
Are there any tools or API hooks for troubleshooting iptables or routing on Linux? (besides the obvious -j LOG)

In other words: what to do when a table with 200 or 300 firewalling rules still doesn't allow the new traffic after adding a new rule.

Or when a router with over a dozen network interfaces replies to packets coming in on interface A on interface B.

Is reading and manually tracking the rules and tables the only option?

Hubert Kario
  • I don't think there are any general troubleshooting tools that do everything - individual issues have to be taken care of individually. E.g. when you say you have 300 rules and adding another "still doesn't work" indicates it didn't work beforehand. Rules go from the top down; if something denies or de-chains a packet, it won't hit a rule further down. Tcpdump is often your friend, with some good filtering in place. Routing is simple if static, simple protocols like OSPF and RIP shouldn't make it much harder - if doing policy routing, or NAT is rewriting packets, then it's a bit tougher – Stokkeland Jul 11 '11 at 14:12
  • What I meant is that I have a complex iptables setup, and adding a single rule for traffic X doesn't let traffic X through. In a simple default-deny iptables setup it does let traffic X through. I know how iptables works, through which chains and tables packets go. In a complex setup a single typo can go undetected and break the firewall only when another rule is added. And static routing is anything but simple if you have 3 Internet connections (with traffic balancing), 4 VPNs with different routing rules and a few internal VLANs... – Hubert Kario Jul 11 '11 at 14:29
  • See if your version of iptables supports the TRACE target. – Max Alginin Jul 11 '11 at 16:14
  • See http://serverfault.com/questions/122157/debugger-for-iptables – Zoredache Jul 11 '11 at 17:04
  • Yes, TRACE is what I was looking for. Now something similar for routing – Hubert Kario Jul 12 '11 at 15:38
  • @ynguldyn: please add your comment as an answer, so I'll be able to mark it as the accepted answer – Hubert Kario Jul 20 '11 at 06:42
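The TRACE target the comments point at logs every table, chain and rule a packet passes through, which is exactly the "where did my packet go" view a large ruleset needs. The script below is an added example, not code from the thread or from any of its participants: it builds narrowly scoped TRACE rules for one flow, reduces the kernel's TRACE lines back into the path the packet took, and adds the routing counterpart for the second half of the question. It assumes an iptables with the raw table and the TRACE target, a kernel that writes TRACE lines to the kernel log, and an iproute2 whose `ip route get` accepts `from ... iif ...`; the log lines in it are constructed, not captured from a real router.

```shell
#!/bin/sh
# Added example (not code from the thread): turn the TRACE target the comments
# point at into something repeatable, plus the routing counterpart.
# Assumptions: iptables has the raw table and TRACE target, the kernel writes
# TRACE lines to the kernel log, and iproute2 supports `ip route get ... from ... iif ...`.

# Commands that switch TRACE on for one flow only. Tracing every packet on a
# busy router floods the log, so match narrowly and rate-limit; pass -D as the
# fourth argument to get the matching delete commands when finished.
trace_rules() {
    proto=$1; dst=$2; dport=$3; action=${4:--A}
    for chain in PREROUTING OUTPUT; do
        echo "iptables -t raw $action $chain -p $proto -d $dst --dport $dport -m limit --limit 10/s -j TRACE"
    done
}

# Reduce one kernel TRACE line to table:chain:type:rulenum. "type" is "rule"
# when a rule matched, "policy" when the chain fell through to its policy and
# "return" when a user-defined chain returned to its caller.
trace_hit() {
    printf '%s\n' "$1" | sed -n 's/.*TRACE: \([^:]*:[^:]*:[^:]*:[0-9]*\).*/\1/p'
}

# Whole log -> ordered list of hits joined by " -> ".
trace_path() {
    printf '%s\n' "$1" | while IFS= read -r line; do trace_hit "$line"; done |
        awk 'NR > 1 { printf " -> " } { printf "%s", $0 } END { print "" }'
}

# The last hit is the rule (or policy) that decided the packet's fate;
# `iptables -t TABLE -L CHAIN -n --line-numbers` shows what that rule is.
last_hit() {
    printf '%s\n' "$1" | while IFS= read -r line; do trace_hit "$line"; done | tail -n 1
}

# Routing counterpart: ask the kernel which route and interface it would pick
# for a packet arriving on iface from src, with policy-routing rules applied.
# An fwmark set by an iptables MARK rule is not part of this query.
route_query() {
    dst=$1; src=$2; iface=$3
    echo "ip route get $dst from $src iif $iface"
}

# Constructed kernel log for one forwarded TCP/443 packet (not real output).
SAMPLE_LOG='Jul 11 14:12:03 rtr kernel: TRACE: raw:PREROUTING:policy:3 IN=eth0 OUT= SRC=10.0.0.5 DST=192.0.2.10 PROTO=TCP SPT=43210 DPT=443
Jul 11 14:12:03 rtr kernel: TRACE: mangle:PREROUTING:policy:1 IN=eth0 OUT= SRC=10.0.0.5 DST=192.0.2.10 PROTO=TCP SPT=43210 DPT=443
Jul 11 14:12:03 rtr kernel: TRACE: nat:PREROUTING:policy:1 IN=eth0 OUT= SRC=10.0.0.5 DST=192.0.2.10 PROTO=TCP SPT=43210 DPT=443
Jul 11 14:12:03 rtr kernel: TRACE: filter:FORWARD:rule:3 IN=eth0 OUT=eth1 SRC=10.0.0.5 DST=192.0.2.10 PROTO=TCP SPT=43210 DPT=443
Jul 11 14:12:03 rtr kernel: TRACE: filter:fw-dmz:rule:12 IN=eth0 OUT=eth1 SRC=10.0.0.5 DST=192.0.2.10 PROTO=TCP SPT=43210 DPT=443'

trace_rules tcp 192.0.2.10 443
trace_path "$SAMPLE_LOG"
last_hit "$SAMPLE_LOG"
route_query 192.0.2.10 10.0.0.5 eth0
```

With the constructed log the path reads `raw:PREROUTING:policy:3 -> ... -> filter:FORWARD:rule:3 -> filter:fw-dmz:rule:12`, so the packet was handed to the user chain `fw-dmz` by FORWARD rule 3 and its fate was decided by rule 12 there; listing that chain with `--line-numbers` shows which rule that is, which is the typo-hunting step the question is about. Keep the TRACE rules as narrow as the flow under test and remove them when done, because the log output is per packet.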

2 Answers


iptables will list all your rules with packet counts. These can be valuable in determining if you are hitting particular rules.

Given you have 200 or 300 rules, it would be a good idea to look at a tool to build and configure your firewall. I like Shorewall which has some good show functionality to list important data about the running firewall. Some of the features I like include:

  • Pre-built macros for common services, ability to add your own.
  • Ease of configuring zones and hosts.
  • Ease of configuring logging for specific rules.
  • Simplicity and clarity of configuration files.
  • Available example configurations for 1, 2, and 3 interfaces.
  • Shorewall-lite to separate config on a different server.
  • Shorewall6 to handle ipv6.

I had thought there was a utility to trace the route a specific packet would take, but wasn't able to find it last time I looked. A little looking through the Shorewall show command output got me my answer.

BillThor
  • iptables packet counts are useless if you're hit with 1000's of packets per second... I will have to look at Shorewall but I'm afraid that the configs I'm dealing with are simply too complex to handle with automatic tools (among things, I need to use `iptables -j MARK` to route packets properly). – Hubert Kario Jul 11 '11 at 14:41
  • @Hubert Kario: I use packet counts to see if I am hitting a rule, and may add an accounting rule (IP address based) to see if the packet is even available at that point. Shorewall does support use of MARK http://www.shorewall.net/PacketMarking.html. – BillThor Jul 11 '11 at 15:11

Just to close the question.

The answer was provided by ynguldyn and zoredache (in this order) to the firewall part of the question.

Hubert Kario