我有一条 iptables PREROUTING 规则,用来把端口转发到另一台主机。规则如下:ipv4 nat PREROUTING 0 -m addrtype --dst-type LOCAL -p tcp --dport 445 -j DNAT --to-destination 192.168.123.103
配置了该 PREROUTING 规则的主机 A 的 IP 地址是 192.168.123.1。流量被转发到的主机 B 的 IP 地址是 192.168.123.103 和 192.168.123.11。
对于连接到 A 的其他主机,这条规则工作正常,但从 B 请求 192.168.123.1:445 时它不起作用。在 iptables 跟踪中,似乎只经过了 PREROUTING,没有进入 FORWARD。值得注意的是,在 B 上直接访问 192.168.123.103:445 是可行的。
我检查过 sysctl 参数 net.ipv4.ip_forward 和 net.ipv4.conf.all.forwarding,它们都已正确设置为 1。
日志:
Working:
trace id 3202082b ip raw PREROUTING packet: iif "virbr1" ether saddr 52:54:00:17:47:13 ether daddr 52:54:00:54:6b:5e ip saddr 192.168.123.13 ip daddr 192.168.123.1 ip dscp cs0 ip ecn not-ect ip ttl 62 ip id 787 ip length 60 tcp sport 49938 tcp dport 445 tcp flags == syn tcp window 64860
trace id 3202082b ip raw PREROUTING rule meta l4proto tcp fib daddr type local tcp dport 445 counter packets 522 bytes 29484 meta nftrace set 1 (verdict continue)
trace id 3202082b ip raw PREROUTING verdict continue
trace id 3202082b ip raw PREROUTING policy accept
trace id 3202082b inet firewalld mangle_PREROUTING packet: iif "virbr1" ether saddr 52:54:00:17:47:13 ether daddr 52:54:00:54:6b:5e ip saddr 192.168.123.13 ip daddr 192.168.123.1 ip dscp cs0 ip ecn not-ect ip ttl 62 ip id 787 ip protocol tcp ip length 60 tcp sport 49938 tcp dport 445 tcp flags == syn tcp window 64860
trace id 3202082b inet firewalld mangle_PREROUTING rule jump mangle_PREROUTING_ZONES (verdict jump mangle_PREROUTING_ZONES)
trace id 3202082b inet firewalld mangle_PREROUTING_ZONES rule goto mangle_PRE_trusted (verdict goto mangle_PRE_trusted)
trace id 3202082b inet firewalld mangle_PRE_trusted rule jump mangle_PREROUTING_POLICIES_pre (verdict jump mangle_PREROUTING_POLICIES_pre)
trace id 3202082b inet firewalld mangle_PREROUTING_POLICIES_pre rule jump mangle_PRE_policy_allow-host-ipv6 (verdict jump mangle_PRE_policy_allow-host-ipv6)
trace id 3202082b inet firewalld mangle_PRE_policy_allow-host-ipv6 rule jump mangle_PRE_policy_allow-host-ipv6_pre (verdict jump mangle_PRE_policy_allow-host-ipv6_pre)
trace id 3202082b inet firewalld mangle_PRE_policy_allow-host-ipv6_pre verdict continue
trace id 3202082b inet firewalld mangle_PRE_policy_allow-host-ipv6 rule jump mangle_PRE_policy_allow-host-ipv6_log (verdict jump mangle_PRE_policy_allow-host-ipv6_log)
trace id 3202082b inet firewalld mangle_PRE_policy_allow-host-ipv6_log verdict continue
trace id 3202082b inet firewalld mangle_PRE_policy_allow-host-ipv6 rule jump mangle_PRE_policy_allow-host-ipv6_deny (verdict jump mangle_PRE_policy_allow-host-ipv6_deny)
trace id 3202082b inet firewalld mangle_PRE_policy_allow-host-ipv6_deny verdict continue
trace id 3202082b inet firewalld mangle_PRE_policy_allow-host-ipv6 rule jump mangle_PRE_policy_allow-host-ipv6_allow (verdict jump mangle_PRE_policy_allow-host-ipv6_allow)
trace id 3202082b inet firewalld mangle_PRE_policy_allow-host-ipv6_allow verdict continue
trace id 3202082b inet firewalld mangle_PRE_policy_allow-host-ipv6 rule jump mangle_PRE_policy_allow-host-ipv6_post (verdict jump mangle_PRE_policy_allow-host-ipv6_post)
trace id 3202082b inet firewalld mangle_PRE_policy_allow-host-ipv6_post verdict continue
