# firewall problems [SOLVED]

## Corona688

Whenever anything goes wrong with my network setup, the first thing I try is /etc/init.d/iptables stop and lo and behold, it's my firewall that's suddenly and inexplicably decided to block yet another service that worked fine before...

This is getting really annoying, and people won't help me fix these problems in general.  Fine.  If you won't tell me a solution, then how can I at least trace which things are being blocked by which firewall rules, where, when?  (Don't tell me tcpdump, I already tried that, it only prints things that get through then tells me how many packets got filtered WHEN I QUIT.  Real useful, that.)

----------

## bluedevils

I'm confused.  Doesn't iptables -L list what iptables is doing?

----------

## Corona688

No.  It tells me this:

```
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
REJECT     udp  --  anywhere             anywhere            udp dpt:bootps reject-with icmp-port-unreachable
REJECT     udp  --  anywhere             anywhere            udp dpt:domain reject-with icmp-port-unreachable
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
DROP       tcp  --  anywhere             anywhere            tcp dpts:0:1023
DROP       udp  --  anywhere             anywhere            udp dpts:0:1023
ACCEPT     all  --  anywhere             anywhere

Chain FORWARD (policy DROP)
target     prot opt source               destination
DROP       all  --  anywhere             10.1.1.0/24
ACCEPT     all  --  10.1.1.0/24          anywhere
ACCEPT     all  --  anywhere             10.1.1.0/24
ACCEPT     all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
```

It does not tell me what it is DOING.  For example, when it begins blocking samba for no readily discernible reason, I would like it to tell me the packets it drops, when it's dropping packets, and by what rule or lack-of-rules they were dropped.  Not all the time obviously, it would fill up the logs, but when I need to debug something.

----------

## bluedevils

Ya, adding logging in iptables was the next thing I was going to suggest.

----------

## Corona688

Great.  Now how do I do that?

----------

## bluedevils

There are plenty of examples on the net.

Here's one at http://www.brandonhutchinson.com/iptables_fw.html

*Quote:*

> ```
> # Create a LOGDROP chain to log and drop packets
> /sbin/iptables -N LOGDROP
> /sbin/iptables -A LOGDROP -j LOG
> ...
> ```

----------

## Corona688

So there's no way to log iptables except to build logging into all your rules?  Seriously?  For someone who's trying to debug their existing rules this seems to totally defeat the point...  and what if something goes wrong in your logging rules?  How do you debug-log the debug-logging rules of the logged logging logger rules?  Can you tell I hate iptables yet...

----------
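The LOGDROP chain from the quoted example, plus two temporary hooks for the situation Corona688 describes (debugging an existing ruleset without rewriting every rule in it). This is an added example, not code from the thread or from the linked page: the function names, rate limits and log prefixes are my own choices, and `$IPT` is a hypothetical indirection so the whole script can be dry-run with `IPT=echo` before it touches a live firewall.

```shell
#!/bin/sh
# Added example, not from the thread: temporary logging hooks for debugging an
# existing iptables ruleset. Every call goes through $IPT, so the script can be
# dry-run with IPT=echo to review the generated rules first.
IPT="${IPT:-/sbin/iptables}"

# Create the LOGDROP chain once: log (rate-limited, so a flood of blocked
# packets cannot fill the log) and then drop. Existing "-j DROP" rules can be
# re-pointed at it with -R, e.g. rule 6 of the INPUT chain shown in the thread:
#   $IPT -R INPUT 6 -p tcp --dport 0:1023 -j LOGDROP
make_logdrop() {
    "$IPT" -N LOGDROP
    "$IPT" -A LOGDROP -m limit --limit 5/min --limit-burst 10 \
        -j LOG --log-level 4 --log-prefix "LOGDROP: "
    "$IPT" -A LOGDROP -j DROP
}

# Log packets that fall off the end of a chain, i.e. the ones decided by the
# chain policy rather than by any rule (the "lack-of-rules" case). Appended
# last, so only unmatched packets ever reach it.
policy_log_on()  { "$IPT" -A "$1" -m limit --limit 5/min -j LOG --log-prefix "POLICY-$1: "; }
policy_log_off() { "$IPT" -D "$1" -m limit --limit 5/min -j LOG --log-prefix "POLICY-$1: "; }

# Trace one service while reproducing the problem: log every packet for that
# protocol/port at the top of the chain, before any rule can drop it. The off
# function deletes by rule spec, so its arguments must match the on function exactly.
# Usage: trace_port_on INPUT tcp 445
trace_port_on() {
    "$IPT" -I "$1" 1 -p "$2" --dport "$3" -m limit --limit 10/min \
        -j LOG --log-prefix "TRACE-$1-$2-$3: "
}
trace_port_off() {
    "$IPT" -D "$1" -p "$2" --dport "$3" -m limit --limit 10/min \
        -j LOG --log-prefix "TRACE-$1-$2-$3: "
}

# One debugging session: switch the temporary logging on, run the command that
# reproduces the problem, then remove the temporary rules again.
# Usage: debug_session INPUT tcp 445 "smbclient -L //server"
debug_session() {
    chain=$1; proto=$2; port=$3; reproduce=$4
    trace_port_on "$chain" "$proto" "$port"
    policy_log_on "$chain"
    sh -c "$reproduce" || true     # the command under test may well fail; that is the point
    policy_log_off "$chain"
    trace_port_off "$chain" "$proto" "$port"
}
```

The LOG target writes to the kernel log, so the lines turn up in `dmesg` (or wherever syslog puts kernel messages), each carrying the packet's IN=, OUT=, SRC=, DST=, PROTO= and port fields. Because the trace rule sits at position 1 and the policy rule at the very end, a packet that appears with the TRACE- prefix but never with POLICY- was decided by an explicit rule in between, and the counters from `iptables -L -nv` show which one. The `-m limit` on every LOG rule is what keeps a burst of blocked traffic from filling the logs, the concern raised earlier in the thread.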

## bluedevils

As you inferred before, it's hard to see packet bouncing when you are behind the firewall.  I assume you are on a switched network, which means the only way I know you can readily troubleshoot is to tap into your line (place a hub between computer and switch) and run tcpdump there.

----------

## expat_iain

You can get stats for the rules with counters, enabling you to view where a packet was caught using:

```
iptables -L -nv
```

Of course, using this in addition to a log all & drop rule at the end of your chains should provide you with enough information to be able to track the source of your problem.

Regs.

Iain.

----------
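A way to put the counters from `iptables -L -nv` to work, as an added example that is not part of the thread: snapshot the counters, reproduce the problem, snapshot again, and diff the two. Whatever rule's packet count grew is the rule that caught the traffic, and a growing policy counter on a built-in chain means the packets matched no rule at all. The function names, the `$IPT` indirection and the two sample snapshots are my own constructions (the samples mimic the shape of the ruleset posted above, with numeric output as `-n` prints it), so the script runs without root or a live firewall.

```shell
#!/bin/sh
# Added example, not from the thread: find which rule (or chain policy) caught
# packets by diffing two `iptables -L -nvx` snapshots taken before and after
# reproducing the problem. -x prints exact counters instead of 12K/3M.
IPT="${IPT:-/sbin/iptables}"

snapshot() { "$IPT" -L -nvx > "$1"; }

# Print every rule whose packet counter grew between BEFORE and AFTER, and every
# built-in chain whose policy counter grew (packets that matched no rule).
# Rules are identified by chain name and position, so take both snapshots with
# the same ruleset loaded.
counter_diff() {
    awk '
        FNR == 1 { file++ }                 # file 1 = before, file 2 = after
        /^Chain / {
            chain = $2; pos = 0
            if ($3 == "(policy") {          # "Chain FORWARD (policy DROP 3 packets, 180 bytes)"
                key = chain ":policy"
                if (file == 1) before[key] = $5
                else if ($5 - before[key] > 0)
                    printf "%-14s +%d  policy %s\n", key, $5 - before[key], $4
            }
            next
        }
        /^ *pkts +bytes/ { next }           # column header line
        NF == 0 { next }                    # blank line between chains
        {
            pos++
            key = chain ":" pos
            if (file == 1) { before[key] = $1; next }
            delta = $1 - before[key]
            if (delta > 0) {
                $1 = ""; $2 = ""; sub(/^ +/, "")   # strip the counters, keep the rule text
                printf "%-14s +%d  %s\n", key, delta, $0
            }
        }' "$1" "$2"
}

# Constructed sample snapshots: between the two, 12 more packets hit the
# "DROP tcp dpts:0:1023" rule and 6 more fell through to FORWARD's DROP policy.
write_samples() {
    cat > "$1/before" <<'EOF'
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
     120       9600 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
      40       3200 REJECT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:67 reject-with icmp-port-unreachable
       7        420 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpts:0:1023

Chain FORWARD (policy DROP 3 packets, 180 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0          0 DROP       all  --  *      *       0.0.0.0/0            10.1.1.0/24
      88      12000 ACCEPT     all  --  *      *       10.1.1.0/24          0.0.0.0/0
EOF
    cat > "$1/after" <<'EOF'
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
     125      10000 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
      40       3200 REJECT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:67 reject-with icmp-port-unreachable
      19       1140 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpts:0:1023

Chain FORWARD (policy DROP 9 packets, 540 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0          0 DROP       all  --  *      *       0.0.0.0/0            10.1.1.0/24
      88      12000 ACCEPT     all  --  *      *       10.1.1.0/24          0.0.0.0/0
EOF
}

# Run the diff over the constructed samples (no root needed).
demo() {
    dir=$(mktemp -d)
    write_samples "$dir"
    counter_diff "$dir/before" "$dir/after"
    rm -r "$dir"
}
if [ "${1:-}" = "demo" ]; then demo; fi
```

On a live box the sequence is `snapshot /tmp/before`, reproduce the failing connection, `snapshot /tmp/after`, then `counter_diff /tmp/before /tmp/after`. Against the samples the output names `INPUT:3` (the DROP on privileged TCP ports) and `FORWARD:policy` as the places packets went missing, which is exactly the "which rule, or lack of rule" question asked earlier in the thread. Remember that `-L` without `-Z` never resets counters, so two snapshots a few seconds apart are what isolate the traffic you just generated from everything the box has seen since the rules were loaded.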

## Corona688

OK.  The first step to solving this, was to admit to myself that I don't know enough about iptables :D  Building a firewall with that is like trying to program an OS in assembly language...

Second step, "emerge firehol".  I got that going in half an hour, samba, vnc, vpn, everything.

----------

## expat_iain

Firewalls are easy.

Programming is hard.

Assembly is simply masochism.

----------

## Corona688

*expat_iain wrote:*

> Firewalls are easy.
> 
> Programming is hard.
> 
> Assembly is simply masochism.

Heh, I've done all three and assembly's easier than iptables ;)  Or maybe I just suck at it.

----------

