LINUX.ORG.RU

Edit history

Revision by KivApple (current version):

[37568.848974] mangle-prerouting IN=tun0 OUT= MAC= SRC=10.8.0.2 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=35755 DF PROTO=ICMP TYPE=8 CODE=0 ID=6613 SEQ=1 
[37568.863147] mangle-forward IN=tun0 OUT=eth0 MAC= SRC=10.8.0.2 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=35755 DF PROTO=ICMP TYPE=8 CODE=0 ID=6613 SEQ=1 
[37568.914012] mangle-prerouting IN=eth0 OUT= MAC=02:8e:06:c3:2f:12:10:fe:ed:8f:6e:12:08:00 SRC=8.8.8.8 DST=192.168.0.2 LEN=84 TOS=0x00 PREC=0x00 TTL=246 ID=37975 PROTO=ICMP TYPE=0 CODE=0 ID=6613 SEQ=1 

The packet reaches neither mangle forward nor mangle input, only mangle prerouting.

I tried iptables -t raw -A PREROUTING -p icmp -j TRACE:

[37756.525419] TRACE: raw:PREROUTING:policy:2 IN=tun0 OUT= MAC= SRC=10.8.0.2 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=55897 DF PROTO=ICMP TYPE=8 CODE=0 ID=6774 SEQ=1 
[37756.540730] TRACE: mangle:PREROUTING:policy:1 IN=tun0 OUT= MAC= SRC=10.8.0.2 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=55897 DF PROTO=ICMP TYPE=8 CODE=0 ID=6774 SEQ=1 
[37756.556259] TRACE: nat:PREROUTING:policy:1 IN=tun0 OUT= MAC= SRC=10.8.0.2 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=55897 DF PROTO=ICMP TYPE=8 CODE=0 ID=6774 SEQ=1 
[37756.571577] TRACE: mangle:FORWARD:policy:1 IN=tun0 OUT=eth0 MAC= SRC=10.8.0.2 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=55897 DF PROTO=ICMP TYPE=8 CODE=0 ID=6774 SEQ=1 
[37756.587174] TRACE: filter:FORWARD:policy:1 IN=tun0 OUT=eth0 MAC= SRC=10.8.0.2 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=55897 DF PROTO=ICMP TYPE=8 CODE=0 ID=6774 SEQ=1 
[37756.602781] TRACE: security:FORWARD:policy:1 IN=tun0 OUT=eth0 MAC= SRC=10.8.0.2 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=55897 DF PROTO=ICMP TYPE=8 CODE=0 ID=6774 SEQ=1 
[37756.618544] TRACE: mangle:POSTROUTING:policy:1 IN= OUT=eth0 SRC=10.8.0.2 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=55897 DF PROTO=ICMP TYPE=8 CODE=0 ID=6774 SEQ=1 
[37756.633710] TRACE: nat:POSTROUTING:rule:1 IN= OUT=eth0 SRC=10.8.0.2 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=55897 DF PROTO=ICMP TYPE=8 CODE=0 ID=6774 SEQ=1 
[37756.685133] TRACE: raw:PREROUTING:policy:2 IN=eth0 OUT= MAC=02:8e:06:c3:2f:12:10:fe:ed:8f:6e:12:08:00 SRC=8.8.8.8 DST=192.168.0.2 LEN=84 TOS=0x00 PREC=0x00 TTL=246 ID=23248 PROTO=ICMP TYPE=0 CODE=0 ID=6774 SEQ=1 
[37756.704041] TRACE: mangle:PREROUTING:policy:1 IN=eth0 OUT= MAC=02:8e:06:c3:2f:12:10:fe:ed:8f:6e:12:08:00 SRC=8.8.8.8 DST=192.168.0.2 LEN=84 TOS=0x00 PREC=0x00 TTL=246 ID=23248 PROTO=ICMP TYPE=0 CODE=0 ID=6774 SEQ=1 

You can see that the packet is lost after mangle prerouting. I enabled logging of martian packets, but no additional lines appear in dmesg.

Original version by KivApple:

[37568.848974] mangle-prerouting IN=tun0 OUT= MAC= SRC=10.8.0.2 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=35755 DF PROTO=ICMP TYPE=8 CODE=0 ID=6613 SEQ=1 
[37568.863147] mangle-forward IN=tun0 OUT=eth0 MAC= SRC=10.8.0.2 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=35755 DF PROTO=ICMP TYPE=8 CODE=0 ID=6613 SEQ=1 
[37568.914012] mangle-prerouting IN=eth0 OUT= MAC=02:8e:06:c3:2f:12:10:fe:ed:8f:6e:12:08:00 SRC=8.8.8.8 DST=192.168.0.2 LEN=84 TOS=0x00 PREC=0x00 TTL=246 ID=37975 PROTO=ICMP TYPE=0 CODE=0 ID=6613 SEQ=1 

The packet reaches neither mangle forward nor mangle input, only mangle prerouting.

I tried iptables -t raw -A PREROUTING -p icmp -j TRACE:

[37756.525419] TRACE: raw:PREROUTING:policy:2 IN=tun0 OUT= MAC= SRC=10.8.0.2 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=55897 DF PROTO=ICMP TYPE=8 CODE=0 ID=6774 SEQ=1 
[37756.540730] TRACE: mangle:PREROUTING:policy:1 IN=tun0 OUT= MAC= SRC=10.8.0.2 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=55897 DF PROTO=ICMP TYPE=8 CODE=0 ID=6774 SEQ=1 
[37756.556259] TRACE: nat:PREROUTING:policy:1 IN=tun0 OUT= MAC= SRC=10.8.0.2 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=55897 DF PROTO=ICMP TYPE=8 CODE=0 ID=6774 SEQ=1 
[37756.571577] TRACE: mangle:FORWARD:policy:1 IN=tun0 OUT=eth0 MAC= SRC=10.8.0.2 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=55897 DF PROTO=ICMP TYPE=8 CODE=0 ID=6774 SEQ=1 
[37756.587174] TRACE: filter:FORWARD:policy:1 IN=tun0 OUT=eth0 MAC= SRC=10.8.0.2 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=55897 DF PROTO=ICMP TYPE=8 CODE=0 ID=6774 SEQ=1 
[37756.602781] TRACE: security:FORWARD:policy:1 IN=tun0 OUT=eth0 MAC= SRC=10.8.0.2 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=55897 DF PROTO=ICMP TYPE=8 CODE=0 ID=6774 SEQ=1 
[37756.618544] TRACE: mangle:POSTROUTING:policy:1 IN= OUT=eth0 SRC=10.8.0.2 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=55897 DF PROTO=ICMP TYPE=8 CODE=0 ID=6774 SEQ=1 
[37756.633710] TRACE: nat:POSTROUTING:rule:1 IN= OUT=eth0 SRC=10.8.0.2 DST=8.8.8.8 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=55897 DF PROTO=ICMP TYPE=8 CODE=0 ID=6774 SEQ=1 
[37756.685133] TRACE: raw:PREROUTING:policy:2 IN=eth0 OUT= MAC=02:8e:06:c3:2f:12:10:fe:ed:8f:6e:12:08:00 SRC=8.8.8.8 DST=192.168.0.2 LEN=84 TOS=0x00 PREC=0x00 TTL=246 ID=23248 PROTO=ICMP TYPE=0 CODE=0 ID=6774 SEQ=1 
[37756.704041] TRACE: mangle:PREROUTING:policy:1 IN=eth0 OUT= MAC=02:8e:06:c3:2f:12:10:fe:ed:8f:6e:12:08:00 SRC=8.8.8.8 DST=192.168.0.2 LEN=84 TOS=0x00 PREC=0x00 TTL=246 ID=23248 PROTO=ICMP TYPE=0 CODE=0 ID=6774 SEQ=1 

You can see that the packet is lost after mangle prerouting.
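
Added example, not part of the original post: a small parser that groups TRACE lines like the ones above per packet and reports any packet whose last traced hop is not a final chain. The function names and the grouping key (SRC, DST, IP ID) are assumptions of this example; the sample is the post's trace with the LEN/TOS/PREC fields trimmed.

```python
import re

# Constructed sample: the TRACE lines from the post, with LEN/TOS/PREC trimmed.
SAMPLE = """\
[37756.525419] TRACE: raw:PREROUTING:policy:2 IN=tun0 OUT= MAC= SRC=10.8.0.2 DST=8.8.8.8 TTL=64 ID=55897 DF PROTO=ICMP TYPE=8 CODE=0 ID=6774 SEQ=1
[37756.540730] TRACE: mangle:PREROUTING:policy:1 IN=tun0 OUT= MAC= SRC=10.8.0.2 DST=8.8.8.8 TTL=64 ID=55897 DF PROTO=ICMP TYPE=8 CODE=0 ID=6774 SEQ=1
[37756.556259] TRACE: nat:PREROUTING:policy:1 IN=tun0 OUT= MAC= SRC=10.8.0.2 DST=8.8.8.8 TTL=64 ID=55897 DF PROTO=ICMP TYPE=8 CODE=0 ID=6774 SEQ=1
[37756.571577] TRACE: mangle:FORWARD:policy:1 IN=tun0 OUT=eth0 MAC= SRC=10.8.0.2 DST=8.8.8.8 TTL=63 ID=55897 DF PROTO=ICMP TYPE=8 CODE=0 ID=6774 SEQ=1
[37756.587174] TRACE: filter:FORWARD:policy:1 IN=tun0 OUT=eth0 MAC= SRC=10.8.0.2 DST=8.8.8.8 TTL=63 ID=55897 DF PROTO=ICMP TYPE=8 CODE=0 ID=6774 SEQ=1
[37756.602781] TRACE: security:FORWARD:policy:1 IN=tun0 OUT=eth0 MAC= SRC=10.8.0.2 DST=8.8.8.8 TTL=63 ID=55897 DF PROTO=ICMP TYPE=8 CODE=0 ID=6774 SEQ=1
[37756.618544] TRACE: mangle:POSTROUTING:policy:1 IN= OUT=eth0 SRC=10.8.0.2 DST=8.8.8.8 TTL=63 ID=55897 DF PROTO=ICMP TYPE=8 CODE=0 ID=6774 SEQ=1
[37756.633710] TRACE: nat:POSTROUTING:rule:1 IN= OUT=eth0 SRC=10.8.0.2 DST=8.8.8.8 TTL=63 ID=55897 DF PROTO=ICMP TYPE=8 CODE=0 ID=6774 SEQ=1
[37756.685133] TRACE: raw:PREROUTING:policy:2 IN=eth0 OUT= MAC=02:8e:06:c3:2f:12:10:fe:ed:8f:6e:12:08:00 SRC=8.8.8.8 DST=192.168.0.2 TTL=246 ID=23248 PROTO=ICMP TYPE=0 CODE=0 ID=6774 SEQ=1
[37756.704041] TRACE: mangle:PREROUTING:policy:1 IN=eth0 OUT= MAC=02:8e:06:c3:2f:12:10:fe:ed:8f:6e:12:08:00 SRC=8.8.8.8 DST=192.168.0.2 TTL=246 ID=23248 PROTO=ICMP TYPE=0 CODE=0 ID=6774 SEQ=1
"""

# table:chain:type:rulenum, interfaces, addresses and the first ID= (the IP ID).
TRACE_RE = re.compile(
    r"TRACE: (\w+):(\w+):(\w+):(\d+) IN=(\S*) OUT=(\S*) "
    r".*?SRC=(\S+) DST=(\S+) .*?\bID=(\d+)")

# Chains after which a packet has left netfilter (delivered locally or sent out).
FINAL_CHAINS = {"INPUT", "POSTROUTING"}


def packet_paths(log_text):
    """Group TRACE lines by (SRC, DST, IP ID); return {key: [table:chain, ...]}."""
    paths = {}
    for line in log_text.splitlines():
        m = TRACE_RE.search(line)
        if not m:
            continue  # not a TRACE line
        table, chain, _kind, _num, _inif, _outif, src, dst, ip_id = m.groups()
        paths.setdefault((src, dst, ip_id), []).append(f"{table}:{chain}")
    return paths


def stalled_packets(paths):
    """Return {packet key: last hop} for packets that never reached a final chain."""
    return {key: hops[-1] for key, hops in paths.items()
            if hops[-1].split(":")[1] not in FINAL_CHAINS}


if __name__ == "__main__":
    paths = packet_paths(SAMPLE)
    for key, hops in paths.items():
        print(key, " -> ".join(hops))
    print("stalled:", stalled_packets(paths))
```

A packet whose last hop is in PREROUTING disappeared before FORWARD or INPUT, which is where the routing decision sits.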