trace id 3202082b inet firewalld mangle_PRE_policy_allow-host-ipv6 verdict continue
trace id 3202082b inet firewalld mangle_PREROUTING_POLICIES_pre verdict continue
trace id 3202082b inet firewalld mangle_PRE_trusted rule jump mangle_PRE_trusted_pre (verdict jump mangle_PRE_trusted_pre)
trace id 3202082b inet firewalld mangle_PRE_trusted_pre verdict continue
trace id 3202082b inet firewalld mangle_PRE_trusted rule jump mangle_PRE_trusted_log (verdict jump mangle_PRE_trusted_log)
trace id 3202082b inet firewalld mangle_PRE_trusted_log verdict continue
trace id 3202082b inet firewalld mangle_PRE_trusted rule jump mangle_PRE_trusted_deny (verdict jump mangle_PRE_trusted_deny)
trace id 3202082b inet firewalld mangle_PRE_trusted_deny verdict continue
trace id 3202082b inet firewalld mangle_PRE_trusted rule jump mangle_PRE_trusted_allow (verdict jump mangle_PRE_trusted_allow)
trace id 3202082b inet firewalld mangle_PRE_trusted_allow verdict continue
trace id 3202082b inet firewalld mangle_PRE_trusted rule jump mangle_PRE_trusted_post (verdict jump mangle_PRE_trusted_post)
trace id 3202082b inet firewalld mangle_PRE_trusted_post verdict continue
trace id 3202082b inet firewalld mangle_PRE_trusted rule jump mangle_PREROUTING_POLICIES_post (verdict jump mangle_PREROUTING_POLICIES_post)
trace id 3202082b inet firewalld mangle_PREROUTING_POLICIES_post verdict continue
trace id 3202082b inet firewalld mangle_PRE_trusted verdict continue
trace id 3202082b inet firewalld mangle_PREROUTING verdict continue
trace id 3202082b inet firewalld mangle_PREROUTING policy accept
trace id 3202082b ip nat PREROUTING packet: iif "virbr1" ether saddr 52:54:00:17:47:13 ether daddr 52:54:00:54:6b:5e ip saddr 192.168.123.13 ip daddr 192.168.123.1 ip dscp cs0 ip ecn not-ect ip ttl 62 ip id 787 ip length 60 tcp sport 49938 tcp dport 445 tcp flags == syn tcp window 64860
trace id 3202082b ip nat PREROUTING rule meta l4proto tcp fib daddr type local tcp dport 445 counter packets 3018 bytes 180952 dnat to 192.168.123.103 (verdict accept)
trace id 3202082b inet firewalld filter_PREROUTING packet: iif "virbr1" ether saddr 52:54:00:17:47:13 ether daddr 52:54:00:54:6b:5e ip saddr 192.168.123.13 ip daddr 192.168.123.103 ip dscp cs0 ip ecn not-ect ip ttl 62 ip id 787 ip protocol tcp ip length 60 tcp sport 49938 tcp dport 445 tcp flags == syn tcp window 64860
trace id 3202082b inet firewalld filter_PREROUTING verdict continue
trace id 3202082b inet firewalld filter_PREROUTING policy accept
trace id 3202082b ip mangle FORWARD packet: iif "virbr1" oif "virbr1" ether saddr 52:54:00:17:47:13 ether daddr 52:54:00:b1:8b:eb ip saddr 192.168.123.13 ip daddr 192.168.123.103 ip dscp cs0 ip ecn not-ect ip ttl 62 ip id 787 ip length 60 tcp sport 49938 tcp dport 445 tcp flags == syn tcp window 64860
trace id 3202082b ip mangle FORWARD verdict continue
trace id 3202082b ip mangle FORWARD policy accept
trace id 3202082b ip filter FORWARD packet: iif "virbr1" oif "virbr1" ether saddr 52:54:00:17:47:13 ether daddr 52:54:00:b1:8b:eb ip saddr 192.168.123.13 ip daddr 192.168.123.103 ip dscp cs0 ip ecn not-ect ip ttl 62 ip id 787 ip length 60 tcp sport 49938 tcp dport 445 tcp flags == syn tcp window 64860
trace id 3202082b ip filter FORWARD verdict continue
