網路拓撲
[Host1 - DNS Server] em1: 192.168.246.101 / 255.255.255.0
[Host2 - DNS Client] em1: 192.168.246.102 / 255.255.255.0
在Host1加入一條nat規則,此規則只是要驗證
相同的connection只會中NAT table的rule一次,其餘就不會進去
Host1# iptables -t nat -A PREROUTING -i em1 -p udp -s 192.168.246.102 --j DNAT --to 192.168.246.101:53
把DNS回應封包Drop掉,Host1就會用相同的socket pair重送(dig預設重送三次)
Host1# iptables -A OUTPUT -p udp --sport 53 -j DROP
可加Log透過dmesg來追蹤封包
Host1# iptables -t mangle -A PREROUTING -i em1 -p udp --dport 53 -j LOG --log-level 4 --log-prefix MANGLE_TEST:
Host1# iptables -t nat -I PREROUTING -i em1 -p udp --dport 53 -j LOG --log-level 4 --log-prefix NAT_TEST:
Host1# iptables -A INPUT -i em1 -p udp --dport 53 -j LOG --log-level 4 --log-prefix INPUT_TEST:
從Host2利用dig產生DNS查詢封包到Host1
Host2# dig www.google.com @192.168.246.101
可觀察在NAT table的rule與conntrack,預設client會重送三次封包,match只會中一次
Host1# iptables -t nat -nvL PREROUTING
Chain PREROUTING (policy ACCEPT 8 packets, 566 bytes)
pkts bytes target prot opt in out source destination
1 71 LOG udp -- em1 * 0.0.0.0/0 0.0.0.0/0 udp dpt:53 LOG flags 0 level 4 prefix "NAT_TEST:"
1 71 DNAT udp -- em1 * 192.168.246.102 0.0.0.0/0 to:192.168.246.101:53
Host1# conntrack -L | grep 192.168.246.102
udp 17 177 src=192.168.246.102 dst=192.168.246.101 sport=51161 dport=53 src=192.168.246.101 dst=192.168.246.102 sport=53 dport=51161 [ASSURED] mark=0 use=1
注意事項: 要conntrack有這筆connection才會之後bypass NAT rule
參考連結:
packet 沒有跑到 iptables 的 nat table 花了我一天半
