Hi Joe,
Just came back from Florida and I'm trying to work off the pile
of emails in my inbox. So I'll be replying with huge delays the
next few days.
> I'm adding filter rules to the configure script. The rules
> are layered this way
>
> top layer: if packet for VIP -j lvs_rules
> lvs_rules: if packet for lvs service_1 (eg telnet) -j ACCEPT
> if packet for lvs service_2 (eg http) -j ACCEPT
>
> I've done it in two layers so that I can add to lvs_rules as
> each service is configured.
Good idea. Did you add the policy DENY to INPUT and OUTPUT chains?
Because if not, you're going to open all incoming connections to
the LVS box.
> If I now telnet to the VIP in a working LVS, I would expect packets
> to go through the telnet rule in lvs_rules, but if I list the
> number of packets with
>
> $iptables -L -v
>
> I see packets only in the INPUT and OUTPUT chains, but not in the FORWARD
> or lvs_rules chains. Have I done something wrong?
Hmm, what does the ruleset look like? If you're dealing with netfilter,
packets don't travel through all chains anymore. Julian once wrote
something about it:
packets coming from outside to the LVS do:
PRE_ROUTING -> LOCAL_IN(LVS in) -> POST_ROUTING
packets leaving the LVS travel:
PRE_ROUTING -> FORWARD(LVS out) -> POST_ROUTING
From the iptables howto:
COMPATIBILITY WITH IPCHAINS
This iptables is very similar to ipchains by Rusty Russell. The main
difference is that the chains INPUT and OUTPUT are only traversed for
packets coming into the local host and originating from the local host
respectively. Hence every packet only passes through one of the three
chains; previously a forwarded packet would pass through all three.
> I remember reading that you can test your filter rules by running a command
> with the parameters of some hypothetical packet and the output will show
> the path through the rules. I can't find it in the iptables HOWTO's or with
> google. Anyone know how to do this?
It's the same syntax as with ipchains, more or less, iptables -C should work.
Funny enough, I wasn't able to find it in my man-page. So if you write it to
Rusty and send a patch you get at least 10 credit points and will have a place
in his hall of fame :)
> Julian, Ratz,
> Are you guys planning on adding stats by service to the code sometime?
It's there unless I don't understand the 'by service'. It's the lines below
Virtual Service. Are you looking for something else?
Best regards,
Roberto Nibali, ratz
--
mailto: `echo NrOatSz@xxxxxxxxx | sed 's/[NOSPAM]//g'`
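The two-layer ruleset from the quoted message, with the default DROP policy Roberto asks about and the VIP jump hung off INPUT (where netfilter delivers LVS traffic, per the traversal above), as an added example that is not code from either poster. The VIP 10.0.0.1 and the service list are constructed; the script only prints the iptables commands unless IPT=iptables is set.

```sh
#!/bin/sh
# Generator for the layered LVS filter rules. IPT defaults to "echo iptables"
# so the script is a dry run; export IPT=iptables to apply the rules.
IPT="${IPT:-echo iptables}"

# lvs_ruleset VIP name:port ...
# Emits the top layer (VIP -> lvs_rules) and one ACCEPT per service.
lvs_ruleset() {
    vip="$1"; shift

    # Default policy DROP: without it, anything not matched by the VIP rule
    # is still accepted and the director itself is wide open.
    # Rules for the director's own traffic (ssh, DNS, replies) must be
    # added before applying this on a real box.
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP

    # Top layer: packets addressed to the VIP jump to lvs_rules. LVS picks
    # these packets up in LOCAL_IN, so the jump belongs in INPUT; a chain
    # hung off FORWARD never sees them.
    $IPT -N lvs_rules
    $IPT -A INPUT -d "$vip" -j lvs_rules

    # Second layer: one ACCEPT per configured service, appended as each
    # service is set up. Anything else for the VIP returns to INPUT and
    # is dropped by the policy.
    for svc in "$@"; do
        port="${svc#*:}"
        $IPT -A lvs_rules -p tcp -d "$vip" --dport "$port" -j ACCEPT
    done
}

# Constructed sample: one VIP serving telnet and http.
lvs_ruleset 10.0.0.1 telnet:23 http:80
```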