trace id 3202082b ip filter FORWARD policy accept
trace id 3202082b inet firewalld filter_FORWARD packet: iif "virbr1" oif "virbr1" ether saddr 52:54:00:17:47:13 ether daddr 52:54:00:b1:8b:eb ip saddr 192.168.123.13 ip daddr 192.168.123.103 ip dscp cs0 ip ecn not-ect ip ttl 62 ip id 787 ip protocol tcp ip length 60 tcp sport 49938 tcp dport 445 tcp flags == syn tcp window 64860
trace id 3202082b inet firewalld filter_FORWARD rule ct status dnat accept (verdict accept)
Not working:
trace id fea3c476 ip raw PREROUTING packet: iif "virbr1" ether saddr 52:54:00:b1:8b:eb ether daddr 52:54:00:54:6b:5e ip saddr 192.168.123.11 ip daddr 192.168.123.1 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 63222 ip length 60 tcp sport 32920 tcp dport 445 tcp flags == syn tcp window 64240
trace id fea3c476 ip raw PREROUTING rule meta l4proto tcp fib daddr type local tcp dport 445 counter packets 96 bytes 5732 meta nftrace set 1 (verdict continue)
trace id fea3c476 ip raw PREROUTING verdict continue
trace id fea3c476 ip raw PREROUTING policy accept
trace id fea3c476 inet firewalld mangle_PREROUTING packet: iif "virbr1" ether saddr 52:54:00:b1:8b:eb ether daddr 52:54:00:54:6b:5e ip saddr 192.168.123.11 ip daddr 192.168.123.1 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 63222 ip protocol tcp ip length 60 tcp sport 32920 tcp dport 445 tcp flags == syn tcp window 64240
trace id fea3c476 inet firewalld mangle_PREROUTING rule jump mangle_PREROUTING_ZONES (verdict jump mangle_PREROUTING_ZONES)
trace id fea3c476 inet firewalld mangle_PREROUTING_ZONES rule goto mangle_PRE_trusted (verdict goto mangle_PRE_trusted)
trace id fea3c476 inet firewalld mangle_PRE_trusted rule jump mangle_PREROUTING_POLICIES_pre (verdict jump mangle_PREROUTING_POLICIES_pre)
trace id fea3c476 inet firewalld mangle_PREROUTING_POLICIES_pre rule jump mangle_PRE_policy_allow-host-ipv6 (verdict jump mangle_PRE_policy_allow-host-ipv6)
trace id fea3c476 inet firewalld mangle_PRE_policy_allow-host-ipv6 rule jump mangle_PRE_policy_allow-host-ipv6_pre (verdict jump mangle_PRE_policy_allow-host-ipv6_pre)
trace id fea3c476 inet firewalld mangle_PRE_policy_allow-host-ipv6_pre verdict continue
trace id fea3c476 inet firewalld mangle_PRE_policy_allow-host-ipv6 rule jump mangle_PRE_policy_allow-host-ipv6_log (verdict jump mangle_PRE_policy_allow-host-ipv6_log)
trace id fea3c476 inet firewalld mangle_PRE_policy_allow-host-ipv6_log verdict continue
trace id fea3c476 inet firewalld mangle_PRE_policy_allow-host-ipv6 rule jump mangle_PRE_policy_allow-host-ipv6_deny (verdict jump mangle_PRE_policy_allow-host-ipv6_deny)
trace id fea3c476 inet firewalld mangle_PRE_policy_allow-host-ipv6_deny verdict continue
trace id fea3c476 inet firewalld mangle_PRE_policy_allow-host-ipv6 rule jump mangle_PRE_policy_allow-host-ipv6_allow (verdict jump mangle_PRE_policy_allow-host-ipv6_allow)
trace id fea3c476 inet firewalld mangle_PRE_policy_allow-host-ipv6_allow verdict continue
trace id fea3c476 inet firewalld mangle_PRE_policy_allow-host-ipv6 rule jump mangle_PRE_policy_allow-host-ipv6_post (verdict jump mangle_PRE_policy_allow-host-ipv6_post)
trace id fea3c476 inet firewalld mangle_PRE_policy_allow-host-ipv6_post verdict continue
