Various iptables targets

# iptables -j TPROXY -h

TPROXY target options:
  --on-port port                    Redirect connection to port, or the original port if 0
  --on-ip ip                        Optionally redirect to the given IP
  --tproxy-mark value[/mask]        Mark packets with the given value/mask
# iptables -m state -h

state match options:
 [!] --state [INVALID|ESTABLISHED|NEW|RELATED|UNTRACKED][,...]
                                State(s) to match
# iptables -m statistic -h

statistic match options:
 --mode mode                    Match mode (random, nth)
 random mode:
[!] --probability p              Probability
 nth mode:
[!] --every n                    Match every nth packet
 --packet p                      Initial counter value (0 <= p <= n-1, default 0)
# iptables -m string -h

string match options:
--from                       Offset to start searching from
--to                         Offset to stop searching
--algo                       Algorithm
--icase                      Ignore case (default: 0)
[!] --string string          Match a string in a packet
[!] --hex-string string      Match a hex string in a packet
# iptables -A OUTPUT -p tcp --dport 80 -m string --algo bm --string 'www.shb.cas.cn' -j LOG
# 
# iptables -L -n -v
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    2   382 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 
    STRING match  "www.shb.cas.cn" ALGO name bm TO 65535 LOG flags 0 level 4

Capturing NFLOG log packets with tcpdump

Configure the following NFLOG rules, which match packets on port 80 and send them to netlink group 40.

# iptables -A INPUT -p tcp -m tcp --sport 80 -j NFLOG --nflog-group 40 --nflog-prefix TCPDUMP-PCAP-IN
# iptables -A OUTPUT -p tcp -m tcp --dport 80 -j NFLOG --nflog-group 40 --nflog-prefix TCPDUMP-PCAP-OUT
# 
# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
NFLOG      tcp  --  anywhere             anywhere             tcp spt:http nflog-prefix  TCPDUMP-PCAP-IN nflog-group 40      

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
NFLOG      tcp  --  anywhere             anywhere             tcp dpt:http nflog-prefix  TCPDUMP-PCAP-OUT nflog-group 40

Use tcpdump to capture the packets from group 40 and save them to the file port-80.pcap.

# tcpdump -i nflog:40 -w port-80.pcap
tcpdump: listening on nflog:40, link-type NFLOG (Linux netfilter log messages), capture size 262144 bytes
^C6 packets captured
6 packets received by filter
0 packets dropped by kernel

As the packet below shows, the Resource id field carries the netlink group 40; the other fields show the nflog prefix, the hook point, the output interface and so on; the PAYLOAD field holds the actual packet data, here a TCP SYN packet.
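The NFLOG capture procedure above, wrapped in a small POSIX sh script (an added example, not code from the original post): it adds the INPUT/OUTPUT NFLOG rules for a given port and group, runs tcpdump on nflog:<group>, and deletes the rules again on exit so no logging rule is left behind in the ruleset. The DRY_RUN variable (default 1, which only prints the commands) and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post. DRY_RUN=1 (the assumed default)
# prints the iptables/tcpdump commands instead of executing them.
: "${DRY_RUN:=1}"

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Build one NFLOG rule, mirroring the two rules from the post.
# $1 = -A or -D, $2 = INPUT or OUTPUT, $3 = port, $4 = nflog group, $5 = prefix
nflog_rule() {
    action=$1; chain=$2; port=$3; group=$4; prefix=$5
    case $chain in
        INPUT)  portopt=--sport ;;   # replies coming back from the server port
        OUTPUT) portopt=--dport ;;   # requests we send to the server port
        *) echo "unknown chain: $chain" >&2; return 1 ;;
    esac
    run iptables "$action" "$chain" -p tcp -m tcp "$portopt" "$port" \
        -j NFLOG --nflog-group "$group" --nflog-prefix "$prefix"
}

# $1 = port, $2 = group, $3 = prefix base ("-IN" / "-OUT" is appended)
nflog_add() {
    nflog_rule -A INPUT "$1" "$2" "$3-IN" && nflog_rule -A OUTPUT "$1" "$2" "$3-OUT"
}
nflog_remove() {
    nflog_rule -D INPUT "$1" "$2" "$3-IN"
    nflog_rule -D OUTPUT "$1" "$2" "$3-OUT"
}

# Capture nflog:<group> into a pcap; the rules are removed on exit or Ctrl-C,
# so a forgotten NFLOG rule does not keep copying traffic to the group.
# $1 = port, $2 = group, $3 = prefix base, $4 = pcap file
nflog_capture() {
    port=$1; group=$2; prefix=$3; pcap=$4
    nflog_add "$port" "$group" "$prefix" || return 1
    trap 'nflog_remove "$port" "$group" "$prefix"' EXIT
    trap 'exit 130' INT TERM
    run tcpdump -i "nflog:$group" -w "$pcap"
}

# Example: DRY_RUN=0 ./nflog-capture.sh 80 40 TCPDUMP-PCAP port-80.pcap
if [ -n "$1" ]; then
    nflog_capture "$1" "$2" "$3" "$4"
fi
```

Run with DRY_RUN=0 as root to actually install the rules and start the capture.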

Netfilter target xt_TRACE

Insert a TRACE rule for destination port 22 at the PREROUTING hook of the raw table, as follows.

# iptables -t raw -I PREROUTING 1 -p tcp --dport 22 -j TRACE
This makes it possible to trace whether the packet arrives and to record it in the log.

posted @ 2023-03-15 01:20  codestacklinuxer