iptables debugging

Sometimes packets take a path through an iptables firewall that you did not intend, or get dropped along the way. Even if you know what you are doing, a typo or a single mistake in your iptables rules can drive you crazy. As I have had to learn over the past years, there are several ways to see what is going on.

Logging blocked packets

Add the following to your iptables script to log the packets that are about to be dropped. A LOG rule matches every packet that reaches it, so these lines belong after all ACCEPT rules and directly before the final DROP (or the chain's DROP policy); placed earlier, they would log accepted traffic as well. The limit match keeps a flood from filling the log:

        # Logging
        $IPTABLES -A INPUT -m limit --limit 50/minute -j LOG --log-level 7 --log-prefix "Dropped in: "
        $IPTABLES -A OUTPUT -m limit --limit 50/minute -j LOG --log-level 7 --log-prefix "Dropped out: "
        $IPTABLES -A FORWARD -m limit --limit 50/minute -j LOG --log-level 7 --log-prefix "Dropped fw: "

To collect those messages in a separate firewall log, add this to /etc/syslog.conf or /etc/rsyslog.conf. The selector matches exactly the --log-level 7 (debug) used above, so the two have to agree; any other kernel message logged at debug level ends up in the same file. On rsyslog, add a line "& stop" below it if you do not want the same entries in /var/log/syslog as well. On systemd hosts without a syslog daemon, journalctl -k shows the same kernel messages:

# firewall logging
kern.=debug     /var/log/firewall
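The placement rule from the section above, as an added example (not the original post's script): a small rule set in which the LOG rules sit after the ACCEPT rules and directly before the terminal DROP, plus a dry-run mode that prints the iptables commands instead of applying them and a check that verifies the order. The allowed ports (22, 25) and the interface names eth0/eth1 are assumptions made for the example.

```sh
#!/bin/sh
# Added example, not code from the original post: a small INPUT/FORWARD
# rule set that shows where the "log what we drop" rules belong. A LOG rule
# matches every packet that reaches it, so it is appended after all ACCEPT
# rules and directly before the terminal DROP; any earlier and it would log
# accepted traffic as well. The allowed ports (22, 25) and the interface
# names are assumptions for the example.
IPTABLES="${IPTABLES:-iptables}"

install_rules() {
    # Start from a clean filter table with DROP policies, so an empty chain
    # is a closed chain even if the rest of this function fails half way.
    $IPTABLES -F
    $IPTABLES -P INPUT DROP
    $IPTABLES -P FORWARD DROP
    $IPTABLES -P OUTPUT ACCEPT

    # ACCEPT rules come first.
    $IPTABLES -A INPUT -i lo -j ACCEPT
    $IPTABLES -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A INPUT -p tcp --dport 22 -j ACCEPT
    $IPTABLES -A INPUT -p tcp --dport 25 -j ACCEPT
    $IPTABLES -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A FORWARD -i eth1 -o eth0 -j ACCEPT

    # LOG rules last, rate limited so a flood cannot fill /var/log.
    # --log-level 7 (debug) is what the "kern.=debug" syslog selector catches.
    $IPTABLES -A INPUT -m limit --limit 50/minute --limit-burst 20 \
        -j LOG --log-level 7 --log-prefix "Dropped in: "
    $IPTABLES -A FORWARD -m limit --limit 50/minute --limit-burst 20 \
        -j LOG --log-level 7 --log-prefix "Dropped fw: "

    # Explicit terminal DROP (redundant with the policy, but it makes the
    # "everything below the LOG rule is dropped" intent visible in -L output).
    $IPTABLES -A INPUT -j DROP
    $IPTABLES -A FORWARD -j DROP
}

# Print the commands instead of running them (no root needed).
dry_run() {
    ( IPTABLES="echo iptables"; install_rules )
}

# Check a dry-run listing: for the given chain the last ACCEPT rule must come
# before the LOG rule, and the LOG rule before the terminal DROP. Returns 0
# when the order is right. Usage: dry_run | check_order INPUT
check_order() {
    chain="$1"
    listing=$(cat)
    last_accept=$(printf '%s\n' "$listing" | grep -n -- "-A $chain .*-j ACCEPT" | tail -n 1 | cut -d: -f1)
    log_line=$(printf '%s\n' "$listing" | grep -n -- "-A $chain .*-j LOG" | cut -d: -f1)
    drop_line=$(printf '%s\n' "$listing" | grep -n -- "-A $chain -j DROP" | cut -d: -f1)
    [ -n "$last_accept" ] && [ -n "$log_line" ] && [ -n "$drop_line" ] &&
        [ "$last_accept" -lt "$log_line" ] && [ "$log_line" -lt "$drop_line" ]
}

case "${1:-}" in
    apply)   install_rules ;;
    dry-run) dry_run ;;
esac
```

Run it as "sh firewall.sh dry-run" to see the commands, and "sh firewall.sh apply" as root to load them. The OUTPUT chain would follow the same pattern (ACCEPT rules, then the "Dropped out: " LOG rule, then DROP) if you lock down outbound traffic; the example leaves it on ACCEPT.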

 

Tracing packets

Tracing shows the complete path of a packet through iptables: every table and chain it traverses and the rule that finally decides its fate (see the packet flow diagram for details). Define trace rules as narrowly as possible, otherwise the log fills up fast and you cannot see what matters. The TRACE target is only available in the raw table. Add this to your iptables script to trace packets going to 10.0.0.1 on TCP port 25 (for packets generated on the host itself, use the OUTPUT chain of the raw table instead of PREROUTING):

        # Tracing
        $IPTABLES -t raw -A PREROUTING --destination 10.0.0.1 -p tcp --dport 25 -j TRACE

The trace messages go to the kernel log (/var/log/syslog, /var/log/kern.log or dmesg, depending on the distribution). If nothing shows up with the legacy iptables, make sure a kernel logging backend is loaded (modprobe nf_log_ipv4, on older kernels ipt_LOG); with the nftables-based iptables the trace is not written to syslog at all and has to be read with nft monitor trace. Each line looks like "TRACE: filter:INPUT:rule:8", which means the packet went through the INPUT chain of the filter table and matched rule number 8 there. "policy:N" instead of "rule:N" means no rule in that chain matched and the chain's policy was applied. Use the following to see the rules with their line numbers (-n avoids DNS lookups; pick the table and chain from the trace line):

iptables -t filter -nL INPUT --line-numbers

When you are done, delete the trace rules again, otherwise the log keeps growing. Either look up the rule number in the raw table and delete by number, or pass the exact rule specification you added to -D:

iptables -vnL -t raw --line-numbers    # shows all rules in the raw table
iptables -t raw -D PREROUTING 1        # deletes the first rule
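Reading trace output by hand gets tedious once several packets are traced at the same time. The following is an added example (not part of the original post): a small awk filter that condenses the TRACE lines from the kernel log into one line per packet, listing every table:chain it passed and the rule or policy that decided it. The sample log is constructed for this example, trimmed to the fields the parser needs and shaped like the lines quoted on this page; the addresses, ports and rule numbers in it are made up.

```sh
#!/bin/sh
# Added example, not code from the original post: condense the TRACE lines
# that netfilter writes to the kernel log into one line per packet showing
# every table:chain it passed and the rule (or policy) that decided it. The
# sample log below is constructed for this example, trimmed to the fields the
# parser needs; the addresses, ports and rule numbers in it are made up.
sample_trace_log() {
    cat <<'EOF'
Mar  3 10:00:01 mx kernel: TRACE: raw:PREROUTING:policy:2 IN=eth0 OUT= SRC=192.0.2.10 DST=10.0.0.1 PROTO=TCP SPT=51000 DPT=25
Mar  3 10:00:01 mx kernel: TRACE: mangle:PREROUTING:policy:1 IN=eth0 OUT= SRC=192.0.2.10 DST=10.0.0.1 PROTO=TCP SPT=51000 DPT=25
Mar  3 10:00:01 mx kernel: TRACE: raw:PREROUTING:policy:2 IN=eth0 OUT= SRC=198.51.100.7 DST=10.0.0.1 PROTO=TCP SPT=40000 DPT=25
Mar  3 10:00:01 mx kernel: TRACE: nat:PREROUTING:policy:1 IN=eth0 OUT= SRC=192.0.2.10 DST=10.0.0.1 PROTO=TCP SPT=51000 DPT=25
Mar  3 10:00:01 mx kernel: TRACE: mangle:INPUT:policy:1 IN=eth0 OUT= SRC=192.0.2.10 DST=10.0.0.1 PROTO=TCP SPT=51000 DPT=25
Mar  3 10:00:01 mx kernel: TRACE: mangle:PREROUTING:policy:1 IN=eth0 OUT= SRC=198.51.100.7 DST=10.0.0.1 PROTO=TCP SPT=40000 DPT=25
Mar  3 10:00:01 mx kernel: TRACE: filter:INPUT:rule:8 IN=eth0 OUT= SRC=192.0.2.10 DST=10.0.0.1 PROTO=TCP SPT=51000 DPT=25
Mar  3 10:00:01 mx kernel: TRACE: nat:PREROUTING:policy:1 IN=eth0 OUT= SRC=198.51.100.7 DST=10.0.0.1 PROTO=TCP SPT=40000 DPT=25
Mar  3 10:00:01 mx kernel: TRACE: mangle:INPUT:policy:1 IN=eth0 OUT= SRC=198.51.100.7 DST=10.0.0.1 PROTO=TCP SPT=40000 DPT=25
Mar  3 10:00:01 mx kernel: TRACE: filter:INPUT:policy:12 IN=eth0 OUT= SRC=198.51.100.7 DST=10.0.0.1 PROTO=TCP SPT=40000 DPT=25
EOF
}

# Usage: trace_paths < /var/log/syslog   (or: journalctl -k | trace_paths)
# Prints "SRC:SPT -> DST:DPT: hop -> hop -> ..." in first-seen order, so the
# last hop of each line is the rule or policy that decided the packet.
trace_paths() {
    awk '
    /TRACE: / {
        src = dst = spt = dpt = hop = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "TRACE:")    hop = $(i + 1)
            else if ($i ~ /^SRC=/) src = substr($i, 5)
            else if ($i ~ /^DST=/) dst = substr($i, 5)
            else if ($i ~ /^SPT=/) spt = substr($i, 5)
            else if ($i ~ /^DPT=/) dpt = substr($i, 5)
        }
        # One path per 4-tuple; protocols without ports (ICMP) still group
        # by address pair because spt and dpt stay empty.
        key = src ":" spt " -> " dst ":" dpt
        if (!(key in path)) { order[++n] = key; path[key] = hop }
        else                  path[key] = path[key] " -> " hop
    }
    END { for (i = 1; i <= n; i++) print order[i] ": " path[order[i]] }'
}

case "${1:-}" in
    demo) sample_trace_log | trace_paths ;;
esac
```

With the sample log, "sh trace.sh demo" prints two lines: the first packet ends at filter:INPUT:rule:8 (look at line 8 of iptables -t filter -nL INPUT --line-numbers), the second at filter:INPUT:policy:12, meaning none of the eleven rules in INPUT matched and the chain policy decided it.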

View the iptables configuration

iptables -S prints the rules in iptables-save syntax (the form you can paste back into a script), iptables --list (-L) prints them as a table. Both show only the filter table unless you add -t raw, -t nat or -t mangle:

iptables -S
iptables --list

See packets and bytes matching iptables rules

The packet and byte counters for every rule are shown by the following command (-n avoids DNS lookups, add -x for exact instead of rounded numbers). Zero the counters with iptables -Z, reproduce the problem and list again: a rule whose counter stays at 0 never matches, which is usually the mistake you are looking for.

iptables -vnL

2 Responses to “iptables debugging”

  • Great!

    Clear and simple description of a complex theme. You saved my day.

  • I have a problem that iptables prevents the 1812 radius connection, but your commands do not work. I found a better one that works, in tail -f /var/log/messages:

    It's:

    iptables -t raw -A OUTPUT -s 127.0.0.1 -j TRACE
    iptables -t raw -A PREROUTING -s 127.0.0.1 -j TRACE

    However, the output is also:

    TRACE: raw:OUTPUT:policy:2 IN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 … PROTO=TCP SPT=39428 DPT=808 …
    TRACE: filter:OUTPUT:policy:1 IN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 … PROTO=TCP SPT=39428 DPT=808 …

    TRACE: raw:PREROUTING:policy:2 IN=lo OUT= MAC=… SRC=MYSERVERIP DST=127.0.0.1 … PROTO=TCP SPT=39428 DPT=808 …
    TRACE: filter:INPUT:rule:11 IN=lo OUT= MAC=… SRC=MYSERVERIP DST=127.0.0.1 …PROTO=TCP SPT=39428 DPT=808 …

    It also doesn't help me a lot. If you can contact me, I can provide more logs.
