.TH XTABLES\-MONITOR 8 "" "@PACKAGE_STRING@" "@PACKAGE_STRING@"
.SH NAME
xtables-monitor \(em show changes to rule set and trace-events
.SH SYNOPSIS
\fBxtables\-monitor\fP [\fB\-t\fP] [\fB\-e\fP] [\fB\-4\fP|\fB\-6\fP]
.PP
.SH DESCRIPTION
.PP
.B xtables-monitor
is used to monitor changes to the ruleset or to show rule evaluation events
for packets tagged using the TRACE target.
.B xtables-monitor
will run until the user aborts execution, typically by using CTRL-C.
.SH OPTIONS
.TP
\fB\-e\fP, \fB\-\-event\fP
Watch for updates to the rule set.
Updates include creation of new tables, chains and rules and
the name of the program that caused the rule update.
.TP
\fB\-t\fP, \fB\-\-trace\fP
Watch for trace events generated by packets that have been tagged
using the TRACE target.
.TP
\fB\-4\fP
Restrict output to IPv4.
.TP
\fB\-6\fP
Restrict output to IPv6.
.SH EXAMPLE OUTPUT
.TP
.B xtables-monitor \-\-trace
.nf
1 TRACE: 2 fc475095 raw:PREROUTING:rule:0x3:CONTINUE \-4 \-t raw \-A PREROUTING \-p icmp \-j TRACE
2 PACKET: 0 fc475095 IN=lo LL=0x304 0000000000000000000000000800 SRC=127.0.0.1 DST=127.0.0.1 LEN=84 TOS=0x0 TTL=64 ID=38349DF
3 TRACE: 2 fc475095 raw:PREROUTING:return:
4 TRACE: 2 fc475095 raw:PREROUTING:policy:ACCEPT
5 TRACE: 2 fc475095 filter:INPUT:return:
6 TRACE: 2 fc475095 filter:INPUT:policy:DROP
7 TRACE: 2 0df9d3d8 raw:PREROUTING:rule:0x3:CONTINUE \-4 \-t raw \-A PREROUTING \-p icmp \-j TRACE
.fi
.PP
The first line shows a packet entering rule set evaluation.
The protocol number is shown (AF_INET in this case), then a packet
identifier number that allows correlating messages coming from rule set evaluation of
this packet. After this, the rule that was matched by the packet is shown.
This is the TRACE rule that turns on tracing events for this packet.

The second line dumps information about the packet. Incoming interface
and packet headers such as source and destination addresses are shown.

The third line shows that the packet completed traversal of the raw table
PREROUTING chain and is returning; the fourth line shows the chain policy being used to make the accept/drop
decision (the example shows accept being applied).
The fifth line shows that the packet leaves the filter INPUT chain, i.e., no rule in the filter table's
INPUT chain matched the packet.
It then got DROPPED by the policy of the INPUT chain, as shown by line six.
The last line shows another packet arriving \-\- the packet id is different.

When using the TRACE target, it is usually a good idea to only select packets
that are relevant, for example via
.nf
iptables \-t raw \-A PREROUTING \-p tcp \-\-dport 80 \-\-syn \-m limit \-\-limit 1/s \-j TRACE
.fi
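Correlating the trace output above by packet id, as an added example that is not part of this man page or of the iptables project: it groups TRACE and PACKET lines per packet, records each table:chain hop and reports the final verdict. The sample lines are transcribed from the output above; the set of terminal verdicts and the AF_INET/AF_INET6 mapping are the example's own assumptions.

```python
import re

# Constructed sample transcribed from the EXAMPLE OUTPUT above, line labels dropped.
SAMPLE_TRACE = """\
TRACE: 2 fc475095 raw:PREROUTING:rule:0x3:CONTINUE -4 -t raw -A PREROUTING -p icmp -j TRACE
PACKET: 0 fc475095 IN=lo LL=0x304 0000000000000000000000000800 SRC=127.0.0.1 DST=127.0.0.1 LEN=84 TOS=0x0 TTL=64 ID=38349DF
TRACE: 2 fc475095 raw:PREROUTING:return:
TRACE: 2 fc475095 raw:PREROUTING:policy:ACCEPT
TRACE: 2 fc475095 filter:INPUT:return:
TRACE: 2 fc475095 filter:INPUT:policy:DROP
TRACE: 2 0df9d3d8 raw:PREROUTING:rule:0x3:CONTINUE -4 -t raw -A PREROUTING -p icmp -j TRACE
"""

# The optional leading integer tolerates the numbered lines as printed in this man page.
LINE_RE = re.compile(r"^\s*(?:\d+\s+)?(TRACE|PACKET):\s+(\d+)\s+([0-9a-f]+)\s+(.*)$")
FAMILY = {2: "AF_INET", 10: "AF_INET6"}   # Linux address-family numbers
TERMINAL = {"ACCEPT", "DROP", "QUEUE"}    # verdicts that end evaluation (assumed set)

def parse_trace(text):
    """Group TRACE/PACKET lines by packet id; return {id: record} in arrival order."""
    packets = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                                   # not a trace line
        kind, family, pkt_id, rest = m.groups()
        rec = packets.setdefault(pkt_id, {"family": None, "packet": {},
                                          "hops": [], "verdict": None})
        if kind == "PACKET":
            # KEY=VAL header fields; the bare hex blob is the link-layer header dump
            rec["packet"] = dict(t.split("=", 1) for t in rest.split() if "=" in t)
            continue
        rec["family"] = FAMILY.get(int(family), family)
        loc, _, rule = rest.partition(" ")              # table:chain:kind[:handle][:verdict]
        parts = loc.split(":")
        table, chain, what = parts[0], parts[1], parts[2]
        verdict = parts[4] if what == "rule" else parts[3] if what == "policy" else None
        rec["hops"].append((table, chain, what, verdict, rule))
        if verdict in TERMINAL:
            rec["verdict"] = verdict
    return packets

def verdicts(text):
    """Map packet id -> (family, SRC, DST, final verdict or 'pending')."""
    return {pid: (r["family"], r["packet"].get("SRC"), r["packet"].get("DST"),
                  r["verdict"] or "pending")
            for pid, r in parse_trace(text).items()}
```

A packet whose trace has not yet reached a terminal verdict (the second packet in the sample) is reported as pending rather than guessed.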
.TP
.B xtables-monitor \-\-event
.nf
1 EVENT: nft: NEW table: table filter ip flags 0 use 4 handle 444
2 EVENT: # nft: ip filter INPUT use 2 type filter hook input prio 0 policy drop packets 0 bytes 0
3 EVENT: # nft: ip filter FORWARD use 0 type filter hook forward prio 0 policy accept packets 0 bytes 0
4 EVENT: # nft: ip filter OUTPUT use 0 type filter hook output prio 0 policy accept packets 0 bytes 0
5 EVENT: \-4 \-t filter \-N TCP
6 EVENT: \-4 \-t filter \-A TCP \-s 192.168.0.0/16 \-p tcp \-m tcp \-\-dport 22 \-j ACCEPT
7 EVENT: \-4 \-t filter \-A TCP \-p tcp \-m multiport \-\-dports 80,443 \-j ACCEPT
8 EVENT: \-4 \-t filter \-A INPUT \-p tcp \-j TCP
9 EVENT: \-4 \-t filter \-A INPUT \-m conntrack \-\-ctstate RELATED,ESTABLISHED \-j ACCEPT
10 NEWGEN: GENID=13904 PID=25167 NAME=iptables-nftables-restore
.fi
.PP
This example shows event monitoring. Line one shows creation of a table (filter in this case), followed
by the three base chains INPUT, FORWARD and OUTPUT with their hooks. The iptables-nftables tools all create tables and base
chains automatically when needed, so this is expected when a table was not yet initialized or when it is
re-created from scratch by iptables-nftables-restore. Line five shows a new user-defined chain (TCP)
being added, followed by the addition of a few rules. The last line shows that a new ruleset generation has
become active, i.e., the rule set changes are now in effect. This also lists the process id and the program's name.
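Attributing ruleset changes to the process that committed them, as an added example that is not part of this man page or of the iptables project: it splits the event stream at NEWGEN lines into generations and, per generation, lists the program name, PID, new chains and the added rules that ACCEPT traffic, flagging writers outside an allowlist. The sample is transcribed from the output above; the allowlist of expected writers is a constructed assumption.

```python
import shlex
# Constructed sample transcribed from the EXAMPLE OUTPUT above, line labels dropped.
SAMPLE_EVENTS = """\
EVENT: nft: NEW table: table filter ip flags 0 use 4 handle 444
EVENT: # nft: ip filter INPUT use 2 type filter hook input prio 0 policy drop packets 0 bytes 0
EVENT: # nft: ip filter FORWARD use 0 type filter hook forward prio 0 policy accept packets 0 bytes 0
EVENT: # nft: ip filter OUTPUT use 0 type filter hook output prio 0 policy accept packets 0 bytes 0
EVENT: -4 -t filter -N TCP
EVENT: -4 -t filter -A TCP -s 192.168.0.0/16 -p tcp -m tcp --dport 22 -j ACCEPT
EVENT: -4 -t filter -A TCP -p tcp -m multiport --dports 80,443 -j ACCEPT
EVENT: -4 -t filter -A INPUT -p tcp -j TCP
EVENT: -4 -t filter -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
NEWGEN: GENID=13904 PID=25167 NAME=iptables-nftables-restore
"""

# Assumed allowlist: programs expected to rewrite the ruleset on this host.
EXPECTED_WRITERS = {"iptables-nftables-restore"}

def parse_events(text):
    """Split the event stream into generations, one record per NEWGEN line."""
    gens, cur = [], {"tables": [], "base_chains": [], "chains": [], "rules": []}
    for line in text.splitlines():
        f = line.split()
        if line.startswith("EVENT: nft: NEW table:"):      # new table, e.g. 'filter'
            cur["tables"].append(f[5])
        elif line.startswith("EVENT: # nft:"):             # base chain: (table, chain, policy)
            cur["base_chains"].append((f[4], f[5], f[f.index("policy") + 1]))
        elif line.startswith("EVENT: -"):                   # iptables-style command line
            argv = shlex.split(line[len("EVENT: "):])
            if "-N" in argv:
                cur["chains"].append(argv[argv.index("-N") + 1])
            elif "-A" in argv:
                cur["rules"].append(argv)
        elif line.startswith("NEWGEN:"):                    # generation committed: who did it
            kv = dict(tok.split("=", 1) for tok in f[1:])
            cur.update(genid=int(kv["GENID"]), pid=int(kv["PID"]), name=kv["NAME"])
            gens.append(cur)
            cur = {"tables": [], "base_chains": [], "chains": [], "rules": []}
    return gens

def review(gens):
    """Per generation: who changed the ruleset and which added rules accept traffic."""
    out = []
    for g in gens:
        accepts = [" ".join(r) for r in g["rules"]
                   if "-j" in r and r[r.index("-j") + 1] == "ACCEPT"]
        out.append({"genid": g["genid"], "pid": g["pid"], "name": g["name"],
                    "unexpected_writer": g["name"] not in EXPECTED_WRITERS,
                    "new_chains": g["chains"], "accept_rules": accepts})
    return out
```

Events that arrive before a NEWGEN line belong to a generation that has not yet been committed, so they stay in the pending record and are not reported until the generation becomes active.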
.SH LIMITATIONS
.B xtables-monitor
only works with rules added using iptables-nftables; rules added using
iptables-legacy cannot be monitored.
.SH BUGS
Should be reported by sending email to netfilter-devel@vger.kernel.org or
by filing a report on https://bugzilla.netfilter.org/.
.SH SEE ALSO
\fBiptables\fP(8), \fBxtables\fP(8), \fBnft\fP(8)