[svlug] Debugging (tracing?) iptables rules and chains
dsr at randomstring.org
Thu May 30 05:42:41 PDT 2019
Robert Freiberger wrote:
> Hello everyone,
> I've been puzzled at work allowing access for SSH into one of our systems.
> The system in question is running OpenVZ, so there are a few
> containers/VM's running and one of the containers I need to access SSH from
> another external machine. The issue is I'm not entirely sure how the access
> is given since there are multiple chains and rules, plus some scripts that
> apply the rules through Puppet.
> Given that I'm not certain on iptables rules, is there a recommended way of
> reverse engineering the chains? Most of what I'm reading describes viewing
> the rules and following it step by step, but how does this work with
> /etc/hosts.allow/deny or when working with a nested system like containers
> or VM's?
First, nearly nothing uses /etc/hosts.allow anymore. The
presence of any entries suggests a very, very old system.
Second: nested systems are nested. Monitor from the outside in,
debug from the inside out.
Puppet and other configuration management systems aren't magic:
they write to the same iptables rules systems as anything else.
So: start on the inside. Use iptables-save to get a full copy of
what is currently in effect. Rules are read from top to bottom,
with each matching rule for a packet being executed until it
reaches an ACCEPT, DENY, or DROP rule; if no rules match, the
POLICY for the appropriate table (INPUT, OUTPUT, FORWARD) is
used as the final disposition.
Overall packet flow:
Netfilter (includes iptables, nftables) flow:
The hardest bits are NAT/MANGLE tables and MASQUERADE entries.
These tend to confuse matters.
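As an added illustration of the "start on the inside, read iptables-save top to bottom" approach (this is example code written for this page, not anything from the thread or from OpenVZ/Puppet), the script below parses a constructed iptables-save dump containing a hypothetical Puppet-managed chain, walks a packet through INPUT rule by rule, follows the jump into the user-defined chain, and reports the first terminal target it hits, falling back to the chain policy when nothing matches. The addresses, interface names and chain name are made up for the example; only the -i/-s/-d/-p/--dport/--ctstate matches are implemented.

```python
"""Trace a packet through iptables-save output (example only, constructed data)."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample of `iptables-save -t filter` output. The PUPPET-SSH chain and
# all addresses are hypothetical; they are not taken from the thread.
SAMPLE_RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:PUPPET-SSH - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 22 -j PUPPET-SSH
-A INPUT -p tcp --dport 80 -j ACCEPT
-A PUPPET-SSH -s 10.0.0.0/8 -j ACCEPT
-A PUPPET-SSH -s 203.0.113.5/32 -j ACCEPT
-A PUPPET-SSH -j REJECT --reject-with tcp-reset
COMMIT
"""

TERMINAL = {"ACCEPT", "DROP", "REJECT"}   # targets that end evaluation
MATCH_OPTS = ("-i", "-s", "-d", "-p", "--dport", "--ctstate")


@dataclass
class Rule:
    chain: str
    target: Optional[str]
    matches: dict = field(default_factory=dict)   # key -> (value, negated)
    raw: str = ""


@dataclass
class Packet:
    src: str
    dst: str = "192.0.2.10"      # constructed host address
    proto: str = "tcp"
    dport: Optional[int] = None
    in_iface: str = "eth0"
    ctstate: str = "NEW"


def parse_save(text):
    """Return (policies, rules). Built-in chains get a policy, user chains get None."""
    policies, rules = {}, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(":"):
            name, policy, _counters = line[1:].split()
            policies[name] = None if policy == "-" else policy
        elif line.startswith("-A "):
            toks, matches, target, i = line.split(), {}, None, 2
            while i < len(toks):
                tok, negate = toks[i], False
                if tok == "!":                      # "! -s 10.0.0.0/8" style negation
                    negate, i = True, i + 1
                    tok = toks[i]
                if tok in MATCH_OPTS:
                    matches[tok.lstrip("-")] = (toks[i + 1], negate)
                    i += 2
                elif tok == "-j":
                    target, i = toks[i + 1], i + 2
                else:
                    i += 1                          # -m conntrack, --reject-with, ...: skipped
            rules.append(Rule(toks[1], target, matches, line))
    return policies, rules


def rule_matches(rule, pkt):
    """Every stored match must hit (or miss, if negated) for the rule to apply."""
    for key, (value, negate) in rule.matches.items():
        if key == "i":
            hit = pkt.in_iface == value
        elif key in ("s", "d"):
            addr = pkt.src if key == "s" else pkt.dst
            hit = ipaddress.ip_address(addr) in ipaddress.ip_network(value, strict=False)
        elif key == "p":
            hit = pkt.proto == value
        elif key == "dport":
            hit = pkt.dport == int(value)
        else:                                       # ctstate
            hit = pkt.ctstate in value.split(",")
        if hit == negate:
            return False
    return True


def trace(policies, rules, pkt, chain="INPUT", trail=None):
    """Walk `chain` top to bottom; return (verdict, list of rules that matched)."""
    trail = [] if trail is None else trail
    for rule in (r for r in rules if r.chain == chain):
        if not rule_matches(rule, pkt):
            continue
        trail.append(rule.raw)
        if rule.target in TERMINAL:
            return rule.target, trail
        if rule.target == "RETURN":
            return None, trail
        if rule.target in policies:                 # jump into a user-defined chain
            verdict, trail = trace(policies, rules, pkt, rule.target, trail)
            if verdict is not None:
                return verdict, trail
    policy = policies.get(chain)                    # end of chain: policy or return
    if policy:
        trail.append(f"policy {chain} {policy}")
    return policy, trail


def verdict_for(text, pkt, chain="INPUT"):
    policies, rules = parse_save(text)
    return trace(policies, rules, pkt, chain)


if __name__ == "__main__":
    for src, port in [("203.0.113.5", 22), ("198.51.100.7", 22), ("198.51.100.7", 443)]:
        verdict, trail = verdict_for(SAMPLE_RULES, Packet(src=src, dport=port))
        print(f"{src}:{port} -> {verdict}")
        for step in trail:
            print("   ", step)
```

Feed it the real `iptables-save` output from inside the container first, then from the host, and compare the trails for the same packet; a hit that ends in a jump to a chain you did not write is where to look for the configuration-management script that created it. The NAT and mangle tables are not modelled here, which is exactly why they are the confusing part on a real box.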