So I added
sudo iptables -t raw -A PREROUTING -p tcp --dport 25 -j TRACE
as well as
sudo iptables -t raw -A OUTPUT -p tcp --dport 25 -j TRACE
and when I grep my syslog for TRACE I get output that looks like this
Jan 19 09:14:46 dev109 kernel: [29067248.683235] TRACE: raw:OUTPUT:rule:2 IN= OUT=eth0 ...
Jan 19 09:14:46 dev109 kernel: [29067248.683244] TRACE: raw:OUTPUT:policy:5 IN= OUT=eth0 ...
Jan 19 09:14:46 dev109 kernel: [29067248.683254] TRACE: mangle:OUTPUT:policy:1 IN= OUT=eth0 ...
Jan 19 09:14:46 dev109 kernel: [29067248.683262] TRACE: filter:OUTPUT:policy:1 ...
Jan 19 09:14:46 dev109 kernel: [29067248.683269] TRACE: mangle:POSTROUTING:policy:1 ...
Jan 19 09:14:46 dev109 kernel: [29067248.683432] TRACE: raw:OUTPUT:rule:4 IN= OUT=eth0 ...
Jan 19 09:14:46 dev109 kernel: [29067248.683441] TRACE: raw:OUTPUT:policy:5 IN= OUT=eth0 ...
I am trying to understand what the policy numbers refer to. Is policy:1 == ACCEPT? If so, what does policy:5 mean?
The Mangle Table. The mangle table is used to alter the IP headers of the packet in various ways. For instance, you can adjust the TTL (Time to Live) value of a packet, either lengthening or shortening the number of valid network hops the packet can sustain.
It works by interfacing with the packet filtering hooks in the Linux kernel's networking stack. It's these kernel hooks that are collectively referred to as the netfilter framework. Every incoming/outgoing packet in the system will trigger these hooks as it progresses through the stack.
Run iptables -L -v (add -t nat for NAT rules), and you'll see packet and byte counters next to each of your rules. That'll show you which of your rules was the cause of a particular packet being accepted/rejected (whichever counter increased is the cause).
policy:1 is type:rulenum. Or put another way, type="policy" and rulenum=1.
Read this carefully. Specifically:
TRACE This target marks packets so that the kernel will log every rule which match the packets as those traverse the tables, chains, rules. (The ipt_LOG or ip6t_LOG module is required for the logging.) The packets are logged with the string prefix:
"TRACE: tablename:chainname:type:rulenum " where type can be "rule" for plain rule, "return" for implicit rule at the end of a user defined chain and "policy" for the policy of the built in chains. It can only be used in the raw table.
Now let's take one of the prefixes from the question, TRACE: mangle:OUTPUT:policy:1, and apply what we've learned:
tablename = mangle
chainname = OUTPUT
type = policy
rulenum = 1
I want to provide a simple explanation based off of the answer written by @OscarAkaElvis and others.
Every chain has a default policy, which can be seen if you print out rules. Here, we can see that the INPUT chain in the filter table has a default policy of ACCEPT:
# iptables -L -t filter
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere /* 000 accept all icmp */
ACCEPT all -- anywhere anywhere /* 001 accept all to lo interface */
REJECT all -- anywhere 127.0.0.0/8 /* 002 reject local traffic not on loopback interface */ reject-with icmp-port-unreachable
As stated in https://backreference.org/2010/06/11/iptables-debugging/ , the format for the log message is TRACE: tablename:chainname:type:rulenum.
For policies, the last part of the format is type:rulenum. The rulenum number refers to the default rule for the policy, which is the last rule. It's basically "the number of rules that you added to the chain" + 1.
Here are two explanations using the chains put forth in the original question:
mangle:OUTPUT:policy:1
This chain (mangle:OUTPUT) contains no rules. The default rule is the first and only rule. Therefore the number is :1.
raw:OUTPUT:policy:5
This chain contains 4 rules. Therefore, the default is rule #5.
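As an added example (not code from any of the answers above), a small Python parser that splits each TRACE syslog line into its tablename:chainname:type:rulenum fields, reconstructs the packet's path through the tables, and, for policy entries, derives how many explicit rules the chain held (rulenum - 1), as the last answer describes. The sample lines are constructed after the question's excerpt; the SRC/DST values are made up.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample log, modelled on the question's syslog excerpt.
# Addresses are made up; the last line is a non-TRACE kernel message.
SAMPLE_LOG = """\
Jan 19 09:14:46 dev109 kernel: [29067248.683235] TRACE: raw:OUTPUT:rule:2 IN= OUT=eth0 SRC=10.0.0.5 DST=10.0.0.9
Jan 19 09:14:46 dev109 kernel: [29067248.683244] TRACE: raw:OUTPUT:policy:5 IN= OUT=eth0 SRC=10.0.0.5 DST=10.0.0.9
Jan 19 09:14:46 dev109 kernel: [29067248.683254] TRACE: mangle:OUTPUT:policy:1 IN= OUT=eth0 SRC=10.0.0.5 DST=10.0.0.9
Jan 19 09:14:46 dev109 kernel: [29067248.683262] TRACE: filter:OUTPUT:policy:1 IN= OUT=eth0 SRC=10.0.0.5 DST=10.0.0.9
Jan 19 09:14:46 dev109 kernel: [29067248.683269] TRACE: mangle:POSTROUTING:policy:1 IN= OUT=eth0 SRC=10.0.0.5 DST=10.0.0.9
Jan 19 09:14:46 dev109 kernel: [29067248.700000] eth0: link is up
"""

# Prefix format from the iptables-extensions man page: TRACE: table:chain:type:rulenum
TRACE_RE = re.compile(
    r"TRACE: (?P<table>\w+):(?P<chain>\w+):(?P<kind>rule|return|policy):(?P<rulenum>\d+)"
)


@dataclass
class TraceEntry:
    table: str
    chain: str
    kind: str      # "rule" (explicit match), "return" (end of user chain) or "policy"
    rulenum: int

    def describe(self) -> str:
        if self.kind == "policy":
            # rulenum for a policy is "rules in chain + 1", so rulenum - 1 rules were passed.
            return f"{self.table}:{self.chain}: no match in {self.rulenum - 1} rule(s), default policy applied"
        if self.kind == "return":
            return f"{self.table}:{self.chain}: implicit RETURN at slot {self.rulenum} of user-defined chain"
        return f"{self.table}:{self.chain}: matched rule #{self.rulenum}"


def parse_trace_line(line: str) -> Optional[TraceEntry]:
    """Return a TraceEntry for a TRACE syslog line, or None for any other line."""
    m = TRACE_RE.search(line)
    if m is None:
        return None
    return TraceEntry(m["table"], m["chain"], m["kind"], int(m["rulenum"]))


def rules_in_chain(entry: TraceEntry) -> Optional[int]:
    """For a policy entry, the number of explicit rules the chain held when traced."""
    return entry.rulenum - 1 if entry.kind == "policy" else None


def packet_path(log: str) -> List[TraceEntry]:
    """Ordered list of table:chain hops taken by the packet, non-TRACE lines skipped."""
    return [e for e in map(parse_trace_line, log.splitlines()) if e is not None]


if __name__ == "__main__":
    for entry in packet_path(SAMPLE_LOG):
        print(entry.describe())
```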