iptables debugging
29. March 2013

Sometimes packets go astray or get lost while passing through an iptables firewall. Even if you know what you are doing, a typo or a single mistake in your iptables rules can drive you crazy. As I have learned over the past years, there are several ways to see what's going on.

Logging blocked packets

Just add the following to your iptables script to log blocked packets. The LOG target does not drop anything by itself, so these rules belong at the end of each chain, right before the default DROP policy applies, so that only packets nothing else accepted get logged:

        # Logging
        $IPTABLES -A INPUT -m limit --limit 50/minute -j LOG --log-level 7 --log-prefix "Dropped in: "
        $IPTABLES -A OUTPUT -m limit --limit 50/minute -j LOG --log-level 7 --log-prefix "Dropped out: "
        $IPTABLES -A FORWARD -m limit --limit 50/minute -j LOG --log-level 7 --log-prefix "Dropped fw: "

To see those log messages in a separate firewall log, add this to your /etc/(r)syslog.conf. The --log-level 7 above is the debug priority, which is exactly what the kern.=debug selector matches:

# firewall logging
kern.=debug     /var/log/firewall


Tracing packets

Tracing lets you see the complete path of a packet through iptables (see the packet flow diagram for details). It is always a good idea to define trace rules as narrowly as possible, so the log file does not get flooded. Add this to your iptables script to trace packets going to a particular destination on tcp port 25:

        # Tracing (<destination-ip> is a placeholder for the host whose traffic you want to trace)
        $IPTABLES -t raw -A PREROUTING --destination <destination-ip> -p tcp --dport 25 -j TRACE

You will see those trace messages in /var/log/syslog, for example "TRACE: filter:INPUT:rule:8", which means that the packet went through the INPUT chain of the filter table and matched rule number 8 (the third field reads "policy" when the chain's default policy applied, or "return" when the chain returned to its caller). If no trace lines appear at all, make sure a netfilter logging backend (the ipt_LOG or nf_log_ipv4 module, depending on your kernel) is loaded. Use the following to see the rules with their line numbers:

iptables -L --line-numbers

After tracing, you have to delete the trace rules by hand to keep your log from blowing up:

iptables -vnL -t raw --line-numbers   # shows all rules in the raw table
iptables -t raw -D PREROUTING 1       # deletes the first rule of PREROUTING
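
A TRACE session produces one log line per table and chain the packet passes, so the interesting information (which chain and rule finally decided the packet's fate) is spread over many lines. The script below, an added example and not part of the original post, condenses syslog TRACE lines into one path per packet; the sample log is constructed, not captured from a real host, and the function and variable names are my own.

```shell
#!/bin/sh
# Summarise netfilter TRACE lines from syslog into one path per packet.
# Constructed sample log (not from a real host); the field layout follows the
# kernel's "TRACE: <table>:<chain>:<rule|policy|return>:<num> IN=... SRC=..." format.
SAMPLE_TRACE='Mar 29 10:15:02 gw kernel: TRACE: raw:PREROUTING:policy:2 IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.25 ID=4711 DF PROTO=TCP SPT=51234 DPT=25 SYN
Mar 29 10:15:02 gw kernel: TRACE: mangle:PREROUTING:policy:1 IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.25 ID=4711 DF PROTO=TCP SPT=51234 DPT=25 SYN
Mar 29 10:15:02 gw kernel: TRACE: nat:PREROUTING:policy:1 IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.25 ID=4711 DF PROTO=TCP SPT=51234 DPT=25 SYN
Mar 29 10:15:02 gw kernel: TRACE: mangle:INPUT:policy:1 IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.25 ID=4711 DF PROTO=TCP SPT=51234 DPT=25 SYN
Mar 29 10:15:02 gw kernel: TRACE: filter:INPUT:rule:8 IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.25 ID=4711 DF PROTO=TCP SPT=51234 DPT=25 SYN
Mar 29 10:15:03 gw kernel: TRACE: raw:PREROUTING:policy:2 IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.25 ID=9001 DF PROTO=TCP SPT=40000 DPT=25 SYN
Mar 29 10:15:03 gw kernel: TRACE: filter:INPUT:rule:12 IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.25 ID=9001 DF PROTO=TCP SPT=40000 DPT=25 SYN'

# trace_paths: read TRACE lines on stdin and print, in first-seen order,
# "src:spt -> dst:dpt id=N: hop > hop > ...". The last hop is the chain and rule
# number that delivered the verdict, i.e. what you look up with
# "iptables -t <table> -L <chain> --line-numbers".
trace_paths() {
  awk '
  {
    hop = src = dst = id = spt = dpt = ""
    for (i = 1; i <= NF; i++) {
      if ($i == "TRACE:")    hop = $(i + 1)
      else if ($i ~ /^SRC=/) src = substr($i, 5)
      else if ($i ~ /^DST=/) dst = substr($i, 5)
      else if ($i ~ /^ID=/)  id  = substr($i, 4)
      else if ($i ~ /^SPT=/) spt = substr($i, 5)
      else if ($i ~ /^DPT=/) dpt = substr($i, 5)
    }
    if (hop == "") next                      # not a TRACE line, skip it
    key = src ":" spt " -> " dst ":" dpt " id=" id
    if (key in path) path[key] = path[key] " > " hop
    else { order[++n] = key; path[key] = hop }
  }
  END { for (k = 1; k <= n; k++) print order[k] ": " path[order[k]] }'
}

# last_hops: keep only the verdict hop per packet, for long traces where you just
# want to know which rule caught each packet.
last_hops() {
  trace_paths | sed 's/: .* > /: /'
}

printf '%s\n' "$SAMPLE_TRACE" | trace_paths
```

In practice you would feed it the real log, e.g. `grep 'TRACE:' /var/log/syslog | trace_paths`.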

View the iptables config

iptables -S
iptables --list

See packets and bytes matching iptables rules

You can see the number of packets and bytes that matched every rule with:

iptables -L -v


1 comment

  1. Great!

    Clear and simple description of a complex theme. You saved my day.