NOTE: this also drops the administrator's own remote session; run it from a
# console or lab VM and remove it afterwards with:
#   iptables --table raw --flush PREROUTING
iptables --table raw --append PREROUTING --jump DROP

# 设置截取流量
[root@localhost ~]# tcpdump  -i ens33 -nvv
tcpdump: listening on ens33, link-type EN10MB (Ethernet), capture size 65535 bytes
07:30:30.928282 IP (tos 0x0, ttl 128, id 7588, offset 0, flags [none], proto ICMP (1), length 60)
    192.168.0.1 > 192.168.0.10: ICMP echo request, id 1, seq 239, length 40
07:30:35.598637 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.0.10 (00:0c:29:c5:cf:55) tell 192.168.0.1, length 46
07:30:35.598650 ARP, Ethernet (len 6), IPv4 (len 4), Reply 192.168.0.10 is-at 00:0c:29:c5:cf:55, length 28
07:30:35.614367 IP (tos 0x0, ttl 128, id 7589, offset 0, flags [none], proto ICMP (1), length 60)
    192.168.0.1 > 192.168.0.10: ICMP echo request, id 1, seq 240, length 40
07:30:40.614645 IP (tos 0x0, ttl 128, id 7590, offset 0, flags [none], proto ICMP (1), length 60)
    192.168.0.1 > 192.168.0.10: ICMP echo request, id 1, seq 241, length 40
07:30:45.611265 IP (tos 0x0, ttl 128, id 7591, offset 0, flags [none], proto ICMP (1), length 60)
    192.168.0.1 > 192.168.0.10: ICMP echo request, id 1, seq 242, length 40

# ping
[C:\~]$ ping 192.168.0.10
正在 Ping 192.168.0.10 具有 32 字节的数据:
请求超时。
请求超时。
请求超时。
请求超时。
192.168.0.10 的 Ping 统计信息:
    数据包: 已发送 = 4,已接收 = 0,丢失 = 4 (100% 丢失)

注：tcpdump抓取流量的位置在raw表的PREROUTING规则之前（raw表的PREROUTING是最先执行的，自然也就优先于其他表的PREROUTING规则）。

INPUT

# Drop every packet that reaches the INPUT chain (filter table, the default
# when --table is omitted). The capture above still shows the ICMP requests:
# tcpdump reads them before they enter INPUT.
# NOTE: blocks the remote admin session as well; test from a console or lab
# VM and clear the rule afterwards with: iptables --flush INPUT
iptables --append INPUT --jump DROP

# 设置截取流量
[root@localhost ~]# tcpdump -i ens33 -nvv 
tcpdump: listening on ens33, link-type EN10MB (Ethernet), capture size 65535 bytes
07:20:35.414347 IP (tos 0x0, ttl 128, id 7576, offset 0, flags [none], proto ICMP (1), length 60)
    192.168.0.1 > 192.168.0.10: ICMP echo request, id 1, seq 227, length 40
07:20:39.598197 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.0.103 tell 192.168.0.1, length 46
07:20:40.113281 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 192.168.0.10 (00:0c:29:c5:cf:55) tell 192.168.0.1, length 46
07:20:40.113299 ARP, Ethernet (len 6), IPv4 (len 4), Reply 192.168.0.10 is-at 00:0c:29:c5:cf:55, length 28
07:20:40.113324 IP (tos 0x0, ttl 128, id 7577, offset 0, flags [none], proto ICMP (1), length 60)
    192.168.0.1 > 192.168.0.10: ICMP echo request, id 1, seq 228, length 40
07:20:45.109188 IP (tos 0x0, ttl 128, id 7578, offset 0, flags [none], proto ICMP (1), length 60)
    192.168.0.1 > 192.168.0.10: ICMP echo request, id 1, seq 229, length 40
07:20:48.446869 IP (tos 0x0, ttl 1, id 57748, offset 0, flags [none], proto UDP (17), length 88)

