3

Having an odd problem here with regards to pound reverse proxy no longer directing traffic properly on a CentOS based distro (ClearOS 6.2.x).

I believe that it's an iptables issue or something else in that I see nothing to even indicate inbound traffic in my /var/log/messages or /var/log/system.

How can I increase iptables logging verbosity and verify what is going on with it (in terms of certainty as to where the logging data is being kept)?

ylluminate
  • 1,001
  • 2
  • 15
  • 29

2 Answers2

5

Below are the general steps I've taken in the past to turn on iptables logging.

Modify Logging
- sudo vi /etc/syslog.conf
- kern.warning /var/log/iptables.log
 - sudo /sbin/service syslog restart
 - sudo vi /etc/logrotate.d/syslog
- If this file is already there, add /var/log/iptables.log to the first line
- If the file is not there, add it:

/var/log/messages /var/log/secure /var/log/maillog /var/log/spooler /var/log/boot.log /var/log/cron /var/log/iptables.log {
    sharedscripts
    postrotate
        /bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
    endscript
}

Implement firewall rules
• sudo vi /etc/sysconfig/iptables.script
• sudo chmod 700 /etc/sysconfig/iptables.script
• sudo /etc/sysconfig/iptables.script

Within my iptables script, I have all of my generic allow rules at the top and then towards the bottom I have some specific logging rules. Below are a few examples.

# Log dropped traffic
/sbin/iptables -A INPUT -j LOG -m limit --limit 10/m --log-level 4 --log-prefix "Dropped Traffic: "
# Log outbound traffic for anything not equal private ip ranges (this is defined in some previous rules)
/sbin/iptables -A OUTPUT -j LOG -m limit --limit 10/m --log-level 4 --log-prefix "Outbound Traffic: "
# Log traffic that doesn't hit a rule above (stuff that may be blocked in the future)
/sbin/iptables -A INPUT -j LOG -m limit --limit 10/m --log-level 4 --log-prefix "Potentially Dropped Traffic: "

There are obviously a ton of things you can do with this. Here is a good link for some generic information.

Eric
  • 1,373
  • 3
  • 17
  • 33
  • Thanks that was quite helpful, however I'm not seeing quite enough verbosity I fear. For example, when I compare all inbound packets from `tcpdump` I am seeing the packets with the src ip in question hitting the network, yet there is nothing in the iptables log that matches these. Can I get any more verbose than `iptables -A INPUT -j LOG --log-level 4`? – ylluminate May 04 '12 at 19:46
  • The main thing you need to make sure is that with your log statements you are logging all traffic. On some of my examples above, I have ACCEPT rules above it and then I'm only logging dropped traffic below. So what I would recommend for your troubleshooting is to set up a "-j LOG" option for all traffic and then compare it. – Eric May 07 '12 at 13:05
  • I ended up adding a trace like so: `iptables -t raw -A PREROUTING -p tcp --destination 192.168.0.0/24 --dport 80 -j TRACE` and `iptables -t raw -A OUTPUT -p tcp --destination 192.168.0.0/24 --dport 80 -j TRACE`. Would you suggest anything that would be more verbose. I'm still really not seeing the root problem I'm hunting for in terms of why packets would not be getting to `pound` in my particular case. – ylluminate May 07 '12 at 18:31
  • While the iptables logs are going to help you on some drop traffic, it sounds like your searching for more of a configuration issue. I would recommend ensuring ip forwarding is enabled, take away any drop rules on iptables, allow everything to be prerouted, forwarded, or whatever else you need, and then just tcpdump both interfaces. This is what is truly going to give you the information you need. Once you get that working, then you can start gradually turning rules back on. – Eric May 07 '12 at 21:45
  • I think the real problem I'm having here is figuring out how to customize the iptables rules entirely on this CentOS distro. I cannot seem to find where everything that's already set up is being stored and thus fully modify. Yes, I'd very much like to essentially allow all to pass through to see if that even initially solves my problem of traffic arriving at pound, however I'm not seeing where to do this precisely in this situation. – ylluminate May 07 '12 at 23:59
  • If you "vi /etc/sysconfig/iptables" you will be able to directly modify and see all of your iptable rules. Once you modify the file and save it you can then "/sbin/service iptables restart". Most people prefer you to do this in a script but if it's just you modifying the rules you can do it the direct way. So if you want you can basically go in there and modify all rules to ACCEPT and add as many prerouting, forwarding, etc rules as you want. Basically "INPUT, OUTPUT, FORWARD, PREROUTING, POSTROUTING -j ACCEPT". – Eric May 08 '12 at 13:15
2

You can use the '-j LOG' target to log the matched packet to your system log. You can also prefix it with any arbitrary string.

To help in debugging the problem, you can use anetwork sniffer like wireshark or tcpdump. Also, iptables counters can a good source of information on a less busy servers by monitoring the changes of a certain rule.

You can view the exact counters with iptables -L -nvx.

Ladadadada
  • 25,847
  • 7
  • 57
  • 90
Khaled
  • 35,688
  • 8
  • 69
  • 98
  • Thanks for the note! Yes, already familiar with using packet sniffers and my traffic is being seen on the inbound with `tcpdump`, `wireshark`, etc... However the problem is that something is stopping these packets. Presently I have enabled `iptables -A INPUT -j LOG --log-level 4` as per the detailed instructions that @Eric gave above, however I'm simply not seeing this traffic in `iptables`. Do you know if that's as verbose as you can get? Otherwise, I'm going to have to hunt elsewhere for something that could be blocking traffic I suppose. – ylluminate May 04 '12 at 19:49