[Firehol-support] transparent proxy with UNROUTABLE_IPS

Costa Tsaousis costa at tsaousis.gr
Thu Jan 19 22:03:37 GMT 2006


Max Kutny wrote:

>Reverting back to the problem: could you be so kind to confirm that on
>your kernel & iptables configuration interface name is set to 'lo'
>before nat table is processed? What kernel/iptables do you use?
>
>  
>
I use kernel 2.6.14-gentoo-r5 with iptables 1.3.4

>Could it be possible to add 'trace' helper to firehol configurations
>that inserts 'LOG'  target at the beginning of every chain so it's
>easy to see how packets travers tables and chains? It would simplify
>root cause analysis of such problems.
>  
>
No need for a helper...
Start the firewall, then run this script. It generates LOG entries for 
all tables and every chain within each table.
Be prepared: this generates A LOT of logs even for a single packet.
To stop the logging, restart the firewall.

---
#!/bin/bash

for t in `cat /proc/net/ip_tables_names`
do
   for c in `iptables -t $t -nL | grep "^Chain " | cut -d ' ' -f 2`
   do
      iptables -t $t -I $c -j LOG --log-prefix "${t:0:8}/${c:0:20}" 
--log-tcp-sequence --log-tcp-options --log-ip-options --log-uid
   done
done
---

Costa





More information about the Firehol-support mailing list