trace id fea3c476 inet firewalld mangle_PRE_policy_allow-host-ipv6 verdict continue
trace id fea3c476 inet firewalld mangle_PREROUTING_POLICIES_pre verdict continue
trace id fea3c476 inet firewalld mangle_PRE_trusted rule jump mangle_PRE_trusted_pre (verdict jump mangle_PRE_trusted_pre)
trace id fea3c476 inet firewalld mangle_PRE_trusted_pre verdict continue
trace id fea3c476 inet firewalld mangle_PRE_trusted rule jump mangle_PRE_trusted_log (verdict jump mangle_PRE_trusted_log)
trace id fea3c476 inet firewalld mangle_PRE_trusted_log verdict continue
trace id fea3c476 inet firewalld mangle_PRE_trusted rule jump mangle_PRE_trusted_deny (verdict jump mangle_PRE_trusted_deny)
trace id fea3c476 inet firewalld mangle_PRE_trusted_deny verdict continue
trace id fea3c476 inet firewalld mangle_PRE_trusted rule jump mangle_PRE_trusted_allow (verdict jump mangle_PRE_trusted_allow)
trace id fea3c476 inet firewalld mangle_PRE_trusted_allow verdict continue
trace id fea3c476 inet firewalld mangle_PRE_trusted rule jump mangle_PRE_trusted_post (verdict jump mangle_PRE_trusted_post)
trace id fea3c476 inet firewalld mangle_PRE_trusted_post verdict continue
trace id fea3c476 inet firewalld mangle_PRE_trusted rule jump mangle_PREROUTING_POLICIES_post (verdict jump mangle_PREROUTING_POLICIES_post)
trace id fea3c476 inet firewalld mangle_PREROUTING_POLICIES_post verdict continue
trace id fea3c476 inet firewalld mangle_PRE_trusted verdict continue
trace id fea3c476 inet firewalld mangle_PREROUTING verdict continue
trace id fea3c476 inet firewalld mangle_PREROUTING policy accept
trace id fea3c476 ip nat PREROUTING packet: iif "virbr1" ether saddr 52:54:00:b1:8b:eb ether daddr 52:54:00:54:6b:5e ip saddr 192.168.123.11 ip daddr 192.168.123.1 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 63222 ip length 60 tcp sport 32920 tcp dport 445 tcp flags == syn tcp window 64240
trace id fea3c476 ip nat PREROUTING rule meta l4proto tcp fib daddr type local tcp dport 445 counter packets 2881 bytes 172708 dnat to 192.168.123.103 (verdict accept)
trace id fea3c476 inet firewalld filter_PREROUTING packet: iif "virbr1" ether saddr 52:54:00:b1:8b:eb ether daddr 52:54:00:54:6b:5e ip saddr 192.168.123.11 ip daddr 192.168.123.103 ip dscp cs0 ip ecn not-ect ip ttl 64 ip id 63222 ip protocol tcp ip length 60 tcp sport 32920 tcp dport 445 tcp flags == syn tcp window 64240
trace id fea3c476 inet firewalld filter_PREROUTING verdict continue
trace id fea3c476 inet firewalld filter_PREROUTING policy accept
ip addr 输出:
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: enp6s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 0a:e0:af:c6:00:d0 brd ff:ff:ff:ff:ff:ff
inet 192.168.1.10/24 brd 192.168.1.255 scope global dynamic noprefixroute enp6s0
valid_lft 39944sec preferred_lft 39944sec
3: virbr1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 52:54:00:54:6b:5e brd ff:ff:ff:ff:ff:ff
inet 192.168.123.1/24 brd 192.168.123.255 scope global virbr1
valid_lft forever preferred_lft forever
ip route 输出:
default via 192.168.1.1 dev enp6s0 proto dhcp src 192.168.1.10 metric 100
192.168.1.0/24 dev enp6s0 proto kernel scope link src 192.168.1.10 metric 100
192.168.123.0/24 dev virbr1 proto kernel scope link src 192.168.123.1
nft list ruleset 输出:
