Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden using our free interactive tool and use it to determine the right price for your IT services. Start calculating Now!
iptables not logging a FORWARD rule
I am trying to learn iptables and virtualbox.
I have 3 Centos7 VMs configured as follows with iptables configured on VM2. All interfaces are configured as "host only adapter" in virtual box as /24 networks:
VM1 - - - - - - - - - - - VM2- - - - - - - - - - -VM3
192.168.1.1 192.168.1.2
172.16.0.2 172.16.0.1
10.0.0.1
iptables is configured on VM2 as follows:
LINE 1: -A INPUT -s 192.168.1.1 -d 192.168.1.2 -j LOG
LINE 2: -A FORWARD -s 192.168.1.1 -d 172.16.0.2 -j LOG
LINE 3: -A FORWARD -s 192.168.1.1 -d 172.16.0.1 -j LOG
LINE 4: -A FORWARD -s 192.168.1.1 -d 10.0.0.1 -j LOG
When I send data using scapy -- send(IP(src="n.n.n.n", dst="y.y.y.y")/TCP()) -- the traffic flow described on LINES 1, 2 and 4 is logged. But the flow from LINE 3 is not.
I have tried LINE 3 using INPUT and OUTPUT rules without success.
What am I missing?
Thanks.
Steve
I have 3 Centos7 VMs configured as follows with iptables configured on VM2. All interfaces are configured as "host only adapter" in virtual box as /24 networks:
VM1 - - - - - - - - - - - VM2- - - - - - - - - - -VM3
192.168.1.1 192.168.1.2
172.16.0.2 172.16.0.1
10.0.0.1
iptables is configured on VM2 as follows:
LINE 1: -A INPUT -s 192.168.1.1 -d 192.168.1.2 -j LOG
LINE 2: -A FORWARD -s 192.168.1.1 -d 172.16.0.2 -j LOG
LINE 3: -A FORWARD -s 192.168.1.1 -d 172.16.0.1 -j LOG
LINE 4: -A FORWARD -s 192.168.1.1 -d 10.0.0.1 -j LOG
When I send data using scapy -- send(IP(src="n.n.n.n", dst="y.y.y.y")/TCP()) -- the traffic flow described on LINES 1, 2 and 4 is logged. But the flow from LINE 3 is not.
I have tried LINE 3 using INPUT and OUTPUT rules without success.
What am I missing?
Thanks.
Steve
Do more with
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
INPUT & OUTPUT are not applicable on packets that are forwarded using the ROUTING engine.
There are no nat rules involved? (In that case those are processes first (PREROUTING) or last (POSTROUTING).
INPUT only is used in INCOMING packets into the system, OUTPUT only for packets leaving the system (both not for forwarding).
FORWARDING is the passthrough chain.
Didn't you swap the addresses 172.16.0.1 & 172.16.0.2.... I would expect 172.16.0.2 in INPUT and 172.16.0.1 on FORWARD with the addresses mentioned in your schema.
There are no nat rules involved? (In that case those are processes first (PREROUTING) or last (POSTROUTING).
INPUT only is used in INCOMING packets into the system, OUTPUT only for packets leaving the system (both not for forwarding).
FORWARDING is the passthrough chain.
Didn't you swap the addresses 172.16.0.1 & 172.16.0.2.... I would expect 172.16.0.2 in INPUT and 172.16.0.1 on FORWARD with the addresses mentioned in your schema.
Thanks for the comment noci . . . no, the addresses in the primitive pic and the iptables are as shown. iptables logs 192.168.1.1 -> 172.16.0.2 as "FORWARD" even though 172.16.0.2 is an address on VM2 and it does NOT log 192.168.1.1 -> 172.16.0.2.
pkts bytes target prot opt in out source destination
7 280 LOG all -- * * 192.168.1.1 192.168.1.2 LOG flags 6 level 6 prefix "192 to 192 "
Chain FORWARD (policy ACCEPT 141 packets, 5744 bytes)
pkts bytes target prot opt in out source destination
7 280 LOG all -- * * 192.168.1.1 172.16.0.2 LOG flags 6 level 6 prefix "192 to .2 "
0 0 LOG all -- * * 192.168.1.1 172.16.0.1 LOG flags 6 level 6 prefix "192 to .1 "
7 280 LOG all -- * * 192.168.1.1 192.168.1.2 LOG flags 6 level 6 prefix "192 to 192 "
Chain FORWARD (policy ACCEPT 141 packets, 5744 bytes)
pkts bytes target prot opt in out source destination
7 280 LOG all -- * * 192.168.1.1 172.16.0.2 LOG flags 6 level 6 prefix "192 to .2 "
0 0 LOG all -- * * 192.168.1.1 172.16.0.1 LOG flags 6 level 6 prefix "192 to .1 "
It may show FORWARD because it is First routed internally to the other interface and then enter the system..., never checked how the firewall would handle that case.
You probably mean it does not log: 192.168.1.1 -> 172.16.0.1....
What does the following show:
You probably mean it does not log: 192.168.1.1 -> 172.16.0.1....
What does the following show:
iptables -L -nv FORWARD
iptables -L -nv INPUT
That's also very odd . . . tcpdump shows identical entries when taken from VM2 . . . that is the packets -- other than the dst addr -- look identical.
Also, 192.168.1.1 -> 10.0.0.1 also works / logs and the only difference is that VM2 doesn't have a 10.0.0.0/24 interface.
Thanks,
Steve
Also, 192.168.1.1 -> 10.0.0.1 also works / logs and the only difference is that VM2 doesn't have a 10.0.0.0/24 interface.
Thanks,
Steve
For what it's worth, I added another secondary IP to VM2, 10.0.0.2, and it doesn't log either . . . the problem seems to relate only to IP subnet addresses that appear on both the iptables machine and VM3. Then I removed 10.0.0.1 from VM3 and 10.0.0.2 on VM2 still does not log.
Clearly I have some sort of non-configuration issue . . .
Clearly I have some sort of non-configuration issue . . .
For forwarding to work you also need routing, otherwise the routing engine will swallow the packets...,
Is routing setup?
ip route show
or
netstat -rn
BTW, i just verified that a packet that ends up on the local system IS NOT logged on a forwarding rule.
So please check your setup carefully.
So if VM2 has 192.168.1.2 and 172.16.0.2 then those will not be handled by FORWARD. but only on INPUT. (BOTH).
Is routing setup?
ip route show
or
netstat -rn
BTW, i just verified that a packet that ends up on the local system IS NOT logged on a forwarding rule.
So please check your setup carefully.
So if VM2 has 192.168.1.2 and 172.16.0.2 then those will not be handled by FORWARD. but only on INPUT. (BOTH).
All works as expected now. I changed the interface type to "internal" for the connection between VM1 and VM2 and everything works as I would expect. For whatever reason, when the interface type was set to "host only" between VM1 and VM2, VM3 was getting traffic directly from VM1, bypassing VM2 and iptables . . . even though this isn't how I understand the "host only" interface to work.
thanks for your input.
Steve
thanks for your input.
Steve
If you say Hostly only network you need to create TWO:
- One between VM1 and VM2 and
- Another one between VM2 - VM3.
Like you seem to show in your drawing.
Appearantly you created one hostonly network to connect all.
By introducing the internal "network" you split it into two networks causing the routing to work as expected.
- One between VM1 and VM2 and
- Another one between VM2 - VM3.
Like you seem to show in your drawing.
Appearantly you created one hostonly network to connect all.
By introducing the internal "network" you split it into two networks causing the routing to work as expected.
Premium Content
You need an Expert Office subscription to comment.Start Free Trial