# ping
[C:\~]$ ping 192.168.0.10
正在 Ping 192.168.0.10 具有 32 字节的数据:
请求超时。
请求超时。
请求超时。
请求超时。
192.168.0.10 的 Ping 统计信息:
    数据包: 已发送 = 4,已接收 = 0,丢失 = 4 (100% 丢失)

注：由此可见，tcpdump抓取的是进入INPUT链之前的流量。

OUTPUT

# Drop every locally generated packet at the raw table's OUTPUT chain.
# ping reports "sendmsg: Operation not permitted" and tcpdump captures
# nothing, because the outbound capture point lies after OUTPUT.
# Clear afterwards with: iptables --table raw --flush OUTPUT
iptables --table raw --append OUTPUT --jump DROP

# ping外网
[root@localhost ~]# ping 114.114.114.114
PING 114.114.114.114 (114.114.114.114) 56(84) bytes of data.
ping: sendmsg: 不允许的操作
ping: sendmsg: 不允许的操作
ping: sendmsg: 不允许的操作


# 抓取流量
[root@localhost ~]# tcpdump -i ens33 -nvv -p icmp
tcpdump: listening on ens33, link-type EN10MB (Ethernet), capture size 65535 bytes
^C
0 packets captured
0 packets received by filter
0 packets dropped by kernel

注：由此可见，tcpdump抓不到在OUTPUT链被DROP掉的流量，也就是说出向流量的抓取点位于OUTPUT之后。

# Log, then drop, every locally generated packet at raw/OUTPUT, so the
# kernel log (dmesg) shows exactly which packets never reached the wire.
# The prefix has no trailing space, which is why dmesg prints "OUTPUTIN= OUT=...";
# a prefix of "OUTPUT " would keep the fields separated.
# Clear afterwards with: iptables --table raw --flush OUTPUT
iptables --table raw --append OUTPUT --jump LOG --log-prefix "OUTPUT" --log-level debug
iptables --table raw --append OUTPUT --jump DROP

# ping 外网
[root@localhost ~]# ping -c 2 114.114.114.114
PING 114.114.114.114 (114.114.114.114) 56(84) bytes of data.
ping: sendmsg: 不允许的操作
ping: sendmsg: 不允许的操作

--- 114.114.114.114 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1000ms


# iptables log,这些流量就是被DROP掉的
[root@localhost ~]# dmesg 
[ 2165.533923] OUTPUTIN= OUT=ens33 SRC=192.168.0.10 DST=114.114.114.114 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=36671 DF PROTO=ICMP TYPE=8 CODE=0 ID=5847 SEQ=1 
[ 2166.534590] OUTPUTIN= OUT=ens33 SRC=192.168.0.10 DST=114.114.114.114 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=37172 DF PROTO=ICMP TYPE=8 CODE=0 ID=5847 SEQ=2

POSTROUTING

# Drop every outgoing packet at the mangle table's POSTROUTING chain.
# NOTE(review): presumably the raw/OUTPUT DROP rules from the previous step
# were flushed before this test, otherwise packets never reach POSTROUTING at all.
# Clear afterwards with: iptables --table mangle --flush POSTROUTING
iptables --table mangle --append POSTROUTING --jump DROP

# ping 外网
[root@localhost ~]# ping -c 5 114.114.114.114
PING 114.114.114.114 (114.114.114.114) 56(84) bytes of data.
ping: sendmsg: 不允许的操作
ping: sendmsg: 不允许的操作
ping: sendmsg: 不允许的操作
ping: sendmsg: 不允许的操作
ping: sendmsg: 不允许的操作
--- 114.114.114.114 ping statistics ---
5 packets transmitted, 0 received, 100% packet loss, time 3999ms


[root@localhost ~]# tcpdump -i ens33 -p icmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens33, link-type EN10MB (Ethernet), capture size 65535 bytes
^C
0 packets captured
0 packets received by filter
0 packets dropped by kernel

注：综合OUTPUT和POSTROUTING两组实验可见，tcpdump的抓包位置如下图所示。
在这里插入图片描述
