I'm currently despairing trying to do something seemingly simple, and finally broke down to ask:

I'm experimenting with ulog, and wanted to look at the output it produces for the different chains (using LOGEMU output plugin). INPUT and OUTPUT chain where easy enough, but I just can't seem to get any packets logged from the FORWARD chain.

"iptables --list FORWARD":
Chain FORWARD (policy DROP)
target prot opt source destination
ULOG 0 -- anywhere anywhere limit: avg 3/min burst 3 ULOG copy_range 0 nlgroup 1 prefix `IPT FORWARD packet died: ' queue_threshold 1

Just for comparison - INPUT chain logs with:
ULOG 0 -- anywhere anywhere limit: avg 3/min burst 3 ULOG copy_range 0 nlgroup 1 prefix `IPT INPUT packet died: ' queue_threshold 1
->I'm pretty sure the log command itself works, which means that I never get packets into the forward chain in the first place...

The machine runs in VMware (using NAT). I am testing with a second machine within the same local network (192.168.88.x)

On the second machine:
INPUT chain tested using "ping <machine1IP>" -> gets logged.

I tried to test the FORWARD chain by doing the following on the second machine:
route del default
route add default gw <machine1IP>
ping 72.14.221.104 #(google)


So can anyone tell me why machine1 doesn't get these packets into it's FORWARD chain?
(I'm running Debian Etch)
[Edited: ping has to leave the local network]

Edit2:
Just to make really sure it's not a logging problem, and to simplify the question somewhat, I changed the iptable rules to read:

"iptables --list FORWARD":
Chain FORWARD (policy DROP)
target prot opt source destination
LOG 0 -- anywhere anywhere LOG level warning prefix `IPT FORWARD packet died: '

in "iptables --list INPUT":
LOG 0 -- anywhere anywhere LOG level warning prefix `IPT INPUT packet died: '

Results of the tests described above are still the same.

do you have forwarding turned on? cat /proc/sys/net/ipv4/ip_forward if its a 0 forwarding is off

echo 1 > /proc/sys/net/ipv4/ip_forward

typically you can turn it on permanently in /etc/sysctl.conf

Thank you very much, estabroo! Your suggestion solved my problem

For future googlers:
The log format of ulog with output plugin LOGEMU is as follows (examples):

Sep 17 09:05:34 debianWorkstationMGerdesVM IPT FORWARD packet died: IN=eth0 OUT=eth0 MAC=00:0c:29:f2:f0:bc:00:0c:29:60:81:b3:08:00 SRC=192.168.88.132 DST=212.227.15.167 LEN=60 TOS=00 PREC=0x00 TTL=63 ID=34669 CE DF PROTO=TCP SPT=3425 DPT=25 SEQ=467144633 ACK=0 WINDOW=5840 SYN URGP=0

Sep 17 09:05:35 debianWorkstationMGerdesVM IPT INPUT packet died: IN=eth0 OUT= MAC=00:0c:29:f2:f0:bc:00:0c:29:60:81:b3:08:00 SRC=192.168.88.132 DST=192.168.88.131 LEN=84 TOS=00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=12302 SEQ=1

Sep 17 09:09:52 debianWorkstationMGerdesVM IPT OUTPUT packet died: IN= OUT=eth0 MAC= SRC=192.168.88.131 DST=192.168.88.132 LEN=60 TOS=00 PREC=0x00 TTL=64 ID=31252 DF PROTO=TCP SPT=2208 DPT=100 SEQ=949374304 ACK=0 WINDOW=5840 SYN URGP=0

The MAC adresses, where given, are 14 tupels long. the first 6 are the destination, the second 6 the source, and the last two always 08:00 (at least I never saw anything else.).