Re: can't ssh outside with OUTPUT (policy ACCEPT)

Maxim Veksler wrote:
Add LOG rules for dropped traffic.

I would appreciate an example for this tip.

At the end of any of the {INPUT,OUTPUT,FORWARD} chains where policy is DROP, add the rule

-j LOG --log-prefix "(default): "
-j DROP

(That last one is optional; it duplicates the policy. But it is considered good style, plus you get counters on this rule, another debugging aid.)

Another good way to debug such things is to add specific log rules at the top of all chains:

-A INPUT -s aaa.bbb.216.35 -j LOG --log-prefix "debug INPUT: "
-A INPUT -d aaa.bbb.216.35 -j LOG --log-prefix "debug INPUT: "

Get out wireshark (formerly ethereal)

Got it: tcpdump -w /tmp/iptables_lock.cap. It seems that the iptables hook
drops the packet before libpcap has a chance of seeing it.

No, tcpdump/wireshark/ethereal sees the packets before netfilter on input and after netfilter on output. I think you did something else wrong here.

I personally never run a gui on my firewalls, but do have the X libraries installed. That way I can ssh -X into the box and run wireshark on it.

to see what goes on at the line. Read up on how to construct good
rulesets

Would very much appreciate good links here.

I don't know any, but the documentation section of www.netfilter.org is a good start. I still want to write a document/site on writing good iptables rules, but don't have the time. Maybe I should make the time.

Anyway, Rusty Russell's unreliable packet filtering guide is a good read for the basics, especially on -m state.

and maybe even on IP (no sorry, I don't have any links).

RFC 791, that's for IP. Please correct me if I'm wrong, but you meant
read up on TCP, because IP is stateless and has no verification whatsoever
built in; the only tracking IP does is for fragmentation and
reconstruction of packets. I don't think this was the case here, and
furthermore I don't see how --state ESTABLISHED,RELATED could have
any effect on it. Again, please correct me if I'm wrong.

No, you're quite right.

HTH,
M4
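
The LOG-then-DROP catch-all and the top-of-chain debug rules discussed in this thread, put together as an added example (this is not code from the thread or from netfilter): a POSIX shell script that emits a complete iptables-restore ruleset and then pulls the interesting fields out of the kernel log lines those LOG rules produce. The host 192.0.2.35, interface eth0 and the sample log lines are constructed placeholders, not values from the thread; the helper names gen_ruleset, log_field and is_dropped_ssh_out are my own.

```shell
#!/bin/sh
# Added example: iptables-restore ruleset with LOG + explicit DROP at the
# end of every chain, plus a small parser for the resulting kernel log lines.
# 192.0.2.35 / eth0 are assumed placeholder values.

# Print a filter-table ruleset. The host under test (default 192.0.2.35,
# an assumption) gets "debug" LOG rules at the top of INPUT and OUTPUT,
# and each chain ends with LOG + DROP so the DROP rule carries counters.
gen_ruleset() {
    host="${1:-192.0.2.35}"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# debug rules first: log everything to/from the host we are investigating
-A INPUT -s $host -j LOG --log-prefix "debug INPUT: "
-A INPUT -d $host -j LOG --log-prefix "debug INPUT: "
-A OUTPUT -d $host -j LOG --log-prefix "debug OUTPUT: "
# ordinary rules
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
# catch-all: log what is about to be dropped, then drop it explicitly
-A INPUT -j LOG --log-prefix "(default INPUT): "
-A INPUT -j DROP
-A FORWARD -j LOG --log-prefix "(default FORWARD): "
-A FORWARD -j DROP
-A OUTPUT -j LOG --log-prefix "(default OUTPUT): "
-A OUTPUT -j DROP
COMMIT
EOF
}

# log_field LINE NAME: print the value of NAME= (e.g. SRC, DST, DPT, OUT)
# from a netfilter LOG line; empty values such as "IN=" print as empty.
log_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# is_dropped_ssh_out LINE: succeed (0) when the line is the OUTPUT catch-all
# logging a new outbound SSH connection (TCP SYN to port 22), i.e. the
# symptom "can't ssh outside" this thread is about.
is_dropped_ssh_out() {
    case "$1" in
        *"(default OUTPUT): "*) ;;
        *) return 1 ;;
    esac
    [ "$(log_field "$1" PROTO)" = "TCP" ] || return 1
    [ "$(log_field "$1" DPT)" = "22" ] || return 1
    case "$1" in
        *" SYN "*) return 0 ;;
    esac
    return 1
}

# Usage (not run here): gen_ruleset | iptables-restore
# then: dmesg | grep '(default' to see what the catch-all rules dropped.
```

Load the ruleset with iptables-restore, reproduce the failing ssh, and read the LOG lines back from dmesg or the kernel log; the prefix tells you which chain dropped the packet, and `iptables -L -v -n` shows the counters on the explicit DROP rules.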
