Re: [Shorewall-users] providers track option and rtrules

Sat, 12 Sep 2015 16:05:35 -0700 


> We still need the iptrace output. That output is directed according to

> the current setting of LOG_BACKEND. If you want the output to be handled
> by syslog-ng, use LOG_BACKEND=LOG.



My LOG_BACKEND= is blank and I wrongly thought the default was LOG.
So before I read your reply I ran:
sysctl net.netfilter.nf_log.2=nf_log_ipv4
because it was set to nfnetlink_log.

So now I finally have TRACE messages.

The only change from my previous post is in the mangle file:

MARK(2):P       10.215.144.0/22 10.215.224.0/20 all
MARK(2):P       10.215.246.0/23 10.215.224.0/20 all
MARK(2):P       10.215.248.0/24 10.215.224.0/20 all
MARK(3):P       10.215.247.194  10.215.236.221 all

and I'm ping'ing from 10.215.246.24 to 10.215.237.237 (failed).

The TRACE messages follow:

Sep 13 00:43:13 inf-fw3 kernel: TRACE: raw:PREROUTING:policy:13 IN=enp5s3 OUT= 
MAC=00:30:6e:d7:61:18:52:54:00:c7:c0:9a:08:00 SRC=10.215.246.24 
DST=10.215.237.237 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=1387 PROTO=ICMP TYPE=8 
CODE=0 ID=512 SEQ=28938
Sep 13 00:43:13 inf-fw3 kernel: TRACE: mangle:PREROUTING:rule:1 IN=enp5s3 OUT= 
MAC=00:30:6e:d7:61:18:52:54:00:c7:c0:9a:08:00 SRC=10.215.246.24 
DST=10.215.237.237 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=1387 PROTO=ICMP TYPE=8 
CODE=0 ID=512 SEQ=28938
Sep 13 00:43:13 inf-fw3 kernel: TRACE: mangle:PREROUTING:rule:8 IN=enp5s3 OUT= 
MAC=00:30:6e:d7:61:18:52:54:00:c7:c0:9a:08:00 SRC=10.215.246.24 
DST=10.215.237.237 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=1387 PROTO=ICMP TYPE=8 
CODE=0 ID=512 SEQ=28938
Sep 13 00:43:13 inf-fw3 kernel: TRACE: mangle:tcpre:rule:2 IN=enp5s3 OUT= 
MAC=00:30:6e:d7:61:18:52:54:00:c7:c0:9a:08:00 SRC=10.215.246.24 
DST=10.215.237.237 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=1387 PROTO=ICMP TYPE=8 
CODE=0 ID=512 SEQ=28938
Sep 13 00:43:13 inf-fw3 kernel: TRACE: mangle:tcpre:return:5 IN=enp5s3 OUT= 
MAC=00:30:6e:d7:61:18:52:54:00:c7:c0:9a:08:00 SRC=10.215.246.24 
DST=10.215.237.237 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=1387 PROTO=ICMP TYPE=8 
CODE=0 ID=512 SEQ=28938 MARK=0x2
Sep 13 00:43:13 inf-fw3 kernel: TRACE: mangle:PREROUTING:policy:9 IN=enp5s3 
OUT= MAC=00:30:6e:d7:61:18:52:54:00:c7:c0:9a:08:00 SRC=10.215.246.24 
DST=10.215.237.237 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=1387 PROTO=ICMP TYPE=8 
CODE=0 ID=512 SEQ=28938 MARK=0x2
Sep 13 00:43:13 inf-fw3 kernel: TRACE: nat:PREROUTING:policy:2 IN=enp5s3 OUT= 
MAC=00:30:6e:d7:61:18:52:54:00:c7:c0:9a:08:00 SRC=10.215.246.24 
DST=10.215.237.237 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=1387 PROTO=ICMP TYPE=8 
CODE=0 ID=512 SEQ=28938 MARK=0x2
Sep 13 00:43:13 inf-fw3 kernel: TRACE: mangle:FORWARD:rule:1 IN=enp5s3 
OUT=enp5s3 MAC=00:30:6e:d7:61:18:52:54:00:c7:c0:9a:08:00 SRC=10.215.246.24 
DST=10.215.237.237 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=1387 PROTO=ICMP TYPE=8 
CODE=0 ID=512 SEQ=28938 MARK=0x2
Sep 13 00:43:13 inf-fw3 kernel: TRACE: mangle:FORWARD:rule:2 IN=enp5s3 
OUT=enp5s3 MAC=00:30:6e:d7:61:18:52:54:00:c7:c0:9a:08:00 SRC=10.215.246.24 
