[svlug] Debugging (tracing?) iptables rules and chains

Dan Ritter dsr at randomstring.org
Thu May 30 05:42:41 PDT 2019

Robert Freiberger wrote: 
> Hello everyone,
> I've been puzzled at work allowing access for SSH into one of our systems.
> The system in question is running OpenVZ, so there are a few
> containers/VM's running and one of the containers I need to access SSH from
> another external machine. The issue is I'm not entirely sure how the access
> is given since there are multiple chains and rules, plus some scripts that
> apply the rules through Puppet.
> Given that I'm not certain on iptables rules, is there a recommended way of
> reverse engineering the chains? Most of what I'm reading describes viewing
> the rules and following it step by step, but how does this work with
> /etc/hosts.allow/deny or when working with a nested system like containers
> or VM's?

First, nearly nothing uses /etc/hosts.allow anymore. The
presence of any entries suggests a very, very old system.

Second: nested systems are nested. Monitor from the outside in, 
debug from the inside out.

Puppet and other configuration management systems aren't magic:
they write to the same iptables rules systems as anything else.

So: start on the inside. Use iptables-save to get a full copy of
what is currently in effect. Rules are read from top to bottom,
with each matching rule for a packet being executed until it
reaches an ACCEPT, DENY, or DROP rule; if no rules match, the
POLICY for the appropriate table (INPUT, OUTPUT, FORWARD) is
used as the final disposition.

Overall packet flow:

Netfilter (includes iptables, nftables) flow:

The hardest bits are NAT/MANGLE tables and MASQUERADE entries.
These tend to confuse matters.


More information about the svlug mailing list