[Shorewall-users] Shorewall iptrace not working
James Andrewartha
2014-09-24 08:13:17 UTC
Hi,

I'm running Shorewall 4.6.2.2 on Debian 7.6 (wheezy) with Linux
3.2.60-1+deb7u3, and shorewall iptrace doesn't work - no output appears
in the kernel log. It wasn't working back when I was running 4.5.5.3
(the version shipped with wheezy) which is one reason I upgraded. IIRC
it did work for a day or two after I last rebooted. The TRACE entry does
show up in the raw table.

I realise it's probably more of a kernel issue, but I thought I'd ask
here first and see if anyone had any suggestions for what I could
investigate. It's also coming up to school holidays so I can perform
some more in-depth debugging if necessary.

http://pastebin.com/Uc4Vc4H6 has shorewall version and ip (addr|route)
show per the support guide. The system is the core firewall, it used to
run quagga too but I moved that off to another system after upgrading to
4.6.2.2 as I was still having problems even after adding nohostroute in
shorewall-providers.

Thanks,
--
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877
Tom Eastep
2014-09-24 14:28:49 UTC
Post by James Andrewartha
Hi,
I'm running Shorewall 4.6.2.2 on Debian 7.6 (wheezy) with Linux
3.2.60-1+deb7u3, and shorewall iptrace doesn't work - no output appears
in the kernel log. It wasn't working back when I was running 4.5.5.3
(the version shipped with wheezy) which is one reason I upgraded. IIRC
it did work for a day or two after I last rebooted. The TRACE entry does
show up in the raw table.
I realise it's probably more of a kernel issue, but I thought I'd ask
here first and see if anyone had any suggestions for what I could
investigate. It's also coming up to school holidays so I can perform
some more in-depth debugging if necessary.
Works fine here, but the Shorewall documentation is out of date. Rather
than logging to kern.warning, the TRACE records are now logged to ulogd:

Sep 24 07:27:16 gateway TRACE: mangle:tcpre:return:4 IN=eth2 OUT=
SRC=172.20.1.210 DST=8.8.8.8 LEN=60 TOS=00 PREC=0x00 TTL=65 ID=0 DF
PROTO=UDP SPT=55879 DPT=53 LEN=40
Sep 24 07:27:16 gateway TRACE: mangle:PREROUTING:policy: IN=eth2 OUT=
SRC=172.20.1.210 DST=8.8.8.8 LEN=60 TOS=00 PREC=0x00 TTL=65 ID=0 DF
PROTO=UDP SPT=55879 DPT=53 LEN=40
Sep 24 07:27:16 gateway TRACE: nat:PREROUTING:rule:3 IN=eth2 OUT=
SRC=172.20.1.210 DST=8.8.8.8 LEN=60 TOS=00 PREC=0x00 TTL=65 ID=0 DF
PROTO=UDP SPT=55879 DPT=53 LEN=40
Sep 24 07:27:16 gateway TRACE: nat:loc_dnat:return:3 IN=eth2 OUT=
SRC=172.20.1.210 DST=8.8.8.8 LEN=60 TOS=00 PREC=0x00 TTL=65 ID=0 DF
PROTO=UDP SPT=55879 DPT=53 LEN=40
Sep 24 07:27:16 gateway TRACE: nat:PREROUTING:policy:15 IN=eth2 OUT=
SRC=172.20.1.210 DST=8.8.8.8 LEN=60 TOS=00 PREC=0x00 TTL=65 ID=0 DF
PROTO=UDP SPT=55879 DPT=53 LEN=40
Sep 24 07:27:16 gateway TRACE: mangle:FORWARD:rule:1 IN=eth2 OUT=eth1
SRC=172.20.1.210 DST=8.8.8.8 LEN=60 TOS=00 PREC=0x00 TTL=64 ID=0 DF
PROTO=UDP SPT=55879 DPT=53 LEN=40
Sep 24 07:27:16 gateway TRACE: mangle:accountfwd:rule:4 IN=eth2
OUT=eth1 SRC=172.20.1.210 DST=8.8.8.8 LEN=60 TOS=00 PREC=0x00 TTL=64
ID=0 DF PROTO=UDP SPT=55879 DPT=53 LEN=40

I'll update the documentation.

-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
Thomas D.
2014-09-24 19:27:16 UTC
Hi,
Post by Tom Eastep
Works fine here, but the Shorewall documentation is out of date. Rather
[...]
I'll update the documentation.
This is configurable. To see the current active logger,

# sysctl net.netfilter.nf_log.2
net.netfilter.nf_log.2 = ipt_ULOG

To see a list of all available loggers,

# cat /proc/net/netfilter/nf_log
0 NONE (nfnetlink_log)
1 NONE (nfnetlink_log)
2 ipt_ULOG (nfnetlink_log,ipt_ULOG,ipt_LOG)
3 NONE (nfnetlink_log)
4 NONE (nfnetlink_log)
5 NONE (nfnetlink_log)
6 NONE (nfnetlink_log)
7 NONE (nfnetlink_log)
8 NONE (nfnetlink_log)
9 NONE (nfnetlink_log)
10 ip6t_LOG (nfnetlink_log,ip6t_LOG)
11 NONE (nfnetlink_log)
12 NONE (nfnetlink_log)

Now if you want to log to syslog, set "net.netfilter.nf_log.2" to "ipt_LOG"

# sysctl net.netfilter.nf_log.2=ipt_LOG

...now, TRACE would log to syslog.

For people who may ask about the magic numbers (why 2, why 10, why not 7...),
these are the address family numbers, see
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/include/linux/socket.h



Maybe we can add this to shorewall's configuration, like we can specify other
logging options in shorewall.conf?

What do you and others think?


-Thomas
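The two checks Thomas describes (read the active logger, look at what is loaded, then switch with sysctl) are easy to get wrong when the wanted logger module is not actually loaded for that address family. The following script is an added example and is not part of this thread or of Shorewall: it parses a copy of /proc/net/netfilter/nf_log in the format shown above (the sample is copied from Thomas's listing), reports the active and available loggers per address family, and only emits the sysctl command when the requested logger is really available. The family names come from include/linux/socket.h (AF_INET=2, AF_BRIDGE=7, AF_INET6=10); the function names are my own.

```python
import re

# Constructed sample of /proc/net/netfilter/nf_log, copied in shape from the
# listing in the thread: "<family> <active logger> (<available loggers>)".
SAMPLE_NF_LOG = """\
0 NONE (nfnetlink_log)
1 NONE (nfnetlink_log)
2 ipt_ULOG (nfnetlink_log,ipt_ULOG,ipt_LOG)
3 NONE (nfnetlink_log)
10 ip6t_LOG (nfnetlink_log,ip6t_LOG)
"""

# Address-family numbers from include/linux/socket.h; only the ones that
# matter for netfilter logging are named here.
AF_NAMES = {2: "AF_INET", 7: "AF_BRIDGE", 10: "AF_INET6"}

LINE_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+\(([^)]*)\)\s*$")


def parse_nf_log(text):
    """Return {family: (active_logger, [available_loggers])}."""
    table = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("unexpected nf_log line: %r" % line)
        family = int(m.group(1))
        active = m.group(2)
        available = [name for name in m.group(3).split(",") if name]
        table[family] = (active, available)
    return table


def load_nf_log(path="/proc/net/netfilter/nf_log"):
    """Read and parse the live file on a Linux box (not used by the tests)."""
    with open(path) as fh:
        return parse_nf_log(fh.read())


def logger_switch_plan(text, family, wanted):
    """Decide whether switching family `family` to logger `wanted` is possible.

    Returns (needs_change, sysctl_command_or_None, reason).  The sysctl key is
    the one Thomas uses: net.netfilter.nf_log.<family>.
    """
    table = parse_nf_log(text)
    if family not in table:
        return (False, None, "family %d not registered" % family)
    active, available = table[family]
    if active == wanted:
        return (False, None, "%s already active for family %d" % (wanted, family))
    if wanted not in available:
        # The module is not loaded for this family; writing the sysctl would fail.
        return (False, None, "%s not loaded for family %d (available: %s)"
                % (wanted, family, ",".join(available)))
    return (True, "sysctl net.netfilter.nf_log.%d=%s" % (family, wanted),
            "switch from %s" % active)


def describe(text):
    """Human-readable summary, one line per registered family."""
    lines = []
    for family, (active, available) in sorted(parse_nf_log(text).items()):
        name = AF_NAMES.get(family, "family %d" % family)
        lines.append("%-10s active=%-14s available=%s"
                     % (name, active, ",".join(available)))
    return "\n".join(lines)


if __name__ == "__main__":
    print(describe(SAMPLE_NF_LOG))
    print(logger_switch_plan(SAMPLE_NF_LOG, 2, "ipt_LOG"))
```

Run against the sample, family 2 (AF_INET) reports ipt_ULOG as active with ipt_LOG available, so the plan is the same `sysctl net.netfilter.nf_log.2=ipt_LOG` Thomas gives; asking for ipt_LOG on family 10 is refused because only ip6t_LOG is loaded there.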
Tom Eastep
2014-09-24 20:39:25 UTC
Post by Thomas D.
This is configurable. To see the current active logger,
# sysctl net.netfilter.nf_log.2
net.netfilter.nf_log.2 = ipt_ULOG
To see a list of all available loggers,
Thanks, Thomas
Post by Thomas D.
Maybe we can add this to shorewall's configuration, like we can specify other
logging options in shorewall.conf?
What do you and others think?
I'll give it a look.

-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
James Andrewartha
2014-09-25 07:17:30 UTC
Hi,
Post by Thomas D.
This is configurable. To see the current active logger,
# sysctl net.netfilter.nf_log.2
net.netfilter.nf_log.2 = ipt_ULOG
Hmm, I appear to be using nfnetlink_log currently:

***@antares-a:/etc/shorewall# sysctl net.netfilter.nf_log.2
net.netfilter.nf_log.2 = nfnetlink_log

Although the iptables LOG target still ends up in /var/log/kernel.log:
Sep 25 14:02:59 antares-a kernel: [3547392.348520]
Shwll:logflags:DROP:IN=vlan20 OUT=vlan22
MAC=00:60:dd:45:81:26:a8:88:08:cd:9d:ae:08:00:45:00:00:40
SRC=10.20.252.234 DST=74.125.237.222 LEN=64 TOS=0x00 PREC=0x00 TTL=63
ID=31278 DF PROTO=TCP SPT=51137 DPT=443 WINDOW=65535 RES=0x00 SYN FIN
URGP=0

***@antares-a:/etc/shorewall# iptables -nvL|grep LOG
2323 135K LOG all -- * * 0.0.0.0/0
0.0.0.0/0 LOG flags 4 level 6 prefix "Shwll:logflags:DROP:"
270 18098 LOG all -- * * 0.0.0.0/0
0.0.0.0/0 LOG flags 0 level 6 prefix "Shwll:sfilter:DROP:"
***@antares-a:/etc/shorewall# lsmod|grep LOG
ipt_LOG 12605 2
x_tables 19118 20
xt_TRACE,ip_tables,iptable_filter,xt_conntrack,xt_multiport,iptable_raw,xt_CT,xt_tcpudp,iptable_mangle,xt_mark,xt_addrtype,ipt_REJECT,xt_dscp,iptable_nat,xt_comment,xt_time,xt_iprange,xt_recent,xt_mac,ipt_LOG
Post by Thomas D.
Now if you want to log to syslog, set "net.netfilter.nf_log.2" to "ipt_LOG"
# sysctl net.netfilter.nf_log.2=ipt_LOG
...now, TRACE would log to syslog.
Cool, I've done this and now I can see my beloved TRACE logs again:
Sep 25 15:15:19 antares-a kernel: [3551732.698543] TRACE:
mangle:POSTROUTING:policy:2 IN= OUT=vlan10 SRC=10.22.0.11
DST=10.10.20.21 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=16677 PROTO=ICMP
TYPE=0 CODE=0 ID=17264 SEQ=1
Post by Thomas D.
Maybe we can add this to shorewall's configuration, like we can specify other
logging options in shorewall.conf?
What do you and others think?
It's a good idea, or at least documentation on the fact that various
options exist and the default has changed.

Thanks,
--
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877
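Once TRACE output is reaching a log again, the useful next step is to follow one packet through the tables and chains it hit. The script below is an added example, not part of this thread or of Shorewall: it parses TRACE records in both formats that appear above (Tom's ulogd lines and James's kernel-log lines, re-joined onto single lines since the mail wrapped them), splits the `table:chain:kind:rule` prefix from the packet fields, and groups the records by 5-tuple so each flow's path is listed in order. Repeated keys (the second LEN is the UDP length, the second ID on the ICMP line is the echo identifier) are kept under LEN2/ID2 rather than overwritten; the function names and the flow-key choice are my own.

```python
import re
from collections import OrderedDict

# Sample TRACE records taken from the thread above and re-joined onto one line
# each. The first three are in the ulogd format, the last in kernel-log format.
SAMPLE_TRACE_LINES = [
    "Sep 24 07:27:16 gateway TRACE: mangle:tcpre:return:4 IN=eth2 OUT= "
    "SRC=172.20.1.210 DST=8.8.8.8 LEN=60 TOS=00 PREC=0x00 TTL=65 ID=0 DF "
    "PROTO=UDP SPT=55879 DPT=53 LEN=40",
    "Sep 24 07:27:16 gateway TRACE: mangle:PREROUTING:policy: IN=eth2 OUT= "
    "SRC=172.20.1.210 DST=8.8.8.8 LEN=60 TOS=00 PREC=0x00 TTL=65 ID=0 DF "
    "PROTO=UDP SPT=55879 DPT=53 LEN=40",
    "Sep 24 07:27:16 gateway TRACE: nat:PREROUTING:rule:3 IN=eth2 OUT= "
    "SRC=172.20.1.210 DST=8.8.8.8 LEN=60 TOS=00 PREC=0x00 TTL=65 ID=0 DF "
    "PROTO=UDP SPT=55879 DPT=53 LEN=40",
    "Sep 25 15:15:19 antares-a kernel: [3551732.698543] TRACE: "
    "mangle:POSTROUTING:policy:2 IN= OUT=vlan10 SRC=10.22.0.11 "
    "DST=10.10.20.21 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=16677 PROTO=ICMP "
    "TYPE=0 CODE=0 ID=17264 SEQ=1",
]

# "TRACE: <table>:<chain>:<kind>:<rule>" -- the rule number is empty for the
# "policy" record of a built-in chain, as in the mangle:PREROUTING:policy: line.
HEAD_RE = re.compile(
    r"TRACE:\s+(?P<table>\w+):(?P<chain>[^:\s]+):(?P<kind>\w+):(?P<rule>\d*)\s*(?P<rest>.*)$")


def parse_trace_line(line):
    """Return a dict for a TRACE record, or None for any other log line."""
    m = HEAD_RE.search(line)
    if not m:
        return None
    fields = {}
    flags = []
    for tok in m.group("rest").split():
        if "=" in tok:
            key, _, value = tok.partition("=")   # "OUT=" gives an empty value
            base, n = key, 2
            while key in fields:                 # keep repeats as LEN2, ID2, ...
                key = "%s%d" % (base, n)
                n += 1
            fields[key] = value
        else:
            flags.append(tok)                    # bare tokens such as DF, SYN
    rule = m.group("rule")
    return {
        "table": m.group("table"),
        "chain": m.group("chain"),
        "kind": m.group("kind"),
        "rule": int(rule) if rule else None,
        "fields": fields,
        "flags": flags,
    }


def flow_key(rec):
    """5-tuple used to group records of one packet; ports are empty for ICMP."""
    f = rec["fields"]
    return (f.get("SRC", ""), f.get("DST", ""), f.get("PROTO", ""),
            f.get("SPT", ""), f.get("DPT", ""))


def hop_name(rec):
    name = "%s:%s:%s" % (rec["table"], rec["chain"], rec["kind"])
    if rec["rule"] is not None:
        name += ":%d" % rec["rule"]
    return name


def trace_paths(lines):
    """Map each flow to the ordered list of table:chain:kind[:rule] hops."""
    paths = OrderedDict()
    for line in lines:
        rec = parse_trace_line(line)
        if rec is None:
            continue
        paths.setdefault(flow_key(rec), []).append(hop_name(rec))
    return paths


if __name__ == "__main__":
    for key, hops in trace_paths(SAMPLE_TRACE_LINES).items():
        print("%s -> %s %s %s->%s" % key)
        for hop in hops:
            print("    " + hop)
```

Feeding it the real log is a matter of passing `open("/var/log/kern.log")` (or the ulogd output file) to `trace_paths`; non-TRACE lines such as the Shwll:logflags:DROP record in James's mail are skipped because they never match the TRACE prefix.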