添加跟踪点
bash
# cat ipsec-debug.sh
iptables -t raw -I PREROUTING -p esp -j NFLOG --nflog-group 5
iptables -t raw -I PREROUTING -p ah -j NFLOG --nflog-group 5
iptables -t raw -I PREROUTING -p udp -m multiport --dports 500,4500 -j NFLOG --nflog-group 5
iptables -t raw -I OUTPUT -p esp -j NFLOG --nflog-group 5
iptables -t raw -I OUTPUT -p ah -j NFLOG --nflog-group 5
iptables -t raw -I OUTPUT -p udp -m multiport --dports 500,4500 -j NFLOG --nflog-group 5
iptables -t mangle -I PREROUTING -m policy --pol ipsec --dir in -j NFLOG --nflog-group 5
iptables -t mangle -I POSTROUTING -m policy --pol ipsec --dir out -j NFLOG --nflog-group 5
iptables -t filter -I INPUT -m addrtype --dst-type LOCAL -m policy --pol ipsec --dir in -j NFLOG --nflog-group 5
iptables -t filter -I FORWARD -m addrtype ! --dst-type LOCAL -m policy --pol ipsec --dir in -j NFLOG --nflog-group 5
iptables -t filter -I OUTPUT -m policy --pol ipsec --dir out -j NFLOG --nflog-group 5
# tcpdump -s 0 -n -i nflog:5清理跟踪点
bash
iptables -t raw -D PREROUTING -p esp -j NFLOG --nflog-group 5
iptables -t raw -D PREROUTING -p ah -j NFLOG --nflog-group 5
iptables -t raw -D PREROUTING -p udp -m multiport --dports 500,4500 -j NFLOG --nflog-group 5
iptables -t raw -D OUTPUT -p esp -j NFLOG --nflog-group 5
iptables -t raw -D OUTPUT -p ah -j NFLOG --nflog-group 5
iptables -t raw -D OUTPUT -p udp -m multiport --dports 500,4500 -j NFLOG --nflog-group 5
iptables -t mangle -D PREROUTING -m policy --pol ipsec --dir in -j NFLOG --nflog-group 5
iptables -t mangle -D POSTROUTING -m policy --pol ipsec --dir out -j NFLOG --nflog-group 5
iptables -t filter -D INPUT -m addrtype --dst-type LOCAL -m policy --pol ipsec --dir in -j NFLOG --nflog-group 5
iptables -t filter -D FORWARD -m addrtype ! --dst-type LOCAL -m policy --pol ipsec --dir in -j NFLOG --nflog-group 5
iptables -t filter -D OUTPUT -m policy --pol ipsec --dir out -j NFLOG --nflog-group 5原文参考: