p5gamemath
Asked: 2022-10-01 20:47:04 +0800 CST

No FORWARD packet with iptables PREROUTING rule


I have an iptables PREROUTING rule to forward a port to another host. This is the rule: ipv4 nat PREROUTING 0 -m addrtype --dst-type LOCAL -p tcp --dport 445 -j DNAT --to-destination 192.168.123.103.

The IP address of host A, which has the PREROUTING rule, is 192.168.123.1. The IP addresses of host B, to which the traffic is forwarded, are 192.168.123.103 and 192.168.123.11.

This rule works for other hosts connected to A, but it does not work for requests to 192.168.123.1:445 made from B. In the iptables trace there appears to be PREROUTING but no FORWARD. Notably, accessing 192.168.123.103:445 directly on B works.

I checked that the sysctl flags net.ipv4.ip_forward and net.ipv4.conf.all.forwarding are correctly set to 1.

Logs:

Working:
trace id 3202082b ip raw PREROUTING packet: iif "virbr1" ether saddr 52:54:00:17:47:13 ether daddr 52:54:00:54:6b:5e ip saddr 192.168.123.13 ip daddr 192.168.123.1 ip dscp cs0 ip ecn not-ect ip ttl 62 ip id 787 ip length 60 tcp sport 49938 tcp dport 445 tcp flags == syn tcp window 64860
trace id 3202082b ip raw PREROUTING rule meta l4proto tcp fib daddr type local tcp dport 445 counter packets 522 bytes 29484 meta nftrace set 1 (verdict continue)
trace id 3202082b ip raw PREROUTING verdict continue
trace id 3202082b ip raw PREROUTING policy accept
trace id 3202082b inet firewalld mangle_PREROUTING packet: iif "virbr1" ether saddr 52:54:00:17:47:13 ether daddr 52:54:00:54:6b:5e ip saddr 192.168.123.13 ip daddr 192.168.123.1 ip dscp cs0 ip ecn not-ect ip ttl 62 ip id 787 ip protocol tcp ip length 60 tcp sport 49938 tcp dport 445 tcp flags == syn tcp window 64860
trace id 3202082b inet firewalld mangle_PREROUTING rule jump mangle_PREROUTING_ZONES (verdict jump mangle_PREROUTING_ZONES)
trace id 3202082b inet firewalld mangle_PREROUTING_ZONES rule goto mangle_PRE_trusted (verdict goto mangle_PRE_trusted)
trace id 3202082b inet firewalld mangle_PRE_trusted rule jump mangle_PREROUTING_POLICIES_pre (verdict jump mangle_PREROUTING_POLICIES_pre)
trace id 3202082b inet firewalld mangle_PREROUTING_POLICIES_pre rule jump mangle_PRE_policy_allow-host-ipv6 (verdict jump mangle_PRE_policy_allow-host-ipv6)
trace id 3202082b inet firewalld mangle_PRE_policy_allow-host-ipv6 rule jump mangle_PRE_policy_allow-host-ipv6_pre (verdict jump mangle_PRE_policy_allow-host-ipv6_pre)
trace id 3202082b inet firewalld mangle_PRE_policy_allow-host-ipv6_pre verdict continue
trace id 3202082b inet firewalld mangle_PRE_policy_allow-host-ipv6 rule jump mangle_PRE_policy_allow-host-ipv6_log (verdict jump mangle_PRE_policy_allow-host-ipv6_log)
trace id 3202082b inet firewalld mangle_PRE_policy_allow-host-ipv6_log verdict continue
trace id 3202082b inet firewalld mangle_PRE_policy_allow-host-ipv6 rule jump mangle_PRE_policy_allow-host-ipv6_deny (verdict jump mangle_PRE_policy_allow-host-ipv6_deny)
trace id 3202082b inet firewalld mangle_PRE_policy_allow-host-ipv6_deny verdict continue
trace id 3202082b inet firewalld mangle_PRE_policy_allow-host-ipv6 rule jump mangle_PRE_policy_allow-host-ipv6_allow (verdict jump mangle_PRE_policy_allow-host-ipv6_allow)
trace id 3202082b inet firewalld mangle_PRE_policy_allow-host-ipv6_allow verdict continue
trace id 3202082b inet firewalld mangle_PRE_policy_allow-host-ipv6 rule jump mangle_PRE_policy_allow-host-ipv6_post (verdict jump mangle_PRE_policy_allow-host-ipv6_post)
trace id 3202082b inet firewalld mangle_PRE_policy_allow-host-ipv6_post verdict continue
trace id 3202082b inet firewalld mangle_PRE_policy_allow-host-ipv6 verdict continue
trace id 3202082b inet firewalld mangle_PREROUTING_POLICIES_pre verdict continue
trace id 3202082b inet firewalld mangle_PRE_trusted rule jump mangle_PRE_trusted_pre (verdict jump mangle_PRE_trusted_pre)
trace id 3202082b inet firewalld mangle_PRE_trusted_pre verdict continue
trace id 3202082b inet firewalld mangle_PRE_trusted rule jump mangle_PRE_trusted_log (verdict jump mangle_PRE_trusted_log)
trace id 3202082b inet firewalld mangle_PRE_trusted_log verdict continue
trace id 3202082b inet firewalld mangle_PRE_trusted rule jump mangle_PRE_trusted_deny (verdict jump mangle_PRE_trusted_deny)
trace id 3202082b inet firewalld mangle_PRE_trusted_deny verdict continue
trace id 3202082b inet firewalld mangle_PRE_trusted rule jump mangle_PRE_trusted_allow (verdict jump mangle_PRE_trusted_allow)
trace id 3202082b inet firewalld mangle_PRE_trusted_allow verdict continue
trace id 3202082b inet firewalld mangle_PRE_trusted rule jump mangle_PRE_trusted_post (verdict jump mangle_PRE_trusted_post)
trace id 3202082b inet firewalld mangle_PRE_trusted_post verdict continue
trace id 3202082b inet firewalld mangle_PRE_trusted rule jump mangle_PREROUTING_POLICIES_post (verdict jump mangle_PREROUTING_POLICIES_post)
trace id 3202082b inet firewalld mangle_PREROUTING_POLICIES_post verdict continue
trace id 3202082b inet firewalld mangle_PRE_trusted verdict continue
trace id 3202082b inet firewalld mangle_PREROUTING verdict continue
trace id 3202082b inet firewalld mangle_PREROUTING policy accept
trace id 3202082b ip nat PREROUTING packet: iif "virbr1" ether saddr 52:54:00:17:47:13 ether daddr 52:54:00:54:6b:5e ip saddr 192.168.123.13 ip daddr 192.168.123.1 ip dscp cs0 ip ecn not-ect ip ttl 62 ip id 787 ip length 60 tcp sport 49938 tcp dport 445 tcp flags == syn tcp window 64860
trace id 3202082b ip nat PREROUTING rule meta l4proto tcp fib daddr type local tcp dport 445 counter packets 3018 bytes 180952 dnat to 192.168.123.103 (verdict accept)
trace id 3202082b inet firewalld filter_PREROUTING packet: iif "virbr1" ether saddr 52:54:00:17:47:13 ether daddr 52:54:00:54:6b:5e ip saddr 192.168.123.13 ip daddr 192.168.123.103 ip dscp cs0 ip ecn not-ect ip ttl 62 ip id 787 ip protocol tcp ip length 60 tcp sport 49938 tcp dport 445 tcp flags == syn tcp window 64860
trace id 3202082b inet firewalld filter_PREROUTING verdict continue
trace id 3202082b inet firewalld filter_PREROUTING policy accept
trace id 3202082b ip mangle FORWARD packet: iif "virbr1" oif "virbr1" ether saddr 52:54:00:17:47:13 ether daddr 52:54:00:b1:8b:eb ip saddr 192.168.123.13 ip daddr 192.168.123.103 ip dscp cs0 ip ecn not-ect ip ttl 62 ip id 787 ip length 60 tcp sport 49938 tcp dport 445 tcp flags == syn tcp window 64860
trace id 3202082b ip mangle FORWARD verdict continue
trace id 3202082b ip mangle FORWARD policy accept
trace id 3202082b ip filter FORWARD packet: iif "virbr1" oif "virbr1" ether saddr 52:54:00:17:47:13 ether daddr 52:54:00:b1:8b:eb ip saddr 192.168.123.13 ip daddr 192.168.123.103 ip dscp cs0 ip ecn not-ect ip ttl 62 ip id 787 ip length 60 tcp sport 49938 tcp dport 445 tcp flags == syn tcp window 64860
trace id 3202082b ip filter FORWARD verdict continue
trace id 3202082b ip filter FORWARD policy accept
trace id 3202082b inet firewalld filter_FORWARD packet: iif "virbr1" oif "virbr1" ether saddr 52:54:00:17:47:13 ether daddr 52:54:00:b1:8b:eb ip saddr 192.168.123.13 ip daddr 192.168.123.103 ip dscp cs0 ip ecn not-ect ip ttl 62 ip id 787 ip protocol tcp ip length 60 tcp sport 49938 tcp dport 445 tcp flags == syn tcp window 64860
trace id 3202082b inet firewalld filter_FORWARD rule ct status dnat accept (verdict accept)

Not working:
trace id fea3c476 ip raw PREROUTING packet: iif "virbr1" ether saddr 52:54:00:b1:8b:eb ether daddr 52:54:00:54:6b:5e ip saddr 192.168.123.11 ip daddr 192.168.123.1 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 63222 ip length 60 tcp sport 32920 tcp dport 445 tcp flags == syn tcp window 64240
trace id fea3c476 ip raw PREROUTING rule meta l4proto tcp fib daddr type local tcp dport 445 counter packets 96 bytes 5732 meta nftrace set 1 (verdict continue)
trace id fea3c476 ip raw PREROUTING verdict continue
trace id fea3c476 ip raw PREROUTING policy accept
trace id fea3c476 inet firewalld mangle_PREROUTING packet: iif "virbr1" ether saddr 52:54:00:b1:8b:eb ether daddr 52:54:00:54:6b:5e ip saddr 192.168.123.11 ip daddr 192.168.123.1 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 63222 ip protocol tcp ip length 60 tcp sport 32920 tcp dport 445 tcp flags == syn tcp window 64240
trace id fea3c476 inet firewalld mangle_PREROUTING rule jump mangle_PREROUTING_ZONES (verdict jump mangle_PREROUTING_ZONES)
trace id fea3c476 inet firewalld mangle_PREROUTING_ZONES rule goto mangle_PRE_trusted (verdict goto mangle_PRE_trusted)
trace id fea3c476 inet firewalld mangle_PRE_trusted rule jump mangle_PREROUTING_POLICIES_pre (verdict jump mangle_PREROUTING_POLICIES_pre)
trace id fea3c476 inet firewalld mangle_PREROUTING_POLICIES_pre rule jump mangle_PRE_policy_allow-host-ipv6 (verdict jump mangle_PRE_policy_allow-host-ipv6)
trace id fea3c476 inet firewalld mangle_PRE_policy_allow-host-ipv6 rule jump mangle_PRE_policy_allow-host-ipv6_pre (verdict jump mangle_PRE_policy_allow-host-ipv6_pre)
trace id fea3c476 inet firewalld mangle_PRE_policy_allow-host-ipv6_pre verdict continue
trace id fea3c476 inet firewalld mangle_PRE_policy_allow-host-ipv6 rule jump mangle_PRE_policy_allow-host-ipv6_log (verdict jump mangle_PRE_policy_allow-host-ipv6_log)
trace id fea3c476 inet firewalld mangle_PRE_policy_allow-host-ipv6_log verdict continue
trace id fea3c476 inet firewalld mangle_PRE_policy_allow-host-ipv6 rule jump mangle_PRE_policy_allow-host-ipv6_deny (verdict jump mangle_PRE_policy_allow-host-ipv6_deny)
trace id fea3c476 inet firewalld mangle_PRE_policy_allow-host-ipv6_deny verdict continue
trace id fea3c476 inet firewalld mangle_PRE_policy_allow-host-ipv6 rule jump mangle_PRE_policy_allow-host-ipv6_allow (verdict jump mangle_PRE_policy_allow-host-ipv6_allow)
trace id fea3c476 inet firewalld mangle_PRE_policy_allow-host-ipv6_allow verdict continue
trace id fea3c476 inet firewalld mangle_PRE_policy_allow-host-ipv6 rule jump mangle_PRE_policy_allow-host-ipv6_post (verdict jump mangle_PRE_policy_allow-host-ipv6_post)
trace id fea3c476 inet firewalld mangle_PRE_policy_allow-host-ipv6_post verdict continue
trace id fea3c476 inet firewalld mangle_PRE_policy_allow-host-ipv6 verdict continue
trace id fea3c476 inet firewalld mangle_PREROUTING_POLICIES_pre verdict continue
trace id fea3c476 inet firewalld mangle_PRE_trusted rule jump mangle_PRE_trusted_pre (verdict jump mangle_PRE_trusted_pre)
trace id fea3c476 inet firewalld mangle_PRE_trusted_pre verdict continue
trace id fea3c476 inet firewalld mangle_PRE_trusted rule jump mangle_PRE_trusted_log (verdict jump mangle_PRE_trusted_log)
trace id fea3c476 inet firewalld mangle_PRE_trusted_log verdict continue
trace id fea3c476 inet firewalld mangle_PRE_trusted rule jump mangle_PRE_trusted_deny (verdict jump mangle_PRE_trusted_deny)
trace id fea3c476 inet firewalld mangle_PRE_trusted_deny verdict continue
trace id fea3c476 inet firewalld mangle_PRE_trusted rule jump mangle_PRE_trusted_allow (verdict jump mangle_PRE_trusted_allow)
trace id fea3c476 inet firewalld mangle_PRE_trusted_allow verdict continue
trace id fea3c476 inet firewalld mangle_PRE_trusted rule jump mangle_PRE_trusted_post (verdict jump mangle_PRE_trusted_post)
trace id fea3c476 inet firewalld mangle_PRE_trusted_post verdict continue
trace id fea3c476 inet firewalld mangle_PRE_trusted rule jump mangle_PREROUTING_POLICIES_post (verdict jump mangle_PREROUTING_POLICIES_post)
trace id fea3c476 inet firewalld mangle_PREROUTING_POLICIES_post verdict continue
trace id fea3c476 inet firewalld mangle_PRE_trusted verdict continue
trace id fea3c476 inet firewalld mangle_PREROUTING verdict continue
trace id fea3c476 inet firewalld mangle_PREROUTING policy accept
trace id fea3c476 ip nat PREROUTING packet: iif "virbr1" ether saddr 52:54:00:b1:8b:eb ether daddr 52:54:00:54:6b:5e ip saddr 192.168.123.11 ip daddr 192.168.123.1 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 63222 ip length 60 tcp sport 32920 tcp dport 445 tcp flags == syn tcp window 64240
trace id fea3c476 ip nat PREROUTING rule meta l4proto tcp fib daddr type local tcp dport 445 counter packets 2881 bytes 172708 dnat to 192.168.123.103 (verdict accept)
trace id fea3c476 inet firewalld filter_PREROUTING packet: iif "virbr1" ether saddr 52:54:00:b1:8b:eb ether daddr 52:54:00:54:6b:5e ip saddr 192.168.123.11 ip daddr 192.168.123.103 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 63222 ip protocol tcp ip length 60 tcp sport 32920 tcp dport 445 tcp flags == syn tcp window 64240
trace id fea3c476 inet firewalld filter_PREROUTING verdict continue
trace id fea3c476 inet firewalld filter_PREROUTING policy accept

ip address:

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: enp6s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 0a:e0:af:c6:00:d0 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.10/24 brd 192.168.1.255 scope global dynamic noprefixroute enp6s0
       valid_lft 39944sec preferred_lft 39944sec
3: virbr1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 52:54:00:54:6b:5e brd ff:ff:ff:ff:ff:ff
    inet 192.168.123.1/24 brd 192.168.123.255 scope global virbr1
       valid_lft forever preferred_lft forever

ip route:

default via 192.168.1.1 dev enp6s0 proto dhcp src 192.168.1.10 metric 100
192.168.1.0/24 dev enp6s0 proto kernel scope link src 192.168.1.10 metric 100
192.168.123.0/24 dev virbr1 proto kernel scope link src 192.168.123.1

nft list ruleset:

table ip filter {
    chain INPUT {
        type filter hook input priority filter; policy accept;
        meta l4proto tcp counter packets 2283119 bytes 12047540484 jump f2b-sshd
    }

    chain f2b-sshd {
        counter packets 2278196 bytes 12047096552 return
    }

    chain FORWARD {
        type filter hook forward priority filter; policy accept;
    }
}
table ip nat {
    chain PREROUTING {
        type nat hook prerouting priority dstnat; policy accept;
        meta l4proto tcp fib daddr type local tcp dport 445 counter packets 3128 bytes 187556 dnat to 192.168.123.103
    }

    chain POSTROUTING {
        type nat hook postrouting priority srcnat; policy accept;
    }
}
table inet firewalld {
    chain mangle_PREROUTING {
        type filter hook prerouting priority mangle + 10; policy accept;
        jump mangle_PREROUTING_ZONES
    }

    chain mangle_PREROUTING_POLICIES_pre {
        jump mangle_PRE_policy_allow-host-ipv6
    }

    chain mangle_PREROUTING_ZONES {
        iifname "enp6s0" goto mangle_PRE_public
        goto mangle_PRE_trusted
    }

    chain mangle_PREROUTING_POLICIES_post {
    }

    chain nat_PREROUTING {
        type nat hook prerouting priority dstnat + 10; policy accept;
        jump nat_PREROUTING_ZONES
    }

    chain nat_PREROUTING_POLICIES_pre {
        jump nat_PRE_policy_allow-host-ipv6
    }

    chain nat_PREROUTING_ZONES {
        iifname "enp6s0" goto nat_PRE_public
        goto nat_PRE_trusted
    }

    chain nat_PREROUTING_POLICIES_post {
    }

    chain nat_POSTROUTING {
        type nat hook postrouting priority srcnat + 10; policy accept;
        jump nat_POSTROUTING_ZONES
    }

    chain nat_POSTROUTING_POLICIES_pre {
    }

    chain nat_POSTROUTING_ZONES {
        oifname "enp6s0" goto nat_POST_public
        goto nat_POST_trusted
    }

    chain nat_POSTROUTING_POLICIES_post {
    }

    chain filter_PREROUTING {
        type filter hook prerouting priority filter + 10; policy accept;
        icmpv6 type { nd-router-advert, nd-neighbor-solicit } accept
        meta nfproto ipv6 fib saddr . mark . iif oif missing drop
    }

    chain filter_INPUT {
        type filter hook input priority filter + 10; policy accept;
        ct state { established, related } accept
        ct status dnat accept
        iifname "lo" accept
        jump filter_INPUT_ZONES
        ct state { invalid } drop
        reject with icmpx type admin-prohibited
    }

    chain filter_FORWARD {
        type filter hook forward priority filter + 10; policy accept;
        ct state { established, related } accept
        ct status dnat accept
        iifname "lo" accept
        ip6 daddr { ::/96, ::ffff:0.0.0.0/96, 2002::/24, 2002:a00::/24, 2002:7f00::/24, 2002:a9fe::/32, 2002:ac10::/28, 2002:c0a8::/32, 2002:e000::/19 } reject with icmpv6 type addr-unreachable
        jump filter_FORWARD_ZONES
        ct state { invalid } drop
        reject with icmpx type admin-prohibited
    }

    chain filter_OUTPUT {
        type filter hook output priority filter + 10; policy accept;
        ct state { established, related } accept
        oifname "lo" accept
        ip6 daddr { ::/96, ::ffff:0.0.0.0/96, 2002::/24, 2002:a00::/24, 2002:7f00::/24, 2002:a9fe::/32, 2002:ac10::/28, 2002:c0a8::/32, 2002:e000::/19 } reject with icmpv6 type addr-unreachable
        jump filter_OUTPUT_POLICIES_pre
        jump filter_OUTPUT_POLICIES_post
    }

    chain filter_INPUT_POLICIES_pre {
        jump filter_IN_policy_allow-host-ipv6
    }

    chain filter_INPUT_ZONES {
        iifname "enp6s0" goto filter_IN_public
        goto filter_IN_trusted
    }

    chain filter_INPUT_POLICIES_post {
    }

    chain filter_FORWARD_POLICIES_pre {
    }

    chain filter_FORWARD_ZONES {
        iifname "enp6s0" goto filter_FWD_public
        goto filter_FWD_trusted
    }

    chain filter_FORWARD_POLICIES_post {
    }

    chain filter_OUTPUT_POLICIES_pre {
    }

    chain filter_OUTPUT_POLICIES_post {
    }

    chain filter_IN_trusted {
        jump filter_INPUT_POLICIES_pre
        jump filter_IN_trusted_pre
        jump filter_IN_trusted_log
        jump filter_IN_trusted_deny
        jump filter_IN_trusted_allow
        jump filter_IN_trusted_post
        jump filter_INPUT_POLICIES_post
        accept
    }

    chain filter_IN_trusted_pre {
    }

    chain filter_IN_trusted_log {
    }

    chain filter_IN_trusted_deny {
    }

    chain filter_IN_trusted_allow {
    }

    chain filter_IN_trusted_post {
    }

    chain nat_POST_trusted {
        jump nat_POSTROUTING_POLICIES_pre
        jump nat_POST_trusted_pre
        jump nat_POST_trusted_log
        jump nat_POST_trusted_deny
        jump nat_POST_trusted_allow
        jump nat_POST_trusted_post
        jump nat_POSTROUTING_POLICIES_post
    }

    chain nat_POST_trusted_pre {
    }

    chain nat_POST_trusted_log {
    }

    chain nat_POST_trusted_deny {
    }

    chain nat_POST_trusted_allow {
    }

    chain nat_POST_trusted_post {
    }

    chain filter_FWD_trusted {
        jump filter_FORWARD_POLICIES_pre
        jump filter_FWD_trusted_pre
        jump filter_FWD_trusted_log
        jump filter_FWD_trusted_deny
        jump filter_FWD_trusted_allow
        jump filter_FWD_trusted_post
        jump filter_FORWARD_POLICIES_post
        accept
    }

    chain filter_FWD_trusted_pre {
    }

    chain filter_FWD_trusted_log {
    }

    chain filter_FWD_trusted_deny {
    }

    chain filter_FWD_trusted_allow {
    }

    chain filter_FWD_trusted_post {
    }

    chain nat_PRE_trusted {
        jump nat_PREROUTING_POLICIES_pre
        jump nat_PRE_trusted_pre
        jump nat_PRE_trusted_log
        jump nat_PRE_trusted_deny
        jump nat_PRE_trusted_allow
        jump nat_PRE_trusted_post
        jump nat_PREROUTING_POLICIES_post
    }

    chain nat_PRE_trusted_pre {
    }

    chain nat_PRE_trusted_log {
    }

    chain nat_PRE_trusted_deny {
    }

    chain nat_PRE_trusted_allow {
    }

    chain nat_PRE_trusted_post {
    }

    chain mangle_PRE_trusted {
        jump mangle_PREROUTING_POLICIES_pre
        jump mangle_PRE_trusted_pre
        jump mangle_PRE_trusted_log
        jump mangle_PRE_trusted_deny
        jump mangle_PRE_trusted_allow
        jump mangle_PRE_trusted_post
        jump mangle_PREROUTING_POLICIES_post
    }

    chain mangle_PRE_trusted_pre {
    }

    chain mangle_PRE_trusted_log {
    }

    chain mangle_PRE_trusted_deny {
    }

    chain mangle_PRE_trusted_allow {
    }

    chain mangle_PRE_trusted_post {
    }

    chain filter_IN_policy_allow-host-ipv6 {
        jump filter_IN_policy_allow-host-ipv6_pre
        jump filter_IN_policy_allow-host-ipv6_log
        jump filter_IN_policy_allow-host-ipv6_deny
        jump filter_IN_policy_allow-host-ipv6_allow
        jump filter_IN_policy_allow-host-ipv6_post
    }

    chain filter_IN_policy_allow-host-ipv6_pre {
    }

    chain filter_IN_policy_allow-host-ipv6_log {
    }

    chain filter_IN_policy_allow-host-ipv6_deny {
    }

    chain filter_IN_policy_allow-host-ipv6_allow {
        icmpv6 type nd-neighbor-advert accept
        icmpv6 type nd-neighbor-solicit accept
        icmpv6 type nd-router-advert accept
        icmpv6 type nd-redirect accept
    }

    chain filter_IN_policy_allow-host-ipv6_post {
    }

    chain nat_PRE_policy_allow-host-ipv6 {
        jump nat_PRE_policy_allow-host-ipv6_pre
        jump nat_PRE_policy_allow-host-ipv6_log
        jump nat_PRE_policy_allow-host-ipv6_deny
        jump nat_PRE_policy_allow-host-ipv6_allow
        jump nat_PRE_policy_allow-host-ipv6_post
    }

    chain nat_PRE_policy_allow-host-ipv6_pre {
    }

    chain nat_PRE_policy_allow-host-ipv6_log {
    }

    chain nat_PRE_policy_allow-host-ipv6_deny {
    }

    chain nat_PRE_policy_allow-host-ipv6_allow {
    }

    chain nat_PRE_policy_allow-host-ipv6_post {
    }

    chain mangle_PRE_policy_allow-host-ipv6 {
        jump mangle_PRE_policy_allow-host-ipv6_pre
        jump mangle_PRE_policy_allow-host-ipv6_log
        jump mangle_PRE_policy_allow-host-ipv6_deny
        jump mangle_PRE_policy_allow-host-ipv6_allow
        jump mangle_PRE_policy_allow-host-ipv6_post
    }

    chain mangle_PRE_policy_allow-host-ipv6_pre {
    }

    chain mangle_PRE_policy_allow-host-ipv6_log {
    }

    chain mangle_PRE_policy_allow-host-ipv6_deny {
    }

    chain mangle_PRE_policy_allow-host-ipv6_allow {
    }

    chain mangle_PRE_policy_allow-host-ipv6_post {
    }

    chain filter_IN_public {
        jump filter_INPUT_POLICIES_pre
        jump filter_IN_public_pre
        jump filter_IN_public_log
        jump filter_IN_public_deny
        jump filter_IN_public_allow
        jump filter_IN_public_post
        jump filter_INPUT_POLICIES_post
        meta l4proto { icmp, ipv6-icmp } accept
        reject with icmpx type admin-prohibited
    }

    chain filter_IN_public_pre {
    }

    chain filter_IN_public_log {
    }

    chain filter_IN_public_deny {
    }

    chain filter_IN_public_allow {
        tcp dport 22 ct state { new, untracked } accept
        ip6 daddr fe80::/64 udp dport 546 ct state { new, untracked } accept
    }

    chain filter_IN_public_post {
    }

    chain nat_POST_public {
        jump nat_POSTROUTING_POLICIES_pre
        jump nat_POST_public_pre
        jump nat_POST_public_log
        jump nat_POST_public_deny
        jump nat_POST_public_allow
        jump nat_POST_public_post
        jump nat_POSTROUTING_POLICIES_post
    }

    chain nat_POST_public_pre {
    }

    chain nat_POST_public_log {
    }

    chain nat_POST_public_deny {
    }

    chain nat_POST_public_allow {
        meta nfproto ipv4 oifname != "lo" masquerade
    }

    chain nat_POST_public_post {
    }

    chain filter_FWD_public {
        jump filter_FORWARD_POLICIES_pre
        jump filter_FWD_public_pre
        jump filter_FWD_public_log
        jump filter_FWD_public_deny
        jump filter_FWD_public_allow
        jump filter_FWD_public_post
        jump filter_FORWARD_POLICIES_post
        reject with icmpx type admin-prohibited
    }

    chain filter_FWD_public_pre {
    }

    chain filter_FWD_public_log {
    }

    chain filter_FWD_public_deny {
    }

    chain filter_FWD_public_allow {
        oifname "enp6s0" accept
    }

    chain filter_FWD_public_post {
    }

    chain nat_PRE_public {
        jump nat_PREROUTING_POLICIES_pre
        jump nat_PRE_public_pre
        jump nat_PRE_public_log
        jump nat_PRE_public_deny
        jump nat_PRE_public_allow
        jump nat_PRE_public_post
        jump nat_PREROUTING_POLICIES_post
    }

    chain nat_PRE_public_pre {
    }

    chain nat_PRE_public_log {
    }

    chain nat_PRE_public_deny {
    }

    chain nat_PRE_public_allow {
    }

    chain nat_PRE_public_post {
    }

    chain mangle_PRE_public {
        jump mangle_PREROUTING_POLICIES_pre
        jump mangle_PRE_public_pre
        jump mangle_PRE_public_log
        jump mangle_PRE_public_deny
        jump mangle_PRE_public_allow
        jump mangle_PRE_public_post
        jump mangle_PREROUTING_POLICIES_post
    }

    chain mangle_PRE_public_pre {
    }

    chain mangle_PRE_public_log {
    }

    chain mangle_PRE_public_deny {
    }

    chain mangle_PRE_public_allow {
    }

    chain mangle_PRE_public_post {
    }
}
table ip raw {
    chain PREROUTING {
        type filter hook prerouting priority raw; policy accept;
        meta l4proto tcp fib daddr type local tcp dport 445 counter packets 974 bytes 53844 meta nftrace set 1
    }

    chain OUTPUT {
        type filter hook output priority raw; policy accept;
    }
}
table ip mangle {
    chain FORWARD {
        type filter hook forward priority mangle; policy accept;
    }
}
Tags: networking, iptables
80 Views
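To make the by-eye comparison of the two traces above reproducible, here is an added Python example (not code from the original post) that groups nft trace lines by trace id and reports the last netfilter hook each DNATed packet reached. SAMPLE is a constructed, shortened subset of the question's two traces plus one invented trace (id 00000001) that is dropped by a filter rule, so the explicit-drop path is exercised too.

```python
"""Group nft trace output by trace id and say where each DNATed packet ended up."""
import re

LINE_RE = re.compile(
    r"^trace id (?P<tid>[0-9a-f]+) (?P<family>\S+) (?P<table>\S+) "
    r"(?P<chain>\S+) (?P<event>.*)$"
)
PACKET_RE = re.compile(r"ip saddr (\S+) ip daddr (\S+).*?tcp sport (\d+) tcp dport (\d+)")
DNAT_RE = re.compile(r"\bdnat to (\S+)")
VERDICT_RE = re.compile(r"verdict (drop|reject)")

# "packet:" events are emitted only when a packet enters a base chain, so the
# chain name tells us which netfilter hook was reached.  Names follow the
# ruleset in the question (iptables-nft tables plus firewalld's own chains).
HOOK_OF_CHAIN = {
    "PREROUTING": "prerouting", "mangle_PREROUTING": "prerouting",
    "nat_PREROUTING": "prerouting", "filter_PREROUTING": "prerouting",
    "INPUT": "input", "filter_INPUT": "input",
    "FORWARD": "forward", "filter_FORWARD": "forward",
    "OUTPUT": "output", "filter_OUTPUT": "output",
    "POSTROUTING": "postrouting", "nat_POSTROUTING": "postrouting",
}

# Constructed sample: shortened lines from the question's traces plus an
# invented trace 00000001 that hits an explicit drop in filter_FORWARD.
SAMPLE = """\
Working:
trace id 3202082b ip raw PREROUTING packet: iif "virbr1" ip saddr 192.168.123.13 ip daddr 192.168.123.1 ip ttl 62 tcp sport 49938 tcp dport 445 tcp flags == syn
trace id 3202082b ip nat PREROUTING rule meta l4proto tcp fib daddr type local tcp dport 445 dnat to 192.168.123.103 (verdict accept)
trace id 3202082b inet firewalld filter_PREROUTING packet: iif "virbr1" ip saddr 192.168.123.13 ip daddr 192.168.123.103 tcp sport 49938 tcp dport 445
trace id 3202082b ip filter FORWARD packet: iif "virbr1" oif "virbr1" ip saddr 192.168.123.13 ip daddr 192.168.123.103 tcp sport 49938 tcp dport 445
trace id 3202082b inet firewalld filter_FORWARD rule ct status dnat accept (verdict accept)
Not working:
trace id fea3c476 ip raw PREROUTING packet: iif "virbr1" ip saddr 192.168.123.11 ip daddr 192.168.123.1 ip ttl 64 tcp sport 32920 tcp dport 445 tcp flags == syn
trace id fea3c476 ip nat PREROUTING rule meta l4proto tcp fib daddr type local tcp dport 445 dnat to 192.168.123.103 (verdict accept)
trace id fea3c476 inet firewalld filter_PREROUTING packet: iif "virbr1" ip saddr 192.168.123.11 ip daddr 192.168.123.103 tcp sport 32920 tcp dport 445
Constructed: a third packet that is explicitly dropped in FORWARD
trace id 00000001 ip raw PREROUTING packet: iif "virbr1" ip saddr 192.168.123.13 ip daddr 192.168.123.1 tcp sport 50000 tcp dport 445
trace id 00000001 ip nat PREROUTING rule meta l4proto tcp fib daddr type local tcp dport 445 dnat to 192.168.123.103 (verdict accept)
trace id 00000001 inet firewalld filter_FORWARD packet: iif "virbr1" oif "virbr1" ip saddr 192.168.123.13 ip daddr 192.168.123.103 tcp sport 50000 tcp dport 445
trace id 00000001 inet firewalld filter_FORWARD rule ct state invalid drop (verdict drop)
"""


def parse_traces(lines):
    """Return {trace_id: {"hooks", "flow", "dnat", "dropped"}} for the given lines."""
    traces = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # headings, blank lines or other non-trace output
        t = traces.setdefault(
            m["tid"], {"hooks": [], "flow": None, "dnat": None, "dropped": False}
        )
        event = m["event"]
        if event.startswith("packet:"):
            hook = HOOK_OF_CHAIN.get(m["chain"])
            if hook and hook not in t["hooks"]:
                t["hooks"].append(hook)
            pm = PACKET_RE.search(event)
            if pm and t["flow"] is None:  # keep the original, pre-NAT 4-tuple
                t["flow"] = (pm.group(1), int(pm.group(3)), pm.group(2), int(pm.group(4)))
        dm = DNAT_RE.search(event)
        if dm:
            t["dnat"] = dm.group(1)
        if VERDICT_RE.search(event):
            t["dropped"] = True
    return traces


def diagnose(trace):
    """Classify one trace by the last hook the packet was seen in."""
    hooks = trace["hooks"]
    if trace["dropped"]:
        return "dropped-by-rule"  # a filter rule rejected it; the trace says which
    if "prerouting" not in hooks:
        return "no-prerouting"
    if trace["dnat"] is None:
        return "not-dnated"
    if "forward" in hooks:
        return "forwarded"
    if "input" in hooks:
        return "delivered-locally"
    # DNAT happened but neither input nor forward saw the packet: it vanished
    # in the routing decision, which is exactly the symptom in the question.
    return "lost-after-prerouting"


def report(lines):
    """Return a list of (trace_id, flow, dnat_target, diagnosis) tuples."""
    return [(tid, t["flow"], t["dnat"], diagnose(t)) for tid, t in parse_traces(lines).items()]


if __name__ == "__main__":
    for tid, flow, dnat, verdict in report(SAMPLE.splitlines()):
        print(f"{tid}: {flow} dnat->{dnat}: {verdict}")
```

On a live host the same function works on the output of `nft monitor trace` once a rule sets `meta nftrace set 1`, as the raw PREROUTING rule in the question does.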

2 Answers

  1. gapsf
    2022-10-01T22:28:37+08:00

    During conversation https://chat.stackexchange.com/rooms/139576/discussion-on-answer-by-gapsf-no-forward-packet-with-iptables-prerouting-rule:

    host A has one interface with two IPs from the same subnet

    B# arp -a
    (192.168.123.11) at 52:54:00:b1:8b:eb [ether] on virbr1 
    (192.168.123.13) at 52:54:00:17:47:13 [ether] on virbr1
    (192.168.123.103) at 52:54:00:b1:8b:eb [ether] on virbr1
    

    and the asker wants packets from A's 123.11 that arrive at B's virbr1 123.1 to be forwarded back via virbr1 to A's 123.103. For some reason packets from 123.11 disappear after prerouting and, according to the trace log, go neither to the forward chain nor to the input chain.

    A (123.11/24 eth0 123.103/24)
       |                   ^
       v                   |
    B (virbr1 123.1/24   dnat)
    

    So something happens in routing decision.

    First answer
    At this moment you have nat rules configured both with iptables and nftables. You should not use iptables and nftables at the same time because it ends up with unpredictable results. Use one tool. If you use firewalld and its backend is nftables, stick with nftables and flush all iptables rules.

    https://unix.stackexchange.com/a/596497/153329

    • 0
  2. Best Answer
    p5gamemath
    2022-10-07T05:30:07+08:00

    It turns out what worked for me was to disable bridged packets from traversing iptables rules. This can be done by setting sysctl flags.

    sysctl -w net.bridge.bridge-nf-call-iptables=0
    sysctl -w net.bridge.bridge-nf-call-ip6tables=0
    sysctl -w net.bridge.bridge-nf-call-arptables=0
    
    • 0
