Differences

This shows you the differences between two versions of the page.

inbox:firewall:netfilter_iptables:netfilter_management [2018/09/16 12:09] – ↷ Links adapted because of a move operation bobafetthotmail
docs:guide-user:firewall:netfilter_iptables:netfilter_management [2018/09/18 21:07] dturvene
Line 6: Line 6:
  
 ===== Inspecting tables using fw3 ===== ===== Inspecting tables using fw3 =====
-The [[inbox:firewall:overview|fw3 application]] is a good command+The [[docs:guide-user:firewall:overview|fw3 application]] is a good command
 line interface to see all the netfilter rules. line interface to see all the netfilter rules.
  
Line 68: Line 68:
  
 To fix this, append your LOG rule to the ''forwarding_rule'' chain. To fix this, append your LOG rule to the ''forwarding_rule'' chain.
 +
 +===== Conntrack Diagnostics =====
 +Many netfilter features, especially NAT, depend on the ''nf_conntrack'' modules to track
 +IP connections between the WAN-side and the LAN-side.  Access to the conntrack tables can be
 +invaluable when debugging traffic rules.  The kernel presents the table
 +through the [[https://en.wikipedia.org/wiki/Procfs|procfs filesystem]]
 +at ''/proc/net/nf_conntrack''.
 +
 +Here is a typical conntrack entry:
 +<file>
 +ipv4     2 tcp      6 4088 ESTABLISHED src=192.168.3.171 dst=192.168.10.175 sport=33284 dport=22 packets=24 bytes=1248 src=192.168.10.175 dst=192.168.3.171 sport=22 dport=33284 packets=24 bytes=1248 [ASSURED] mark=0 use=2
 +</file>
 +This is a ipv4 tcp session on port=22 (SSH).  It shows a connection from STA1 to STA2 and then the reverse mapping.
 +
 +:!: The nf_conntrack parameters can be tuned using parameters in the sysfs
 +filesystem under ''/proc/sys/net/netfilter'' This is almost never desirable. 
 +
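Review bot: the tuning note at the end of the new "Conntrack Diagnostics" section calls ''/proc/sys/net/netfilter'' the sysfs filesystem, which contradicts the section's own earlier sentence that the kernel exposes the conntrack table through procfs under ''/proc/net/...''; everything under ''/proc/sys'' is the procfs sysctl tree, not sysfs. Suggest "tuned via sysctl parameters under ''/proc/sys/net/netfilter''" and end that sentence with a period before "This is almost never desirable." Two smaller points in the same hunk: "This is a ipv4 tcp session" should read "an IPv4 TCP session", and STA1/STA2 are never defined, so either name the 192.168.3.171 and 192.168.10.175 hosts directly or say what the labels mean. The sample entry also carries several fields the text does not explain (the 4088 value, the ESTABLISHED state, the [ASSURED] flag and the second src/dst tuple that the text calls the "reverse mapping"); a one-line legend after the ''<file>'' block would make the entry much more useful for someone debugging traffic rules.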
  
  • Last modified: 2022/09/09 21:49
  • by zorun