[Firehol-support] transparent proxy with UNROUTABLE_IPS
Costa Tsaousis
costa at tsaousis.gr
Thu Jan 19 22:03:37 GMT 2006
Max Kutny wrote:
>Reverting back to the problem: could you be so kind to confirm that on
>your kernel & iptables configuration interface name is set to 'lo'
>before nat table is processed? What kernel/iptables do you use?
>
I use kernel 2.6.14-gentoo-r5 with iptables 1.3.4
>Could it be possible to add 'trace' helper to firehol configurations
>that inserts 'LOG' target at the beginning of every chain so it's
>easy to see how packets traverse tables and chains? It would simplify
>root cause analysis of such problems.
>
No need for a helper...
Start the firewall, then run this script. It generates LOG entries for
all tables and every chain within each table.
Be prepared: this generates A LOT of logs even for a single packet.
To stop the logging, restart the firewall.
---
#!/bin/bash
# Insert a LOG rule at the top of every chain of every loaded table.
# The prefix names the table/chain (LOG allows at most 29 characters);
# the trailing space keeps it from being fused with the "IN=" field.
for t in $(cat /proc/net/ip_tables_names)
do
    for c in $(iptables -t "$t" -nL | grep "^Chain " | cut -d ' ' -f 2)
    do
        iptables -t "$t" -I "$c" -j LOG --log-prefix "${t:0:8}/${c:0:19} " \
            --log-tcp-sequence --log-tcp-options --log-ip-options --log-uid
    done
done
---
Costa
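Reading the resulting trace by hand is tedious, so here is an added example (not part of Costa's post or of FireHOL) that reconstructs the table/chain path one flow took from such LOG lines. It assumes the prefix was written as "table/chain " with a trailing space and uses constructed, abbreviated log lines; the addresses and the proxy port 3128 are made up.

```bash
#!/bin/bash
# Constructed, abbreviated kernel log lines in the shape the trace script's
# LOG rules produce: one line per chain visited, prefixed "table/chain ".
# Two flows: 10.0.0.5:40000, which a REDIRECT sends to a local proxy port,
# and an unrelated 10.0.0.9 flow that must be filtered out. One line carries
# a printk timestamp to show the parser does not depend on field position.
SAMPLE_LOG='kernel: raw/PREROUTING IN=eth0 OUT= SRC=10.0.0.5 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=40000 DPT=80
kernel: mangle/PREROUTING IN=eth0 OUT= SRC=10.0.0.5 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=40000 DPT=80
kernel: nat/PREROUTING IN=eth0 OUT= SRC=10.0.0.5 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=40000 DPT=80
kernel: raw/PREROUTING IN=eth0 OUT= SRC=10.0.0.9 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=40000 DPT=80
kernel: [ 1234.567890] mangle/INPUT IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.1 LEN=60 PROTO=TCP SPT=40000 DPT=3128
kernel: filter/INPUT IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.1 LEN=60 PROTO=TCP SPT=40000 DPT=3128'

# Print, in log order, each table/chain a flow passed through together with
# the destination it carried at that hop, so a DNAT/REDIRECT rewrite shows up
# as the hop where DST/DPT change. The flow is keyed on SRC and SPT because
# DST is exactly what the nat table may alter along the way.
trace_path() {
    local src="$1" spt="$2"
    printf '%s\n' "$SAMPLE_LOG" |
    awk -v src="SRC=$src" -v spt="SPT=$spt" '
        {
            hop = ""; dst = ""; dpt = ""; hit = 0
            for (i = 1; i <= NF; i++) {
                # the trace prefix is the only field of the form table/chain
                if ($i ~ /^(raw|mangle|nat|filter|security)\//) hop = $i
                else if ($i ~ /^DST=/) dst = $i
                else if ($i ~ /^DPT=/) dpt = $i
                else if ($i == src) hit++
                else if ($i == spt) hit++
            }
            # keep the line only if SRC and SPT both matched exactly
            if (hit == 2 && hop != "") print hop, dst, dpt
        }'
}

trace_path 10.0.0.5 40000
```

On a live box, replace SAMPLE_LOG with the kernel log (e.g. the output of dmesg) to follow a real flow.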