[svlug] Debugging (tracing?) iptables rules and chains

Kevin Smathers kevin at ank.com
Thu May 30 06:00:45 PDT 2019


Personally I prefer to use one tool to manage my firewall rules. I
usually don't care a lot which tool that is, but if it isn't working for me
I usually just rip out the entire iptables mess and write my own vastly
simplified rule set. Like ACLs, iptables rules can get so complex that you
can't understand what they are doing at a glance. IMO, in order to be
considered trustworthy, security tools should either have obvious effects or
should be hacked away at until they have obvious effects.

On Thu, May 30, 2019 at 5:42 AM Dan Ritter <dsr at randomstring.org> wrote:

> Robert Freiberger wrote:
> > Hello everyone,
> >
> > I've been puzzled at work allowing access for SSH into one of our
> > systems. The system in question is running OpenVZ, so there are a few
> > containers/VM's running and one of the containers I need to access SSH
> > from another external machine. The issue is I'm not entirely sure how
> > the access is given since there are multiple chains and rules, plus
> > some scripts that apply the rules through Puppet.
> >
> > Given that I'm not certain on iptables rules, is there a recommended
> > way of reverse engineering the chains? Most of what I'm reading
> > describes viewing the rules and following it step by step, but how does
> > this work with /etc/hosts.allow/deny or when working with a nested
> > system like containers or VM's?
>
> First, nearly nothing uses /etc/hosts.allow anymore. The
> presence of any entries suggests a very, very old system.
>
> Second: nested systems are nested. Monitor from the outside in,
> debug from the inside out.
>
> Puppet and other configuration management systems aren't magic:
> they write to the same iptables rules systems as anything else.
>
> So: start on the inside. Use iptables-save to get a full copy of
> what is currently in effect. Rules are read from top to bottom,
> with each matching rule for a packet being executed until it
> reaches an ACCEPT, DENY, or DROP rule; if no rules match, the
> POLICY for the appropriate table (INPUT, OUTPUT, FORWARD) is
> used as the final disposition.
>
> Overall packet flow:
>
> https://upload.wikimedia.org/wikipedia/commons/3/37/Netfilter-packet-flow.svg
>
> Netfilter (includes iptables, nftables) flow:
> http://linux-ip.net/pages/diagrams.html
>
> The hardest bits are NAT/MANGLE tables and MASQUERADE entries.
> These tend to confuse matters.
>
> -dsr-
>
> _______________________________________________
> svlug mailing list
> svlug at lists.svlug.org
> http://lists.svlug.org/lists/listinfo/svlug
>
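Dan's procedure above (take an `iptables-save` dump, read each chain top to bottom until a rule with a terminating target matches, otherwise fall through to the chain policy) and Kevin's point about keeping the rule set small enough to read at a glance can both be exercised with a small tracer. The following is an added example written for this archive page; it is not code from either poster or from any project. It assumes a constructed `iptables-save` dump embedded in the script and understands only the filter-table matches a basic SSH policy needs (`-i`/`-o`, `-s`/`-d`, `-p`, `--dport`/`--sport`, `--state`/`--ctstate`, `!` negation, user-defined chains with `RETURN`). NAT, MANGLE and MASQUERADE handling, which Dan flags as the hard part, is deliberately out of scope.

```python
"""Trace a packet through a filter-table iptables-save dump (added example)."""
import ipaddress
import shlex
from dataclasses import dataclass, field

TERMINAL = {"ACCEPT", "DROP", "REJECT"}
MATCH_FLAGS = {"-i", "-o", "-s", "-d", "-p", "--dport", "--sport", "--state", "--ctstate"}

# Constructed sample dump, in the format iptables-save emits. It is a
# deliberately small default-deny INPUT policy with one user-defined chain
# (MGMT) that decides who may reach SSH. Addresses are documentation ranges.
SAMPLE_DUMP = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:MGMT - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j MGMT
-A INPUT -p icmp -j ACCEPT
-A MGMT -s 203.0.113.0/24 -j ACCEPT
-A MGMT -s 198.51.100.7/32 -j RETURN
-A MGMT -j REJECT --reject-with tcp-reset
COMMIT
"""


@dataclass
class Rule:
    chain: str
    text: str
    target: str = ""                                   # "" for log-only rules
    matches: dict = field(default_factory=dict)        # flag -> (value, negated)


@dataclass
class Ruleset:
    policies: dict = field(default_factory=dict)       # chain -> policy or "-"
    rules: dict = field(default_factory=dict)          # chain -> [Rule]


def parse_save(dump: str) -> Ruleset:
    """Parse ':CHAIN POLICY' and '-A CHAIN ...' lines; ignore counters/COMMIT."""
    rs = Ruleset()
    for line in dump.splitlines():
        line = line.strip()
        if not line or line.startswith(("*", "#", "COMMIT")):
            continue
        if line.startswith(":"):
            name, policy = line[1:].split()[:2]
            rs.policies[name] = policy
            rs.rules.setdefault(name, [])
            continue
        toks = shlex.split(line)
        if toks[0] != "-A":
            continue
        rule = Rule(chain=toks[1], text=line)
        i, negate = 2, False
        while i < len(toks):
            t = toks[i]
            if t == "!":
                negate, i = True, i + 1
            elif t == "-j":
                rule.target, i = toks[i + 1], i + 2
            elif t in MATCH_FLAGS:
                rule.matches[t] = (toks[i + 1], negate)
                negate, i = False, i + 2
            elif t == "-m":
                i += 2                # match module name; its options follow
            else:
                i += 1                # target options (e.g. --reject-with) are irrelevant here
        rs.rules.setdefault(rule.chain, []).append(rule)
    return rs


def _match_one(flag: str, value: str, pkt: dict) -> bool:
    if flag in ("-i", "-o"):
        return pkt.get("in_if" if flag == "-i" else "out_if") == value
    if flag in ("-s", "-d"):
        addr = pkt["src" if flag == "-s" else "dst"]
        return ipaddress.ip_address(addr) in ipaddress.ip_network(value, strict=False)
    if flag == "-p":
        return pkt.get("proto") == value
    if flag in ("--dport", "--sport"):
        port = int(pkt.get("dport" if flag == "--dport" else "sport", -1))
        lo, _, hi = value.partition(":")          # "22" or "6000:6010"
        return int(lo) <= port <= int(hi or lo)
    if flag in ("--state", "--ctstate"):
        return pkt.get("state", "NEW") in value.split(",")
    return False                                   # unknown match: treat as no match


def rule_matches(rule: Rule, pkt: dict) -> bool:
    return all(_match_one(f, v, pkt) != neg for f, (v, neg) in rule.matches.items())


def trace(rs: Ruleset, chain: str, pkt: dict, path=None):
    """Return (verdict, path). verdict None means the chain RETURNed to its caller."""
    path = [] if path is None else path
    for rule in rs.rules.get(chain, []):
        if not rule_matches(rule, pkt):
            continue
        path.append(rule.text)
        if rule.target in TERMINAL:
            return rule.target, path
        if rule.target == "RETURN":
            return None, path
        if rule.target in rs.rules:                # jump to a user-defined chain
            verdict, path = trace(rs, rule.target, pkt, path)
            if verdict is not None:
                return verdict, path
        # LOG/MARK/empty target: non-terminating, keep walking the chain
    policy = rs.policies.get(chain, "-")
    if policy != "-":                              # built-in chain: policy decides
        path.append(f"policy {chain} {policy}")
        return policy, path
    return None, path


if __name__ == "__main__":
    rs = parse_save(SAMPLE_DUMP)
    ssh = {"dst": "198.51.100.1", "in_if": "eth0", "proto": "tcp", "dport": 22, "state": "NEW"}
    for src in ("203.0.113.5", "198.51.100.7", "192.0.2.9"):
        verdict, path = trace(rs, "INPUT", dict(ssh, src=src))
        print(f"{src} -> {verdict}\n  " + "\n  ".join(path))
```

Run it as-is to see three SSH connection attempts traced: one accepted inside MGMT, one that hits `RETURN` and falls back to the INPUT policy, and one rejected by the last MGMT rule. On a real host, replace `SAMPLE_DUMP` with the output of `iptables-save` and, following Dan's "inside out" advice, run the tracer first against the container's own dump and then against the host's FORWARD chain, since each nesting level has its own rule set.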