Troubleshooting The Linux Firewall By Inserting A Trace Rule

Posted on February 11, 2017

If you are having trouble figuring out whether or not a packet is being dropped by the Linux firewall there is a way to trace the path a packet takes. It does require some knowledge of the ports and protocols involved as well as the ability to make iptables rules. The basic idea is that traffic leaving a Linux box directly, or being routed through it will hit a special table called the "raw" table first where users can put in trace rules. If the traffic is leaving the box directly the rule is added to the "OUTPUT" chain of the "raw" table. If the traffic is being routed through the box then the rule is added to the "PREROUTING" chain of the "raw" table. The general format is

# For traffic being routed through the box
user@linux# iptables -t raw -A PREROUTING [ RULE TO DETECT DESIRED TRAFFIC ] -j TRACE

# For traffic that originates from the box itself
user@linux# iptables -t raw -A OUTPUT [ RULE TO DETECT DESIRED TRAFFIC ] -j TRACE

Please note: Adding trace rules can add a very heavy burden on the kernel and can impact performance and potentially the stability of the system. They are for troubleshooting purposes only. Trace rules should always be deleted immediately after are done! To delete a rule you inserted simply change the -A for append to -D for delete.

Most of the time the kernel will not be built with the trace modules included by default. If they are not already present you can use modprobe to install the logging modules. Here are some examples:

# For older kernels.
user@linux# sudo modprobe ipt_LOG

# For newer kernels.
sudo modprobe nf_log_ipv4

# Trace TCP traffic leaving the Linux box
user@linux# iptables -t raw -A OUTPUT -p tcp --dport 80 -j TRACE

# Trace TCP traffic returning to the Linux box
user@linux# iptables -t raw -A PREROUTING -p tcp -sport 80 -j TRACE

The logs themselves will appear in /var/log/kern.log. Here are some sample logs I collected while connecting to with wget:

Feb 11 10:41:13 ubuntuvm kernel: [ 4199.166329] TRACE: raw:OUTPUT:policy:2 IN= OUT=eth0 SRC= DST= LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=37314 DF PROTO=TCP SPT=42240 DPT=80 SEQ=3750653972 ACK=0 WINDOW=29200 RES=0x00 SYN URGP=0 OPT (020405B40402080A000EE1D60000000001030307) UID=0 GID=0 Feb 11 10:41:13 ubuntuvm kernel: [ 4199.182926] TRACE: raw:PREROUTING:policy:2 IN=eth0 OUT= MAC=08:00:27:2e:a1:89:00:90:7f:91:68:b4:08:00 SRC= DST= LEN=60 TOS=0x00 PREC=0x00 TTL=56 ID=31143 PROTO=TCP SPT=80 DPT=42240 SEQ=1985453739 ACK=3750653973 WINDOW=42540 RES=0x00 ACK SYN URGP=0 OPT (020405780402080A082895B6000EE1D601030307)

While this example clearly isn't very useful it should be enough to get most people going with tracing packets through the Linux firewall. The only thing you must know is how to write the correct trace rules for the traffic you are interested in. There is tons information in the blogosphere about Linux IPTables and how to write firewall rules, or you can just RTFM with "man iptables", and "man iptables-extensions".

Styled Math Inline HTML with LaTeX

Posted on January 23, 2017

The fact that it was so easy to get code styled inline HTML got me wondering what else could be quickly put together using a JavaScript library. What about complex math symbols? Another quick Google search and sure enough someone has already done something like this. In academia it's common for people to write whitepapers that have math symbols in them that are generated by compiling Tex or LaTeX markup. The MathJax library allows one to place Tex/LaTeX symbols inline an HTML document and to automatically generate pretty automatically formatted math symbols into a webpage. You just take the LaTeX and surround it with \[ and \] and it automatically gets converted into beautifully formatted math symbols. The LaTeX text below:

\[ \oint_C {E \cdot d\ell = - \frac{d}{{dt}}} \int_S {B_n dA} \]

becomes Faraday's law:

\[ \oint_C {E \cdot d\ell = - \frac{d}{{dt}}} \int_S {B_n dA} \]

Automatically Styled Code Inline HTML

Posted on January 21, 2017

I've always wondered how so many programming blogs have neatly formatted code examples. After doing a quick google search it turns out there's many existing options out there. The one in particular I used for the example below is called "SyntaxHighligther." The documentation over there is very well written and easy to follow. All that is required is to download 4 files, a couple of core CSS and JavaScript files, an additional CSS file for the theme, and a JavaScript file corresponding the programming language being used. Then simply add links to the JavaScript and CSS files in the head of your page, and apply the style inline (in my case "bush: cpp") to the <pre> tag and you're good to go.

class Rectangle {
    int width, height;
    void set_values (int,int);
    int area (void);
} rect;

Blog Goes Live

Posted on January 20, 2017

The goal here is to post at least one entry a week. Eventually once there are enough posts about the same subject I will create individual pages for each subject.