
I am trying to use the TRACE target of iptables, but I can't seem to get any trace information logged. I want to use what is described here: Debugger for Iptables.

From the iptables man page for TRACE:

   This target marks packets so that the kernel will log every rule which
   match the packets as those traverse the tables, chains, rules. (The
   ipt_LOG or ip6t_LOG module is required for the logging.) The packets
   are logged with the string prefix: "TRACE: tablename:chain-
   name:type:rulenum " where type can be "rule" for plain rule, "return"
   for implicit rule at the end of a user defined chain and "policy" for
   the policy of the built in chains.
   It can only be used in the raw table.

I use the following rule: iptables -A PREROUTING -t raw -p tcp -j TRACE, but nothing is appended to either /var/log/syslog or /var/log/kern.log!

Is there another step missing? Am I looking in the wrong place?

edit

Even though I can't find any log entries, the TRACE target seems to be set up correctly, since the packet counters get incremented:

# iptables -L -v -t raw
Chain PREROUTING (policy ACCEPT 193 packets, 63701 bytes)
 pkts bytes target     prot opt in     out     source               destination
  193 63701 TRACE      tcp  --  any    any     anywhere             anywhere

Chain OUTPUT (policy ACCEPT 178 packets, 65277 bytes)
 pkts bytes target     prot opt in     out     source               destination

edit 2

The rule iptables -A PREROUTING -t raw -p tcp -j LOG does print packet information to /var/log/syslog... Why doesn't TRACE work?

bernie

5 Answers

It seems (i.e. it works for me) that with a new kernel this is needed (for IPv4):

modprobe nf_log_ipv4
sysctl net.netfilter.nf_log.2=nf_log_ipv4

credits:

akostadinov

The question specifically asks about Debian squeeze, so this answer is not strictly relevant, but since this is the top result for "iptables TRACE", I want to clarify a little.

Those answers are all correct, but on modern systems you are most likely actually using iptables-nft (check iptables -V). Simply speaking, your userspace program acts very much like the real iptables, but under the hood it's nftables in the kernel. In that case ipt_LOG and the other things mentioned in the other answers (and in two tutorials I found on this subject) won't work; instead you can check the trace logs using the userspace program xtables-monitor --trace. Source: https://ipset.netfilter.org/iptables-extensions.man.html#lbDX

Further reading from redhat about iptables-nft: https://developers.redhat.com/blog/2020/08/18/iptables-the-two-variants-and-their-relationship-with-nftables

JimmyZ

Run:

modprobe ipt_LOG

That fixed it for me.

bain

I found that I needed to perform both of the previous answers' steps, in this order:

sudo modprobe ipt_LOG
sudo sysctl net.netfilter.nf_log.2=ipt_LOG

Here are a couple of things that I discovered along the way.

You can get a list of valid loggers (along with the currently selected logger) with the following:

cat /proc/net/netfilter/nf_log

The numbers here are the protocol family numbers, as defined in /usr/include/bits/socket.h: 2 is AF_INET (that's IPv4) and 10 is AF_INET6 (IPv6).

mavit

This worked for me: sudo sysctl net.netfilter.nf_log.2=ipt_LOG
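As an added example (not code from the question or from any of the answers above), the POSIX shell helpers below put the checks from the answers together: read which logger is bound for a protocol family from /proc/net/netfilter/nf_log, tell iptables-legacy from iptables-nft via iptables -V, and pull table/chain/type/rulenum out of a "TRACE: ..." kernel log line. They assume the nf_log file uses the line format "<family> <selected-logger> (<registered,loggers>)" and that iptables -V prints "(nf_tables)" or "(legacy)" after the version on 1.8+ builds; the nf_log contents and the log line used at the top level are constructed samples, so nothing here touches the running system unless you call trace_enable_ipv4 yourself.

```shell
#!/bin/sh
# Helpers for diagnosing an iptables TRACE rule that produces no log output.
# Added example: assumes the /proc/net/netfilter/nf_log line format
# "<family> <selected-logger> (<registered,loggers>)" and the backend tag
# printed by "iptables -V" on 1.8+ builds. Nothing below modifies the system
# unless trace_enable_ipv4 is called explicitly (it needs root).

# Constructed sample of /proc/net/netfilter/nf_log: nf_log_ipv4 has been
# modprobed but not selected for IPv4 (family 2), while IPv6 (family 10)
# already has nf_log_ipv6 bound.
SAMPLE_NF_LOG=' 0 NONE (nf_log_ipv4)
 1 NONE (nf_log_ipv4)
 2 NONE (nf_log_ipv4,nfnetlink_log)
 3 NONE (nf_log_ipv4)
 7 NONE (nf_log_ipv4)
10 nf_log_ipv6 (nf_log_ipv6,nfnetlink_log)
12 NONE (nf_log_ipv4)'

# family_name NUM -> AF_* name for the families that matter for TRACE
family_name() {
    case "$1" in
        2)  echo AF_INET ;;
        10) echo AF_INET6 ;;
        *)  echo "AF_$1" ;;
    esac
}

# nf_log_selected FAMILY [FILE] -> logger currently bound for FAMILY ("NONE" if none)
nf_log_selected() {
    awk -v fam="$1" '$1 == fam { print $2; exit }' "${2:-/proc/net/netfilter/nf_log}"
}

# nf_log_registered FAMILY [FILE] -> comma-separated loggers that could be selected
nf_log_registered() {
    awk -v fam="$1" '$1 == fam { gsub(/[()]/, "", $3); print $3; exit }' "${2:-/proc/net/netfilter/nf_log}"
}

# iptables_backend "$(iptables -V)" -> nf_tables | legacy | unknown
# Pre-1.8 builds print no tag at all; those are always the legacy xtables backend.
iptables_backend() {
    case "$1" in
        *"(nf_tables)"*) echo nf_tables ;;
        "iptables v"*)   echo legacy ;;
        *)               echo unknown ;;
    esac
}

# trace_fields LOGLINE -> "table chain type rulenum" taken from the
# "TRACE: tablename:chainname:type:rulenum " prefix described in the man page
trace_fields() {
    printf '%s\n' "$1" | sed -n 's/.*TRACE: \([^:]*\):\([^:]*\):\([^:]*\):\([0-9]*\).*/\1 \2 \3 \4/p'
}

# trace_diagnose FAMILY BACKEND [FILE] -> one-line reason TRACE output may be missing
trace_diagnose() {
    fam=$1; backend=$2; file=${3:-/proc/net/netfilter/nf_log}
    if [ "$backend" = nf_tables ]; then
        echo "iptables-nft: TRACE output is delivered over netlink, read it with 'xtables-monitor --trace'"
        return 0
    fi
    sel=$(nf_log_selected "$fam" "$file")
    reg=$(nf_log_registered "$fam" "$file")
    if [ -z "$sel" ]; then
        echo "family $fam not present in $file"
    elif [ "$sel" = NONE ] && [ -z "$reg" ]; then
        echo "no logger loaded for $(family_name "$fam"): modprobe nf_log_ipv4 (ipt_LOG on older kernels)"
    elif [ "$sel" = NONE ]; then
        echo "logger ${reg%%,*} loaded but not selected: sysctl net.netfilter.nf_log.$fam=${reg%%,*}"
    else
        echo "logger $sel selected for $(family_name "$fam"); check that the TRACE rule is in the raw table and read dmesg"
    fi
}

# trace_enable_ipv4 -> the two steps from the answers, for the legacy backend (needs root)
trace_enable_ipv4() {
    modprobe nf_log_ipv4 2>/dev/null || modprobe ipt_LOG || return 1
    sysctl -w "net.netfilter.nf_log.2=$(nf_log_registered 2 | cut -d, -f1)"
}

# Self-contained demo on the constructed sample (no root, no system changes).
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_NF_LOG" > "$tmp"
trace_diagnose 2 legacy "$tmp"
trace_diagnose 10 legacy "$tmp"
trace_diagnose 2 nf_tables "$tmp"
trace_fields 'kernel: TRACE: raw:PREROUTING:policy:2 IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.1 PROTO=TCP SPT=51234 DPT=22'
rm -f "$tmp"
```

On a real host, source the file and run trace_diagnose 2 "$(iptables_backend "$(iptables -V)")" to read the live /proc/net/netfilter/nf_log; the verdict tells you whether the missing piece is the module, the sysctl, the backend, or the rule placement.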