{"id":612,"date":"2013-04-23T10:53:42","date_gmt":"2013-04-23T09:53:42","guid":{"rendered":"http:\/\/www.jbahillo.com\/?p=612"},"modified":"2013-07-03T06:59:10","modified_gmt":"2013-07-03T05:59:10","slug":"debugging-iptables","status":"publish","type":"post","link":"https:\/\/www.jbahillo.com\/?p=612","title":{"rendered":"Debugging iptables"},"content":{"rendered":"<p>Today I had to debug iptables while reviewing a customer issue, which basically had problems with a VPN that allowed traffic from the client to the server, but not to any other machine in the server network.<br \/>\nA quick look at tcpdump and kern.log showed that the issue was in the iptables configuration, but&#8230;which rule was the culprit?<\/p>\n<p>I have normally debugged iptables by looking at the whole set of rules, and when this is not possible due to a large number of rules and chains, then isolating traffic and looking at the packet\/byte counters (iptables -L chain -n -v).<\/p>\n<p>But at this point I could not isolate traffic, and decided to look for information, as there had to be another way of finding which rule was causing this. 
Finally I found <a title=\"iptables debugging\" href=\"http:\/\/backreference.org\/2010\/06\/11\/iptables-debugging\/\" target=\"_blank\">this article<\/a>.<\/p>\n<p>In my case, I just had to (I did not have to load modules, as that was done by default):<\/p>\n<ol>\n<li>Add a rule to send traffic to the raw table and TRACE target<\/li>\n<li>Generate some traffic to see the rules navigation<\/li>\n<li>tail -f kern.log (I grepped for the MAC to see only the affected ones)<\/li>\n<\/ol>\n<p>Then I could see something like this:<\/p>\n<pre class=\"brush: bash; gutter: false\">Apr 22 12:58:06 foobar kernel: [967185.974770] TRACE: filter:fdns:return:5 IN=tap0 \nOUT=eth0 MAC=00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD SRC=192.168.161.2\n DST=192.168.2.250 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=14245 SEQ=2066 MARK=0x1\nApr 22 12:58:06 foobar kernel: [967185.974783] TRACE: filter:FORWARD:rule:9 IN=tap0\n OUT=eth0 MAC=00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD SRC=192.168.161.2\n DST=192.168.2.250 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=14245 SEQ=2066 MARK=0x1\nApr 22 12:58:06 foobar kernel: [967185.974796] TRACE: filter:fobjects:return:1 IN=tap0 \nOUT=eth0 MAC=00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD SRC=192.168.161.2\n DST=192.168.2.250 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=14245 SEQ=2066 MARK=0x1\nApr 22 12:58:06 foobar kernel: [967185.974809] TRACE: filter:FORWARD:rule:10 IN=tap0 \nOUT=eth0 MAC=00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD SRC=192.168.161.2\n DST=192.168.2.250 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=14245 SEQ=2066 MARK=0x1\nApr 22 12:58:06 foobar kernel: [967185.974823] TRACE: filter:fglobal:rule:2 IN=tap0\n OUT=eth0 MAC=00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD SRC=192.168.161.2\n DST=192.168.2.250 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=14245 SEQ=2066 MARK=0x1\nApr 22 12:58:06 foobar kernel: [967185.974836] TRACE: 
filter:drop:rule:1 IN=tap0\n OUT=eth0 MAC=00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD SRC=192.168.161.2\n DST=192.168.2.250 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=14245 SEQ=2066 MARK=0x1<\/pre>\n<p>So I could see straight forward which rule (the second in fglobal here) I had to look at in order to see why traffic was being blocked<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Today I had to debug iptables while reviewing a customer issue, which basically had problems with a VPN that allowed traffic from the client to the server, but not to any other machine in the server network. A quick look&hellip;<\/p>\n<p class=\"more-link-p\"><a class=\"more-link\" href=\"https:\/\/www.jbahillo.com\/?p=612\">Read more &rarr;<\/a><\/p>\n","protected":false},"author":21,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"ep_exclude_from_search":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[10,1],"tags":[115,112,113,111,114],"class_list":["post-612","post","type-post","status-publish","format-standard","hentry","category-gnulinux","category-seguridad","tag-chain","tag-debug","tag-firewall","tag-iptables","tag-rule"],"aioseo_notices":[],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_shortlink":"https:\/\/wp.me\/p74T96-9S","jetpack-related-posts":[],"jetpack_sharing_enabled":true,"jetpack_likes_enabled":true,"_links":{"self":[{"href":"https:\/\/www.jbahillo.com\/ind
ex.php?rest_route=\/wp\/v2\/posts\/612","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.jbahillo.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.jbahillo.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.jbahillo.com\/index.php?rest_route=\/wp\/v2\/users\/21"}],"replies":[{"embeddable":true,"href":"https:\/\/www.jbahillo.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=612"}],"version-history":[{"count":11,"href":"https:\/\/www.jbahillo.com\/index.php?rest_route=\/wp\/v2\/posts\/612\/revisions"}],"predecessor-version":[{"id":673,"href":"https:\/\/www.jbahillo.com\/index.php?rest_route=\/wp\/v2\/posts\/612\/revisions\/673"}],"wp:attachment":[{"href":"https:\/\/www.jbahillo.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=612"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.jbahillo.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=612"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.jbahillo.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=612"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}