Differences
This shows you the differences between two versions of the page.
| inbox:firewall:netfilter_iptables:netfilter_management [2018/08/22 17:56] – created dturvene | docs:guide-user:firewall:netfilter_iptables:netfilter_management [2022/09/04 14:52] – Add fw4 doc zorun | ||
|---|---|---|---|
| Line 1: | Line 1: | ||
| - | ====== | + | ====== |
| - | This section discusses techniques and tools to manage fw3 and netfilter rules. | + | This section discusses techniques and tools to manage fw3, fw4 and netfilter rules. |
| - | Almost all the issues with the firewall can gleaned from inspecting the | + | Almost all the issues with the firewall can be gleaned from inspecting the |
| netfilter tables and analyzing their relationships. | netfilter tables and analyzing their relationships. | ||
| - | ===== Inspecting tables using fw3 ===== | + | {{section> |
| - | The [[inbox:firewall:firewall3: | + | |
| + | ===== Inspecting tables using fw4 (22.03 and later) | ||
| + | The [[docs: | ||
| + | |||
| + | '' | ||
| + | It contains slightly higher-level code than the raw nftables state: fw4 uses variables, include files... | ||
| + | |||
| + | When debugging rules emitted by fw4, this is a good starting point. | ||
| + | |||
| + | ===== Inspecting tables using nft (22.03 and later) ===== | ||
| + | |||
| + | '' | ||
| + | |||
| + | * rules generated by fw4 | ||
| + | * rules included from external files (''/ | ||
| + | * rules added manually through the '' | ||
| + | |||
| + | ===== Inspecting tables using fw3 (21.02 and earlier) ===== | ||
| + | The [[docs: | ||
| line interface to see all the netfilter rules. | line interface to see all the netfilter rules. | ||
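Review bot: the added fw4 paragraph trails off ("fw4 uses variables, include files..."), so the reader is not told what the higher-level output actually is; finish the sentence, or replace the ellipsis with the concrete point that this is the rule set before fw4 resolves its variables and includes, which is why it can differ from what the kernel holds. Stating that also explains why the new nft section sits beside it: the nft listing is the kernel's actual state and covers all three sources in the bullets (rules generated by fw4, rules included from external files, rules added manually), whereas the fw4 output shows only what fw4 itself intends to load. The "can gleaned" to "can be gleaned" fix in the shared intro is correct.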
| Line 16: | Line 34: | ||
| dump **could** be run as a script to recreate the firewall rule set. | dump **could** be run as a script to recreate the firewall rule set. | ||
| - | ===== Inspecting tables using iptables ===== | + | ===== Inspecting tables using iptables |
| '' | '' | ||
| '' | '' | ||
| Line 68: | Line 86: | ||
| To fix this, append your LOG rule to the '' | To fix this, append your LOG rule to the '' | ||
| + | |||
| + | ===== Conntrack Diagnostics ===== | ||
| + | Many netfilter features, especially NAT, depend on the '' | ||
| + | IP connections between the WAN-side and the LAN-side. | ||
| + | invaluable when debugging traffic rules. | ||
| + | through the [[https:// | ||
| + | at ''/ | ||
| + | |||
| + | Here is a typical conntrack entry: | ||
| + | < | ||
| + | ipv4 2 tcp 6 4088 ESTABLISHED src=192.168.3.171 dst=192.168.10.175 sport=33284 dport=22 packets=24 bytes=1248 src=192.168.10.175 dst=192.168.3.171 sport=22 dport=33284 packets=24 bytes=1248 [ASSURED] mark=0 use=2 | ||
| + | </ | ||
| + | This is a ipv4 tcp session on port=22 (SSH). | ||
| + | |||
| + | :!: The nf_conntrack parameters can be tuned using parameters in the sysfs | ||
| + | filesystem under ''/ | ||
| + | |||