I want to redirect all incoming traffic on interface ens4f0 to the IP address 192.168.50.10, but Wireshark shows that the destination IP address of the incoming packets is unchanged. Is this the expected behaviour? I thought PREROUTING came before anything else?
My iptables commands are:
# iptables -t nat -A PREROUTING -i ens4f0 -j DNAT --to 192.168.50.10
# iptables -t nat -vL
Chain PREROUTING (policy ACCEPT 24618 packets, 1923K bytes)
pkts bytes target prot opt in out source destination
0 0 DNAT all -- ens4f0 any anywhere anywhere to:192.168.50.8
0 0 DNAT all -- ens4f0 any anywhere anywhere to:192.168.50.10
0 0 DNAT all -- ens4f0 any anywhere anywhere to:192.168.50.10
I know the incoming packets come from 192.168.50.8, so I also tried:
# iptables -t nat -A PREROUTING -i ens4f0 -j DNAT -s 192.168.50.8/32 --to 192.168.50.10
# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT all -- anywhere anywhere to:192.168.50.8
DNAT all -- anywhere anywhere to:192.168.50.10
DNAT all -- anywhere anywhere to:192.168.50.10
DNAT all -- 192.168.50.8 anywhere to:192.168.50.10
Wireshark captures incoming packets before they are processed by the firewall (and outbound packets after the firewall has processed them), so you cannot see the changes the firewall makes to inbound packets in this capture. Try capturing on the outgoing interface to see the modified packets.
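Before moving the capture to the egress interface, the `pkts` column of `iptables -t nat -vL` already tells you whether a DNAT rule matched anything at all. The following added example (not part of the question or answer above) parses that output and lists rules whose counters are still zero, using the PREROUTING listing from the question as a constructed sample. Only the first packet of each connection is sent through the nat table, so these counters count new connections rather than every packet; the chain's policy counter counts the packets that fell through without matching any rule. The parser assumes the verbose (`-v`) column layout.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the `iptables -t nat -vL` output quoted in the question.
SAMPLE = """\
Chain PREROUTING (policy ACCEPT 24618 packets, 1923K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       all  --  ens4f0 any     anywhere             anywhere             to:192.168.50.8
    0     0 DNAT       all  --  ens4f0 any     anywhere             anywhere             to:192.168.50.10
    0     0 DNAT       all  --  ens4f0 any     anywhere             anywhere             to:192.168.50.10
"""

# Built-in chains carry a policy and its counters; user-defined chains carry a reference count.
_POLICY_RE = re.compile(r"^Chain (\S+) \(policy (\S+) (\S+) packets, (\S+) bytes\)")
_REFS_RE = re.compile(r"^Chain (\S+) \((\d+) references\)")
_SUFFIX = {"K": 1000, "M": 1000 ** 2, "G": 1000 ** 3}


def parse_count(token: str) -> int:
    """iptables -v abbreviates counters (1923K, 12M, ...) unless -x is also given."""
    if token and token[-1] in _SUFFIX:
        return int(token[:-1]) * _SUFFIX[token[-1]]
    return int(token)


def parse_nat_table(text: str) -> Dict[str, dict]:
    """Parse `iptables -t nat -vL` output into {chain_name: {policy counters, rules}}."""
    chains: Dict[str, dict] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _POLICY_RE.match(line)
        if m:
            current = {"policy": m.group(2), "policy_pkts": parse_count(m.group(3)),
                       "policy_bytes": parse_count(m.group(4)), "rules": []}
            chains[m.group(1)] = current
            continue
        m = _REFS_RE.match(line)
        if m:
            current = {"policy": None, "policy_pkts": 0, "policy_bytes": 0, "rules": []}
            chains[m.group(1)] = current
            continue
        if line.startswith("pkts ") or current is None:
            continue  # column header, or text before the first chain
        fields = line.split()
        if len(fields) < 9:
            continue
        # Verbose layout: pkts bytes target prot opt in out source destination [match/target options]
        current["rules"].append({
            "pkts": parse_count(fields[0]), "bytes": parse_count(fields[1]),
            "target": fields[2], "prot": fields[3], "in": fields[5], "out": fields[6],
            "source": fields[7], "destination": fields[8], "extra": " ".join(fields[9:]),
        })
    return chains


def unmatched_rules(chains: Dict[str, dict]) -> List[Tuple[str, int, str]]:
    """Return (chain, rule_index, description) for every rule that has never matched."""
    found = []
    for name, chain in chains.items():
        for idx, rule in enumerate(chain["rules"], start=1):
            if rule["pkts"] == 0:
                desc = f"{rule['target']} in={rule['in']} src={rule['source']} {rule['extra']}".strip()
                found.append((name, idx, desc))
    return found


def chain_summary(chains: Dict[str, dict], name: str) -> Dict[str, int]:
    """Compare connections that matched some rule with those that fell through to the policy."""
    chain = chains[name]
    return {"matched": sum(r["pkts"] for r in chain["rules"]),
            "fell_through": chain["policy_pkts"]}


if __name__ == "__main__":
    table = parse_nat_table(SAMPLE)
    print(chain_summary(table, "PREROUTING"))
    for chain, idx, desc in unmatched_rules(table):
        print(f"{chain} rule {idx} never matched: {desc}")
```

Run against the sample, every PREROUTING rule reports zero hits while the policy counter shows thousands of packets falling through, which is the first thing to reconcile before trusting any capture.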