# IPv4 filter table. Both base chains use policy accept and contain no drop or
# reject rule, so this table never blocks a packet by itself.
table ip filter {
# INPUT: every TCP packet addressed to this host is passed through f2b-sshd
# (counted), then falls through to the accept policy.
chain INPUT {
type filter hook input priority filter; policy accept;
meta l4proto tcp counter packets 2283119 bytes 12047540484 jump f2b-sshd
}
# f2b-sshd: holds only a counting `return`; no ban entries are present in this
# dump. NOTE(review): the name suggests fail2ban's sshd jail - confirm.
chain f2b-sshd {
counter packets 2278196 bytes 12047096552 return
}
# FORWARD: no rules, policy accept. Forwarded (including DNATed) traffic is
# filtered only by other tables hooked at forward.
chain FORWARD {
type filter hook forward priority filter; policy accept;
}
}
# IPv4 NAT table holding the port-forward under discussion.
table ip nat {
# PREROUTING: rewrites the destination of any TCP/445 packet whose destination
# is one of this host's own addresses (`fib daddr type local`) to
# 192.168.123.103.
# NOTE(review): the rule matches neither input interface nor source address,
# so it also applies to TCP/445 arriving on enp6s0 for 192.168.1.10, not only
# to clients on virbr1. If SMB is meant to be reachable from the virbr1
# network only, the match should be narrowed (e.g. by iifname) - confirm intent.
chain PREROUTING {
type nat hook prerouting priority dstnat; policy accept;
meta l4proto tcp fib daddr type local tcp dport 445 counter packets 3128 bytes 187556 dnat to 192.168.123.103
}
# POSTROUTING: empty, so this table performs no source NAT. A DNATed packet
# leaves with its original source address.
# NOTE(review): for a client on the same subnet as the DNAT target, replies
# would then not have to pass back through this host; whether that explains
# the failing trace is not established by this dump.
chain POSTROUTING {
type nat hook postrouting priority srcnat; policy accept;
}
}
# Dual-stack (inet) table named "firewalld". Every hook dispatches by interface:
# packets on enp6s0 go to the *_public chains, everything else (including
# virbr1) goes to the *_trusted chains. Most per-zone sub-chains are empty.
table inet firewalld {
# mangle_PREROUTING: base chain, only dispatches to the zone chains.
chain mangle_PREROUTING {
type filter hook prerouting priority mangle + 10; policy accept;
jump mangle_PREROUTING_ZONES
}
chain mangle_PREROUTING_POLICIES_pre {
jump mangle_PRE_policy_allow-host-ipv6
}
# Zone dispatch: enp6s0 -> public, any other interface -> trusted.
chain mangle_PREROUTING_ZONES {
iifname "enp6s0" goto mangle_PRE_public
goto mangle_PRE_trusted
}
chain mangle_PREROUTING_POLICIES_post {
}
# nat_PREROUTING: runs at dstnat + 10, i.e. after the `ip nat` PREROUTING chain
# at priority dstnat. None of the chains reachable from here contains a NAT
# statement in this dump.
chain nat_PREROUTING {
type nat hook prerouting priority dstnat + 10; policy accept;
jump nat_PREROUTING_ZONES
}
chain nat_PREROUTING_POLICIES_pre {
jump nat_PRE_policy_allow-host-ipv6
}
chain nat_PREROUTING_ZONES {
iifname "enp6s0" goto nat_PRE_public
goto nat_PRE_trusted
}
chain nat_PREROUTING_POLICIES_post {
}
# nat_POSTROUTING: source-NAT dispatch by output interface.
chain nat_POSTROUTING {
type nat hook postrouting priority srcnat + 10; policy accept;
jump nat_POSTROUTING_ZONES
}
chain nat_POSTROUTING_POLICIES_pre {
}
# Only traffic leaving via enp6s0 reaches nat_POST_public (which masquerades).
# Traffic leaving via virbr1 goes to nat_POST_trusted, which has no NAT rule,
# so it keeps its original source address.
chain nat_POSTROUTING_ZONES {
oifname "enp6s0" goto nat_POST_public
goto nat_POST_trusted
}
chain nat_POSTROUTING_POLICIES_post {
}
# filter_PREROUTING: accepts two ICMPv6 neighbour-discovery types, then drops
# IPv6 packets whose source has no route back out the input interface
# (reverse-path check). The drop is restricted to IPv6 by `meta nfproto ipv6`;
# IPv4 packets fall through to the accept policy.
chain filter_PREROUTING {
type filter hook prerouting priority filter + 10; policy accept;
icmpv6 type { nd-router-advert, nd-neighbor-solicit } accept
meta nfproto ipv6 fib saddr . mark . iif oif missing drop
}
# filter_INPUT: accept established/related, DNATed and loopback traffic, then
# dispatch by zone; whatever returns is dropped if invalid, otherwise rejected.
chain filter_INPUT {
type filter hook input priority filter + 10; policy accept;
