[svlug] Debugging (tracing?) iptables rules and chains

Rob Landley rob at landley.net
Thu May 30 16:49:06 PDT 2019


On 5/29/19 10:31 PM, Robert Freiberger wrote:
> Hello everyone, 
> 
> I've been puzzled at work allowing access for SSH into one of our systems. The
> system in question is running OpenVZ, so there are a few containers/VMs running
> and one of the containers I need to access SSH from another external machine.
> The issue is I'm not entirely sure how the access is given since there are
> multiple chains and rules, plus some scripts that apply the rules through Puppet. 
> 
> Given that I'm not certain on iptables rules, is there a recommended way of
> reverse engineering the chains? Most of what I'm reading describes viewing the
> rules and following it step by step, but how does this work with
> /etc/hosts.allow/deny or when working with a nested system like containers or VMs?

I just do iptables-save (it dumps to stdout) to view the rules. The network
namespace includes routing and iptables rules. The variants I've used generally
have a tun/tap interface in the container so packets exiting a container are
treated like a "hop", so inside/outside logic's straightforward to work out.
(Long ago I moved existing interfaces inside the container but didn't try
iptables rules both inside and outside when I did it?)

Rob
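An added example, not part of the thread above and not Rob's or Robert's code, showing one way to "reverse engineer" a rule set once you have the iptables-save dumps: take the text iptables-save prints (on the host, and inside the container with `vzctl exec <CTID> iptables-save` on OpenVZ or `nsenter -t <PID> -n iptables-save` on a namespace-based container), then walk the chains offline for the one packet you care about, here TCP port 22 from a given source address, and record which rules matched and which one decided. The dump below is constructed for illustration; the chain name MGMT, the addresses and the `packet()` helper are all assumptions. Only a handful of matches are modelled (-p, -s, -d, -i, -o, --dport/--sport, --state/--ctstate, with `!` negation); anything else is skipped, so a rule that relies on an unmodelled match (owner, multiport, connlimit and so on) will be treated as matching. On a live box the kernel can do the same walk for you with a `-j TRACE` rule in the raw table, which also understands every match. Note too that /etc/hosts.allow and /etc/hosts.deny are consulted by sshd itself (when it is built with TCP wrappers) only after the connection has already passed the firewall, so they are a separate layer that never appears in an iptables dump.

```python
import ipaddress
import shlex

# Constructed sample in iptables-save format (not from the original thread), e.g. what
# `iptables-save` prints on the host or inside the container.
SAMPLE_DUMP = """\
*filter
:INPUT DROP [0:0]
:MGMT - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j MGMT
-A MGMT -s 10.0.0.0/8 -j ACCEPT
-A MGMT -s 203.0.113.5/32 -j ACCEPT
-A MGMT -j LOG --log-prefix "ssh-drop: "
-A MGMT -j DROP
COMMIT
"""
TERMINAL = {"ACCEPT", "DROP", "REJECT"}                  # verdicts that end traversal
# Matches this model understands; other options (-m tcp, --log-prefix ...) are skipped.
MODELLED = {"-p": "p", "-s": "s", "-d": "d", "-i": "i", "-o": "o", "--dport": "dport",
            "--sport": "sport", "--state": "state", "--ctstate": "state"}

def parse_rule(args, text):
    """Reduce one '-A CHAIN ...' option list to {match: (negated, value)} plus its target."""
    rule, neg, i = {"matches": {}, "target": None, "text": text}, False, 0
    while i < len(args):
        tok = args[i]
        if tok == "!":                                   # negates the option that follows
            neg, i = True, i + 1
        elif tok == "-j":
            rule["target"], i = args[i + 1], i + 2
        elif tok in MODELLED:
            rule["matches"][MODELLED[tok]] = (neg, args[i + 1])
            neg, i = False, i + 2
        elif i + 1 < len(args) and not args[i + 1].startswith("-"):
            i += 2                                       # unmodelled option that takes a value
        else:
            i += 1                                       # unmodelled bare flag such as --syn
    return rule

def parse_table(dump, table="filter"):
    """Return (policies, chains) for one table: chain -> policy, chain -> [rule]."""
    policies, chains, current = {}, {}, None
    for line in dump.strip().splitlines():
        if line.startswith("*"):                         # "*filter", "*nat", ...
            current = line[1:]
        elif current == table and line.startswith(":"):  # ":NAME POLICY [pkts:bytes]"; "-" = user chain
            name, policy = line[1:].split()[:2]
            chains[name] = []
            if policy != "-":
                policies[name] = policy
        elif current == table and line.startswith("-A "):
            args = shlex.split(line)[1:]                 # shlex keeps quoted values such as a log prefix whole
            chains[args[0]].append(parse_rule(args[1:], line))
    return policies, chains

def rule_matches(rule, pkt):
    """True if every modelled match holds for pkt, honouring '!' negation."""
    for key, (neg, value) in rule["matches"].items():
        if key in ("s", "d"):
            addr = pkt["src" if key == "s" else "dst"]
            hit = ipaddress.ip_address(addr) in ipaddress.ip_network(value, strict=False)
        elif key in ("dport", "sport"):                  # "22" or a range "1024:65535"
            lo, _, hi = value.partition(":")
            hit = pkt.get(key) is not None and int(lo) <= pkt[key] <= int(hi or lo)
        elif key == "state":
            hit = pkt.get("state", "NEW") in value.split(",")
        else:                                            # -p, -i, -o compare literally
            hit = pkt.get({"p": "proto", "i": "in", "o": "out"}[key]) == value
        if hit == neg:                                   # plain match must hold, negated must not
            return False
    return True

def trace(dump, chain, pkt, table="filter"):
    """Walk `chain` for `pkt`; return (verdict, [matching rules in traversal order])."""
    policies, chains = parse_table(dump, table)
    path = []
    def walk(name):
        for rule in chains[name]:
            if not rule_matches(rule, pkt):
                continue
            path.append(rule["text"])
            target = rule["target"]
            if target in TERMINAL or target == "RETURN":
                return target
            if target in chains:                         # user chain: descend; carry on if it RETURNs
                verdict = walk(target)
                if verdict != "RETURN":
                    return verdict
            # LOG, counting rules without -j and other non-terminating targets fall through
        return "RETURN"                                  # ran off the end of the chain
    verdict = walk(chain)
    if verdict == "RETURN":                              # a built-in chain then applies its policy
        verdict = policies.get(chain, "RETURN")
        path.append("policy %s %s" % (chain, verdict))
    return verdict, path

def packet(src, dport, proto="tcp", iface="eth0", state="NEW"):
    """Constructed inbound packet as INPUT would see it (destination address is made up)."""
    return {"proto": proto, "src": src, "dst": "192.0.2.10", "in": iface, "out": None,
            "sport": 51234, "dport": dport, "state": state}
```

With the sample dump, `trace(SAMPLE_DUMP, "INPUT", packet("203.0.113.5", 22))` returns `("ACCEPT", [...])` with the INPUT jump and the MGMT whitelist rule as the path, while a new SSH connection from `198.51.100.7` walks the same jump, hits the LOG rule (non-terminating, so it is recorded and traversal continues) and is decided by `-A MGMT -j DROP`; a packet no rule matches ends at `policy INPUT DROP`. Run the host dump and the container dump through it separately: with a tun/tap or venet interface in the container, a packet crosses the host's FORWARD chain first and the container's INPUT chain second, so both must say ACCEPT.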


