51

I have a system that came with a firewall already in place. The firewall consists of over 1000 iptables rules. One of these rules is dropping packets I don't want dropped. (I know this because I did iptables-save followed by iptables -F and the application started working.) There are way too many rules to sort through manually. Can I do something to show me which rule is dropping the packets?

3
  • 1
    fedorahosted.org/dropwatch might also be helpful in the future. Commented Jul 25, 2013 at 18:41
  • To see the counters update in real time use watch iptables -L -v -n Commented Jul 13, 2014 at 13:35
  • You can also use the iptables -nvL -t filter command to display only the rules in the filter table, which is where most packet-filtering rules are located. Commented Dec 26, 2022 at 20:30

5 Answers

28

You could add a TRACE rule early in the chain to log every rule that the packet traverses.

I would consider using iptables -L -v -n | less to let you search the rules. I would look at port, address, and interface rules that apply. Given that you have so many rules you are likely running a mostly closed firewall, and are missing a permit rule for the traffic.

How is the firewall built? It may be easier to look at the builder rules than the built rules.

2
  • I figured out after asking this question that the rules are from APF, and I was able to fix that. I love the TRACE target, though. That would have been very effective. Commented Mar 26, 2011 at 19:21
  • 4
    An example of using TRACE target is here: serverfault.com/questions/122157/debugger-for-iptables/…. Commented Jun 12, 2015 at 16:59
23

Since iptables -L -v -n has counters you could do the following.

iptables -L -v -n > Sample1
# Cause the packet that you suspect is being dropped by iptables
iptables -L -v -n > Sample2
diff Sample1 Sample2

This way you will see only the rules that incremented.
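The same before/after comparison done in code, as an added example that is not part of the answer above: it parses two iptables -L -v -n snapshots and lists the rules whose packet counter rose, by default only those with a DROP or REJECT target. Both snapshots are constructed sample output, not real firewall data.

```python
# Added example (not from the answer above): diff two `iptables -L -v -n`
# snapshots so the rule that fired stands out even in a 1000-rule set.
import re

# Constructed sample output of `iptables -L -v -n` (not a real firewall).
SNAPSHOT_BEFORE = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
  500 40000 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
   17  1020 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:8080
    3   180 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""
# Constructed "after" snapshot: the lo ACCEPT rule and the dpt:8080 DROP rule fired.
SNAPSHOT_AFTER = SNAPSHOT_BEFORE.replace("  500 40000", "  510 40800").replace("   17  1020", "   21  1260")

_CHAIN_RE = re.compile(r"^Chain (\S+)")
# pkts bytes target prot opt in out source destination [match details]
_RULE_RE = re.compile(r"^\s*(\d+[KMG]?)\s+(\d+[KMG]?)\s+(\S+)\s+(.*)$")

def _count(field):
    """Without -x, iptables abbreviates big counters as 12K/3M/1G (base 1000)."""
    mult = {"K": 10**3, "M": 10**6, "G": 10**9}
    return int(field[:-1]) * mult[field[-1]] if field[-1] in mult else int(field)

def parse_counters(text):
    """Map (chain, rule index, target, rule text) -> packet count."""
    counters, chain, idx = {}, None, 0
    for line in text.splitlines():
        m = _CHAIN_RE.match(line)
        if m:                      # "Chain INPUT (policy ...)" starts a new chain
            chain, idx = m.group(1), 0
            continue
        m = _RULE_RE.match(line)
        if chain is None or not m:  # column header and blank lines do not match
            continue
        idx += 1
        pkts, _bytes, target, rule = m.groups()
        counters[(chain, idx, target, rule.strip())] = _count(pkts)
    return counters

def rules_that_incremented(before, after, targets=("DROP", "REJECT")):
    """Return [(chain, idx, target, rule, delta)] for rules whose counter rose.
    targets=None reports every rule, not only the terminating DROP/REJECT ones."""
    old = parse_counters(before)
    hits = []
    for key, pkts in parse_counters(after).items():
        delta = pkts - old.get(key, 0)
        if delta > 0 and (targets is None or key[2] in targets):
            hits.append((*key, delta))
    return hits
```

The chain policy counter ("policy DROP N packets" on the Chain line) is not compared; if no rule's counter moves, check it, because the packet may be falling through to the default policy.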

16

Run iptables -L -v -n to see the packet and byte counters for every table and for every rule.

2
  • 1
    This is good, I'm hoping for something better since there are 1000 rules and 1000s of dropped packets. Commented Mar 26, 2011 at 17:49
  • Use sort to sort rules by packet counter. Commented Mar 26, 2011 at 17:53
13

In my company we use watch -n 2 -d iptables -nvL; it shows changes between requests.

8
watch -n1 -d "iptables -tfilter -vnxL | grep -vE 'pkts|Chain' | sort -nk1hr | column -t" 

Keep in mind, this will only show stuff for the table filter.

If you want all tables, try this:

watch -n1 -d "(iptables -tfilter -vnxL;iptables -tnat -vnxL;iptables -tmangle -vnxL;iptables -traw -vnxL;iptables -tsecurity -vnxL) | grep -vE 'pkts|Chain' | sort -nk1,1hr | column -t" 
2
  • 1
    The most complete solution IMHO. | tac can be dropped in favour of adding -r to the sort command. Commented Jul 26, 2021 at 4:52
  • 1
    @ZaarHai thanks for the flowers, edited considering your input and also fixed the sorting which lacked -h. Commented Jul 31, 2021 at 17:32