ct state { established, related } accept
ct status dnat accept
iifname "lo" accept
jump filter_INPUT_ZONES
ct state { invalid } drop
reject with icmpx type admin-prohibited
}
# filter_FORWARD: same shape as filter_INPUT.
# NOTE(review): `ct status dnat accept` is evaluated before the zone dispatch,
# so every connection that was DNATed in prerouting is forwarded regardless of
# the zone it arrived from. Combined with an interface-agnostic DNAT rule this
# bypasses the reject at the end of filter_FWD_public - confirm this is intended.
chain filter_FORWARD {
type filter hook forward priority filter + 10; policy accept;
ct state { established, related } accept
ct status dnat accept
iifname "lo" accept
ip6 daddr { ::/96, ::ffff:0.0.0.0/96, 2002::/24, 2002:a00::/24, 2002:7f00::/24, 2002:a9fe::/32, 2002:ac10::/28, 2002:c0a8::/32, 2002:e000::/19 } reject with icmpv6 type addr-unreachable
jump filter_FORWARD_ZONES
ct state { invalid } drop
reject with icmpx type admin-prohibited
}
# filter_OUTPUT: locally generated traffic; nothing is rejected except the
# listed IPv6 destination prefixes.
chain filter_OUTPUT {
type filter hook output priority filter + 10; policy accept;
ct state { established, related } accept
oifname "lo" accept
ip6 daddr { ::/96, ::ffff:0.0.0.0/96, 2002::/24, 2002:a00::/24, 2002:7f00::/24, 2002:a9fe::/32, 2002:ac10::/28, 2002:c0a8::/32, 2002:e000::/19 } reject with icmpv6 type addr-unreachable
