I have a system that came with a firewall already in place. The firewall consists of over 1000 iptables rules. One of these rules is dropping packets I don't want dropped. (I know this because I did iptables-save followed by iptables -F and the application started working.) There are way too many rules to sort through manually. Can I do something to show me which rule is dropping the packets?
5 Answers
You could add a TRACE rule early in the chain to log every rule that the packet traverses.
I would consider using iptables -L -v -n | less to let you search the rules. I would look for port, address, and interface rules that apply. Given that you have so many rules you are likely running a mostly closed firewall, and are missing a permit rule for the traffic.
How is the firewall built? It may be easier to look at the builder rules than the built rules.
I figured out after asking this question that the rules are from APF, and I was able to fix that. I love the TRACE target, though. That would have been very effective. – Shawn J. Goff Mar 26 '11 at 19:21
An example of using TRACE target is here: http://serverfault.com/questions/122157/debugger-for-iptables/126079#126079. – slm Jun 12 '15 at 16:59
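A worked version of the TRACE approach, added here as an example and not code from the answer or comment above. The port (8080), interface, addresses, chain names and rule numbers in the sample log are placeholders; the trace_on/trace_off functions need root and a kernel with xt_TRACE, while the two parsing functions run on the constructed sample without either. On recent kernels the trace only reaches the kernel log once a logger is loaded (typically modprobe nf_log_ipv4), and with the nft-backed iptables it is read with xtables-monitor --trace instead of dmesg.

```shell
#!/bin/sh
# Added example (not from the original answer): trace one flow through the
# tables with the TRACE target, then read the trace back from the kernel log.
# Assumption: the suspect traffic is TCP to local port 8080 (placeholder).

# TRACE is only valid in the raw table.  Insert at position 1 of PREROUTING
# (packets arriving on an interface) and OUTPUT (packets this host generates)
# so tracing is switched on before any other table sees the packet.  Match as
# narrowly as possible: each traced packet emits one log line per rule it hits.
trace_on() {
    iptables -t raw -I PREROUTING 1 -p tcp --dport "$1" -j TRACE
    iptables -t raw -I OUTPUT     1 -p tcp --dport "$1" -j TRACE
}
trace_off() {
    iptables -t raw -D PREROUTING -p tcp --dport "$1" -j TRACE
    iptables -t raw -D OUTPUT     -p tcp --dport "$1" -j TRACE
}

# Constructed sample of what dmesg shows for one SYN to port 8080 (not real
# output from the asker's host).  Rule 4 of INPUT jumps to a user chain
# SANITY, which returns; rule 37 is the one that ends traversal.  The last
# line belongs to a different flow and must be ignored by the parser.
SAMPLE_LOG='[ 5120.11] TRACE: raw:PREROUTING:policy:2 IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.1 PROTO=TCP SPT=51234 DPT=8080 SYN
[ 5120.11] TRACE: mangle:PREROUTING:policy:1 IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.1 PROTO=TCP SPT=51234 DPT=8080 SYN
[ 5120.11] TRACE: nat:PREROUTING:policy:1 IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.1 PROTO=TCP SPT=51234 DPT=8080 SYN
[ 5120.11] TRACE: mangle:INPUT:policy:1 IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.1 PROTO=TCP SPT=51234 DPT=8080 SYN
[ 5120.11] TRACE: filter:INPUT:rule:4 IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.1 PROTO=TCP SPT=51234 DPT=8080 SYN
[ 5120.11] TRACE: filter:SANITY:return:6 IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.1 PROTO=TCP SPT=51234 DPT=8080 SYN
[ 5120.11] TRACE: filter:INPUT:rule:37 IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.1 PROTO=TCP SPT=51234 DPT=8080 SYN
[ 5120.12] TRACE: raw:OUTPUT:policy:2 IN= OUT=eth0 SRC=10.0.0.1 DST=10.0.0.7 PROTO=TCP SPT=443 DPT=40012 ACK'

# Each trace line reads "TRACE: table:chain:kind:num ...", where kind is
# rule (a rule matched), return (end of a user chain) or policy (the chain
# policy applied).  The last line for a packet is what ended its traversal;
# for a dropped packet that is the DROP/REJECT rule being looked for.
last_trace_hop() {
    # $1: kernel log text, $2: destination port that identifies the flow
    printf '%s\n' "$1" | grep -E "TRACE: .*DPT=$2( |$)" | tail -n 1 \
        | sed -n 's/.*TRACE: \([^ ]*\).*/\1/p'
}

# Turn "filter:INPUT:rule:37" into plain words.  Rule numbers are the ones
# shown by: iptables -t TABLE -L CHAIN -n -v --line-numbers
describe_hop() {
    entry=$1
    oldifs=$IFS; IFS=:; set -- $entry; IFS=$oldifs
    case $3 in
        rule)   printf 'rule %s of chain %s in table %s\n' "$4" "$2" "$1" ;;
        policy) printf 'policy of chain %s in table %s (no rule matched)\n' "$2" "$1" ;;
        return) printf 'end of user chain %s in table %s, returning to caller\n' "$2" "$1" ;;
        *)      printf 'unrecognised trace entry: %s\n' "$entry" ;;
    esac
}

# Real use: trace_on 8080; reproduce the failure; trace_off 8080;
# then run last_trace_hop "$(dmesg)" 8080 instead of the sample below.
hop=$(last_trace_hop "$SAMPLE_LOG" 8080)
echo "packet ended at $hop: $(describe_hop "$hop")"
```

Always remove the TRACE rules again when done: they stay in the raw table across reboots only if the ruleset is saved, but until then every matching packet keeps writing to the kernel log.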
Since iptables -L -v -n has counters you could do the following.
iptables -L -v -n > Sample1
#Cause the packet that you suspect is being dropped by iptables
iptables -L -v -n > Sample2
diff Sample1 Sample2
This way you will see only the rules that incremented.
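A scripted form of the snapshot-and-diff procedure above, added here as an example and not code from the answer. It goes a step beyond the answer: plain iptables -L only lists the filter table, so the snapshot loops over all tables, and the diff can be narrowed to DROP/REJECT targets so that a busy firewall with thousands of moving counters still yields a short list. The snapshot function needs root; the two sample listings are constructed and the diff runs on them without root.

```shell
#!/bin/sh
# Added example (not from the original answer): diff iptables packet counters
# taken before and after triggering the suspect traffic, printing only rules
# whose counters rose.  Snapshots use -x (exact counters, no K/M suffixes)
# and --line-numbers so a hit maps straight onto iptables -t TABLE -D CHAIN NUM.

# Walk every table, tagging each listing with "Table <name>" so the diff can
# tell identical chain names apart (PREROUTING exists in nat, mangle and raw).
# Tables this kernel lacks (often security) simply print nothing.
snapshot_all_tables() {
    for t in filter nat mangle raw security; do
        echo "Table $t"
        iptables -t "$t" -L -v -n -x --line-numbers 2>/dev/null
    done
}

# counter_diff BEFORE AFTER [TARGET_REGEX]
# Prints "table/chain rule N: +delta pkts -> rule text" for every rule whose
# packet counter rose between the two snapshot files.  The optional third
# argument restricts output to matching targets, e.g. 'DROP|REJECT'.
counter_diff() {
    awk -v want="${3:-.}" '
        /^Table /          { table = $2; next }
        /^Chain /          { chain = $2; next }
        $1 !~ /^[0-9]+$/   { next }          # column header or blank line
        NR == FNR          { before[table "|" chain "|" $1] = $2; next }
        {
            key   = table "|" chain "|" $1
            delta = $2 - before[key]
            if (delta > 0 && $4 ~ want) {
                rule = $4
                for (i = 5; i <= NF; i++) rule = rule " " $i
                printf "%s/%s rule %s: +%d pkts -> %s\n", table, chain, $1, delta, rule
            }
        }' "$1" "$2"
}

BEFORE_FILE=$(mktemp); AFTER_FILE=$(mktemp)
trap 'rm -f "$BEFORE_FILE" "$AFTER_FILE"' EXIT

# Constructed sample snapshots (not real output from the asker's host).
cat > "$BEFORE_FILE" <<'EOF'
Table filter
Chain INPUT (policy DROP 0 packets, 0 bytes)
num      pkts      bytes target     prot opt in     out     source               destination
1        1523     201400 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
2       94011   80221045 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
3           0          0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
4          12        720 DROP       tcp  --  eth0   *       10.0.0.0/8           0.0.0.0/0            tcp dpt:8080

Table nat
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
num      pkts      bytes target     prot opt in     out     source               destination
1         310      18600 DNAT       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:10.0.0.9:8080
EOF
cat > "$AFTER_FILE" <<'EOF'
Table filter
Chain INPUT (policy DROP 0 packets, 0 bytes)
num      pkts      bytes target     prot opt in     out     source               destination
1        1523     201400 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
2       94040   80239421 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
3           0          0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID
4          15        900 DROP       tcp  --  eth0   *       10.0.0.0/8           0.0.0.0/0            tcp dpt:8080

Table nat
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
num      pkts      bytes target     prot opt in     out     source               destination
1         312      18720 DNAT       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 to:10.0.0.9:8080
EOF

# Real use: snapshot_all_tables > before; reproduce the failure;
# snapshot_all_tables > after; counter_diff before after 'DROP|REJECT'
echo "all rules that moved:"
counter_diff "$BEFORE_FILE" "$AFTER_FILE"
echo "only drop/reject rules that moved:"
counter_diff "$BEFORE_FILE" "$AFTER_FILE" 'DROP|REJECT'
```

The diff keys on table, chain and rule position, so it is only meaningful if no rules are inserted or deleted between the two snapshots; take both with the host otherwise as quiet as possible, since every unrelated packet that matches a rule adds noise.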
Run iptables -L -v -n to see the packet and byte counters for every table and for every rule.
This is good, I'm hoping for something better since there are 1000 rules and 1000s of dropped packets. – Shawn J. Goff Mar 26 '11 at 17:49
In my company we use watch -n 2 -d iptables -nvL; it shows changes between requests.
watch -n1 -d "iptables -tfilter -vnxL | grep -vE 'pkts|Chain' | sort -nk1hr | column -t"
Keep in mind, this will only show stuff for the table filter.
If you want all tables, try this:
watch -n1 -d "(iptables -tfilter -vnxL;iptables -tnat -vnxL;iptables -tmangle -vnxL;iptables -traw -vnxL;iptables -tsecurity -vnxL) | grep -vE 'pkts|Chain' | sort -nk1,1hr | column -t"
The most complete solution IMHO. `| tac` can be dropped in favour of adding `-r` to the `sort` command. – Zaar Hai Jul 26 '21 at 04:52
@ZaarHai thanks for the flowers, edited considering your input and also fixed the sorting which lacked `-h`. – sjas Jul 31 '21 at 17:32
watch iptables -L -v -n – Chris Gibb Jul 13 '14 at 13:35