docs:guide-user:firewall:netfilter_iptables:netfilter_management

docs:guide-user:firewall:netfilter_iptables:netfilter_management [2018/09/16 12:49]
bobafetthotmail ↷ Page moved from inbox:firewall:netfilter_iptables:netfilter_management to docs:guide-user:firewall:netfilter_iptables:netfilter_management
docs:guide-user:firewall:netfilter_iptables:netfilter_management [2018/09/18 21:07] (current)
dturvene
Line 6: Line 6:
  
 ===== Inspecting tables using fw3 ===== ===== Inspecting tables using fw3 =====
-The [[inbox:​firewall:​overview|fw3 application]] is a good command+The [[docs:​guide-user:​firewall:​overview|fw3 application]] is a good command
 line interface to see all the netfilter rules. line interface to see all the netfilter rules.
  
Line 68: Line 68:
  
 To fix this, append your LOG rule to the ''​forwarding_rule''​ chain. To fix this, append your LOG rule to the ''​forwarding_rule''​ chain.
 +
 +===== Conntrack Diagnostics =====
 +Many netfilter features, especially NAT, depend on the ''​nf_conntrack''​ modules to track
 +IP connections between the WAN-side and the LAN-side. ​ Access to the conntrack tables can be
 +invaluable when debugging traffic rules. ​ The kernel presents the table
 +through the [[https://​en.wikipedia.org/​wiki/​Procfs|procfs filesystem]]
 +at ''/​proc/​net/​nf_conntrack''​.
 +
 +Here is a typical conntrack entry:
 +<​file>​
 +ipv4     2 tcp      6 4088 ESTABLISHED src=192.168.3.171 dst=192.168.10.175 sport=33284 dport=22 packets=24 bytes=1248 src=192.168.10.175 dst=192.168.3.171 sport=22 dport=33284 packets=24 bytes=1248 [ASSURED] mark=0 use=2
 +</​file>​
 +This is a ipv4 tcp session on port=22 (SSH). ​ It shows a connection from STA1 to STA2 and then the reverse mapping.
 +
 +:!: The nf_conntrack parameters can be tuned using parameters in the sysfs
 +filesystem under ''/​proc/​sys/​net/​netfilter''​. ​ This is almost never desirable. ​
 +
  
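Review bot: the closing paragraph of this hunk describes ''/proc/sys/net/netfilter'' as part of the "sysfs filesystem", but that path sits under the procfs mount the same hunk links to a few lines earlier (sysfs is the separate filesystem mounted at /sys, and /proc/sys is the sysctl interface); suggest "parameters in the procfs filesystem under ''/proc/sys/net/netfilter''" or "via sysctl". The walkthrough of the sample entry also refers to STA1 and STA2, which are defined nowhere in the added text; describing the endpoints by the addresses actually shown (src=192.168.3.171 to dst=192.168.10.175, followed by the reverse tuple) would let the example stand on its own. Minor wording: "This is a ipv4 tcp session" should read "This is an IPv4 TCP session".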
docs/guide-user/firewall/netfilter_iptables/netfilter_management.1537102148.txt.gz · Last modified: 2018/09/16 12:49 by bobafetthotmail