jump filter_OUTPUT_POLICIES_pre
jump filter_OUTPUT_POLICIES_post
}
chain filter_INPUT_POLICIES_pre {
jump filter_IN_policy_allow-host-ipv6
}
chain filter_INPUT_ZONES {
iifname "enp6s0" goto filter_IN_public
goto filter_IN_trusted
}
chain filter_INPUT_POLICIES_post {
}
chain filter_FORWARD_POLICIES_pre {
}
chain filter_FORWARD_ZONES {
iifname "enp6s0" goto filter_FWD_public
goto filter_FWD_trusted
}
chain filter_FORWARD_POLICIES_post {
}
chain filter_OUTPUT_POLICIES_pre {
}
chain filter_OUTPUT_POLICIES_post {
}
# Trusted zone, input: all sub-chains are empty and the chain ends in `accept`,
# so everything arriving on a non-enp6s0 interface for this host is accepted.
chain filter_IN_trusted {
jump filter_INPUT_POLICIES_pre
jump filter_IN_trusted_pre
jump filter_IN_trusted_log
jump filter_IN_trusted_deny
jump filter_IN_trusted_allow
jump filter_IN_trusted_post
jump filter_INPUT_POLICIES_post
accept
}
chain filter_IN_trusted_pre {
}
chain filter_IN_trusted_log {
}
chain filter_IN_trusted_deny {
}
chain filter_IN_trusted_allow {
}
chain filter_IN_trusted_post {
}
# Trusted zone, postrouting NAT: no masquerade or snat rule anywhere below.
chain nat_POST_trusted {
jump nat_POSTROUTING_POLICIES_pre
jump nat_POST_trusted_pre
jump nat_POST_trusted_log
jump nat_POST_trusted_deny
jump nat_POST_trusted_allow
jump nat_POST_trusted_post
jump nat_POSTROUTING_POLICIES_post
}
chain nat_POST_trusted_pre {
}
chain nat_POST_trusted_log {
}
chain nat_POST_trusted_deny {
}
chain nat_POST_trusted_allow {
}
chain nat_POST_trusted_post {
}
# Trusted zone, forward: ends in `accept`; packets entering on virbr1 are
# forwarded without further restriction.
chain filter_FWD_trusted {
jump filter_FORWARD_POLICIES_pre
jump filter_FWD_trusted_pre
jump filter_FWD_trusted_log
jump filter_FWD_trusted_deny
jump filter_FWD_trusted_allow
jump filter_FWD_trusted_post
jump filter_FORWARD_POLICIES_post
accept
}
chain filter_FWD_trusted_pre {
}
chain filter_FWD_trusted_log {
}
chain filter_FWD_trusted_deny {
}
chain filter_FWD_trusted_allow {
}
chain filter_FWD_trusted_post {
}
chain nat_PRE_trusted {
jump nat_PREROUTING_POLICIES_pre
jump nat_PRE_trusted_pre
jump nat_PRE_trusted_log
jump nat_PRE_trusted_deny
jump nat_PRE_trusted_allow
jump nat_PRE_trusted_post
jump nat_PREROUTING_POLICIES_post
}
chain nat_PRE_trusted_pre {
}
chain nat_PRE_trusted_log {
}
chain nat_PRE_trusted_deny {
}
chain nat_PRE_trusted_allow {
}
chain nat_PRE_trusted_post {
}
# Trusted zone, mangle prerouting: this is the path both traces walk through;
# every sub-chain is empty, so the packet is not modified here.
chain mangle_PRE_trusted {
jump mangle_PREROUTING_POLICIES_pre
jump mangle_PRE_trusted_pre
jump mangle_PRE_trusted_log
jump mangle_PRE_trusted_deny
jump mangle_PRE_trusted_allow
jump mangle_PRE_trusted_post
jump mangle_PREROUTING_POLICIES_post
}
chain mangle_PRE_trusted_pre {
}
chain mangle_PRE_trusted_log {
}
chain mangle_PRE_trusted_deny {
}
chain mangle_PRE_trusted_allow {
}
chain mangle_PRE_trusted_post {
}
# Policy "allow-host-ipv6", input side: accepts the ICMPv6 neighbour-discovery
# messages listed in the _allow chain.
chain filter_IN_policy_allow-host-ipv6 {
jump filter_IN_policy_allow-host-ipv6_pre
jump filter_IN_policy_allow-host-ipv6_log
jump filter_IN_policy_allow-host-ipv6_deny
jump filter_IN_policy_allow-host-ipv6_allow
jump filter_IN_policy_allow-host-ipv6_post
}
chain filter_IN_policy_allow-host-ipv6_pre {
}
chain filter_IN_policy_allow-host-ipv6_log {
}
chain filter_IN_policy_allow-host-ipv6_deny {
}
chain filter_IN_policy_allow-host-ipv6_allow {
icmpv6 type nd-neighbor-advert accept
icmpv6 type nd-neighbor-solicit accept
icmpv6 type nd-router-advert accept
icmpv6 type nd-redirect accept
}
chain filter_IN_policy_allow-host-ipv6_post {
}
chain nat_PRE_policy_allow-host-ipv6 {
jump nat_PRE_policy_allow-host-ipv6_pre
jump nat_PRE_policy_allow-host-ipv6_log
jump nat_PRE_policy_allow-host-ipv6_deny
jump nat_PRE_policy_allow-host-ipv6_allow
jump nat_PRE_policy_allow-host-ipv6_post
}
chain nat_PRE_policy_allow-host-ipv6_pre {
}
chain nat_PRE_policy_allow-host-ipv6_log {
}
chain nat_PRE_policy_allow-host-ipv6_deny {
}
chain nat_PRE_policy_allow-host-ipv6_allow {
}
chain nat_PRE_policy_allow-host-ipv6_post {
}
