From: Chris Brown <chris@wavetex.com>
To: netfilter@lists.netfilter.org
Subject: Re: Bridging firewall setup
Date: Tue, 16 Dec 2003 11:52:26 -0600
Message-ID: <3FDF465A.2020103@wavetex.com>
In-Reply-To: <200312161707.26462.Antony@Soft-Solutions.co.uk>


Antony Stone wrote:

>
>I don't know the answer to your question, but in situations like this I always 
>think it's a good idea to turn on some LOGging so you can see where the 
>packets are, and then you can try filtering them.
>
>One thing you could do straight off is just request a detailed listing of the 
>chains, to see if you have any packet counts at all:
>
>iptables -L -n -v -x
>
>will print out the filter tables in the INPUT, FORWARD and OUTPUT chains, and 
>you should see from the byte & packet counters whether packets seem to have 
>been going past.
>
>You can do the same thing with the nat tables to see what happens just before 
>& after the above:
>
>iptables -L -t nat -n -v -x
>
Thanks for the suggestions. I tried these two commands and on both it 
shows 0 packets being filtered. I took the rules out of nat as they 
didn't seem to be doing anything.

>However, if you simply put a LOG rule into all five chains, and then send some 
>packet through the bridge, see what gets logged where:
>
>iptables -I INPUT -j LOG
>iptables -I FORWARD -j LOG
>iptables -I OUTPUT -j LOG
>iptables -I PREROUTING -t nat -j LOG
>iptables -I POSTROUTING -t nat -j LOG
>
This is a production machine, so leaving logging on for extended periods 
isn't an option since it would quickly fill up the logs. However, I 
turned it on briefly, and even though using tcpdump I see constant 
traffic through the bridge, the logs only show traffic going in and out 
to the bridge's IP that I have set up for maintenance, mostly my SSH 
session. Any ideas how I can get it to see the traffic going through?

Chris

-- 
Chris Brown
System Administrator / Web Application Developer
Wavetex Inc.
903-533-1700
http://wavetex.com/
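An added example, not written by either poster: a POSIX shell script that parses the `iptables -L -n -v -x` listing Antony suggests and reports which chains have counted no packets at all, plus a rate-limited LOG rule pair for the short diagnostic window Chris needs on a production box. The listing it parses is a constructed sample; the interface name br0 and the management address 192.0.2.10 (a documentation address) are assumptions, not values from the thread.

```shell
#!/bin/sh
# Added example, not part of the thread. Parses `iptables -L -n -v -x` output
# and reports chains that have counted no packets, so a bridge that never
# hands traffic to iptables shows up at a glance instead of by eyeballing.

# Constructed sample resembling Chris's report: only the management IP
# (192.0.2.10, a documentation address) appears in INPUT and OUTPUT, while
# FORWARD, where bridged traffic would be counted, stays at zero.
SAMPLE='Chain INPUT (policy ACCEPT 40 packets, 3120 bytes)
    pkts      bytes target     prot opt in     out     source               destination
    1532    118340 ACCEPT     tcp  --  br0    *       0.0.0.0/0            192.0.2.10           tcp dpt:22

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0         0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4

Chain OUTPUT (policy ACCEPT 1207 packets, 96011 bytes)
    pkts      bytes target     prot opt in     out     source               destination
'

# chain_totals: read a listing on stdin, print "CHAIN PACKETS" per chain,
# PACKETS being packets that hit the policy plus packets matching any rule.
chain_totals() {
    awk '
        /^Chain / {
            # built-in chains carry "(policy ACCEPT N packets, ...)";
            # user-defined chains carry "(N references)" and no counter
            name = $2
            total[name] = ($3 == "(policy") ? $5 + 0 : 0
            order[++n] = name
            next
        }
        $1 ~ /^[0-9]+$/ { total[name] += $1 }
        END { for (i = 1; i <= n; i++) print order[i], total[order[i]] }
    '
}

# idle_chains: names of chains that have seen no packets at all.
idle_chains() {
    chain_totals | awk '$2 == 0 { print $1 }'
}

# log_window: rate-limited LOG rule for CHAIN plus its removal, so a short
# diagnostic window cannot flood the logs on a busy box; printed, not run.
log_window() {
    printf 'iptables -I %s -m limit --limit 6/minute -j LOG --log-prefix "brfw-%s: "\n' "$1" "$1"
    printf 'sleep 60 && iptables -D %s -m limit --limit 6/minute -j LOG --log-prefix "brfw-%s: "\n' "$1" "$1"
}
printf '%s\n' "$SAMPLE" | idle_chains
```

Run on a live box with `iptables -L -n -v -x | idle_chains` (root required for the listing); the printed log_window commands are meant to be reviewed before being pasted into a root shell.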
