Re: the impossible "iptables -C" option

On Sunday 25 July 2004 6:50 pm, Les Mikesell wrote:

> On Sat, 2004-07-24 at 15:13, Antony Stone wrote:
> > On Saturday 24 July 2004 7:46 pm, Les Mikesell wrote:
> > > I have a situation where I can see strange results with tcpdump and
> > > would like to know what combination of rules is causing it.
> >
> > I suggest you take some of the features you can see from the tcpdump
> > output and create some logging rules to find out how far through your
> > ruleset the packets are getting.
>
> The problem is that in this case the rules are built by a perl
> script that writes a shell script that lives in /etc/rc.d/init.d
> and both contain variables and conditionals interpreted at
> runtime.  The point of using this particular system is that
> you normally don't have to understand how it all works because
> the configuration is all scripted.  So it isn't 'my' rules
> I want to see - I just want to know which of the existing
> rules I have to work around.

Well, you can find out what the ruleset really is once it's all been scripted, 
run and installed, by asking netfilter for a listing:

iptables -L -nvx; iptables -L -t nat -nvx

Then you can add LOGging rules at whatever points you like in the ruleset 
by using "-I CHAIN #" where # is the position you want the rule to occupy.

You could even take this to an extreme and insert a LOGging rule between every 
two other rules with a little script of your own:

# Insert a LOG rule after each existing rule in FORWARD. Every insert shifts
# the rules below it down by one, so the even positions 2, 4, 6, ... always
# land just after original rule 1, 2, 3, ... With 50 rules the last LOG goes
# in at position 100.
for ((a=2; a<=100; a+=2))
do
  iptables -I FORWARD "$a" -j LOG --log-prefix "rule $a "
done

(assuming you have 50 rules at present, so the last new LOG rule needs to go 
in position 100)

This will create some verbose output, but you'll certainly find out what's 
happening to your packets...

Regards,

Antony.

-- 
I don't know, maybe if we all waited then cosmic rays would write all our 
software for us. Of course it might take a while.

 - Ron Minnich, Los Alamos National Laboratory

                                                     Please reply to the list;
                                                           please don't CC me.
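The loop in the reply above, turned into something reusable, as an added example that is not part of the original message or of any netfilter project code. It prints the iptables commands rather than running them (applying them needs root and a real iptables), labels each LOG rule with the original rule number instead of its shifting position, and shows how to read the kernel log back. The function names (gen_log_inserts, gen_log_deletes, furthest_rule) and the sample log lines are this example's own constructions.

```shell
#!/bin/sh
# Added example, not code from the original post: the "LOG between every two
# rules" trick from the reply as reusable functions, plus a reader for the
# resulting kernel log. The function names and the sample log are this
# example's own constructions. Applying the printed commands needs root and a
# real iptables; this script only prints them (pipe into "sh" to apply).

# Print the commands that put a LOG rule after every existing rule in CHAIN,
# which currently holds NRULES rules. Each insert shifts the rules below it
# down by one, so once the LOGs before it are in, original rule i sits at
# position 2i-1 and the LOG that follows it goes at position 2i. The prefix
# carries the ORIGINAL rule number, which is what you want to read back.
gen_log_inserts() {
  chain=$1; nrules=$2; i=1
  while [ "$i" -le "$nrules" ]; do
    # --log-prefix accepts at most 29 characters; "FORWARD:past-rule-50 " fits.
    printf 'iptables -I %s %d -j LOG --log-prefix "%s:past-rule-%d "\n' \
      "$chain" $((2 * i)) "$chain" "$i"
    i=$((i + 1))
  done
}

# Print the commands that take the LOG rules out again. Deleting by rule
# specification instead of by position sidesteps the shifting positions.
gen_log_deletes() {
  chain=$1; nrules=$2; i=1
  while [ "$i" -le "$nrules" ]; do
    printf 'iptables -D %s -j LOG --log-prefix "%s:past-rule-%d "\n' \
      "$chain" "$chain" "$i"
    i=$((i + 1))
  done
}

# Read kernel log lines from stdin and print the highest original rule number
# that packets from SRC to DST got past in CHAIN (0 if none were logged). LOG
# does not terminate the chain, so a packet leaves one line per LOG rule it
# reaches; if the highest is k, rule k+1 is the one that ACCEPTed, DROPped or
# REJECTed it (or the chain policy did, if k was the last rule).
furthest_rule() {
  chain=$1; src=$2; dst=$3
  awk -v pat="$chain:past-rule-" -v src="SRC=$src " -v dst="DST=$dst " '
    BEGIN { max = 0 }
    # the trailing spaces in src/dst stop SRC=10.0.0.5 from matching 10.0.0.50
    index($0, pat) && index($0, src) && index($0, dst) {
      n = substr($0, index($0, pat) + length(pat)); sub(/ .*/, "", n)
      if (n + 0 > max) max = n + 0
    }
    END { print max }'
}

# Constructed sample of what dmesg shows with the LOG rules in place (not a
# real capture). 10.0.0.5 got past rules 1-3 and was then stopped by rule 4;
# 10.0.0.50 got past rule 1 and was stopped by rule 2.
SAMPLE_LOG='kernel: FORWARD:past-rule-1 IN=eth0 OUT=eth1 SRC=10.0.0.5 DST=192.0.2.10 PROTO=TCP SPT=40000 DPT=22
kernel: FORWARD:past-rule-2 IN=eth0 OUT=eth1 SRC=10.0.0.5 DST=192.0.2.10 PROTO=TCP SPT=40000 DPT=22
kernel: FORWARD:past-rule-3 IN=eth0 OUT=eth1 SRC=10.0.0.5 DST=192.0.2.10 PROTO=TCP SPT=40000 DPT=22
kernel: FORWARD:past-rule-1 IN=eth0 OUT=eth1 SRC=10.0.0.50 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=80'

# Usage: commands for a 50-rule FORWARD chain, then read the sample log back.
gen_log_inserts FORWARD 50
printf '%s\n' "$SAMPLE_LOG" | furthest_rule FORWARD 10.0.0.5 192.0.2.10    # prints 3
```

Two things to keep in mind when using this for real: a packet that jumps from FORWARD into a user-defined chain is only traced as far as the jump, so any chain the script's ruleset jumps to needs the same treatment; and if the LOG rules are going to stay in place for more than a few minutes, pair each one with "-m limit --limit 10/s" or similar so a busy link does not flood the kernel log.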
