Old 07-19-2016, 08:16 AM   #1
ljbrits
LQ Newbie
 
Registered: Jul 2016
Posts: 7

Rep: Reputation: Disabled
iptables routing decision


Hi,

Is there a way to see/log why packets are dropped in the "routing decision" after the iptables NAT-PREROUTING chain?

I am pinging a host on network B and can see the ICMP packet entering this GW using tcpdump and can follow it up to NAT-PREROUTING. After that, in the INPUT or FORWARD chains, the packet is gone. I do have a default route.

The strange thing is that I can ping a host on network C and everything is peachy.

Any ideas?

Regards,
LJB
 
Old 07-19-2016, 01:44 PM   #2
lazydog
Senior Member
 
Registered: Dec 2003
Location: The Key Stone State
Distribution: CentOS Sabayon and now Gentoo
Posts: 1,249
Blog Entries: 3

Rep: Reputation: 194
You have a DROP statement in your firewall somewhere and that is why it gets dropped.
You can log all dropped packets by simply placing a log rule before any DROP or REJECT rules.
Best to label the packet as to why it is being dropped. Is it just ping that is being dropped?
 
Old 07-19-2016, 07:38 PM   #3
sag47
Senior Member
 
Registered: Sep 2009
Location: Raleigh, NC
Distribution: Ubuntu, PopOS, Raspbian
Posts: 1,899
Blog Entries: 36

Rep: Reputation: 477
Here's an example of a logging rule before rejecting like lazydog mentions.

https://github.com/samrocketman/home....rules#L28-L29

https://github.com/samrocketman/home....rules#L37-L38

https://github.com/samrocketman/home....rules#L42-L43

https://github.com/samrocketman/home...bles.rules#L46

Rejections show up in dmesg or you can log them to a file.

Last edited by sag47; 07-19-2016 at 07:39 PM.
 
Old 07-20-2016, 03:45 AM   #4
pingu_penguin
Member
 
Registered: Aug 2004
Location: pune
Distribution: Slackware
Posts: 350

Rep: Reputation: 60
Hi,

Since you mentioned NAT-PREROUTING, I assume you are using port forwarding.

However, a point to be noted is that if you are trying to ping a host behind the NAT, it won't work, since ping uses ICMP and ICMP is not a routable protocol.
 
Old 07-20-2016, 05:37 AM   #5
sag47
Senior Member
 
Registered: Sep 2009
Location: Raleigh, NC
Distribution: Ubuntu, PopOS, Raspbian
Posts: 1,899
Blog Entries: 36

Rep: Reputation: 477
ICMP definitely traverses NAT.

Source: https://tools.ietf.org/html/rfc792

Edit: pingu I read that as "a host behind the NAT can't ping external hosts". I misunderstood your point.

Last edited by sag47; 07-20-2016 at 05:44 AM.
 
Old 07-20-2016, 05:43 AM   #6
pingu_penguin
Member
 
Registered: Aug 2004
Location: pune
Distribution: Slackware
Posts: 350

Rep: Reputation: 60
Oh my bad, I thought NAT just re-writes the source/dest header IPs and forwards them accordingly.

Thanks for the link.
 
Old 07-20-2016, 04:24 PM   #7
lazydog
Senior Member
 
Registered: Dec 2003
Location: The Key Stone State
Distribution: CentOS Sabayon and now Gentoo
Posts: 1,249
Blog Entries: 3

Rep: Reputation: 194
I'm going to assume that because you talk about network C and network B, and from the rules you posted, that you have more than one interface connected to two or more networks.

First off, your rules. What's up with the -g you have in them (lines 52, 54 and 152-181)? I'm going to assume that your logs show these as errors.

Second. You need to give me some sort of direction your packet travels in order for me to follow your firewall rules to attempt to figure this out.
But I think I know where the problem is already. Your FORWARD rules.
Code:
#FORWARD Chain
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -j LOGGING
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
There is nothing allowing anything to pass. Sure you have an ESTABLISHED,RELATED rule but there is no NEW rule to add anything to the connection tracking db.
The last line doesn't allow anything to be forwarded.

You talk about this input rule but if you are coming in one interface and leaving on another the INPUT rules never see the packet.

This diagram should help with understanding Packet Flow:

If I am not understanding you correctly, please give more detail as to what interface the packet is coming in on and what interface the packet is leaving on. IP Addresses would also help a lot.
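The two defects described in this post (an ESTABLISHED,RELATED accept with no rule that ever admits a NEW connection, and a terminal DROP/REJECT that nothing logs) are easy to miss by eye in a large iptables-save dump. The script below is an added example written for this page; it is not code from the thread or from anyone's posted ruleset. It audits a constructed iptables-save dump modelled on the FORWARD chain quoted above (the DMZ chain and the INPUT rules are made up to exercise both checks), and then emits a corrected FORWARD chain for the networks the original poster later names (192.168.1.0/24 reaching 192.168.2.0/24 and 192.168.3.0/24); the interface names eth0/eth1 in that chain are assumptions. Default chain policies (`:FORWARD DROP`) are not audited, only explicit unconditional DROP/REJECT rules.

```shell
#!/bin/sh
# Added example: audit an iptables-save dump for (1) chains where only
# ESTABLISHED,RELATED is accepted before an unconditional DROP/REJECT, so no
# NEW connection can ever enter conntrack, and (2) unconditional DROP/REJECT
# rules that are not preceded by a LOG rule or a jump to a chain that logs.

# Constructed sample dump (not anyone's real rules). INPUT is fine, FORWARD has
# defect 1, DMZ has defect 2.
sample_rules() {
  cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:DMZ - [0:0]
:LOGGING - [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -j LOGGING
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -j LOGGING
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A DMZ -s 192.168.2.0/24 -j ACCEPT
-A DMZ -j DROP
-A LOGGING -m limit --limit 5/min -j LOG --log-prefix "iptables-denied: " --log-level 4
-A LOGGING -j RETURN
COMMIT
EOF
}

# Reads an iptables-save dump on stdin, prints one finding per line (sorted).
audit_rules() {
  awk '
    /^-A / {
      c = $2; n[c]++; rule[c, n[c]] = $0
      if ($0 ~ /-j LOG( |$)/) haslog[c] = 1     # chains that contain a LOG rule
      next
    }
    END {
      for (c in n) {
        estrel = 0; acc_new = 0; logged = 0; term = ""
        for (i = 1; i <= n[c]; i++) {
          r = rule[c, i]; split(r, f, " ")
          if (r ~ /-j LOG( |$)/) logged = 1
          # a jump to a user chain that itself logs also counts as logging
          if (match(r, /-j [A-Za-z0-9_-]+/)) {
            tgt = substr(r, RSTART + 3, RLENGTH - 3)
            if (tgt in haslog) logged = 1
          }
          if (r ~ /-j ACCEPT( |$)/) {
            if (r ~ /--(ct)?state (ESTABLISHED,RELATED|RELATED,ESTABLISHED)( |$)/) estrel = 1
            else acc_new = 1                     # anything else can admit NEW traffic
          }
          # "-A CHAIN -j DROP|REJECT ..." with no match options is unconditional
          if (f[3] == "-j" && (f[4] == "DROP" || f[4] == "REJECT")) { term = f[4]; break }
        }
        if (term == "") continue
        if (estrel && !acc_new)
          printf "%s: only ESTABLISHED,RELATED is accepted before the unconditional %s; no NEW connection can pass\n", c, term
        if (!logged)
          printf "%s: unconditional %s is not preceded by a LOG rule or a jump to a chain that logs\n", c, term
      }
    }' | LC_ALL=C sort
}

# Corrected FORWARD chain for 192.168.1.0/24 reaching 192.168.2.0/24 and
# 192.168.3.0/24 (networks from the thread; eth0/eth1 are assumed names).
# Each reject is labelled so dmesg says which chain dropped the packet.
fixed_forward_rules() {
  cat <<'EOF'
*filter
:FORWARD DROP [0:0]
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -s 192.168.1.0/24 -d 192.168.2.0/24 -m state --state NEW -j ACCEPT
-A FORWARD -i eth1 -o eth0 -s 192.168.1.0/24 -d 192.168.3.0/24 -m state --state NEW -j ACCEPT
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-REJECT: " --log-level 4
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# Stand-alone run: findings for the sample, then (nothing) for the fixed chain.
sample_rules | audit_rules
echo "--- corrected FORWARD chain ---"
fixed_forward_rules | audit_rules
```

On a live box feed it the real dump with `iptables-save | audit_rules`; the `--state NEW` accepts are what create the conntrack entries that the ESTABLISHED,RELATED rule later matches, and the LOG rule directly before the REJECT is what makes a drop visible in dmesg.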
 
Old 07-21-2016, 01:09 AM   #8
sag47
Senior Member
 
Registered: Sep 2009
Location: Raleigh, NC
Distribution: Ubuntu, PopOS, Raspbian
Posts: 1,899
Blog Entries: 36

Rep: Reputation: 477
lazydog: The rules I posted are for the OP to show as an example of using logging in iptables. I think you're confusing me with the original poster. My firewall rules work just fine for my own uses.

Side note for lazydog: If you're curious about my firewall the man iptables page lists what the rules do. e.g. see -g or --goto in that page.
 
Old 07-21-2016, 08:16 PM   #9
lazydog
Senior Member
 
Registered: Dec 2003
Location: The Key Stone State
Distribution: CentOS Sabayon and now Gentoo
Posts: 1,249
Blog Entries: 3

Rep: Reputation: 194
sag47: Yep, you are right I did confuse the two of you. And an old dog can learn something new.
 
Old 07-22-2016, 03:35 AM   #10
ljbrits
LQ Newbie
 
Registered: Jul 2016
Posts: 7

Original Poster
Rep: Reputation: Disabled
Thanks for all the replies and evolving discussion.

You are correct, I have two interfaces with packets being forwarded between them. The one connected to the internet also applies IPsec to the packet, but this is irrelevant at this time since the packet never gets forwarded for encapsulation.

I did insert and append a unique logging rule to every chain (even at link layer) and the logs show the packet last exited the NAT-PREROUTING chain and never appeared in another chain after that. That is why I am asking for a way to see why the routing table might discard the packet. Again, the strange thing is that packets to network C get forwarded.

Network B is 192.168.2.0/24 and network C is 192.168.3.0/24. I am pinging from 192.168.1.10.

Thanks for your time
Regards,
LJB
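Between nat PREROUTING and INPUT/FORWARD sits the kernel's routing decision, and iptables never sees what it discards. The things that drop a packet there are: no matching route at all (the kernel replies ICMP net unreachable), an `unreachable`, `blackhole` or `prohibit` route that is more specific than the default route, strict reverse-path filtering (`rp_filter=1`) when the source address would not be routed back out the ingress interface, and `ip_forward=0`. Those drops only show up in dmesg when `log_martians` is on. The script below is an added example for this page, not code from the thread; it checks captured `ip -4 route show` and `sysctl -a` output for exactly those causes. The route table, sysctl values and interface names (eth0, eth1) are constructed; the blackhole route in the sample is there to show a specific route beating the default, not a claim about the original poster's box.

```shell
#!/bin/sh
# Added example: explain why the routing decision may discard a packet, from
# captured `ip -4 route show` and `sysctl -a` output. All sample data below is
# constructed for the demonstration.

sample_routes() {
  cat <<'EOF'
default via 203.0.113.1 dev eth0
192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.1
blackhole 192.168.2.0/24
192.168.3.0/24 via 203.0.113.1 dev eth0
203.0.113.0/24 dev eth0 proto kernel scope link src 203.0.113.10
EOF
}

# route_lookup DST: longest-prefix match of DST against `ip -4 route show`
# lines on stdin. Exit 1 when the kernel would discard the packet.
route_lookup() {
  awk -v dst="$1" '
    function ip2int(s,  o) { split(s, o, "."); return ((o[1]*256 + o[2])*256 + o[3])*256 + o[4] }
    function hi(a, bits) { return bits == 0 ? 0 : int(a / 2^(32 - bits)) }  # top "bits" bits
    BEGIN { best = -1; d = ip2int(dst) }
    {
      type = ""; pfx = $1
      # unreachable/blackhole/prohibit routes are honoured by the lookup and drop the packet
      if ($1 == "unreachable" || $1 == "blackhole" || $1 == "prohibit") { type = $1; pfx = $2 }
      if (pfx == "default") pfx = "0.0.0.0/0"
      if (split(pfx, p, "/") == 1) p[2] = 32        # bare host route
      bits = p[2] + 0
      if (hi(ip2int(p[1]), bits) == hi(d, bits) && bits > best) { best = bits; hit = $0; hittype = type }
    }
    END {
      if (best < 0) { print "NO ROUTE to " dst ": the kernel drops it and replies ICMP net unreachable"; exit 1 }
      if (hittype != "") { print "DROPPED by " hittype " route: " hit; exit 1 }
      print "matched /" best ": " hit
    }'
}

sample_sysctls() {
  cat <<'EOF'
net.ipv4.ip_forward = 1
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.eth1.rp_filter = 0
net.ipv4.conf.all.log_martians = 0
net.ipv4.conf.default.log_martians = 0
net.ipv4.conf.eth0.log_martians = 0
net.ipv4.conf.eth1.log_martians = 1
EOF
}

# check_sysctls: reads `sysctl -a` lines on stdin. The effective rp_filter and
# log_martians for an interface is the max of conf.all and conf.<iface>.
# Loose mode (rp_filter=2) is not flagged; only strict mode drops on asymmetry.
check_sysctls() {
  awk -F'[ =]+' '
    /^net\.ipv4\.ip_forward/ { fwd = $2 }
    /^net\.ipv4\.conf\.[^.]+\.rp_filter/    { split($1, k, "."); rp[k[4]] = $2 }
    /^net\.ipv4\.conf\.[^.]+\.log_martians/ { split($1, k, "."); lm[k[4]] = $2 }
    END {
      if (fwd == "0") print "net.ipv4.ip_forward=0: forwarding disabled, a routed packet never reaches the FORWARD chain"
      for (i in rp) {
        if (i == "all" || i == "default") continue
        eff = (rp[i] + 0 > rp["all"] + 0) ? rp[i] + 0 : rp["all"] + 0
        if (eff != 1) continue
        printf "%s: effective rp_filter=1 (strict); a packet whose source would not be routed back out %s is dropped at the routing decision\n", i, i
        lme = (lm[i] + 0 > lm["all"] + 0) ? lm[i] + 0 : lm["all"] + 0
        if (lme == 0) printf "%s: log_martians=0, so those drops are silent; set net.ipv4.conf.%s.log_martians=1 to see them in dmesg\n", i, i
      }
    }' | LC_ALL=C sort
}

# Stand-alone run against the constructed data.
sample_routes | route_lookup 192.168.2.5 || true
sample_routes | route_lookup 192.168.3.5
sample_sysctls | check_sysctls
```

On the gateway itself, `ip -4 route show | route_lookup 192.168.2.5` and `sysctl -a 2>/dev/null | check_sysctls` run the same checks on live data, and `ip route get 192.168.2.5 from 192.168.1.10 iif eth1` asks the kernel directly for the decision it makes on that exact packet (with the real ingress interface substituted); a "RTNETLINK answers" error there is the routing decision saying no.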
 
Old 07-22-2016, 12:16 PM   #11
lazydog
Senior Member
 
Registered: Dec 2003
Location: The Key Stone State
Distribution: CentOS Sabayon and now Gentoo
Posts: 1,249
Blog Entries: 3

Rep: Reputation: 194
Would it be possible for you to share your rules?
 
Old 07-25-2016, 05:57 AM   #12
ljbrits
LQ Newbie
 
Registered: Jul 2016
Posts: 7

Original Poster
Rep: Reputation: Disabled
Hi lazydog,

I can but it is large and quite involved. Is this allowed by this forum?

Thanks
LJB
 
Old 07-26-2016, 10:04 AM   #13
lazydog
Senior Member
 
Registered: Dec 2003
Location: The Key Stone State
Distribution: CentOS Sabayon and now Gentoo
Posts: 1,249
Blog Entries: 3

Rep: Reputation: 194
If nothing else you can use Pastebin to post your rules
 
Old 07-26-2016, 10:01 PM   #14
sag47
Senior Member
 
Registered: Sep 2009
Location: Raleigh, NC
Distribution: Ubuntu, PopOS, Raspbian
Posts: 1,899
Blog Entries: 36

Rep: Reputation: 477
I recommend wrapping your rules in [code][/code] tags so that it's readable if you post it to the forum.
 
Old 07-27-2016, 04:36 AM   #15
ljbrits
LQ Newbie
 
Registered: Jul 2016
Posts: 7

Original Poster
Rep: Reputation: Disabled
The rules are at http://pastebin.com/Q3kVYvhq

I used iptables-save to get the chains and rules. I've changed some static IPs for privacy reasons. These rules were created for an older version of iptables, but still work.

Thanks for your help
 