Differences

This shows you the differences between two versions of the page.

Previous revision: inbox:firewall:netfilter_iptables:netfilter_management [2018/08/22 17:56] – created dturvene
Next revision: docs:guide-user:firewall:netfilter_iptables:netfilter_management [2018/09/18 21:07] dturvene
Line 1: Line 1:
-====== netfilter Management ======+====== Netfilter Management ======
 This section discusses techniques and tools to manage fw3 and netfilter rules. This section discusses techniques and tools to manage fw3 and netfilter rules.
  
Line 6: Line 6:
  
 ===== Inspecting tables using fw3 ===== ===== Inspecting tables using fw3 =====
-The [[inbox:firewall:firewall3:overview|fw3 application]] is a good command+The [[docs:guide-user:firewall:overview|fw3 application]] is a good command
 line interface to see all the netfilter rules. line interface to see all the netfilter rules.
  
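Review bot: the retargeted link drops the ''firewall3'' namespace segment (''inbox:firewall:firewall3:overview'' becomes ''docs:guide-user:firewall:overview''), while this page's own id keeps its ''netfilter_iptables'' segment after the move; confirm the fw3 overview page really lives at the new id so the link does not dangle.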
Line 68: Line 68:
  
 To fix this, append your LOG rule to the ''forwarding_rule'' chain. To fix this, append your LOG rule to the ''forwarding_rule'' chain.
 +
 +===== Conntrack Diagnostics =====
 +Many netfilter features, especially NAT, depend on the ''nf_conntrack'' modules to track
 +IP connections between the WAN-side and the LAN-side.  Access to the conntrack tables can be
 +invaluable when debugging traffic rules.  The kernel presents the table
 +through the [[https://en.wikipedia.org/wiki/Procfs|procfs filesystem]]
 +at ''/proc/net/nf_conntrack''.
 +
 +Here is a typical conntrack entry:
 +<file>
 +ipv4     2 tcp      6 4088 ESTABLISHED src=192.168.3.171 dst=192.168.10.175 sport=33284 dport=22 packets=24 bytes=1248 src=192.168.10.175 dst=192.168.3.171 sport=22 dport=33284 packets=24 bytes=1248 [ASSURED] mark=0 use=2
 +</file>
 +This is a ipv4 tcp session on port=22 (SSH).  It shows a connection from STA1 to STA2 and then the reverse mapping.
 +
 +:!: The nf_conntrack parameters can be tuned using parameters in the sysfs
 +filesystem under ''/proc/sys/net/netfilter'' This is almost never desirable. 
 +
  
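Review bot: the tuning note at the end of this hunk mislabels the filesystem: ''/proc/sys/net/netfilter'' is a procfs sysctl path (the paragraph above correctly calls ''/proc'' procfs), not sysfs, so change "sysfs filesystem" to "sysctl interface under procfs" or similar, and add the missing full stop before "This is almost never desirable". Two smaller points in the same hunk: "This is a ipv4 tcp session on port=22" should read "an IPv4 TCP session on dport=22", and STA1/STA2 are never defined; since the entry shows src=192.168.3.171 and dst=192.168.10.175 for the original direction, stating "STA1 = 192.168.3.171, STA2 = 192.168.10.175" would make the example self-explanatory. Consider also briefly explaining the fields a reader debugging traffic rules will need (the numeric value before ESTABLISHED, the ''[ASSURED]'' flag and ''mark=''), as the text currently identifies only the protocol and port, and give a one-line reason for the blanket claim that tuning is almost never desirable.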
  • Last modified: 2022/09/09 21:49
  • by zorun