user Posted June 16, 2020

An elementary task: NAT for ICMP packets.

172.19.4.254 belongs to another router, and packets from it arrive at the gateway "as is", via eth1.
eth0.990 faces the provider.

We add the iptables rules:

[0:0] -A POSTROUTING -s 172.19.4.254/32 -o eth0.990 -p icmp -j SNAT --to-source 1.2.3.4
[0:0] -A POSTROUTING -s 172.19.4.254/32 -o eth0.990 -j MASQUERADE

but no such luck:

tshark -nta -i eth0.990 host 172.19.4.254 and proto ICMP
Capturing on 'eth0.990'
1 14:34:04.255576453 172.19.4.254 → 83.97.20.35 ICMP 86 Destination unreachable (Host unreachable)
2 14:34:04.263094684 172.19.4.254 → 196.52.43.128 ICMP 86 Destination unreachable (Host unreachable)
3 14:34:04.282221431 172.19.4.254 → 185.39.11.38 ICMP 86 Destination unreachable (Host unreachable)
4 14:34:04.292742038 172.19.4.254 → 51.38.103.218 ICMP 590 Destination unreachable (Fragmentation needed)
5 14:34:04.292775141 172.19.4.254 → 51.38.103.218 ICMP 590 Destination unreachable (Fragmentation needed)
6 14:34:04.293790866 172.19.4.254 → 51.38.103.218 ICMP 590 Destination unreachable (Fragmentation needed)

It did not hit the rules:

iptables-save -c
[0:0] -A POSTROUTING -s 172.19.4.254/32 -o eth0.990 -p icmp -j SNAT --to-source 1.2.3.4
[12345:XXXX6] -A POSTROUTING -s 172.19.4.254/32 -o eth0.990 -j MASQUERADE

That is, traffic from IP 172.19.4.254/32 is not handled anywhere earlier, and it whizzes past "-p icmp".

iptables-save -c | grep icmp
[0:0] -A POSTROUTING -s 172.19.4.254/32 -o eth0.990 -p icmp -j SNAT --to-source 1.2.3.4
[14:421] -A MYSHAPER-IN -i eth0.990 -p icmp -m mark --mark 0x0 -j MARK --set-xmark 0x3010/0xffffffff

And ICMP is not handled anywhere earlier either.
user (Author) Posted June 16, 2020 (edited)

iptables-save -c | grep LOG
[0:0] -A POSTROUTING -o eth0.990 -p icmp -m icmp --icmp-type 1 -j LOG
[0:0] -A POSTROUTING -o eth0.990 -p icmp -m icmp --icmp-type 2 -j LOG
[0:0] -A POSTROUTING -o eth0.990 -p icmp -m icmp --icmp-type 3 -j LOG
[0:0] -A POSTROUTING -o eth0.990 -p icmp -m icmp --icmp-type 4 -j LOG
[0:0] -A POSTROUTING -o eth0.990 -p icmp -m icmp --icmp-type 5 -j LOG
[0:0] -A POSTROUTING -o eth0.990 -p icmp -m icmp --icmp-type 6 -j LOG
[0:0] -A POSTROUTING -o eth0.990 -p icmp -m icmp --icmp-type 7 -j LOG
[6:480] -A POSTROUTING -o eth0.990 -p icmp -m icmp --icmp-type 8 -j LOG

tshark -nta -i eth0.990 -c 10 host 172.19.4.254 and proto ICMP
Capturing on 'eth0.990'
1 15:15:44.613903180 172.19.4.254 → 197.63.117.17 ICMP 86 Destination unreachable (Host unreachable)
2 15:15:44.658591897 172.19.4.254 → 58.228.159.253 ICMP 86 Destination unreachable (Host unreachable)
3 15:15:44.678200493 172.19.4.254 → 50.78.132.225 ICMP 86 Destination unreachable (Host unreachable)
4 15:15:44.695856784 172.19.4.254 → 46.39.51.215 ICMP 90 Destination unreachable (Host unreachable)
5 15:15:44.710039862 172.19.4.254 → 188.69.193.87 ICMP 94 Destination unreachable (Host unreachable)
6 15:15:44.717459074 172.19.4.254 → 77.121.70.11 ICMP 86 Destination unreachable (Host unreachable)
7 15:15:44.809850348 172.19.4.254 → 185.153.180.241 ICMP 86 Destination unreachable (Host unreachable)
8 15:15:44.857079080 172.19.4.254 → 103.133.106.81 ICMP 86 Destination unreachable (Host unreachable)
9 15:15:44.887351358 172.19.4.254 → 207.180.222.211 ICMP 86 Destination unreachable (Host unreachable)
10 15:15:45.061933421 172.19.4.254 → 95.29.94.14 ICMP 94 Destination unreachable (Host unreachable)

Edited June 16, 2020 by user