doc:recipes:iptables-log
This wiki is read only and for archival purposes only. Please use the new OpenWrt wiki at https://openwrt.org/

TODO(risk): write up tcpdump.

Often, we'll have configuration and networking issues….

Troubleshooting basic connectivity

There are several basic things that it helps to keep in mind when troubleshooting networking.

1. Most people think of networks as collections of connections; think of packets instead.

Network engineers more often think of networks as streams of packets. Each packet is just a collection of bytes; almost always the first few bytes, the header, carry the packet's destination and source.

2. Every host on the network, even your laptop and your phone, is also a router (a very simple one).

For example, when they want to start talking to the internet, they create a packet, and then they have to decide where to route that packet (out of which physical network interface).

3. Every host on the network, even your laptop and your phone, is also a firewall (a very simple one).

For example, they look at a packet and decide whether to accept it or reject it.

ethernet / ip switching and basic routing in 5min

todo(risk): find some 1-2 minute crashcourse videos, e.g. what a subnet is, what's a hub/switch, what's a gateway route .. what's a route …

@risk: A video like this one? http://warriorsofthe.net/

Internet is a yarn of wet string and magic

One thing you can always fall back to is looking at the packets as they come into the network interface, and as they go out.

Even if you can't understand the contents, having them and showing them to someone who can is usually enough to figure out how to get things working again.

In some cases, looking at even a single incoming packet is enough to detect "evil ISP" behavior.

To capture the contents so that either you or a friend can look at them, you can use tools such as tcpdump, or even the linux firewall itself through iptables -j LOG.

Examples

tcpdump

tcpdump -ni eth0.2 port 53

iptables

Refer to this diagram to see how packets traverse the linux firewall: http://www.linuxhomenetworking.com/wiki/images/f/f0/Iptables.gif

to enable logging of outgoing dns udp packets (POSTROUTING matches on the output interface with -o, not -i; the mangle table is used because the nat table only sees the first packet of each connection):

iptables -t mangle -A POSTROUTING -o eth0.2 -p udp --dport 53 -j LOG

to enable logging of incoming dns udp packets:

iptables -t mangle -I PREROUTING -i eth0.2 -p udp --sport 53 -j LOG

to view the logged packets use dmesg or logread -f

to generate internet packets / requests so there is something to capture:

ping www.google.com
# or
nslookup www.google.com 8.8.8.8

to disable logging (the -D rule must match the rule that was added exactly):

iptables -t mangle -D POSTROUTING -o eth0.2 -p udp --dport 53 -j LOG
iptables -t mangle -D PREROUTING -i eth0.2 -p udp --sport 53 -j LOG
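As an added example (not part of the original page), the two LOG rules above with a --log-prefix on each, plus a small checker for the resulting logread lines: it records which resolver each outgoing query was sent to (DST of the DNS-OUT line) and reports any DNS answer (DNS-IN line) whose SRC is an address that was never queried, which is one way "evil ISP" style DNS tampering shows up in these logs. The prefixes and the sample log lines are constructed for this example.

```shell
#!/bin/sh
# Example, not from the wiki page: tagged LOG rules plus a checker for their output.

# Commands to install the rules on the router (eth0.2 = WAN, as on this page).
# --log-prefix tags each line so the checker can tell direction apart.
# Pipe the output to sh on the router to apply them.
dns_log_rules() {
    echo "iptables -t mangle -A POSTROUTING -o eth0.2 -p udp --dport 53 -j LOG --log-prefix 'DNS-OUT: '"
    echo "iptables -t mangle -I PREROUTING -i eth0.2 -p udp --sport 53 -j LOG --log-prefix 'DNS-IN: '"
}

# Reads LOG lines on stdin. Every DNS-OUT line records DST=<resolver we asked>.
# A DNS-IN line whose SRC is not one of those resolvers is printed: an answer
# arrived from an address this router never sent a query to.
find_unexpected_dns_answers() {
    awk '
        {
            src = ""; dst = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DST=/) dst = substr($i, 5)
            }
            if ($0 ~ /DNS-OUT: /) asked[dst] = 1
            else if ($0 ~ /DNS-IN: / && !(src in asked)) print src
        }' | sort -u
}

# Constructed sample of what logread -f shows for these rules (MAC= fields omitted).
SAMPLE_LOG='Thu Oct 13 13:07:01 2016 kern.warn kernel: [ 100.1] DNS-OUT: IN= OUT=eth0.2 SRC=203.0.113.2 DST=8.8.8.8 LEN=60 PROTO=UDP SPT=40123 DPT=53
Thu Oct 13 13:07:01 2016 kern.warn kernel: [ 100.2] DNS-IN: IN=eth0.2 OUT= SRC=8.8.8.8 DST=203.0.113.2 LEN=120 PROTO=UDP SPT=53 DPT=40123
Thu Oct 13 13:07:02 2016 kern.warn kernel: [ 100.3] DNS-IN: IN=eth0.2 OUT= SRC=198.51.100.9 DST=203.0.113.2 LEN=90 PROTO=UDP SPT=53 DPT=40124'

# Runs the checker over the constructed sample; on a router use:
#   logread -f | find_unexpected_dns_answers
unexpected_dns_answers_from_sample() {
    printf '%s\n' "$SAMPLE_LOG" | find_unexpected_dns_answers
}
```

The third sample line is the one flagged: an answer on source port 53 from 198.51.100.9, an address no DNS-OUT line ever queried.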

other things to keep in mind

  • Openwrt (like most routers) modifies the contents of packets as they flow through the router (decrementing the ttl, doing nat, etc).
  • Sometimes a router modifies a packet based only on that single packet; sometimes seeing a packet makes it remember things and keep state (ie. in a stateful firewall), and that state might impact future routing and firewalling decisions.
doc/recipes/iptables-log.txt · Last modified: 2016/10/13 13:07 by yminus