chain mangle_PRE_policy_allow-host-ipv6 {
jump mangle_PRE_policy_allow-host-ipv6_pre
jump mangle_PRE_policy_allow-host-ipv6_log
jump mangle_PRE_policy_allow-host-ipv6_deny
jump mangle_PRE_policy_allow-host-ipv6_allow
jump mangle_PRE_policy_allow-host-ipv6_post
}
chain mangle_PRE_policy_allow-host-ipv6_pre {
}
chain mangle_PRE_policy_allow-host-ipv6_log {
}
chain mangle_PRE_policy_allow-host-ipv6_deny {
}
chain mangle_PRE_policy_allow-host-ipv6_allow {
}
chain mangle_PRE_policy_allow-host-ipv6_post {
}
# Public zone (enp6s0), input: after the allow chain only ICMP/ICMPv6 is
# accepted; everything else is rejected.
chain filter_IN_public {
jump filter_INPUT_POLICIES_pre
jump filter_IN_public_pre
jump filter_IN_public_log
jump filter_IN_public_deny
jump filter_IN_public_allow
jump filter_IN_public_post
jump filter_INPUT_POLICIES_post
meta l4proto { icmp, ipv6-icmp } accept
reject with icmpx type admin-prohibited
}
chain filter_IN_public_pre {
}
chain filter_IN_public_log {
}
chain filter_IN_public_deny {
}
# Services opened on enp6s0: TCP/22 and UDP/546 to link-local IPv6 addresses.
# TCP/445 is not listed here; it is reachable through the DNAT rule in
# `table ip nat` instead, which takes the forward path.
chain filter_IN_public_allow {
tcp dport 22 ct state { new, untracked } accept
ip6 daddr fe80::/64 udp dport 546 ct state { new, untracked } accept
}
chain filter_IN_public_post {
}
chain nat_POST_public {
jump nat_POSTROUTING_POLICIES_pre
jump nat_POST_public_pre
jump nat_POST_public_log
jump nat_POST_public_deny
jump nat_POST_public_allow
jump nat_POST_public_post
jump nat_POSTROUTING_POLICIES_post
}
chain nat_POST_public_pre {
}
chain nat_POST_public_log {
}
chain nat_POST_public_deny {
}
# The only source-NAT rule in the ruleset: masquerade IPv4 traffic. This chain
# is reached only for packets leaving via enp6s0 (see nat_POSTROUTING_ZONES).
chain nat_POST_public_allow {
meta nfproto ipv4 oifname != "lo" masquerade
}
chain nat_POST_public_post {
}
# Public zone, forward: packets that entered on enp6s0 are rejected unless
# accepted by the allow chain below.
chain filter_FWD_public {
jump filter_FORWARD_POLICIES_pre
jump filter_FWD_public_pre
jump filter_FWD_public_log
jump filter_FWD_public_deny
jump filter_FWD_public_allow
jump filter_FWD_public_post
jump filter_FORWARD_POLICIES_post
reject with icmpx type admin-prohibited
}
chain filter_FWD_public_pre {
}
chain filter_FWD_public_log {
}
chain filter_FWD_public_deny {
}
# Allows forwarding only when the packet also leaves via enp6s0.
chain filter_FWD_public_allow {
oifname "enp6s0" accept
}
chain filter_FWD_public_post {
}
chain nat_PRE_public {
jump nat_PREROUTING_POLICIES_pre
jump nat_PRE_public_pre
jump nat_PRE_public_log
jump nat_PRE_public_deny
jump nat_PRE_public_allow
jump nat_PRE_public_post
jump nat_PREROUTING_POLICIES_post
}
chain nat_PRE_public_pre {
}
chain nat_PRE_public_log {
}
chain nat_PRE_public_deny {
}
chain nat_PRE_public_allow {
}
chain nat_PRE_public_post {
}
chain mangle_PRE_public {
jump mangle_PREROUTING_POLICIES_pre
jump mangle_PRE_public_pre
jump mangle_PRE_public_log
jump mangle_PRE_public_deny
jump mangle_PRE_public_allow
jump mangle_PRE_public_post
jump mangle_PREROUTING_POLICIES_post
}
chain mangle_PRE_public_pre {
}
chain mangle_PRE_public_log {
}
chain mangle_PRE_public_deny {
}
chain mangle_PRE_public_allow {
}
chain mangle_PRE_public_post {
}
}
# IPv4 raw table, used here only to switch on packet tracing.
table ip raw {
# PREROUTING: sets `meta nftrace` on incoming TCP/445 packets addressed to a
# local address, using the same match as the DNAT rule. This is what produces
# the "trace id ..." lines; it does not change the packet or its verdict.
chain PREROUTING {
type filter hook prerouting priority raw; policy accept;
meta l4proto tcp fib daddr type local tcp dport 445 counter packets 974 bytes 53844 meta nftrace set 1
}
# OUTPUT: empty, so packets generated by this host are not traced.
chain OUTPUT {
type filter hook output priority raw; policy accept;
}
}
# IPv4 mangle table: a single empty FORWARD base chain with policy accept.
# It modifies nothing; it shows up in the working trace as "ip mangle FORWARD".
table ip mangle {
chain FORWARD {
type filter hook forward priority mangle; policy accept;
}
}