LinuxQuestions.org (/questions/)
-   Linux - Software (https://www.linuxquestions.org/questions/linux-software-2/)
-   -   Need help installing Trace to debug Iptables (https://www.linuxquestions.org/questions/linux-software-2/need-help-installing-trace-to-debug-iptables-4175678955/)

aboka 07-18-2020 05:25 AM

Need help installing Trace to debug Iptables
 
Hi, I found an article online that uses Trace to debug iptables. I tried installing it, but it gives the error below. Wondering if anyone else gets this too and how to solve it? I am using root on Ubuntu 20.04 LTS.

Code:

echo ipt_LOG >/proc/sys/net/netfilter/nf_log/2
-bash: echo: write error: No such file or directory

article - https://www.opsist.com/blog/2015/08/...-is-doing.html

thank you,

berndbausch 07-18-2020 11:10 PM

I guess that the number is your interface number. On my system, /proc/sys/net/netfilter/nf_log contains files 0, 1, 2, ..., though these numbers have nothing to do with the indices displayed by the ip link command.

Thus, my next guess is that you have two interfaces, loopback and your main interface, and therefore /proc/sys/net/netfilter/nf_log only contains files 0 and 1.

TLDR: Try /proc/sys/net/netfilter/nf_log/1 instead.

berndbausch 07-18-2020 11:23 PM

Quote:

Originally Posted by berndbausch (Post 6146918)
I guess that the number is your interface number.

Totally wrong.
The numbers are protocol numbers.
Try modprobing something else, such as nf_log_ipv4.

What do you get from
Code:

ls /proc/sys/net/netfilter/nf_log
cat /proc/net/netfilter/nf_log

?

aboka 07-19-2020 12:02 AM

Quote:

Originally Posted by berndbausch (Post 6146919)
Totally wrong.
The numbers are protocol numbers.
Try modprobing something else, such as nf_log_ipv4.

What do you get from
Code:

ls /proc/sys/net/netfilter/nf_log
cat /proc/net/netfilter/nf_log

?

Hi, I'm testing this on a Pi running Ubuntu 20.04 64-bit. Its default user is Ubuntu and I changed to root (sudo su) since it says permission denied for user Ubuntu.

When I try to run this:
Code:

modprobe nf_log_ipv4
echo nf_log_ipv4 >/proc/sys/net/netfilter/nf_log_ipv4/2
bash: /proc/sys/net/netfilter/nf_log_ipv4/2: No such file or directory

Code:

ls /proc/sys/net/netfilter/nf_log
0  1  10  11  12  2  3  4  5  6  7  8  9

Code:

cat /proc/net/netfilter/nf_log
 0 NONE ()
 1 NONE ()
 2 nf_log_ipv4 (nf_log_ipv4)
 3 NONE ()
 4 NONE ()
 5 NONE ()
 6 NONE ()
 7 NONE ()
 8 NONE ()
 9 NONE ()
10 NONE ()
11 NONE ()
12 NONE ()

Thank you,

aboka 07-19-2020 12:27 AM

I changed the second line to

Code:

echo nf_log_ipv4 >/proc/sys/net/netfilter/nf_log/2

and it doesn't show any error now.

But how do I try them? I followed the guide on the page to Trace a port (OpenVPN) -

Code:

iptables -t raw -I PREROUTING -p udp --dport 1194 -j TRACE

Then I ran this:
Code:

dmesg | grep 'TRACE: raw:PREROUTING:policy' | head -1
[ 2068.518401] TRACE: raw:PREROUTING:policy:2 IN=wlan0 OUT= MAC=b8:27:eb:9a:d9:a5:00:72:63:52:da:20:08:00 SRC=183.171.88.171 DST=192.168.1.13 LEN=104 TOS=0x00 PREC=0x00 TTL=51 ID=40359 DF PROTO=UDP SPT=49017 DPT=1194 LEN=84

But it returns nothing when I run this line:
Code:

dmesg | grep ID=40359

Am I doing something wrong? Please suggest some way to test, or further reading on this, as I would like to learn how to debug iptables, since this is a very important thing to learn in Linux. I recently spent so many hours tinkering here and there just because of one iptables rule. It would be great if we could look into what happens in the back, like where the blockage is, and figure out how to let them pass through, or something like that :)

thank you.
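
As an added example (not code from the thread or the linked article): shell helpers around the two things aboka's commands touch, the per-family logger table in /proc/net/netfilter/nf_log (family 2 = AF_INET, as berndbausch notes the numbers are protocol families) and the TRACE lines that land in dmesg. The enable_trace function repeats the thread's setup and is not called; the nf_log table and the nat/filter TRACE lines below are constructed sample text, with the first TRACE line taken from aboka's dmesg output.

```shell
#!/bin/sh
# Added example, not from the thread: helpers for the nf_log logger table
# and for TRACE lines in dmesg. Sample text below is constructed; the
# first TRACE line is the one aboka posted, with line wrapping removed.

# Bind the IPv4 logger (family 2 = AF_INET) and trace one UDP port, as in
# the thread. Needs root on a host you may reconfigure; not called here.
enable_trace() {
    modprobe nf_log_ipv4
    echo nf_log_ipv4 >/proc/sys/net/netfilter/nf_log/2
    iptables -t raw -I PREROUTING -p udp --dport "$1" -j TRACE
}

# Constructed copy of /proc/net/netfilter/nf_log after enable_trace.
SAMPLE_NF_LOG=' 0 NONE ()
 1 NONE ()
 2 nf_log_ipv4 (nf_log_ipv4)
 3 NONE ()
10 NONE ()'

# Print the logger bound to a family (stdin = cat /proc/net/netfilter/nf_log).
logger_for_family() {
    awk -v fam="$1" '$1 == fam { print $2 }'
}

# Constructed dmesg excerpt: packet ID=40359 walking raw -> nat -> filter,
# plus an unrelated packet (ID=777) that must not be picked up.
SAMPLE_DMESG='[ 2068.518401] TRACE: raw:PREROUTING:policy:2 IN=wlan0 OUT= MAC=b8:27:eb:9a:d9:a5:00:72:63:52:da:20:08:00 SRC=183.171.88.171 DST=192.168.1.13 LEN=104 TOS=0x00 PREC=0x00 TTL=51 ID=40359 DF PROTO=UDP SPT=49017 DPT=1194 LEN=84
[ 2068.518420] TRACE: nat:PREROUTING:policy:1 IN=wlan0 OUT= SRC=183.171.88.171 DST=192.168.1.13 ID=40359 PROTO=UDP SPT=49017 DPT=1194
[ 2068.518433] TRACE: filter:INPUT:rule:3 IN=wlan0 OUT= SRC=183.171.88.171 DST=192.168.1.13 ID=40359 PROTO=UDP SPT=49017 DPT=1194
[ 2068.600000] TRACE: raw:PREROUTING:policy:2 IN=wlan0 OUT= SRC=10.0.0.5 DST=192.168.1.13 ID=777 PROTO=UDP SPT=5000 DPT=1194'

# Value of one KEY=value field from a single TRACE line on stdin.
trace_field() {
    sed -n "s/.* $1=\([^ ]*\).*/\1/p"
}

# table:chain:verdict:rule stops for one IP ID, in order; the last stop is
# the rule or chain policy that decided the packet's fate.
trace_path() {
    awk -v id="ID=$1" '
        index($0, " " id " ") {
            for (i = 1; i <= NF; i++) if ($i == "TRACE:") { print $(i + 1); break }
        }'
}
```

Feed real data with `cat /proc/net/netfilter/nf_log | logger_for_family 2` and `dmesg | trace_path <id>`; the ID and the other fields come from the first TRACE line for the packet.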

berndbausch 07-19-2020 12:31 AM

Sorry, iptables tracing is something I want to try but I have no experience so far. I was just curious about your original question (and totally missed the incorrect directory that you used).

aboka 07-19-2020 12:36 AM

Quote:

Originally Posted by berndbausch (Post 6146924)
Sorry, iptables tracing is something I want to try but I have no experience so far. I was just curious about your original question (and totally missed the incorrect directory that you used).

No worries pal, you have helped so much. At least I can run them now. Thanks a lot :)

And do you know if we need to clean up (the modprobe, echo nf thingy) after using? If yes, how?

P.S. - do you have any suggested reading for this topic?

berndbausch 07-19-2020 02:49 AM

Quote:

Originally Posted by aboka (Post 6146925)
And do you know if we need to clean up (the modprobe, echo nf thingy) after using? If yes, how?

It's the opposite. Once you reboot, the tracing is gone. If you need it to be permanent, you have to add the kernel module to a file like /etc/modules (the precise method depends on your distro).
Quote:

P.S. - do you have any suggested reading for this topic?
This seems to be sparsely documented. I would start at netfilter.org and perhaps use their mailing list, both to see if there are discussions around that subject and to ask questions.

aboka 07-21-2020 09:05 AM

@berndbausch thanks a lot. Hope someone will chip in with more info in future regarding this topic. Cheers.
