* Virtual packet tracer for iptables
From: Stefan Keller @ 2012-06-08 11:32 UTC (permalink / raw)
To: netfilter
Hi
I'm quite sure that I'm not the first guy asking for such
functionality, but I could not find anything on the Internet
or in the netfilter mailing list.
Is there any tool or iptables extension to query the iptables
rule base? What I mean is something that needs input parameters
such as
- source IP address
- destination IP address
- source Port
- destination Port
- incoming interface
- outgoing interface
- ToS
- FWMARK
- ...
and the output is the matching rules of all tables (mangle, raw,
nat and filter table).
I know that the output only shows half of the truth for traffic that
needs a helper such as FTP and SIP but it would be perfect for
off-line analysis and for debugging purposes of our large environment.
Thank you for sharing your experiences!
Best regards
Stefan Keller
* Re: Virtual packet tracer for iptables
From: Jean-Philippe Menil @ 2012-06-08 11:56 UTC (permalink / raw)
To: Stefan Keller; +Cc: netfilter
On 08/06/2012 13:32, Stefan Keller wrote:
> Hi
>
> I'm quite sure that I'm not the first guy asking for such
> functionality, but I could not find anything on the Internet
> or in the netfilter mailing list.
>
> Is there any tool or iptables extension to query the iptables
> rule base? What I mean is something that needs input parameters
> such as
>
> - source IP address
> - destination IP address
> - source Port
> - destination Port
> - incoming interface
> - outgoing interface
> - ToS
> - FWMARK
> - ...
>
> and the output is the matching rules of all tables (mangle, raw,
> nat and filter table).
> I know that the output only shows half of the truth for traffic that
> needs a helper such as FTP and SIP but it would be perfect for
> off-line analysis and for debugging purposes of our large environment.
>
> Thank you for sharing your experiences!
>
> Best regards
> Stefan Keller
>
Hi,
Not sure I understand what you mean.
But you have the TRACE target, which can help you.
"This target marks packets so that the kernel will log every rule which
match the packets as those traverse the tables, chains, rules."
Hope this helps.
--
Jean-Philippe Menil - Pôle réseau Service IRTS
DSI Université de Nantes
jean-philippe.menil@univ-nantes.fr
Tel : 02.53.48.49.27 - Fax : 02.53.48.49.09
* Re: Virtual packet tracer for iptables
From: Stefan Keller @ 2012-06-08 12:33 UTC (permalink / raw)
To: jean-philippe.menil; +Cc: netfilter
> Not sure I understand what you mean.
> But you have the TRACE target, which can help you.
> "This target marks packets so that the kernel will log every rule which
> match the packets as those traverse the tables, chains, rules."
>
> Hope this helps.
>
Hi Jean-Philippe
Thanks for your reply!
We did some tests with the TRACE target. But if you use
this target, then you need real traffic that matches the
rule base, meaning an off-line analysis is not possible.
Further, we realized that it is quite hard to simulate
a packet that would match the FORWARD chain (we did not
manage to get one accepted by the system).
As a side note:
We run systems with up to 50,000 concurrent sessions
and an iptables rule base with a few thousand lines.
If we activate the TRACE target, we will get a huge
number of log entries!
I am looking for a tool that could provide the matching rules
without real traffic, just from information about what the
packet would look like (a virtual packet).
For this purpose, one could use the output of iptables-save
or there might be an interface I'm not aware of provided
by netfilter.
This tool would not show me what rules currently match.
It is more a hypothetical question: What rule(s) would match
if I had a packet like this?
Hope this helps to clarify my request.
Best regards
Stefan Keller
--
stefan keller
product manager
open systems ag
raeffelstrasse 29
ch-8045 zurich
t: +41 44 455 74 00
f: +44 44 455 74 01
stefan.keller@open.ch
http://www.open.ch
* Re: Virtual packet tracer for iptables
From: Jean-Philippe Menil @ 2012-06-08 12:59 UTC (permalink / raw)
To: Stefan Keller; +Cc: netfilter
On 08/06/2012 14:33, Stefan Keller wrote:
>> Not sure I understand what you mean.
>> But you have the TRACE target, which can help you.
>> "This target marks packets so that the kernel will log every rule which
>> match the packets as those traverse the tables, chains, rules."
>>
>> Hope this helps.
>>
> Hi Jean-Philippe
>
> Thanks for your reply!
> We did some tests with the TRACE target. But if you use
> this target, then you need real traffic that matches the
> rule base, meaning an off-line analysis is not possible.
> Further, we realized that it is quite hard to simulate
> a packet that would match the FORWARD chain (we did not
> manage to get one accepted by the system).
>
> As a side note:
> We run systems with up to 50,000 concurrent sessions
> and an iptables rule base with a few thousand lines.
> If we activate the TRACE target, we will get a huge
> number of log entries!
>
> I am looking for a tool that could provide the matching rules
> without real traffic, just from information about what the
> packet would look like (a virtual packet).
> For this purpose, one could use the output of iptables-save
> or there might be an interface I'm not aware of provided
> by netfilter.
> This tool would not show me what rules currently match.
> It is more a hypothetical question: What rule(s) would match
> if I had a packet like this?
>
> Hope this helps to clarify my request.
>
> Best regards
> Stefan Keller
>
>
Hi,
I understand better what you mean by "virtual".
I'm not aware of such a tool or target for iptables.
But you do not have to enable TRACE for all your sessions, only
for the information you are looking for.
Regards.
--
Jean-Philippe Menil - Pôle réseau Service IRTS
DSI Université de Nantes
jean-philippe.menil@univ-nantes.fr
Tel : 02.53.48.49.27 - Fax : 02.53.48.49.09
* Re: Virtual packet tracer for iptables
From: Stefan Keller @ 2012-06-08 13:36 UTC (permalink / raw)
To: jean-philippe.menil; +Cc: netfilter
> But you do not have to enable TRACE for all your sessions, only
> for the information you are looking for.
Hi,
Yes, that's true, TRACE does not have to be enabled for all sessions.
But with TRACE I rely on real traffic and there is some interaction
necessary to create such traffic (if multiple parties are involved).
The idea I have is much the same as with routing. If I want to know
where a packet is routed to, then I use 'ip route get <dst_ip>' and
can even add other information such as incoming interface, source IP
address, FWMARK, etc. so that my routing policy is considered.
I don't wait or look for traffic that matches my requirements and
check with tcpdump where it is routed to - I ask the system for the
action based on my input.
It would be great to have a similar mechanism with iptables.
Best regards
Stefan Keller
--
stefan keller
product manager
open systems ag
raeffelstrasse 29
ch-8045 zurich
t: +41 44 455 74 00
f: +44 44 455 74 01
stefan.keller@open.ch
http://www.open.ch
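The two mechanisms discussed in this thread, a scoped TRACE rule for one real flow (Jean-Philippe's suggestion) and an off-line "what would match this virtual packet?" query in the spirit of 'ip route get' (Stefan's request), as an added example that is not part of the thread and not a netfilter tool. It parses iptables-save output and walks the forward path the way the kernel would (jumps into user chains, RETURN, chain policies, non-terminating targets), and it deliberately refuses rule options it does not understand rather than silently skipping them. The ruleset, packets, interface names and addresses are constructed sample data; conntrack state, NAT rewriting and helpers (FTP, SIP) are not modelled, exactly the "half of the truth" caveat raised in the first message.

```python
import ipaddress
import shlex
from dataclasses import dataclass

# Constructed iptables-save excerpt for the example (sample data, not from the thread).
SAMPLE_RULESET = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:DMZ_IN - [0:0]
-A INPUT -i lo -j ACCEPT
-A FORWARD -i eth0 -o eth1 -d 10.0.1.0/24 -j DMZ_IN
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 80 -j DROP
-A DMZ_IN -p tcp -m tcp --dport 443 -j ACCEPT
-A DMZ_IN ! -s 192.0.2.0/24 -p tcp -m tcp --dport 80:81 -j ACCEPT
-A DMZ_IN -j RETURN
COMMIT
"""

TERMINAL = {"ACCEPT", "DROP", "REJECT"}
# The only options this toy matcher understands; anything else is refused, not ignored.
ONE_ARG = {"-s", "-d", "-p", "-i", "-o", "--dport", "--sport", "-j", "-m"}
# Tables/chains a forwarded packet traverses, in order (only those present are walked).
FORWARD_PATH = (("raw", "PREROUTING"), ("mangle", "PREROUTING"), ("nat", "PREROUTING"),
                ("mangle", "FORWARD"), ("filter", "FORWARD"),
                ("mangle", "POSTROUTING"), ("nat", "POSTROUTING"))

@dataclass
class Packet:                       # the "virtual packet": header fields only
    src: str
    dst: str
    proto: str = "tcp"
    sport: int = 0
    dport: int = 0
    in_if: str = ""
    out_if: str = ""

def parse_ruleset(text):
    """Return {table: {chain: (policy or None, [rule, ...])}} from iptables-save output."""
    tables, table = {}, None
    for line in text.splitlines():
        if line.startswith("*"):
            table = tables.setdefault(line[1:], {})
        elif line.startswith(":"):
            name, policy = line.split()[:2]
            table[name[1:]] = (None if policy == "-" else policy, [])
        elif line.startswith("-A "):
            tokens = shlex.split(line)[1:]
            rule, i, negate = {"text": line, "matches": {}, "target": None}, 1, False
            while i < len(tokens):
                tok = tokens[i]
                if tok == "!":
                    negate, i = True, i + 1
                    continue
                if tok not in ONE_ARG:
                    raise ValueError(f"unsupported option {tok!r} in: {line}")
                val = tokens[i + 1]
                if tok == "-j":
                    rule["target"] = val
                elif tok != "-m":   # -m only loads a match module; the options follow
                    rule["matches"][tok.lstrip("-")] = (negate, val)
                negate, i = False, i + 2
            table[tokens[0]][1].append(rule)
    return tables

def _port_hit(spec, port):          # "80" or "80:81"
    lo, _, hi = spec.partition(":")
    return int(lo) <= port <= int(hi or lo)

def _rule_hits(rule, pkt):
    for key, (negate, val) in rule["matches"].items():
        if key in ("s", "d"):
            addr = pkt.src if key == "s" else pkt.dst
            hit = ipaddress.ip_address(addr) in ipaddress.ip_network(val, strict=False)
        elif key in ("p", "i", "o"):
            hit = {"p": pkt.proto, "i": pkt.in_if, "o": pkt.out_if}[key] == val
        else:                       # dport / sport
            hit = _port_hit(val, pkt.dport if key == "dport" else pkt.sport)
        if hit == negate:           # a plain miss, or a hit on a negated match
            return False
    return True

def walk_chain(table, chain, pkt, matched):
    """Walk one chain as the kernel would; append hit rules; return verdict or None."""
    policy, rules = table[chain]
    for rule in rules:
        if not _rule_hits(rule, pkt):
            continue
        matched.append(rule["text"])
        target = rule["target"]
        if target in TERMINAL:
            return target
        if target == "RETURN":
            return None
        if target in table:         # user-defined chain: recurse, continue if it returns
            verdict = walk_chain(table, target, pkt, matched)
            if verdict is not None:
                return verdict
        # LOG, MARK, TRACE, ...: non-terminating targets, keep walking
    return policy                   # None for a user chain == implicit RETURN

def virtual_trace(text, pkt, hook_path=FORWARD_PATH):
    """Off-line answer to 'which rules would this packet hit?' (no conntrack/NAT modelled)."""
    tables, result = parse_ruleset(text), []
    for table_name, chain in hook_path:
        table = tables.get(table_name)
        if table and chain in table:
            matched = []
            verdict = walk_chain(table, chain, pkt, matched)
            result.append((table_name, chain, verdict, matched))
            if verdict in ("DROP", "REJECT"):
                break
    return result

def trace_rule_for(pkt):
    """Raw-table rule that enables TRACE for this one flow only, not for every session."""
    return (f"iptables -t raw -A PREROUTING -i {pkt.in_if} -s {pkt.src} -d {pkt.dst}"
            f" -p {pkt.proto} --dport {pkt.dport} -j TRACE")

if __name__ == "__main__":
    web = Packet("203.0.113.5", "10.0.1.10", "tcp", 40000, 80, "eth0", "eth1")
    for table, chain, verdict, rules in virtual_trace(SAMPLE_RULESET, web):
        print(f"{table}/{chain}: {verdict}")
        for r in rules:
            print("   ", r)
    print(trace_rule_for(web))
```

Run it on a real `iptables-save` dump and it will raise on the first option it does not model (`--tcp-flags`, `-m state`, `-m set`, ...); that is the point at which a real tool would have to grow, and the failure is loud rather than a wrong "ACCEPT". The TRACE rule it prints is the scoped form of the reply's advice: the `-j TRACE` rule sits in the raw table, so it is evaluated before conntrack and fires only for packets matching that 5-tuple, keeping the log volume proportional to the flow under investigation rather than to the 50,000 sessions.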