Sometimes packets take an unexpected path or get lost while passing through an iptables firewall. Even if you know what you are doing, a typo or a single mistake in your iptables rules can drive you crazy. As I had to learn over the past years, there are several ways to see what's going on.
Logging blocked packets
Add the following to your iptables script to log blocked packets. Append them as the last rules of each chain, so that only packets no earlier rule has accepted reach them and the "Dropped" prefix actually means dropped:
$IPTABLES -A INPUT -m limit --limit 50/minute -j LOG --log-level 7 --log-prefix "Dropped in: "
$IPTABLES -A OUTPUT -m limit --limit 50/minute -j LOG --log-level 7 --log-prefix "Dropped out: "
$IPTABLES -A FORWARD -m limit --limit 50/minute -j LOG --log-level 7 --log-prefix "Dropped fw: "
To see those log messages in a separate firewall log, add this to your /etc/syslog.conf or /etc/rsyslog.conf:
# firewall logging
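Once the LOG rules are in place, the interesting question is what is being dropped and how often. The following script is an added example (not code from the original post): it summarises kernel LOG lines of the format the rules above produce. It assumes the messages end up in a file such as /var/log/firewall.log via a selector like "kern.debug -/var/log/firewall.log" (an assumption; the post's own syslog line is not shown) and works on a few constructed log lines embedded in the script.

```shell
#!/bin/sh
# Added example, not part of the original post. Summarise "Dropped ..." LOG
# lines emitted by the iptables LOG target (--log-level 7 = kern.debug).
# Assumed syslog routing (not from the post): kern.debug -/var/log/firewall.log

# Constructed sample lines in the format the kernel LOG target writes.
SAMPLE_LOG='Mar  3 10:15:01 gw kernel: Dropped in: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=10.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Mar  3 10:15:02 gw kernel: Dropped in: IN=eth0 OUT= SRC=203.0.113.7 DST=10.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=51235 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Mar  3 10:15:05 gw kernel: Dropped in: IN=eth0 OUT= SRC=198.51.100.9 DST=10.0.0.1 LEN=40 TOS=0x00 PREC=0x00 TTL=112 ID=0 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Mar  3 10:15:09 gw kernel: Dropped out: IN= OUT=eth0 SRC=10.0.0.1 DST=192.0.2.50 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=123 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1'

# Read log lines on stdin and print one tab-separated line per distinct
# (prefix, protocol, source, destination, dport) tuple, most frequent first.
# Packets without a port (ICMP) get "-" as the dport.
summarize_drops() {
    awk '{
        prefix = ""; src = ""; dst = ""; proto = ""; dpt = "-"
        for (i = 1; i <= NF; i++) {
            if ($i == "Dropped")        { prefix = $i " " $(i+1) }
            else if ($i ~ /^SRC=/)      { src = substr($i, 5) }
            else if ($i ~ /^DST=/)      { dst = substr($i, 5) }
            else if ($i ~ /^PROTO=/)    { proto = substr($i, 7) }
            else if ($i ~ /^DPT=/)      { dpt = substr($i, 5) }
        }
        if (src != "") count[prefix "\t" proto "\t" src "\t" dst "\t" dpt]++
    }
    END { for (k in count) print count[k] "\t" k }' | sort -rn
}

# Count how many dropped packets came from one source address.
drops_from() {
    printf '%s\n' "$SAMPLE_LOG" | grep -c "SRC=$1 "
}

# Usage: with real data, replace the sample with e.g. "cat /var/log/firewall.log".
printf '%s\n' "$SAMPLE_LOG" | summarize_drops
```

On a real box pipe the firewall log into summarize_drops instead of the sample; a source that shows up with a high count against many different ports is the first thing to look at, and a single host that is dropped on a port you expected to be open usually points at the rule ordering bug you are hunting.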
Tracing lets you see the complete path a packet takes through iptables (see the packet flow diagram for details). It is always a good idea to define trace rules as specifically as possible, so you do not end up with an overloaded log file. Add this to your iptables script to trace packets going to 10.0.0.1 on TCP port 25:
$IPTABLES -t raw -A PREROUTING --destination 10.0.0.1 -p tcp --dport 25 -j TRACE
You will find those trace messages in /var/log/syslog. They look like "TRACE: filter:INPUT:rule:8", which means the packet went through the INPUT chain of the filter table and matched rule number 8. Use the following to see the rules with their line numbers:
iptables -L --line-numbers
After using trace, you have to delete the trace rules manually to prevent your log from blowing up:
iptables -vnL -t raw --line-numbers   # show all rules in the raw table
iptables -t raw -D PREROUTING 1       # delete the first rule
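Reading a trace by hand gets tedious when a packet passes five or six chains, and deleting trace rules by number has a trap: after "-D PREROUTING 1" every remaining rule moves up by one. The following script is an added example (not code from the original post) covering both points: it reconstructs the path from constructed TRACE lines and turns the last hop into the iptables command that shows the deciding rule, and it builds the delete commands for all TRACE rules from constructed "iptables -vnL -t raw --line-numbers" output, highest rule number first so the numbers stay valid. The sample lines and rule numbers are constructed.

```shell
#!/bin/sh
# Added example, not part of the original post. Sample data is constructed.

# Constructed TRACE lines as they appear in /var/log/syslog for one packet.
SAMPLE_TRACE='Mar  3 11:02:10 gw kernel: TRACE: raw:PREROUTING:policy:2 IN=eth0 OUT= SRC=192.0.2.8 DST=10.0.0.1 PROTO=TCP SPT=45000 DPT=25
Mar  3 11:02:10 gw kernel: TRACE: mangle:PREROUTING:policy:1 IN=eth0 OUT= SRC=192.0.2.8 DST=10.0.0.1 PROTO=TCP SPT=45000 DPT=25
Mar  3 11:02:10 gw kernel: TRACE: nat:PREROUTING:policy:1 IN=eth0 OUT= SRC=192.0.2.8 DST=10.0.0.1 PROTO=TCP SPT=45000 DPT=25
Mar  3 11:02:10 gw kernel: TRACE: mangle:INPUT:policy:1 IN=eth0 OUT= SRC=192.0.2.8 DST=10.0.0.1 PROTO=TCP SPT=45000 DPT=25
Mar  3 11:02:10 gw kernel: TRACE: filter:INPUT:rule:8 IN=eth0 OUT= SRC=192.0.2.8 DST=10.0.0.1 PROTO=TCP SPT=45000 DPT=25'

# Constructed output of "iptables -vnL -t raw --line-numbers" with two TRACE rules.
SAMPLE_RAW='Chain PREROUTING (policy ACCEPT 1204 packets, 98K bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        3   180 TRACE      tcp  --  *      *       0.0.0.0/0            10.0.0.1             tcp dpt:25
2        0     0 NOTRACK    all  --  *      *       0.0.0.0/0            0.0.0.0/0
3        1    60 TRACE      udp  --  *      *       0.0.0.0/0            10.0.0.1             udp dpt:53

Chain OUTPUT (policy ACCEPT 880 packets, 70K bytes)
num   pkts bytes target     prot opt in     out     source               destination'

# Print one "table:chain:kind:number" hop per TRACE line, in order.
trace_hops() {
    awk '{ for (i = 1; i <= NF; i++) if ($i == "TRACE:") print $(i+1) }'
}

# Join the hops into one readable line: a -> b -> c
trace_path() {
    trace_hops | paste -s -d '>' - | sed 's/>/ -> /g'
}

# The last hop is where the packet's fate was decided. Turn it into the
# iptables command that lists that chain with line numbers.
trace_last_rule_cmd() {
    trace_hops | tail -n 1 | awk -F: '{
        if ($3 == "rule") printf "iptables -t %s -vnL %s --line-numbers   # look at rule %s\n", $1, $2, $4;
        else printf "iptables -t %s -vnL %s   # the packet hit the chain policy\n", $1, $2
    }'
}

# From "iptables -vnL -t raw --line-numbers" output on stdin, emit a delete
# command for every TRACE rule, highest number first per chain, so earlier
# deletes do not renumber the rules still waiting to be deleted.
trace_cleanup_cmds() {
    awk '/^Chain / { chain = $2; next }
         $4 == "TRACE" { print $1 " " chain }' |
    sort -k2,2 -k1,1rn |
    awk '{ print "iptables -t raw -D " $2 " " $1 }'
}

printf '%s\n' "$SAMPLE_TRACE" | trace_path
printf '%s\n' "$SAMPLE_TRACE" | trace_last_rule_cmd
printf '%s\n' "$SAMPLE_RAW" | trace_cleanup_cmds
```

With real data, feed "grep TRACE: /var/log/syslog" into trace_path (restrict it further to one SRC/DPT if several flows are traced at once) and "iptables -vnL -t raw --line-numbers" into trace_cleanup_cmds; review the printed commands before running them.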
View the iptables config
See packets and bytes matching iptables rules
You can see the number of packets and bytes that matched every rule with:
iptables -L -v
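The counters are most useful when you compare two snapshots: list the rules, send one test packet, list them again, and see which rule's counter moved. The script below is an added example (not code from the original post) that goes a little beyond the page by doing that comparison automatically and by listing rules that have never matched at all; it runs on constructed "iptables -vnL --line-numbers" output embedded in the script.

```shell
#!/bin/sh
# Added example, not part of the original post. Both snapshots are constructed
# to look like "iptables -vnL --line-numbers" before and after one test packet
# to TCP port 25 from a host outside 192.0.2.0/24.
BEFORE='Chain INPUT (policy DROP 10 packets, 600 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      500 40000 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
2     1200 96000 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
3        7   420 ACCEPT     tcp  --  *      *       10.0.0.0/8           0.0.0.0/0            tcp dpt:22
4        0     0 ACCEPT     tcp  --  *      *       192.0.2.0/24         10.0.0.1             tcp dpt:25
5       10   600 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 50/min burst 5 LOG flags 0 level 7 prefix "Dropped in: "'
AFTER='Chain INPUT (policy DROP 11 packets, 660 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1      500 40000 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
2     1200 96000 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
3        7   420 ACCEPT     tcp  --  *      *       10.0.0.0/8           0.0.0.0/0            tcp dpt:22
4        0     0 ACCEPT     tcp  --  *      *       192.0.2.0/24         10.0.0.1             tcp dpt:25
5       11   660 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 50/min burst 5 LOG flags 0 level 7 prefix "Dropped in: "'

# counter_diff BEFORE_FILE AFTER_FILE
# Print "chain num target before -> after" for every rule whose packet counter
# changed between the two snapshots. Rules are keyed by chain and number, so
# output with several chains is handled; the chain policy line is skipped.
counter_diff() {
    awk '/^Chain / { chain = $2; next }
         $1 !~ /^[0-9]+$/ { next }
         NR == FNR { before[chain ":" $1] = $2; next }
         before[chain ":" $1] != $2 { print chain, $1, $4, before[chain ":" $1] " -> " $2 }' "$1" "$2"
}

# unused_rules FILE
# Print "chain num target" for rules that have matched zero packets.
unused_rules() {
    awk '/^Chain / { chain = $2; next }
         $1 ~ /^[0-9]+$/ && $2 == 0 { print chain, $1, $4 }' "$1"
}

before_file=$(mktemp); after_file=$(mktemp)
printf '%s\n' "$BEFORE" > "$before_file"
printf '%s\n' "$AFTER" > "$after_file"
echo "rules whose counters changed:"; counter_diff "$before_file" "$after_file"
echo "rules that never matched:";     unused_rules "$after_file"
rm -f "$before_file" "$after_file"
```

In the sample the test packet ended up in the LOG rule and the DROP policy instead of rule 4, and rule 4 has never matched, which is the typical signature of a rule whose match conditions (here the source network) do not fit the traffic you are testing with. In real use save "iptables -vnL --line-numbers" to a file, send the packet, save it again and run counter_diff on the two files.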