It is imperative that you understand the theory in the Firewall primer if you are going to troubleshoot iptables firewall rules. If you have not read that section, or do not understand it, don't even bother reading this.
Troubleshooting or debugging is one of the hardest things to learn because "humanoid carbon units" are biased by their knowledge whereas machines are not. Who said that? (1)
Both Coyote Linux and Brazil Firewall create intermediate files when you fill in those firewall configuration forms. Reloading the firewall converts these to iptables commands, flushes all the rules, and executes the iptables commands. They look like the following when edited. Many people enter rules this way and quote them like this in the forums. Forget these files. You need to look at the filter tables and their chains.

auto Y tcp 80 192.168.0.10 # Example - WWW
port N 192.168.0.10 tcp 8000 80 # Example - WWW redirect
In the BrazilFW webadmin Diagnostic Tools there are two items: "Active Firewall Rules" and "Active Firewall Rules - nat". These are what we are interested in.
Coyote Linux users: when you click these links there is a %20-v missing from the URL. Add it to the end. You can make this permanent by editing and saving /var/http/htdocs/cgi-bin/diags.cgi
http://192.168.0.1:8180/cgi-bin/diags.cgi?COMMAND=/usr/sbin/iptables%20-L%20-n%20-v
A user wants to block all ports for an IP except WWW and SMTP and submits what he is trying. At first glance the problem is obvious: rule 1 blocks everything from that IP, so the later permit rules are never reached and there is no point looking at the Active Firewall Rules.

access Y deny all 192.168.0.22 any all #restricted pc
access Y permit all 192.168.0.22 any 25 #restricted pc
access Y permit all 192.168.0.22 any 80 #restricted pc
A second attempt is made where I suggest putting the deny rule at the end. Sounds good: allow 25 and 80 but deny everything else. The result was that nothing was blocked. It does not seem possible!

access Y permit all 192.168.0.22 any 25 #restricted pc
access Y permit all 192.168.0.22 any 80 #restricted pc
access Y deny all 192.168.0.22 any all #restricted pc
Let's analyse the rules created and see what happens when packets are matched against them. The first rule in chain access-acl below has a target of ACCEPT for packets of all (any) protocols, in on any interface, out to any interface (* means any), from source IP 192.168.0.22 to any destination (0.0.0.0/0 represents any). Notice the 3 packets (pkts) counted by the access-acl jump in FORWARD (the rest are zero). It is the same number as rule 1 in the access-acl chain, meaning the packets never went back to FORWARD because they were accepted there.
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
3 144 access-acl all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 autofw-acl all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 portfw-acl all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 user-filter all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 port-filter all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
0 0 DROP all -- eth1 * 0.0.0.0/0 0.0.0.0/0 state NEW
Chain access-acl (1 references)
pkts bytes target prot opt in out source destination
3 144 ACCEPT all -- * * 192.168.0.22 0.0.0.0/0
0 0 ACCEPT all -- * * 192.168.0.22 0.0.0.0/0
0 0 REJECT all -- * * 192.168.0.22 0.0.0.0/0 reject-with icmp-port-unreachable
That's the answer to why nothing is blocked for 192.168.0.22, but where's the reference to ports 25 and 80? There is none, because the wrong format was used when editing the Configuration File with the user's rules above. You can't specify a port number when using the all protocol parameter. Remember the "humanoid carbon units" being biased statement? When I read the rules presented in the correct order I saw "allow 25 and 80 but deny everything else". The computer did not. Trust the iptables listing and not what you think you see.
This would not have happened if the rules had been entered via the forms in Webadmin.
Here is the correct way along with the rules created. Notice tcp instead of all.

access Y permit tcp 192.168.0.22 any 25 #restricted pc
access Y permit tcp 192.168.0.22 any 80 #restricted pc
access Y deny all 192.168.0.22 any all #restricted pc

Look at the packet count for rule 2 in the access-acl chain. It is the same as the access-acl count in FORWARD, which means the packets did not match rule 1 (port 25) but matched rule 2 (port 80) and were accepted. Any port other than 25 and 80 will be blocked by the third rule. No need to show it.
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
3 144 access-acl all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 autofw-acl all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 portfw-acl all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 user-filter all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 port-filter all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
0 0 DROP all -- eth1 * 0.0.0.0/0 0.0.0.0/0 state NEW
Chain access-acl (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 192.168.0.22 0.0.0.0/0 tcp dpt:25
3 144 ACCEPT tcp -- * * 192.168.0.22 0.0.0.0/0 tcp dpt:80
0 0 REJECT all -- * * 192.168.0.22 0.0.0.0/0 reject-with icmp-port-unreachable
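As an added example (not Coyote Linux or BrazilFW code), the following Python reads an `iptables -L -n -v` listing the way the text above does by hand: it pairs each jump counter in FORWARD with the packets the user chain terminated itself, and flags host-scoped ACCEPT rules that carry no port match, which is exactly what "permit all ... 25" in the Configuration File produced. The sample listing is constructed from the broken second attempt above, trimmed to the two chains that matter.

```python
import re

# Constructed sample: the article's broken second attempt, FORWARD and access-acl only.
LISTING = """\
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    3   144 access-acl all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED

Chain access-acl (1 references)
 pkts bytes target     prot opt in     out     source               destination
    3   144 ACCEPT     all  --  *      *       192.168.0.22         0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       192.168.0.22         0.0.0.0/0
    0     0 REJECT     all  --  *      *       192.168.0.22         0.0.0.0/0            reject-with icmp-port-unreachable
"""

TERMINATING = {"ACCEPT", "DROP", "REJECT"}  # targets that end traversal inside a user chain

def parse_listing(text):
    """Return {chain: [rule dict, ...]} from `iptables -L -n -v` output."""
    chains, current = {}, None
    for line in text.splitlines():
        m = re.match(r"Chain (\S+)", line)
        if m:
            current = m.group(1)
            chains[current] = []
        elif line.strip() and not line.lstrip().startswith("pkts") and current:
            f = line.split(None, 9)  # pkts bytes target prot opt in out src dst [extra]
            chains[current].append({"pkts": int(f[0]), "target": f[2], "prot": f[3],
                                    "src": f[7], "extra": f[9] if len(f) > 9 else ""})
    return chains

def reconcile(chains, parent="FORWARD"):
    """For every jump in `parent`, pair the jump counter with the packets the user
    chain terminated itself. Equal numbers mean nothing fell back to `parent`."""
    out = {}
    for r in chains[parent]:
        if r["target"] in chains:  # a jump to a user chain
            stopped = sum(x["pkts"] for x in chains[r["target"]] if x["target"] in TERMINATING)
            out[r["target"]] = (r["pkts"], stopped)
    return out

def shadowing_accepts(chains, chain):
    """1-based positions of host-scoped ACCEPT rules with prot 'all' and no port
    match: every later rule for that host in the chain is dead."""
    return [i + 1 for i, r in enumerate(chains[chain])
            if r["target"] == "ACCEPT" and r["prot"] == "all"
            and r["src"] != "0.0.0.0/0" and "dpt:" not in r["extra"]]
```

Run `reconcile(parse_listing(LISTING))` on the corrected listing instead and the pair stays (3, 3), but `shadowing_accepts` returns nothing because the ACCEPT rules now carry `tcp dpt:25` and `tcp dpt:80`.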
If you want to zero out the counters (like I did), replace the %20-v in the URL line of the diagnostics tool with %20-Z, hit enter, then restore it to %20-v.
Now watch traffic from another IP address. The access-acl rule in FORWARD has 3 more packets but there is no change in the access-acl chain. You can see the 3 packets making it all the way through the rest of the rules in FORWARD and finally being accepted by the default policy.
Chain FORWARD (policy ACCEPT 3 packets, 144 bytes)
pkts bytes target prot opt in out source destination
6 288 access-acl all -- * * 0.0.0.0/0 0.0.0.0/0
3 144 autofw-acl all -- * * 0.0.0.0/0 0.0.0.0/0
3 144 portfw-acl all -- * * 0.0.0.0/0 0.0.0.0/0
3 144 user-filter all -- * * 0.0.0.0/0 0.0.0.0/0
3 144 port-filter all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
0 0 DROP all -- eth1 * 0.0.0.0/0 0.0.0.0/0 state NEW
Chain access-acl (1 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- * * 192.168.0.22 0.0.0.0/0 tcp dpt:25
3 144 ACCEPT tcp -- * * 192.168.0.22 0.0.0.0/0 tcp dpt:80
0 0 REJECT all -- * * 192.168.0.22 0.0.0.0/0 reject-with icmp-port-unreachable
When you read the iptables listing, ignore the order in which the user chains are listed. It's the order in the FORWARD chain that counts. The INPUT and OUTPUT chains and the empty user chains are not shown.
The tests were conducted in a controlled environment to produce these results. You would not see nice clean numbers like this in a live environment because they would change too rapidly.
1 - I did.

DISCLAIMER: The following instructions come with no warranty. Use at your own discretion and risk. I am not responsible for misuse, damages, or losses that can be caused directly or indirectly. It is assumed that you practice safe computing and take backups before making changes.
Everything written here presumes you understand the principles outlined in the firewall primer.
Use the Forums for support so everyone can share the information.
Copyright for the writing. The ideas and code are free. Robert Bonomo