Iptables – Debugger for Packet Analysis

debuggingipiptablespacket-analyzer

I'm looking for an easy way to follow a packet through the iptables rules. This is not so much about logging, because I don't want to log all traffic (and I only want to have LOG targets for very few rules).

Something like Wireshark for Iptables. Or maybe even something similar to a debugger for a programming language.

Thanks
Chris

Note: It doesn't have to be a fancy GUI tool. But it must do more than just showing a package counter or so.

Update: It almost looks as if we can't find anything that provides the functionality that is asked for. In that case: Let's at least find a good technique that's based on iptables logging – which can be easily turned on and off, and doesn't require to write iptables rules redundantly (having to write the same rule for -j LOG and -j ...)

Best Answer

I can't think of a direct solution, but I can think of a round about way of tracking a packet.

Log each rule with a log prefix directive (--log-prefix "Rule 34")
Generate a test packet or packet stream with scapy and set the TOS field to something unique
grep the log file output for that TOS setting and see which rules logged it.

Related Solutions

Iptables syn flood countermeasure

Found it! The problem came from both the SYN flood countermeasure, which dropped the authorized streams instead of accepting them, and from the SSH bruteforce countermeasure, which was after the SYN flood countermeasure, so it did not drop any supernumerary incoming connexion as these connections were already accepted by the SYN flood countermeasure.

Here comes the good version of this script :

#!/bin/sh
IPT=/sbin/iptables

echo "Clearing firewall rules"
$IPT -F
$IPT -Z
$IPT -t nat -F
$IPT -t nat -Z
$IPT -t mangle -F
$IPT -t mangle -Z
$IPT -X

echo "Defining logging policy for dropped packets"
$IPT -N LOGDROP 
$IPT -A LOGDROP -j LOG -m limit --limit 60/min --log-level debug --log-prefix "iptables rejected: "
$IPT -A LOGDROP -j DROP 

echo "Setting firewall policy"
$IPT -P INPUT   ACCEPT
$IPT -P OUTPUT  ACCEPT
$IPT -P FORWARD ACCEPT

echo "Allowing connections from/to lo"
$IPT -I INPUT -i lo    -j ACCEPT
$IPT -I OUTPUT -o lo   -j ACCEPT

echo "Denying web server user outgoing HTTP connections on eth0"
$IPT -A OUTPUT -p tcp --dport 80 -o eth0 -m owner --uid-owner www-data -j LOGDROP
$IPT -A OUTPUT -p udp --dport 80 -o eth0 -m owner --uid-owner www-data -j LOGDROP

echo "Denying more than 3 SSH connection attempts per minute and per IP"
$IPT -A INPUT -p tcp --dport 22 -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j LOGDROP

echo "Setting SYN flood countermeasures"
$IPT -A INPUT -p tcp -i eth0 --syn -m limit --limit 30/s --limit-burst 200 -j ACCEPT
$IPT -A INPUT -p tcp -i eth0 --syn -j LOGDROP

echo "Denying 'w00tw00t' vulnerability scans"
$IPT -A INPUT -p tcp --dport 80 -i eth0 -m string --algo bm --string 'w00tw00t.at.ISC.SANS.' -j LOGDROP

echo "Denying HTTP requests concerning misconfigured anoticiapb.com.br external domain"
$IPT -A INPUT -p tcp --dport 80 -i eth0 -m string --algo bm --string "Host: anoticiapb.com.br" -j LOGDROP
$IPT -A INPUT -p tcp --dport 80 -i eth0 -m string --algo bm --string "Host: www.anoticiapb.com.br" -j LOGDROP

echo "Allowing outgoing traffic corresponding to already initiated connections"
$IPT -A OUTPUT -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT

echo "Allowing up to 10 ICMP requests per second, dropping any supernumerary ICMP request"
$IPT -A INPUT -p icmp -m limit --limit 10/second -j ACCEPT
$IPT -A INPUT -p icmp -j LOGDROP

echo "Allowing incoming HTTP(S), SMTP, NTP, PgSQL, SolR"
$IPT -A INPUT -p tcp --dport 25   -i eth0                -j ACCEPT
$IPT -A INPUT -p tcp --dport 80   -i eth0                -j ACCEPT
$IPT -A INPUT -p udp --dport 123  -i eth0                -j ACCEPT
$IPT -A INPUT -p tcp --dport 443  -i eth0                -j ACCEPT
$IPT -A INPUT -p tcp --sport 5433 -i eth0.2654 -s 172.16.0.1 -j ACCEPT
$IPT -A INPUT -p tcp --sport 8983 -i eth0.2654 -s 172.16.0.1 -j ACCEPT

echo "Allowing outgoing SSH, SMTP, whois, DNS, HTTP, SolR, PgSQL, ICMP"
$IPT -A OUTPUT -p tcp --dport 22                         -j ACCEPT
$IPT -A OUTPUT -p tcp --dport 25   -o eth0               -j ACCEPT
$IPT -A OUTPUT -p tcp --dport 43   -o eth0           -j ACCEPT
$IPT -A OUTPUT -p tcp --dport 53   -o eth0               -j ACCEPT
$IPT -A OUTPUT -p udp --dport 53   -o eth0               -j ACCEPT
$IPT -A OUTPUT -p tcp --dport 80   -o eth0               -j ACCEPT
$IPT -A OUTPUT -p tcp --dport 443  -o eth0               -j ACCEPT
$IPT -A OUTPUT -p tcp --dport 5433 -o eth0.2654      -j ACCEPT
$IPT -A OUTPUT -p tcp --dport 8983 -o eth0.2654      -j ACCEPT
$IPT -A OUTPUT -p icmp                   -j ACCEPT

echo "Allowing outgoing FTP backup"
$IPT -A OUTPUT -p tcp --dport 20:21 -o eth0 -d 91.121.190.18 -j ACCEPT

echo "Dropping and logging everything else"
$IPT -A INPUT -j LOGDROP 
$IPT -A OUTPUT -j LOGDROP
$IPT -A FORWARD -j LOGDROP

echo "Firewall loaded."

Linux – How to Enable IPtables TRACE Target on Debian Squeeze (6)

Run:

modprobe ipt_LOG

That fixed it for me.

Best Answer

Related Solutions

Iptables syn flood countermeasure

Linux – How to Enable IPtables TRACE Target on Debian Squeeze (6)

Related Topic