LinuxQuestions.org
Visit Jeremy's Blog.
Home Forums Tutorials Articles Register
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
Reload this Page iptables -t raw [conditions] -j TRACE is not logging
User Name
Password
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Notices


Reply
  Search this Thread
Old 05-19-2008, 11:16 PM   #1
tox2ik
LQ Newbie
 
Registered: Nov 2004
Location: norway
Distribution: gentoo
Posts: 23

Rep: Reputation: 15
iptables -t raw [conditions] -j TRACE is not logging

Host description
Code:
distro: gentoo 2007.0 amd64 
kernel: linux 2.6.23-gentoo-r8
ntfltr: iptables v1.4.0
logger: syslog-ng 2.0.6
Problem description
Code:
iptables TRACE target never gives any output through ipt_LOG and syslog-ng
I have successfully configured masquerading on the gateway with stuff like browsing, counter-strike:source, azureus and samba/nfs working behind it. To account for my lack in experience with netfilter I've set up logging through both ipt_LOG and ipt_ULOG to monitor dropped and rejected traffic. This has gotten me pretty far, but now I'm stuck. That is, I need more diagnostics/debugging over the netfilter rules.

I installed the latest iptables package which supports the -j TRACE target. The kernel has support for this too. I can actually run
Code:
iptables -t raw -A PREROUTING -p tcp --dport 80 -j TRACE
iptables -t raw -A OUTPUT -p tcp --dport 80 -j TRACE
without errors about illegal/missing chains/targets/matches.
Logging through syslog-ng and ulogd works because I see stuff like
Code:
May 20 04:07:46 raptor a   ping  IN=eth0 OUT= MAC=00  SRC=10.3.0.1 DST=10.3.0.5 LEN=84 TOS=00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=1906 SEQ=5
May 20 05:33:10 raptor a   loop  IN=lo OUT= MAC=00  SRC=10.3.0.5 DST=10.3.0.5 LEN=80 TOS=00 PREC=0xC0 TTL=64 ID=16564 PROTO=ICMP TYPE=3 CODE=3
in my ulogd [LOGEMU] file and
Code:
05 20 04:06:43 tryggve kernel TRACE target: only valid in raw table, not filter
05 20 04:08:20 tryggve kernel a  Lping IN= OUT=eth1 SRC=10.3.0.1 DST=10.3.0.5 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=1906 SEQ=1
in /var/log/messages. (Dont mind the TRACE error above, I was using -t filter.)
The expected behavior of -j TRACE is do dump iptables rules a given packet goes through to syslog. Surprisingly i get nothing even when specifying port 80 traffic to be TRACEd.


If anyone has made this work for them I am very curious as to how they did it. If you want to have a look at my kernel .config or syslog-ng.conf or anything else on my system don't hesitate to ask, but I can't imagine the problem is rooted in the configs.
 
  


Reply

Tags
debugging, diagnostics, firewall, gateway, iptables, netfilter, network, trace



Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Iptables not allowing raw sockets to send IP packets with non local IP vakulgarg Linux - Networking 0 11-09-2007 02:13 AM
iptables logging saavik Linux - Networking 5 09-13-2007 01:49 AM
iptables not logging anything~ deeptii Linux - Networking 11 05-31-2006 02:35 AM
Iptables logging Mogwa_ Linux - Security 2 08-01-2004 02:54 PM
How to trace the error of an iptables setting yat Linux - Security 2 07-18-2004 07:51 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Networking

All times are GMT -5. The time now is 12:54 PM.

Contact Us - Advertising Info - Rules - Privacy - LQ Merchandise - Donations - Contributing Member - LQ Sitemap -
Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration