
I am trying to use the TRACE target of IPtables but I can't seem to get any trace information logged. I want to use what is described here: Debugger for Iptables.

From the iptables man for TRACE:

   This target marks packets so that the kernel will log every rule which
   matches the packets as those traverse the tables, chains, rules. (The
   ipt_LOG or ip6t_LOG module is required for the logging.) The packets
   are logged with the string prefix: "TRACE: tablename:chainname:type:rulenum "
   where type can be "rule" for plain rule, "return" for implicit rule at the
   end of a user defined chain and "policy" for the policy of the built in
   chains.
   It can only be used in the raw table.

I use the following rule: iptables -A PREROUTING -t raw -p tcp -j TRACE but nothing is appended either in /var/log/syslog or /var/log/kern.log!

Is there another step missing? Am I looking in the wrong place?

edit

Even though I can't find log entries, the TRACE target seems to be set up correctly since the packet counters get incremented:

# iptables -L -v -t raw
Chain PREROUTING (policy ACCEPT 193 packets, 63701 bytes)
 pkts bytes target     prot opt in     out     source               destination
  193 63701 TRACE      tcp  --  any    any     anywhere             anywhere

Chain OUTPUT (policy ACCEPT 178 packets, 65277 bytes)
 pkts bytes target     prot opt in     out     source               destination

edit 2

The rule iptables -A PREROUTING -t raw -p tcp -j LOG does print packet information to /var/log/syslog... Why doesn't TRACE work?

bernie
    Just stumbled upon a python program (which is also called iptables-trace :). When started it adds a TRACE rule with the specified conditions into the running iptables, then parses and displays formatted output for the resulting TRACE output until the program is stopped (which removes the TRACE rule from iptables). Will try this soon... – chris May 31 '16 at 19:31

4 Answers


It seems (i.e. it works for me) that with newer kernels this is needed (for IPv4):

modprobe nf_log_ipv4
sysctl net.netfilter.nf_log.2=nf_log_ipv4

credits:

akostadinov
  • This was the one that worked for me on Ubuntu 16.04 (kernel 4.4.0-21-generic) – Ash Berlin-Taylor Mar 17 '17 at 08:53
  • Unfortunately the `modinfo nf_log_ipv4` description just says: "Netfilter IPv4 packet logging". Some description could improve the answer: What does the sysctl do exactly? – U. Windl Mar 19 '20 at 10:43
  • `sysctl: setting key "net.netfilter.nf_log.2": No such file or directory` is what I get – red888 Sep 02 '22 at 14:05

Run:

modprobe ipt_LOG

That fixed it for me.

bain
Gido Bruno

I found that I needed to perform both of the previous answers, in this order:

sudo modprobe ipt_LOG
sudo sysctl net.netfilter.nf_log.2=ipt_LOG

Here are a couple of things that I discovered along the way.

You can get a list of valid loggers (along with the currently selected logger) with the following:

cat /proc/net/netfilter/nf_log

The numbers here represent the protocol family numbers, as defined in /usr/include/bits/socket.h. 2 is AF_INET (that's IPv4), and 10 is AF_INET6 (IPv6).

mavit
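As an added example (not code from the question or from any of the answers above), here is a small POSIX shell script that puts the two halves of the fix together: checking /proc/net/netfilter/nf_log to see whether a logger is actually bound to family 2 before adding a TRACE rule, and reducing the resulting kernel log lines to the `table:chain:type:rulenum` path a packet took. The `/proc/net/netfilter/nf_log` sample and the kernel log lines are constructed for the example (the real file has one line per protocol family, the same shape as the sample; the real log lines carry more packet fields after the prefix, which the parser ignores). `enable_ipv4_trace` is the only part that touches the running system and needs root; port 22 and `journalctl -k` are assumptions, not something the answers specify.

```shell
#!/bin/sh
# Added example, not from the original answers: check the netfilter logger
# binding, then parse TRACE output. Only enable_ipv4_trace changes the system.

# Print the logger bound to protocol family $1 (2 = AF_INET, 10 = AF_INET6),
# reading /proc/net/netfilter/nf_log content from stdin. Each line is
# "<family> <active logger or NONE> (<registered loggers>)".
nf_log_active() {
    awk -v pf="$1" '$1 == pf { print $2; exit }'
}

# Print the loggers registered for family $1, one per line. These are the
# only valid values for "sysctl net.netfilter.nf_log.<family>=...".
nf_log_registered() {
    awk -v pf="$1" '$1 == pf {
        gsub(/[()]/, "", $3); n = split($3, a, ",")
        for (i = 1; i <= n; i++) if (a[i] != "") print a[i]
        exit }'
}

# Reduce one kernel log line to "table chain type rulenum", i.e. the fields
# of the "TRACE: tablename:chainname:type:rulenum " prefix from the man page.
parse_trace_line() {
    printf '%s\n' "$1" |
        sed -n 's/.*TRACE: \([^:]*\):\([^:]*\):\([^:]*\):\([0-9]*\).*/\1 \2 \3 \4/p'
}

# Fold a stream of TRACE lines (stdin) into the path the packet took through
# the tables, hop by hop, separated by " > ".
trace_path() {
    sed -n 's/.*TRACE: \([^ ]*\) .*/\1/p' | paste -sd '>' - | sed 's/>/ > /g'
}

# Root only: load the IPv4 logger, bind it to family 2 (the step the
# question was missing) and trace TCP to port $1 (assumed default: 22).
enable_ipv4_trace() {
    port="${1:-22}"
    modprobe nf_log_ipv4
    sysctl -w net.netfilter.nf_log.2=nf_log_ipv4
    iptables -t raw -I PREROUTING -p tcp --dport "$port" -j TRACE
    echo "watch with:  journalctl -kf | grep 'TRACE:'   (or tail -f /var/log/kern.log)"
    echo "remove with: iptables -t raw -D PREROUTING -p tcp --dport $port -j TRACE"
}

# Constructed sample of /proc/net/netfilter/nf_log: the IPv4 module is loaded
# but not bound, which is exactly the state where TRACE counts packets and
# logs nothing.
SAMPLE_NF_LOG=' 0 NONE ()
 2 NONE (nf_log_ipv4)
10 nf_log_ipv6 (nf_log_ipv6)'

# Constructed sample of kernel log output once the logger is bound: the TRACE
# rule itself, the raw PREROUTING policy, mangle, then a filter INPUT rule.
SAMPLE_TRACE='kernel: TRACE: raw:PREROUTING:rule:1 IN=eth0 OUT= SRC=192.0.2.10 DST=192.0.2.1 PROTO=TCP SPT=40000 DPT=22
kernel: TRACE: raw:PREROUTING:policy:2 IN=eth0 OUT= SRC=192.0.2.10 DST=192.0.2.1 PROTO=TCP SPT=40000 DPT=22
kernel: TRACE: mangle:PREROUTING:policy:1 IN=eth0 OUT= SRC=192.0.2.10 DST=192.0.2.1 PROTO=TCP SPT=40000 DPT=22
kernel: TRACE: filter:INPUT:rule:3 IN=eth0 OUT= SRC=192.0.2.10 DST=192.0.2.1 PROTO=TCP SPT=40000 DPT=22'

# Report whether family 2 has a logger; on a real host feed it
# "$(cat /proc/net/netfilter/nf_log)" instead of the sample.
check_ipv4_logger() {
    active=$(printf '%s\n' "$1" | nf_log_active 2)
    if [ "$active" = "NONE" ]; then
        first=$(printf '%s\n' "$1" | nf_log_registered 2 | head -n 1)
        echo "no IPv4 logger bound; TRACE will log nothing. Try: sysctl net.netfilter.nf_log.2=${first:-nf_log_ipv4}"
        return 1
    fi
    echo "IPv4 logger: $active"
}

check_ipv4_logger "$SAMPLE_NF_LOG" || true
printf '%s\n' "$SAMPLE_TRACE" | trace_path
```

On a live host, replace the sample with `check_ipv4_logger "$(cat /proc/net/netfilter/nf_log)"` and pipe `journalctl -k | grep 'TRACE:'` into `trace_path`; a path that stops at a `policy` or `return` hop shows where the packet left the chain you expected it to stay in.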

This worked for me: sudo sysctl net.netfilter.nf_log.2=ipt_LOG