Differences
This shows you the differences between two versions of the page.
| Next revision | Previous revision | ||
| inbox:firewall:netfilter_iptables:netfilter_management [2018/08/22 17:56] – created dturvene | docs:guide-user:firewall:netfilter_iptables:netfilter_management [2022/09/09 21:49] (current) – Use nftables tracing to debug fw4 rules (22.03 and later) zorun | ||
|---|---|---|---|
| Line 1: | Line 1: | ||
| - | ====== | + | ====== |
| - | This section discusses techniques and tools to manage fw3 and netfilter rules. | + | This section discusses techniques and tools to manage fw3, fw4 and netfilter rules. |
| - | Almost all the issues with the firewall can gleaned from inspecting the | + | Almost all the issues with the firewall can be gleaned from inspecting the |
| netfilter tables and analyzing their relationships. | netfilter tables and analyzing their relationships. | ||
| - | ===== Inspecting tables using fw3 ===== | + | {{section> |
| - | The [[inbox:firewall:firewall3: | + | |
| + | ===== Inspecting tables using fw4 (22.03 and later) | ||
| + | The [[docs: | ||
| + | |||
| + | '' | ||
| + | It contains slightly higher-level code than the raw nftables state: fw4 uses variables, include files... | ||
| + | |||
| + | When debugging rules emitted by fw4, this is a good starting point. | ||
| + | |||
| + | ===== Inspecting tables using nft (22.03 and later) ===== | ||
| + | |||
| + | '' | ||
| + | |||
| + | * rules generated by fw4 | ||
| + | * rules included from external files (''/ | ||
| + | * rules added manually through the '' | ||
| + | |||
| + | ===== Use nftables tracing to debug fw4 rules (22.03 and later) ===== | ||
| + | |||
| + | Somethings, the nftables ruleset may exhibit unexpected behaviour, such as a packet being dropped while it should not. In that case, **tracing** can help: it allows to print all rules traversed by a given packet. | ||
| + | |||
| + | See https:// | ||
| + | |||
| + | You first need to add a tracing chain: | ||
| + | |||
| + | nft add chain inet fw4 trace_chain { type filter hook prerouting priority -301\; } | ||
| + | |||
| + | Then add one or more rules to match packets you are interested in, such as: | ||
| + | |||
| + | nft add rule inet fw4 trace_chain ip saddr 203.0.113.42 meta nftrace set 1 | ||
| + | nft add rule inet fw4 trace_chain udp dport 50014 meta nftrace set 1 | ||
| + | |||
| + | Finally, you can look at the result of the trace (ideally in another terminal): | ||
| + | |||
| + | nft monitor trace | ||
| + | |||
| + | Beware, each traced packet will generate a huge amount of output! | ||
| + | |||
| + | To stop the tracing, remove the chain: | ||
| + | |||
| + | nft delete chain inet fw4 trace_chain | ||
| + | ===== Inspecting tables using fw3 (21.02 and earlier) ===== | ||
| + | The [[docs: | ||
| line interface to see all the netfilter rules. | line interface to see all the netfilter rules. | ||
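Review bot: the tracing recipe works as written, but the new section omits three points a reader will trip over, and has two wording slips ("Somethings" should be "Sometimes"; "it allows to print all rules traversed" should be "it prints every rule the packet traverses"). First, in ''nft add chain inet fw4 trace_chain { type filter hook prerouting priority -301\; }'' the backslash only escapes the semicolon from the shell; in a file loaded with ''nft -f'' it is a bare '';''. The value -301 is deliberate and worth a sentence: it is ahead of the raw (-300) and conntrack (-200) hook priorities, so ''meta nftrace set 1'' takes effect before any fw4 prerouting chain runs and every rule is reported, whereas a priority of 0 would silently skip the earlier chains. Second, a prerouting chain only sees packets arriving on an interface; traffic generated by the router itself enters at the output hook, so tracing it needs a second chain with ''hook output'' carrying the same ''meta nftrace set 1'' rules. Third, the chain is created inside the table that fw4 owns, so a firewall reload regenerates ''inet fw4'' and the trace chain disappears together with any other manually added rule; say so next to the cleanup step. It would also help to note that ''nft monitor trace'' prints, per chain, the rule text and the verdict, which can be matched line by line against the output of ''fw4 print'' or ''nft list ruleset''.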
| Line 16: | Line 58: | ||
| dump **could** be run as a script to recreate the firewall rule set. | dump **could** be run as a script to recreate the firewall rule set. | ||
| - | ===== Inspecting tables using iptables ===== | + | ===== Inspecting tables using iptables |
| '' | '' | ||
| '' | '' | ||
| Line 68: | Line 110: | ||
| To fix this, append your LOG rule to the '' | To fix this, append your LOG rule to the '' | ||
| + | |||
| + | ===== Conntrack Diagnostics ===== | ||
| + | Many netfilter features, especially NAT, depend on the '' | ||
| + | IP connections between the WAN-side and the LAN-side. | ||
| + | invaluable when debugging traffic rules. | ||
| + | through the [[https:// | ||
| + | at ''/ | ||
| + | |||
| + | Here is a typical conntrack entry: | ||
| + | < | ||
| + | ipv4 2 tcp 6 4088 ESTABLISHED src=192.168.3.171 dst=192.168.10.175 sport=33284 dport=22 packets=24 bytes=1248 src=192.168.10.175 dst=192.168.3.171 sport=22 dport=33284 packets=24 bytes=1248 [ASSURED] mark=0 use=2 | ||
| + | </ | ||
| + | This is a ipv4 tcp session on port=22 (SSH). | ||
| + | |||
| + | :!: The nf_conntrack parameters can be tuned using parameters in the sysfs | ||
| + | filesystem under ''/ | ||
| + | |||