iptables not logging a FORWARD rule

I am trying to learn iptables and virtualbox.

I have 3 Centos7 VMs configured as follows with iptables configured on VM2. All interfaces are configured as "host only adapter" in virtual box as /24 networks:


VM1 - - - - - - - - -  - - VM2- - - - - - - - - - -VM3
192.168.1.1             192.168.1.2
                                  172.16.0.2             172.16.0.1
                                                                  10.0.0.1

iptables is configured on VM2 as follows:

LINE 1: -A INPUT -s 192.168.1.1 -d 192.168.1.2 -j LOG
LINE 2: -A FORWARD -s 192.168.1.1 -d 172.16.0.2 -j LOG
LINE 3: -A FORWARD -s 192.168.1.1 -d 172.16.0.1 -j LOG
LINE 4: -A FORWARD -s 192.168.1.1 -d 10.0.0.1 -j LOG

When I send data using scapy -- send(IP(src="n.n.n.n", dst="y.y.y.y")/TCP()) -- the traffic flow described on LINES 1, 2 and 4 is logged. But the flow from LINE 3 is not.

I have tried LINE 3 using INPUT and OUTPUT rules without success.

What am I missing?

Thanks.
Steve
LVL 16
Steve JenningsSr Manager Cloud Networking OpsAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

nociSoftware EngineerCommented:
INPUT & OUTPUT are not applicable on packets that are forwarded using the ROUTING engine.
There are no nat rules involved?   (In that case those are processes first (PREROUTING) or last (POSTROUTING).

INPUT only is used in INCOMING packets into the system, OUTPUT only for packets leaving the system (both not for forwarding).
FORWARDING is the passthrough chain.

Didn't you swap the addresses 172.16.0.1 & 172.16.0.2.... I would expect 172.16.0.2 in INPUT and 172.16.0.1 on FORWARD with the addresses mentioned in your schema.
Steve JenningsSr Manager Cloud Networking OpsAuthor Commented:
Thanks for the comment noci . . . no, the addresses in the primitive pic and the iptables are as shown. iptables logs 192.168.1.1 -> 172.16.0.2 as "FORWARD" even though 172.16.0.2 is an address on VM2 and it does NOT log 192.168.1.1 -> 172.16.0.2.
Steve JenningsSr Manager Cloud Networking OpsAuthor Commented:
pkts bytes target     prot opt in     out     source               destination        
    7   280 LOG        all  --  *      *       192.168.1.1         192.168.1.2        LOG flags 6 level 6 prefix "192 to 192  "

Chain FORWARD (policy ACCEPT 141 packets, 5744 bytes)
 pkts bytes target     prot opt in     out     source               destination        
    7   280 LOG        all  --  *      *       192.168.1.1        172.16.0.2             LOG flags 6 level 6 prefix "192 to .2  "
    0     0 LOG        all  --  *      *       192.168.1.1           172.16.0.1            LOG flags 6 level 6 prefix "192 to .1  "
Maximize Customer Retention with Superior Service

The IT Service Excellence Tool Kit delivers expert advice for technology solution providers. Get your free copy for valuable how-to assets including sample agreements, checklists, flowcharts, and more to help build customer satisfaction and retention.

Steve JenningsSr Manager Cloud Networking OpsAuthor Commented:
Sorry . . . should have set that to a fixed font
nociSoftware EngineerCommented:
It may show FORWARD because it is First routed internally to the other interface and then enter the system..., never checked how the firewall would handle that case.
You probably mean it does not log:  192.168.1.1 -> 172.16.0.1....
What does the following show:
iptables -L -nv FORWARD
iptables -L -nv INPUT

Open in new window

Steve JenningsSr Manager Cloud Networking OpsAuthor Commented:
yes . . . sorry . . . does not log 192.168.1.1 -> 172.16.0.1
nociSoftware EngineerCommented:
What does tcpdump show?  while running scapy?.... the iptables rules look ok to me.
Steve JenningsSr Manager Cloud Networking OpsAuthor Commented:
That's also very odd . . . tcpdump shows identical entries when taken from VM2 . . . that is the packets -- other than the dst addr -- look identical.

Also, 192.168.1.1 -> 10.0.0.1 also works / logs and the only difference is that VM2 doesn't have a 10.0.0.0/24 interface.

Thanks,
Steve
Steve JenningsSr Manager Cloud Networking OpsAuthor Commented:
For what it's worth, I added another secondary IP to VM2, 10.0.0.2, and it doesn't log either . . . the problem seems to relate only to IP subnet addresses that appear on both the iptables machine and VM3. Then I removed 10.0.0.1 from VM3 and 10.0.0.2 on VM2 still does not log.

Clearly I have some sort of non-configuration issue . . .
nociSoftware EngineerCommented:
For forwarding to work you also need routing, otherwise the routing engine will swallow the packets...,
Is routing setup?
ip route show
or
netstat -rn

BTW, i just verified that a packet that ends up on the local system IS NOT logged on a forwarding rule.
So please check your setup carefully.

So if VM2 has 192.168.1.2 and 172.16.0.2 then those will not be handled by FORWARD.  but only on INPUT. (BOTH).
Steve JenningsSr Manager Cloud Networking OpsAuthor Commented:
All works as expected now. I changed the interface type to "internal" for the connection between VM1 and VM2 and everything works as I would expect. For whatever reason, when the interface type was set to "host only" between VM1 and VM2, VM3 was getting traffic directly from VM1, bypassing VM2 and iptables . . . even though this isn't how I understand the "host only" interface to work.

thanks for your input.

Steve
nociSoftware EngineerCommented:
If you say Hostly only network you need to create TWO:
   - One between VM1 and VM2 and
   - Another one between VM2 - VM3.
Like you seem to show in your drawing.
Appearantly you created one hostonly network to connect all.
By introducing the internal "network" you split it into two networks causing the routing to work as expected.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Networking

From novice to tech pro — start learning today.