On Mon, 2011-08-22 at 23:34 +0530, TEJAS wrote:
> Hi,
>
> As per your suggestion, I set LOG options after DIVERT MARK rule and
> TPROXY rule and I can see logs of traffic. But
>
> I configure rule of tproxy for dport 80 to redirect to port 3129 for
> tcp but when I check log messages, it is showing for UDP and for port
> 53 which is DNS one.

In your LOG rules, you don't specify *what* to log, so the rules log *any*
packet that passes the rules (thus not only http but also dns).

If you want the rules to just log the packets you want to do something with,
you have to use the exact same matches for the LOG rules as you do for the
TPROXY and MARK rules.

Also, usually LOG rules are right in front of the actual (in this case TPROXY
or MARK) target; here it may not matter much, but if you use a final target
like ACCEPT or DROP and put the LOG rule *after* those rules, the packets
won't reach the LOG rule and thus will not be logged.

So, something like:

-A PREROUTING -p tcp -m socket -j DIVERT
-A PREROUTING -p tcp -m tcp --dport 80 -j LOG --log-prefix "TPROXY PACKET" --log-level 1
-A PREROUTING -p tcp -m tcp --dport 80 -j TPROXY --on-port 3129 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1
-A DIVERT -j LOG --log-prefix "SOCKET packets" --log-level 1
-A DIVERT -j MARK --set-xmark 0x1/0xffffffff
-A DIVERT -j ACCEPT

--
Rob

> and in socket log prefix I can see dport 80 log messages.
>
> my iptables rules:
>
> cat /etc/sysconfig/iptables
> # Generated by iptables-save v1.4.7 on Mon Aug 22 23:16:10 2011
> *mangle
> :PREROUTING ACCEPT [55:7813]
> :INPUT ACCEPT [3019:751575]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [2731:1227997]
> :POSTROUTING ACCEPT [2731:1227997]
> :DIVERT - [0:0]
> -A PREROUTING -p tcp -m socket -j DIVERT
> -A PREROUTING -p tcp -m tcp --dport 80 -j TPROXY --on-port 3129 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1
> -A PREROUTING -j LOG --log-prefix "TPROXY PACKET" --log-level 1
> -A DIVERT -j MARK --set-xmark 0x1/0xffffffff
> -A DIVERT -j LOG --log-prefix "SOCKET packets" --log-level 1
> -A DIVERT -j ACCEPT
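A small checker for the two problems Rob describes, added here as an example; it is not code from the thread or from the netfilter project. It parses an iptables-save dump and flags a LOG rule that sits after a final target (unreachable for the packets that target handled), a LOG rule that trails its chain with no rule in front of it to shadow (it then logs whatever is left, which is how DNS showed up under the "TPROXY PACKET" prefix), and a LOG rule whose matches differ from the rule that follows it. The set of targets treated as final (ACCEPT, DROP, REJECT, RETURN) is an assumption; the sample dumps are constructed from the two rulesets in the thread plus one extra case for the unreachable LOG.

```python
"""Lint an iptables-save dump for LOG-rule placement problems.

Added example, not code from the thread. One finding per LOG rule:
  unreachable - a final target earlier in the chain already ended traversal
  trailing    - LOG is the last rule in the chain, shadowing nothing
  mismatch    - LOG matches differ from the rule it stands in front of
"""
import re
import shlex

# Assumption: targets treated as ending traversal for a matching packet.
# Extend the set if another target in your ruleset is final on your kernel.
TERMINATING = {"ACCEPT", "DROP", "REJECT", "RETURN"}

RULE_RE = re.compile(r"^-A\s+(\S+)\s*(.*)$")


def parse_rules(dump):
    """Return [(chain, matches, target)] for every '-A' line in the dump.

    'matches' is the tuple of tokens between the chain name and '-j';
    shlex keeps quoted values such as --log-prefix "TPROXY PACKET" whole.
    """
    rules = []
    for raw in dump.splitlines():
        m = RULE_RE.match(raw.strip())
        if not m:
            continue  # table header, chain policy line, COMMIT, comment
        chain, rest = m.groups()
        tokens = shlex.split(rest)
        if "-j" not in tokens:
            continue  # match-only (counting) rule, nothing to lint
        j = tokens.index("-j")
        rules.append((chain, tuple(tokens[:j]), tokens[j + 1]))
    return rules


def lint_log_rules(dump):
    """Return [(chain, rule_no, code)], rule_no being 1-based within its chain."""
    by_chain = {}
    for chain, matches, target in parse_rules(dump):
        by_chain.setdefault(chain, []).append((matches, target))

    findings = []
    for chain, rules in by_chain.items():
        final_seen = False  # a terminating target appeared earlier in this chain
        for i, (matches, target) in enumerate(rules):
            if target != "LOG":
                final_seen = final_seen or target in TERMINATING
                continue
            following = rules[i + 1] if i + 1 < len(rules) else None
            if final_seen:
                code = "unreachable"
            elif following is None:
                code = "trailing"
            elif following[0] != matches:
                code = "mismatch"
            else:
                continue  # LOG directly in front of a rule with identical matches
            findings.append((chain, i + 1, code))
    return findings


# Constructed from the mangle table TEJAS posted (policy lines trimmed).
ORIGINAL = """\
*mangle
:PREROUTING ACCEPT [55:7813]
:DIVERT - [0:0]
-A PREROUTING -p tcp -m socket -j DIVERT
-A PREROUTING -p tcp -m tcp --dport 80 -j TPROXY --on-port 3129 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1
-A PREROUTING -j LOG --log-prefix "TPROXY PACKET" --log-level 1
-A DIVERT -j MARK --set-xmark 0x1/0xffffffff
-A DIVERT -j LOG --log-prefix "SOCKET packets" --log-level 1
-A DIVERT -j ACCEPT
COMMIT
"""

# Constructed from the ordering Rob suggests: each LOG carries the matches
# of the rule directly after it.
FIXED = """\
*mangle
-A PREROUTING -p tcp -m socket -j DIVERT
-A PREROUTING -p tcp -m tcp --dport 80 -j LOG --log-prefix "TPROXY PACKET" --log-level 1
-A PREROUTING -p tcp -m tcp --dport 80 -j TPROXY --on-port 3129 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1
-A DIVERT -j LOG --log-prefix "SOCKET packets" --log-level 1
-A DIVERT -j MARK --set-xmark 0x1/0xffffffff
-A DIVERT -j ACCEPT
COMMIT
"""

# Constructed extra case: LOG placed after a final target, as Rob warns.
UNREACHABLE = """\
*filter
-A INPUT -p tcp -m tcp --dport 22 -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j LOG --log-prefix "ssh "
COMMIT
"""

if __name__ == "__main__":
    for name, dump in (("original", ORIGINAL), ("fixed", FIXED), ("unreachable", UNREACHABLE)):
        print(name, lint_log_rules(dump) or "clean")
```

Run it against the output of `iptables-save` on the host to get the same three codes for a live ruleset; the parser only looks at `-A` lines, so chain policies and counters are ignored.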