I am new to working with iptables. I have created several rules and I need to know which of them is blocking my traffic; in other words, I need to know which of them is matching.
Insert logging rules for each situation, using a unique comment for each log entry. Sometimes this causes a lot of logging; in that case, just enable it for a test while you are debugging.
Example from my rule set:
# The location of the iptables program
#
IPTABLES=/sbin/iptables
# Setting the EXTERNAL and INTERNAL interfaces and addresses for the network
#
EXTIF="enp4s0"
INTIF="enp2s0"
EXTIP="XXX.XXX.YYY.YYYY"
INTNET="192.168.111.0/24"
INTIP="192.168.111.1/32"
UNIVERSE="0.0.0.0/0"
... [snip] ...
$IPTABLES -A INPUT -i $INTIF -p tcp -m state --state INVALID -j LOG --log-prefix "IINVALID:" --log-level info
#$IPTABLES -A INPUT -i $INTIF -p tcp -m state --state INVALID -j DROP
# A NEW TCP connection requires SYN bit set and FIN,RST,ACK reset.
$IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "NEW TCP no SYN:" --log-level info
#$IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
$IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j REJECT
You can also look at the packet counters to observe how many times each path has been taken since the last counter reset. Example:
$ sudo iptables -v -x -n -L
[sudo] password for doug:
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
...[snip]...
1700 68318 DROP all -- enp4s0 * 205.206.120.226/31 0.0.0.0/0
0 0 DROP all -- enp4s0 * 212.32.255.151 0.0.0.0/0
17 696 DROP all -- enp4s0 * 218.0.0.0/12 0.0.0.0/0
4 164 DROP all -- enp4s0 * 218.56.0.0/13 0.0.0.0/0
21 916 DROP all -- enp4s0 * 218.64.0.0/11 0.0.0.0/0
193 9376 DROP all -- enp4s0 * 220.160.0.0/11 0.0.0.0/0
18 886 DROP all -- enp4s0 * 221.224.0.0/12 0.0.0.0/0
17 760 DROP all -- enp4s0 * 222.64.0.0/11 0.0.0.0/0
36 1448 DROP all -- enp4s0 * 222.160.0.0/11 0.0.0.0/0
1135 52212 DROP all -- enp4s0 * 0.0.0.0/0 0.0.0.0/0 u32 "0x6&0xff=0x1&&0x0>>0x16&0x3c@0x0>>0x18=0x8&&0x0&0xff00=0x0"
39 1560 DROP all -- enp4s0 * 0.0.0.0/0 0.0.0.0/0 u32 "0x6&0xff=0x1&&0x0>>0x16&0x3c@0x0>>0x18=0xd"
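One way to turn the counter listing and the kernel LOG lines above into a quick answer to "which rule is matching?". This is an added example, not code from the original answer; the sample listing, the log lines and the addresses in them are constructed.

```shell
#!/bin/sh
# Added example: find which iptables rules are actually matching, from
# (a) the counters printed by `iptables -v -x -n -L` and (b) kernel LOG lines.

# Constructed sample of `iptables -v -x -n -L` output (not from a real host).
SAMPLE='Chain INPUT (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
    1700     68318 DROP       all  --  enp4s0 *       205.206.120.226/31   0.0.0.0/0
       0         0 DROP       all  --  enp4s0 *       212.32.255.151       0.0.0.0/0
      12       720 LOG        tcp  --  enp2s0 *       0.0.0.0/0            0.0.0.0/0            state INVALID LOG flags 0 level 6 prefix "IINVALID:"

Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0         0 ACCEPT     all  --  enp2s0 enp4s0  192.168.111.0/24     0.0.0.0/0'

# matched_rules: read the listing on stdin; print "<chain> <pkts> <target> <match...>"
# for every rule whose packet counter is non-zero, i.e. every rule that has matched.
matched_rules() {
  awk '
    /^Chain /        { chain = $2; next }   # remember which chain we are in
    /^ *pkts +bytes/ { next }               # column header
    NF == 0          { next }               # blank line between chains
    $1 + 0 > 0       { printf "%s %s %s", chain, $1, $3
                       for (i = 4; i <= NF; i++) printf " %s", $i
                       print "" }
  '
}

# Constructed kernel log lines as produced by "-j LOG --log-prefix ..." (not real).
LOGS='Jan 10 12:00:01 gw kernel: IINVALID:IN=enp2s0 OUT= SRC=192.168.111.5 DST=192.168.111.1 PROTO=TCP SPT=40000 DPT=22
Jan 10 12:00:02 gw kernel: NEW TCP no SYN:IN=enp4s0 OUT= SRC=203.0.113.9 DST=198.51.100.1 PROTO=TCP SPT=443 DPT=51000
Jan 10 12:00:03 gw kernel: IINVALID:IN=enp2s0 OUT= SRC=192.168.111.7 DST=192.168.111.1 PROTO=TCP SPT=40001 DPT=80'

# log_hits: read kernel log lines on stdin; count hits per --log-prefix, busiest first.
# The prefix is everything between "kernel: " and the "IN=" field the LOG target adds.
log_hits() {
  sed -n 's/^.*kernel: \(.*\)IN=.*$/\1/p' | sort | uniq -c | sort -rn
}

printf '%s\n' "$SAMPLE" | matched_rules
printf '%s\n' "$LOGS" | log_hits
```

On a real host, feed `sudo iptables -v -x -n -L` and `dmesg` (or `journalctl -k`) into the two functions instead of the constructed samples.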