Linux - Networking
Is there a way to see/log why packets are dropped in the "routing decision" after the iptables NAT-PREROUTING chain?
I am pinging a host on network B and can see the ICMP packet entering this GW using tcpdump and can follow it up to NAT-PREROUTING. After that, in the INPUT or FORWARD chains, the packet is gone. I do have a default route.
The strange thing is that I can ping a host on network C and everything is peachy.
You have a DROP statement in your firewall somewhere, and that is why it gets dropped.
You can log all dropped packets by simply placing a log rule before any DROP or REJECT rules.
Best to label the packet as to why it is being dropped. Is it just ping that is being dropped?
I'm going to assume, because you talk about network C and network B and the rules you posted, that you have more than one interface connected to two or more networks.
First off, your rules. What's up with the -g you have in them (lines 52, 54 and 152-181)? I'm going to assume that your logs show these as errors.
Second, you need to give me some sort of direction your packet travels in order for me to follow your firewall rules and attempt to figure this out.
But I think I know where the problem is already. Your FORWARD rules.
Code:
#FORWARD Chain
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -j LOGGING
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
There is nothing allowing anything to pass. Sure you have an ESTABLISHED,RELATED rule but there is no NEW rule to add anything to the connection tracking db.
The last line doesn't allow anything to be forwarded.
You talk about this INPUT rule, but if you are coming in on one interface and leaving on another, the INPUT rules never see the packet.
This diagram should help with understanding packet flow:
If I am not understanding you correctly, please give more detail as to what interface the packet is coming in on and what interface the packet is leaving on. IP Addresses would also help a lot.
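Tying the two replies above together (log before every DROP/REJECT, and a FORWARD chain that actually admits NEW connections), here is an added example. It is not the original poster's rule set and not the rules quoted in this thread: it emits an iptables-restore fragment in the thread's own -m state style, puts a labelled, rate-limited LOG rule directly ahead of each terminal rule, and includes a small audit over iptables-save output that flags any DROP/REJECT rule not preceded by a LOG (or by a jump to a LOG* user chain such as the LOGGING chain quoted above). The interface names eth0 (LAN side) and eth1 (side facing networks B and C), the function names and the sample dump are assumptions; the networks are the ones given in the thread.

```shell
#!/bin/sh
# Added example: labelled logging before every DROP/REJECT, a FORWARD chain that
# admits NEW connections, and an audit for unlogged terminal rules.
# Assumptions: eth0 = LAN side (192.168.1.0/24), eth1 = side facing networks B/C.

# Emit an iptables-restore fragment. Args: inside_if outside_if lan netB netC
gen_rules() {
    in_if=$1; out_if=$2; lan=$3; netb=$4; netc=$5
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# INPUT only sees traffic addressed to this gateway itself
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $in_if -s $lan -p icmp --icmp-type echo-request -j ACCEPT
# the LOG rule sits directly before the DROP and its prefix says why the packet died
-A INPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "IN-DROP: " --log-level 4
-A INPUT -j DROP
# FORWARD: ESTABLISHED,RELATED alone admits nothing until a NEW rule has
# created the conntrack entry, so allow NEW from the LAN to each network
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $in_if -o $out_if -s $lan -d $netb -m state --state NEW -j ACCEPT
-A FORWARD -i $in_if -o $out_if -s $lan -d $netc -m state --state NEW -j ACCEPT
-A FORWARD -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "FWD-REJECT: " --log-level 4
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# Read iptables-save output on stdin and print every DROP/REJECT rule whose
# preceding rule in the same chain is not a LOG target (or a jump to a user
# chain whose name starts with LOG, e.g. a LOGGING chain). Heuristic only.
audit_unlogged_drops() {
    awk '
    /^-A / {
        chain = $2; target = ""
        for (i = 3; i <= NF; i++) if ($i == "-j") { target = $(i + 1); break }
        if ((target == "DROP" || target == "REJECT") && prev[chain] !~ /^LOG/)
            print "unlogged terminal rule: " $0
        prev[chain] = target
    }'
}

# Constructed sample dump (not from the thread) containing one unlogged DROP.
SAMPLE_DUMP='*filter
-A INPUT -p tcp --dport 23 -j DROP
-A FORWARD -j LOG --log-prefix "FWD-REJECT: "
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT'

case "${1:-}" in
    gen)   gen_rules "${2:-eth0}" "${3:-eth1}" 192.168.1.0/24 192.168.2.0/24 192.168.3.0/24 ;;
    audit) iptables-save | audit_unlogged_drops ;;          # needs root
    *)     printf '%s\n' "$SAMPLE_DUMP" | audit_unlogged_drops ;;
esac
```

`sh fw.sh gen eth0 eth1 | iptables-restore` loads the rules; `sh fw.sh audit` checks a live box. The prefixes show up in `dmesg` or `journalctl -k`, so a packet that hits an iptables rule is always accounted for, and a packet that produces no "IN-DROP:" or "FWD-REJECT:" line did not die in the filter table.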
lazydog: The rules I posted are for the OP, to show an example of using logging in iptables. I think you're confusing me with the original poster. My firewall rules work just fine for my own uses.
Side note for lazydog: if you're curious about my firewall, the iptables man page lists what the rules do, e.g. see -g or --goto in that page.
Thanks for all the replies and the evolving discussion.
You are correct, I have two interfaces with packets being forwarded between them. The one connected to the internet also applies IPsec to the packet, but this is irrelevant at this time since the packet never gets forwarded for encapsulation.
I did insert and append a unique logging rule to every chain (even at link layer) and the logs show the packet last exited the NAT-PREROUTING chain and never appeared in another chain after that. That is why I am asking for a way to see why the routing table might discard the packet. Again, the strange thing is that packets to network C get forwarded.
Network B is 192.168.2.0/24 and network C is 192.168.3.0/24. I am pinging from 192.168.1.10.
I used iptables-save to get the chains and rules. I've changed some static IPs for privacy reasons. These rules were created for an older version of iptables, but still work.
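On the actual question, what can eat a packet between nat PREROUTING and FORWARD: two things run in that gap that no iptables chain ever sees, the forward routing lookup with its reverse-path check (rp_filter), and the xfrm (IPsec) policy checks for forwarded packets, which the kernel performs before the FORWARD hook. Neither logs by default. The script below is an added diagnostic, not from the thread: it repeats the routing lookup exactly as the forward path does it (`ip route get DST from SRC iif IF`, which fails when rp_filter would reject the source on that interface), reports the effective rp_filter value, which is the maximum of the `all` and per-interface settings, dumps the counters that move when the gap rather than iptables dropped the packet, and shows how to switch on the two log sources that do exist for it (log_martians and a raw-table TRACE). The helper names and the interface name eth0 are assumptions, and the sample `ip route get` line is constructed; addresses are the ones from the thread.

```shell
#!/bin/sh
# Added example: make the routing decision visible for a forwarded packet.
# Usage (as root): sh routecheck.sh 192.168.1.10 192.168.2.1 eth0
# Assumes legacy iptables (TRACE in the raw table) and eth0 as the LAN interface.

# The kernel applies the MAX of net.ipv4.conf.all.rp_filter and the
# per-interface value, so "all=1" silently turns strict checking on everywhere.
effective_rp_filter() {
    if [ "$1" -gt "$2" ]; then echo "$1"; else echo "$2"; fi
}

# Pull the egress device out of `ip route get` output (the "dev X" token).
route_dev() {
    awk '{ for (i = 1; i <= NF; i++) if ($i == "dev") { print $(i + 1); exit } }'
}

# Constructed sample of `ip route get 192.168.2.1 from 192.168.1.10 iif eth0`.
SAMPLE_ROUTE_GET='192.168.2.1 from 192.168.1.10 dev eth1 src 192.168.2.254 uid 0
    cache iif eth0'

# Run the same lookup the forward path does. Args: src dst ingress_if
diagnose() {
    src=$1; dst=$2; iif=$3
    echo "== forward lookup for $src -> $dst arriving on $iif"
    # "from ... iif ..." makes this an input-route lookup, so rp_filter applies
    # exactly as it does to the real packet; a failure here is the silent drop.
    if out=$(ip route get "$dst" from "$src" iif "$iif" 2>&1); then
        echo "$out"; echo "egress device: $(echo "$out" | route_dev)"
    else
        echo "lookup FAILED ($out): no usable route, or rp_filter rejects $src on $iif"
    fi
    echo "== reverse path the kernel checks for rp_filter (route back to $src)"
    ip route get "$src"
    all=$(sysctl -n net.ipv4.conf.all.rp_filter)
    ifv=$(sysctl -n "net.ipv4.conf.$iif.rp_filter")
    echo "rp_filter: all=$all $iif=$ifv effective=$(effective_rp_filter "$all" "$ifv")"
    echo "== counters that move when the gap, not iptables, dropped the packet"
    nstat -az 2>/dev/null | grep -E 'ReversePathFilter|InAddrErrors|OutNoRoutes' || true
    # xfrm (IPsec) forward policy checks also run before the FORWARD hook
    awk '$2 != 0' /proc/net/xfrm_stat 2>/dev/null || true
    ip xfrm policy show 2>/dev/null | grep -B1 -E 'dir fwd' || true  # fwd policies that could claim the flow
}

# Turn on the two log sources that exist for this gap, then ping again and
# read `dmesg -w`. Needs root; with iptables-nft use `nft monitor trace` instead.
enable_gap_logging() {
    sysctl -w net.ipv4.conf.all.log_martians=1                          # rp_filter/martian drops
    iptables -t raw -I PREROUTING -s "$1" -d "$2" -p icmp -j TRACE      # every chain the packet hits
}

if [ $# -ge 3 ] && [ "$(id -u)" = 0 ]; then
    diagnose "$1" "$2" "$3"
else
    echo "constructed sample egress device: $(printf '%s\n' "$SAMPLE_ROUTE_GET" | route_dev)"
fi
```

Reading the result: if the `from ... iif ...` lookup fails while a plain `ip route get 192.168.2.1` succeeds, the route is fine and rp_filter is rejecting the source on that interface (the route back to 192.168.1.10 does not leave via eth0). If the lookup succeeds but a TRACE shows the packet leaving nat PREROUTING and never reaching filter FORWARD, look at the xfrm counters and `dir fwd` policies, since those checks sit in the same gap. Because only network B is affected, comparing the two lookups for a network C destination against a network B destination isolates the difference quickly.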