DST=10.215.237.237 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=1387 PROTO=ICMP TYPE=8 
CODE=0 ID=512 SEQ=28938
Sep 13 00:43:13 inf-fw3 kernel: TRACE: mangle:tcfor:return:1 IN=enp5s3 
OUT=enp5s3 MAC=00:30:6e:d7:61:18:52:54:00:c7:c0:9a:08:00 SRC=10.215.246.24 
DST=10.215.237.237 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=1387 PROTO=ICMP TYPE=8 
CODE=0 ID=512 SEQ=28938
Sep 13 00:43:13 inf-fw3 kernel: TRACE: mangle:FORWARD:policy:3 IN=enp5s3 
OUT=enp5s3 MAC=00:30:6e:d7:61:18:52:54:00:c7:c0:9a:08:00 SRC=10.215.246.24 
DST=10.215.237.237 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=1387 PROTO=ICMP TYPE=8 
CODE=0 ID=512 SEQ=28938
Sep 13 00:43:13 inf-fw3 kernel: TRACE: filter:FORWARD:rule:2 IN=enp5s3 
OUT=enp5s3 MAC=00:30:6e:d7:61:18:52:54:00:c7:c0:9a:08:00 SRC=10.215.246.24 
DST=10.215.237.237 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=1387 PROTO=ICMP TYPE=8 
CODE=0 ID=512 SEQ=28938
Sep 13 00:43:13 inf-fw3 kernel: TRACE: filter:lan_frwd:rule:2 IN=enp5s3 
OUT=enp5s3 MAC=00:30:6e:d7:61:18:52:54:00:c7:c0:9a:08:00 SRC=10.215.246.24 
DST=10.215.237.237 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=1387 PROTO=ICMP TYPE=8 
CODE=0 ID=512 SEQ=28938
Sep 13 00:43:13 inf-fw3 kernel: TRACE: filter:lan-lan:rule:1 IN=enp5s3 
OUT=enp5s3 MAC=00:30:6e:d7:61:18:52:54:00:c7:c0:9a:08:00 SRC=10.215.246.24 
DST=10.215.237.237 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=1387 PROTO=ICMP TYPE=8 
CODE=0 ID=512 SEQ=28938
Sep 13 00:43:13 inf-fw3 kernel: TRACE: filter:dynamic:return:1 IN=enp5s3 
OUT=enp5s3 MAC=00:30:6e:d7:61:18:52:54:00:c7:c0:9a:08:00 SRC=10.215.246.24 
DST=10.215.237.237 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=1387 PROTO=ICMP TYPE=8 
CODE=0 ID=512 SEQ=28938
Sep 13 00:43:13 inf-fw3 kernel: TRACE: filter:lan-lan:return:4 IN=enp5s3 
OUT=enp5s3 MAC=00:30:6e:d7:61:18:52:54:00:c7:c0:9a:08:00 SRC=10.215.246.24 
DST=10.215.237.237 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=1387 PROTO=ICMP TYPE=8 
CODE=0 ID=512 SEQ=28938
Sep 13 00:43:13 inf-fw3 kernel: TRACE: mangle:POSTROUTING:rule:1 IN= OUT=enp5s3 
SRC=10.215.246.24 DST=10.215.237.237 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=1387 
PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=28938
Sep 13 00:43:13 inf-fw3 kernel: TRACE: mangle:tcpost:return:1 IN= OUT=enp5s3 
SRC=10.215.246.24 DST=10.215.237.237 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=1387 
PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=28938
Sep 13 00:43:13 inf-fw3 kernel: TRACE: mangle:POSTROUTING:policy:2 IN= 
OUT=enp5s3 SRC=10.215.246.24 DST=10.215.237.237 LEN=60 TOS=0x00 PREC=0x00 
TTL=127 ID=1387 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=28938
Sep 13 00:43:13 inf-fw3 kernel: TRACE: nat:POSTROUTING:policy:1 IN= OUT=enp5s3 
SRC=10.215.246.24 DST=10.215.237.237 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=1387 
PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=28938

Anyway, I'm attaching a shorewall dump.

Vieri

Attachment: dump.gz
Description: application/gzip

------------------------------------------------------------------------------

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users

Reply via email to