* Re: debug iptables rules
From: TEJAS @ 2011-08-22 15:10 UTC (permalink / raw)
  To: netfilter

Hi All,

I am new to iptables. I wrote some iptables rules for my internal
network: rules for SNAT for internet sharing and some others for
configuring some restrictions. It is working fine. But I want to
debug these rules in live motion. I want to see what is happening with
packets while they traverse the iptables rules.

Is there any method or tool or anything to see what is happening in
the SNAT rule and what is happening in the other iptables rules?

Thanks,
Tej


* Re: debug iptables rules
From: Rob Sterenborg (Lists) @ 2011-08-22 15:30 UTC (permalink / raw)
  To: netfilter

On Mon, 2011-08-22 at 20:40 +0530, TEJAS wrote:
> Hi All,
> 
> I am new to iptables. I wrote some iptables rules for my internal
> network: rules for SNAT for internet sharing and some others for
> configuring some restrictions. It is working fine. But I want to
> debug these rules in live motion. I want to see what is happening with
> packets while they traverse the iptables rules.
> 
> Is there any method or tool or anything to see what is happening in
> the SNAT rule and what is happening in the other iptables rules?

You can use the LOG target to log messages to syslog
(probably /var/log/messages).

Basic example, really, when accepting SSH packets (beware of wrapping):

$ipt -A INPUT -p tcp --dport 22 -j LOG --log-level info --log-prefix "INPUT: SSH: "
$ipt -A INPUT -p tcp --dport 22 -j ACCEPT

[...more rules...and then at the end of your ruleset...]

$ipt -A INPUT -j LOG --log-level info --log-prefix "INPUT: DROPPED: "
$ipt -A INPUT -j DROP   (or use the chain policy to do this)


--
Rob




* Re: debug iptables rules
From: TEJAS @ 2011-08-22 15:53 UTC (permalink / raw)
  To: Rob Sterenborg (Lists); +Cc: netfilter

Hi,

My current iptables rules are:

cat /etc/sysconfig/iptables
# Generated by iptables-save v1.4.7 on Mon Aug 22 21:17:33 2011
*nat
:PREROUTING ACCEPT [493:28472]
:POSTROUTING ACCEPT [344:23920]
:OUTPUT ACCEPT [344:23920]
COMMIT
# Completed on Mon Aug 22 21:17:33 2011
# Generated by iptables-save v1.4.7 on Mon Aug 22 21:17:33 2011
*filter
:INPUT ACCEPT [12511:3538351]
:FORWARD ACCEPT [16:832]
:OUTPUT ACCEPT [11397:5249840]
COMMIT
# Completed on Mon Aug 22 21:17:33 2011
# Generated by iptables-save v1.4.7 on Mon Aug 22 21:17:33 2011
*mangle
:PREROUTING ACCEPT [92:12257]
:INPUT ACCEPT [3202:794108]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2909:931650]
:POSTROUTING ACCEPT [2909:931650]
:DIVERT - [0:0]
-A PREROUTING -d 10.10.10.30/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A PREROUTING -p tcp -m socket -j DIVERT
-A PREROUTING -p tcp -m tcp --dport 80 -j TPROXY --on-port 3129 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1
-A PREROUTING -j LOG
-A DIVERT -j MARK --set-xmark 0x1/0xffffffff
-A DIVERT -j ACCEPT
COMMIT

Is this a correct use of the log options? I want to log everything in
my logs. I want to see what is happening with the socket match and
what is happening with the tproxy match options.

Please guide me on that. Is my use of the log rule valid?

Thanks,
Tej


* Re: debug iptables rules
From: Rob Sterenborg (Lists) @ 2011-08-22 16:13 UTC (permalink / raw)
  To: netfilter

On Mon, 2011-08-22 at 21:23 +0530, TEJAS wrote:
> Hi,
> 
> My current iptables rules are:
> 
> cat /etc/sysconfig/iptables
> # Generated by iptables-save v1.4.7 on Mon Aug 22 21:17:33 2011
> *nat
> :PREROUTING ACCEPT [493:28472]
> :POSTROUTING ACCEPT [344:23920]
> :OUTPUT ACCEPT [344:23920]
> COMMIT
> # Completed on Mon Aug 22 21:17:33 2011
> # Generated by iptables-save v1.4.7 on Mon Aug 22 21:17:33 2011
> *filter
> :INPUT ACCEPT [12511:3538351]
> :FORWARD ACCEPT [16:832]
> :OUTPUT ACCEPT [11397:5249840]
> COMMIT
> # Completed on Mon Aug 22 21:17:33 2011
> # Generated by iptables-save v1.4.7 on Mon Aug 22 21:17:33 2011
> *mangle
> :PREROUTING ACCEPT [92:12257]
> :INPUT ACCEPT [3202:794108]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [2909:931650]
> :POSTROUTING ACCEPT [2909:931650]
> :DIVERT - [0:0]
> -A PREROUTING -d 10.10.10.30/32 -p tcp -m tcp --dport 80 -j ACCEPT
> -A PREROUTING -p tcp -m socket -j DIVERT
> -A PREROUTING -p tcp -m tcp --dport 80 -j TPROXY --on-port 3129 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1
> -A PREROUTING -j LOG
> -A DIVERT -j MARK --set-xmark 0x1/0xffffffff
> -A DIVERT -j ACCEPT
> COMMIT
> 
> Is this a correct use of the log options?

Well, you're not using any log *options*, you're just logging.
See the LOG section of 'man iptables' for log options.

> I want to log everything in my logs. I want to see what is happening
> with the socket match and what is happening with the tproxy match options.

I suppose you need a second LOG rule right after the DIVERT -j MARK
rule, because after that rule the packet is ACCEPT-ed and nothing is
logged.

It may help if you use a separate --log-prefix for each LOG rule to see
in the logfile which LOG rule did the logging.

I've never looked at it so I may be wrong, but I doubt you'll see the
mark in your log.


--
Rob




* Re: debug iptables rules
From: TEJAS @ 2011-08-22 18:04 UTC (permalink / raw)
  To: Rob Sterenborg (Lists); +Cc: netfilter

Hi,

As per your suggestion, I set LOG rules after the DIVERT MARK rule and
the TPROXY rule and I can see logs of traffic. But

I configured the tproxy rule for dport 80 to redirect to port 3129 for
TCP, but when I check the log messages, it is showing UDP and port
53, which is DNS.

And in the socket log prefix I can see dport 80 log messages.

my iptables rules:


cat /etc/sysconfig/iptables
# Generated by iptables-save v1.4.7 on Mon Aug 22 23:16:10 2011
*mangle
:PREROUTING ACCEPT [55:7813]
:INPUT ACCEPT [3019:751575]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2731:1227997]
:POSTROUTING ACCEPT [2731:1227997]
:DIVERT - [0:0]
-A PREROUTING -p tcp -m socket -j DIVERT
-A PREROUTING -p tcp -m tcp --dport 80 -j TPROXY --on-port 3129 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1
-A PREROUTING -j LOG --log-prefix "TPROXY PACKET" --log-level 1
-A DIVERT -j MARK --set-xmark 0x1/0xffffffff
-A DIVERT -j LOG --log-prefix "SOCKET packets" --log-level 1
-A DIVERT -j ACCEPT


Thanks,
Tej


* Re: debug iptables rules
From: fuzzy_4711 @ 2011-08-22 20:53 UTC (permalink / raw)
  To: TEJAS; +Cc: netfilter



-------- Original - Text --------

> But I want to
> debug these rules in live motion. I want to see what is happening with
> packets while they traverse the iptables rules.
> 
> Is there any method or tool or anything to see what is happening in
> the SNAT rule and what is happening in the other iptables rules?
> 

Hi Tejas.

This may be exactly what you are looking for (tutorial included):
http://backreference.org/2010/06/11/iptables-debugging/

Take it easy.
-fuz


* Re: debug iptables rules
From: Erik Schorr @ 2011-08-23  8:18 UTC (permalink / raw)
  To: netfilter; +Cc: Rob Sterenborg (Lists)

I'm surprised nobody has mentioned the TRACE option.
It's used in the 'raw' table, applied to the PREROUTING chain, I
believe.  Every packet that matches/is marked by the TRACE option gets
logged as it traverses every subsequent rule that it matches.  I believe
it also shows when it enters and exits a chain, regardless of matching
rules within it.

It's perfect for tracing initial connection packets (e.g. SYN-only)
through all your filter and nat chains.  It can generate LOTS of
logging traffic if you're not careful.




* Re: debug iptables rules
From: Rob Sterenborg (Lists) @ 2011-08-23  9:08 UTC (permalink / raw)
  To: netfilter

On Mon, 2011-08-22 at 23:34 +0530, TEJAS wrote:
> Hi,
> 
> As per your suggestion, I set LOG rules after the DIVERT MARK rule and
> the TPROXY rule and I can see logs of traffic. But
> 
> I configured the tproxy rule for dport 80 to redirect to port 3129 for
> TCP, but when I check the log messages, it is showing UDP and port
> 53, which is DNS.

In your LOG rules, you don't specify *what* to log, so the rules log
*any* packet that passes the rules (thus not only http but also dns). If
you want the rules to just log the packets you want to do something
with, you have to use the exact same matches for the LOG rules as you do
for the TPROXY and MARK rules.
Also, usually LOG rules are right in front of the actual (in this case
TPROXY or MARK) target; here it may not matter much, but if you use a
final target like ACCEPT or DROP and put the LOG rule *after* those
rules, the packets won't reach the LOG rule and thus will not be logged.

So, something like:


-A PREROUTING -p tcp -m socket -j DIVERT
-A PREROUTING -p tcp -m tcp --dport 80 -j LOG --log-prefix "TPROXY PACKET" --log-level 1
-A PREROUTING -p tcp -m tcp --dport 80 -j TPROXY --on-port 3129 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1

-A DIVERT -j LOG --log-prefix "SOCKET packets" --log-level 1
-A DIVERT -j MARK --set-xmark 0x1/0xffffffff
-A DIVERT -j ACCEPT


--
Rob

> and in socket log prefix i can see dport 80 log messagess.
> 
> my iptables rules:
> 
> 
> cat /etc/sysconfig/iptables
> # Generated by iptables-save v1.4.7 on Mon Aug 22 23:16:10 2011
> *mangle
> :PREROUTING ACCEPT [55:7813]
> :INPUT ACCEPT [3019:751575]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [2731:1227997]
> :POSTROUTING ACCEPT [2731:1227997]
> :DIVERT - [0:0]
> -A PREROUTING -p tcp -m socket -j DIVERT
> -A PREROUTING -p tcp -m tcp --dport 80 -j TPROXY --on-port 3129 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1
> -A PREROUTING -j LOG --log-prefix "TPROXY PACKET" --log-level 1
> -A DIVERT -j MARK --set-xmark 0x1/0xffffffff
> -A DIVERT -j LOG --log-prefix "SOCKET packets" --log-level 1
> -A DIVERT -j ACCEPT



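To see the point Rob makes above in actual syslog output (an unqualified LOG rule logs every packet that reaches it, so DNS shows up under "TPROXY PACKET"), here is an added example that is not code from the thread: a small Python parser for the kernel's netfilter LOG lines that groups records by --log-prefix and reports the packets that fail the matches the LOG rule should have shared with its TPROXY or MARK neighbour. The sample lines are constructed; the prefixes are the thread's, written without a trailing space as in the posted ruleset, so the kernel glues them to the IN= field.

```python
import re
from collections import defaultdict

# Constructed syslog lines in the kernel's netfilter LOG format (not from the
# thread). The prefixes are the thread's; since neither ends in a space, the
# kernel prints them glued to the IN= field ("TPROXY PACKETIN=eth1").
SAMPLE_LOG = """\
Aug 22 23:20:01 gw kernel: TPROXY PACKETIN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.10.10.50 DST=10.10.10.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12345 DF PROTO=UDP SPT=51234 DPT=53 LEN=40
Aug 22 23:20:01 gw kernel: TPROXY PACKETIN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.10.10.50 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=23456 DF PROTO=TCP SPT=40001 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0
Aug 22 23:20:02 gw kernel: SOCKET packetsIN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.10.10.50 DST=192.0.2.10 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=23457 DF PROTO=TCP SPT=40001 DPT=80 WINDOW=229 RES=0x00 ACK URGP=0 MARK=0x1
Aug 22 23:20:02 gw kernel: eth1: link is up
"""

# After "kernel: " (and an optional "[secs.usecs] " printk timestamp) a LOG line
# is "<prefix>IN=<in> OUT=<out> ... KEY=VALUE ..."; the prefix is whatever sits
# before the first "IN=".
LINE_RE = re.compile(r'kernel: (?:\[\s*[\d.]+\] )?(?P<prefix>.*?)IN=(?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=(\S*)')

def parse_log_line(line):
    """Return {'prefix', 'fields', 'flags'} for a netfilter LOG line, else None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rest = 'IN=' + m.group('rest')
    fields = dict(KV_RE.findall(rest))                        # IN, SRC, DST, PROTO, DPT, MARK ...
    flags = {tok for tok in rest.split() if '=' not in tok}  # DF, SYN, ACK ...
    return {'prefix': m.group('prefix').strip(), 'fields': fields, 'flags': flags}

def audit(lines, expected):
    """Group records by --log-prefix and list, per prefix, the packets that fail
    the matches the LOG rule should have shared with its TPROXY or MARK neighbour.
    expected maps prefix -> {field: value}; prefixes not listed are not checked."""
    by_prefix = defaultdict(list)
    for line in lines:
        rec = parse_log_line(line)
        if rec:
            by_prefix[rec['prefix']].append(rec)
    unexpected = defaultdict(list)
    for prefix, want in expected.items():
        for rec in by_prefix.get(prefix, []):
            f = rec['fields']
            if any(f.get(k) != v for k, v in want.items()):
                unexpected[prefix].append((f['SRC'], f['DST'], f['PROTO'], f.get('DPT')))
    return dict(by_prefix), dict(unexpected)

def packet_mark(rec):
    """The LOG target prints MARK=0x.. only for a nonzero packet mark, so a LOG
    rule placed after -j MARK shows it while one placed before it does not."""
    return int(rec['fields'].get('MARK', '0x0'), 16)

def audit_sample():
    """Run the audit over the constructed lines: 'TPROXY PACKET' should only ever
    be tcp/80, which exposes the DNS packet logged by the unqualified LOG rule."""
    return audit(SAMPLE_LOG.splitlines(), {'TPROXY PACKET': {'PROTO': 'TCP', 'DPT': '80'}})
```

Feed it the real syslog (for example `audit(open('/var/log/messages'), ...)`) with one entry per prefix you expect to be qualified, and an empty result means every LOG rule is seeing only the traffic its neighbouring target acts on.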

* Re: debug iptables rules
From: Jan Engelhardt @ 2011-08-23 10:29 UTC (permalink / raw)
  To: Erik Schorr; +Cc: netfilter, Rob Sterenborg (Lists)

On Tuesday 2011-08-23 10:18, Erik Schorr wrote:

>I'm surprised nobody has mentioned the TRACE option.

It has been mentioned in one of the pages at the URLs in the messages
posted earlier.


* Re: debug iptables rules
From: TEJAS @ 2011-08-23 14:35 UTC (permalink / raw)
  To: Rob Sterenborg (Lists); +Cc: netfilter

Hi,

I set a log rule for port 80 traffic logging and it is working fine. And
I want to log the tproxy rule which redirects traffic from port 80 to
port 3129 (squid tproxy). So what will be the LOG rule for this?


cat /etc/sysconfig/iptables
# Generated by iptables-save v1.4.7 on Tue Aug 23 00:00:02 2011

*mangle
:PREROUTING ACCEPT [2:294]
:INPUT ACCEPT [49:3610]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [43:3368]
:POSTROUTING ACCEPT [43:3368]
:DIVERT - [0:0]
-A PREROUTING -d 10.10.10.30/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A PREROUTING -p tcp -m socket -j DIVERT
-A PREROUTING -p tcp -m tcp --dport 80 -j LOG --log-prefix "port 80" --log-level 1
-A PREROUTING -p tcp -m tcp --dport 80 -j TPROXY --on-port 3129 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1
-A DIVERT -j MARK --set-xmark 0x1/0xffffffff
-A DIVERT -j ACCEPT
COMMIT


Actually I want to see the packet redirected from port 80 to port 3129.

What is the use of the socket match? I tried to find out from google and
also read some documents, but I do not have a good understanding of
it. So kindly guide me on what the use of the socket match is and how
the TPROXY match works.

Thanks,
Tej


* Re: debug iptables rules
From: Rob Sterenborg (Lists) @ 2011-08-23 18:44 UTC (permalink / raw)
  To: TEJAS; +Cc: netfilter

On Tue, 2011-08-23 at 20:05 +0530, TEJAS wrote:
> Hi,
> 
> I set log rule for port 80 traffic logging and it is working fine. And
> i want to log tproxy rule which is redirect traffic from port 80 to
> port 3129 (squid tproxy). So for that what will be LOG rule for this?

[snip]

> Actually I want to see the packet redirected from port 80 to port 3129.
> 
> What is the use of the socket match? I tried to find out from google and
> also read some documents, but I do not have a good understanding of
> it. So kindly guide me on what the use of the socket match is and how
> the TPROXY match works.

Sorry, can't help you there so maybe someone else can jump in: I've
never used the socket match or TPROXY target. (According to what I just
read the socket match replaced the tproxy match. I suppose you took your
experiment from https://lwn.net/Articles/252545/ because it looks the
same.)


--
Rob




* Re: debug iptables rules
From: Amos Jeffries @ 2011-08-25 16:16 UTC (permalink / raw)
  To: Rob Sterenborg (Lists); +Cc: TEJAS, netfilter

On 24/08/11 06:44, Rob Sterenborg (Lists) wrote:
> On Tue, 2011-08-23 at 20:05 +0530, TEJAS wrote:
>> Hi,
>>
>> I set log rule for port 80 traffic logging and it is working fine. And
>> i want to log tproxy rule which is redirect traffic from port 80 to
>> port 3129 (squid tproxy). So for that what will be LOG rule for this?
>
> [snip]
>
>> Actually I want to see the packet redirected from port 80 to port 3129.
>>
>> What is the use of the socket match? I tried to find out from google and
>> also read some documents, but I do not have a good understanding of
>> it. So kindly guide me on what the use of the socket match is and how
>> the TPROXY match works.
>
> Sorry, can't help you there so maybe someone else can jump in: I've
> never used the socket match or TPROXY target. (According to what I just
> read the socket match replaced the tproxy match. I suppose you took your
> experiment from https://lwn.net/Articles/252545/ because it looks the
> same.)

A squid wiki cut-n-paste job.

   The TPROXY rule is capturing packets to port 80 into squid port 3129.
   DIVERT is preventing packets leaving the squid from being captured.

Log marked packets after TPROXY rule to see the packets entering squid.
Log marked packets after the DIVERT sub-chain MARK rule to see packets 
exiting squid.

AYJ
