iptables not logging a FORWARD rule

Steve Jennings
I am trying to learn iptables and virtualbox.

I have 3 CentOS 7 VMs configured as follows with iptables configured on VM2. All interfaces are configured as "host only adapter" in VirtualBox as /24 networks:


VM1 - - - - - - - - -  - - VM2- - - - - - - - - - -VM3
192.168.1.1             192.168.1.2
                                  172.16.0.2             172.16.0.1
                                                                  10.0.0.1

iptables is configured on VM2 as follows:

LINE 1: -A INPUT -s 192.168.1.1 -d 192.168.1.2 -j LOG
LINE 2: -A FORWARD -s 192.168.1.1 -d 172.16.0.2 -j LOG
LINE 3: -A FORWARD -s 192.168.1.1 -d 172.16.0.1 -j LOG
LINE 4: -A FORWARD -s 192.168.1.1 -d 10.0.0.1 -j LOG

When I send data using scapy -- send(IP(src="n.n.n.n", dst="y.y.y.y")/TCP()) -- the traffic flow described on LINES 1, 2 and 4 is logged. But the flow from LINE 3 is not.

I have tried LINE 3 using INPUT and OUTPUT rules without success.

What am I missing?

Thanks.
Steve
noci, Software Engineer
Distinguished Expert 2018

Commented:
INPUT & OUTPUT are not applicable on packets that are forwarded using the ROUTING engine.
There are no nat rules involved? (In that case those are processed first (PREROUTING) or last (POSTROUTING).)

INPUT only is used in INCOMING packets into the system, OUTPUT only for packets leaving the system (both not for forwarding).
FORWARDING is the passthrough chain.

Didn't you swap the addresses 172.16.0.1 & 172.16.0.2.... I would expect 172.16.0.2 in INPUT and 172.16.0.1 on FORWARD with the addresses mentioned in your schema.
Steve Jennings, Sr Manager Cloud Networking Ops

Author

Commented:
Thanks for the comment noci . . . no, the addresses in the primitive pic and the iptables are as shown. iptables logs 192.168.1.1 -> 172.16.0.2 as "FORWARD" even though 172.16.0.2 is an address on VM2 and it does NOT log 192.168.1.1 -> 172.16.0.2.
Steve Jennings, Sr Manager Cloud Networking Ops

Author

Commented:
pkts bytes target     prot opt in     out     source               destination        
    7   280 LOG        all  --  *      *       192.168.1.1         192.168.1.2        LOG flags 6 level 6 prefix "192 to 192  "

Chain FORWARD (policy ACCEPT 141 packets, 5744 bytes)
 pkts bytes target     prot opt in     out     source               destination        
    7   280 LOG        all  --  *      *       192.168.1.1        172.16.0.2             LOG flags 6 level 6 prefix "192 to .2  "
    0     0 LOG        all  --  *      *       192.168.1.1           172.16.0.1            LOG flags 6 level 6 prefix "192 to .1  "

Steve Jennings, Sr Manager Cloud Networking Ops

Author

Commented:
Sorry . . . should have set that to a fixed font
noci, Software Engineer
Distinguished Expert 2018

Commented:
It may show FORWARD because it is first routed internally to the other interface and then enters the system... I never checked how the firewall would handle that case.
You probably mean it does not log:  192.168.1.1 -> 172.16.0.1....
What does the following show:
iptables -L -nv FORWARD
iptables -L -nv INPUT


Steve Jennings, Sr Manager Cloud Networking Ops

Author

Commented:
yes . . . sorry . . . does not log 192.168.1.1 -> 172.16.0.1
noci, Software Engineer
Distinguished Expert 2018

Commented:
What does tcpdump show while running scapy? The iptables rules look OK to me.
Steve Jennings, Sr Manager Cloud Networking Ops

Author

Commented:
That's also very odd . . . tcpdump shows identical entries when taken from VM2 . . . that is the packets -- other than the dst addr -- look identical.

Also, 192.168.1.1 -> 10.0.0.1 also works / logs and the only difference is that VM2 doesn't have a 10.0.0.0/24 interface.

Thanks,
Steve
Steve Jennings, Sr Manager Cloud Networking Ops

Author

Commented:
For what it's worth, I added another secondary IP to VM2, 10.0.0.2, and it doesn't log either . . . the problem seems to relate only to IP subnet addresses that appear on both the iptables machine and VM3. Then I removed 10.0.0.1 from VM3 and 10.0.0.2 on VM2 still does not log.

Clearly I have some sort of non-configuration issue . . .
noci, Software Engineer
Distinguished Expert 2018

Commented:
For forwarding to work you also need routing, otherwise the routing engine will swallow the packets...,
Is routing setup?
ip route show
or
netstat -rn

BTW, I just verified that a packet that ends up on the local system IS NOT logged on a forwarding rule.
So please check your setup carefully.

So if VM2 has 192.168.1.2 and 172.16.0.2, then those will not be handled by FORWARD, but only by INPUT (BOTH).
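The chain-selection rule noci describes, as an added model that is not code from the thread: after PREROUTING the routing decision sends packets for one of the host's own addresses to INPUT, forwards the rest only when forwarding is on and a route exists, and otherwise discards them before any filter chain sees them. It assumes VM2 holds only the two addresses in the drawing, has only the two connected /24 routes, and has net.ipv4.ip_forward enabled; applied to the four LOG rules from the question it shows which lines can ever fire on a correctly wired VM2.

```python
import ipaddress
from typing import Iterable, List, Tuple

# Constructed model of VM2 from the thread: its two addresses and its two
# directly connected /24 routes. There is no route to 10.0.0.0/24 (assumption).
VM2_LOCAL = {ipaddress.ip_address("192.168.1.2"), ipaddress.ip_address("172.16.0.2")}
VM2_ROUTES = [ipaddress.ip_network("192.168.1.0/24"), ipaddress.ip_network("172.16.0.0/24")]

# The four LOG rules from the question as (line, chain, src, dst).
RULES: List[Tuple[int, str, str, str]] = [
    (1, "INPUT", "192.168.1.1", "192.168.1.2"),
    (2, "FORWARD", "192.168.1.1", "172.16.0.2"),
    (3, "FORWARD", "192.168.1.1", "172.16.0.1"),
    (4, "FORWARD", "192.168.1.1", "10.0.0.1"),
]


def select_chain(dst: str, local_addrs: Iterable, routes: Iterable, ip_forward: bool = True) -> str:
    """Return the filter chain an inbound packet to `dst` traverses on this host.

    Models the netfilter routing decision taken after PREROUTING:
      - destination is one of the host's own addresses        -> INPUT
      - otherwise, forwarding enabled and a matching route     -> FORWARD
      - otherwise the routing engine discards the packet and no
        filter chain (and so no LOG target) ever sees it.
    """
    ip = ipaddress.ip_address(dst)
    if ip in set(local_addrs):
        return "INPUT"
    if not ip_forward:
        return "DROP:ip_forward=0"   # sysctl net.ipv4.ip_forward is 0
    if any(ip in net for net in routes):
        return "FORWARD"
    return "DROP:no-route"


def rules_that_log(src: str, dst: str, rules=RULES, local_addrs=VM2_LOCAL,
                   routes=VM2_ROUTES, ip_forward: bool = True) -> List[int]:
    """Line numbers of rules whose chain and addresses match a packet src -> dst."""
    chain = select_chain(dst, local_addrs, routes, ip_forward)
    return [n for (n, c, s, d) in rules if c == chain and s == src and d == dst]


if __name__ == "__main__":
    for _, _, s, d in RULES:
        print(f"{s} -> {d}: chain={select_chain(d, VM2_LOCAL, VM2_ROUTES)}, "
              f"logged by lines {rules_that_log(s, d)}")
```

Under this model LINE 2 never logs, because 172.16.0.2 is local to VM2 and is delivered to INPUT; a FORWARD hit for it, or for the unrouted 10.0.0.1, points at the packets not actually being routed through VM2, which is what the thread eventually finds.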
Steve Jennings, Sr Manager Cloud Networking Ops

Author

Commented:
All works as expected now. I changed the interface type to "internal" for the connection between VM1 and VM2 and everything works as I would expect. For whatever reason, when the interface type was set to "host only" between VM1 and VM2, VM3 was getting traffic directly from VM1, bypassing VM2 and iptables . . . even though this isn't how I understand the "host only" interface to work.

thanks for your input.

Steve
Software Engineer
Distinguished Expert 2018
Commented:
If you use a host only network you need to create TWO:
   - One between VM1 and VM2 and
   - Another one between VM2 - VM3.
Like you seem to show in your drawing.
Apparently you created one host only network to connect all.
By introducing the internal "network" you split it into two networks causing the routing to work as expected.
