149 lines
6.9 KiB
HTML
149 lines
6.9 KiB
HTML
|
|
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
|
<HTML><HEAD><TITLE>Man page of XTABLES-MONITOR</TITLE>
|
|
</HEAD><BODY>
|
|
<H1>XTABLES-MONITOR</H1>
|
|
Section: iptables 1.8.4 (8)<BR>Updated: <BR><A HREF="#index">Index</A>
|
|
<A HREF="/cgi-bin/man/man2html">Return to Main Contents</A><HR>
|
|
|
|
<A NAME="lbAB"> </A>
|
|
<H2>NAME</H2>
|
|
|
|
xtables-monitor --- show changes to rule set and trace-events
|
|
<A NAME="lbAC"> </A>
|
|
<H2>SYNOPSIS</H2>
|
|
|
|
<B>xtables-monitor</B> [<B>-t</B>] [<B>-e</B>] [<B>-4</B>|<B>|-6]
|
|
<P>
|
|
|
|
</B><A NAME="lbAD"> </A>
|
|
<H2>DESCRIPTION</H2>
|
|
|
|
<P>
|
|
|
|
<B>xtables-monitor</B>
|
|
|
|
is used to monitor changes to the ruleset or to show rule evaluation events
|
|
for packets tagged using the TRACE target.
|
|
<B>xtables-monitor</B>
|
|
|
|
will run until the user aborts execution, typically by using CTRL-C.
|
|
|
|
<A NAME="lbAE"> </A>
|
|
<H2>OPTIONS</H2>
|
|
|
|
<B>-e</B>, <B>--event</B>
|
|
<DL COMPACT>
|
|
<DT id="1">Watch for updates to the rule set.<DD>
|
|
Updates include creation of new tables, chains and rules and
|
|
the name of the program that caused the rule update.
|
|
<DT id="2"><B>-t</B>, <B>--trace</B><DD>
|
|
Watch for trace events generated by packets that have been tagged
|
|
using the TRACE target.
|
|
<DT id="3"><B>-4</B><DD>
|
|
Restrict output to IPv4.
|
|
<DT id="4"><B>-6</B><DD>
|
|
Restrict output to IPv6.
|
|
</DL>
|
|
<A NAME="lbAF"> </A>
|
|
<H2>EXAMPLE OUTPUT</H2>
|
|
|
|
<DL COMPACT>
|
|
<DT id="5"><B>xtables-monitor --trace</B>
|
|
|
|
<DD>
|
|
<P>
|
|
<BR> 1 TRACE: 2 fc475095 raw:PREROUTING:rule:0x3:CONTINUE -4 -t raw -A PREROUTING -p icmp -j TRACE
|
|
<BR> 2 PACKET: 0 fc475095 IN=lo LL=0x304 0000000000000000000000000800 SRC=127.0.0.1 DST=127.0.0.1 LEN=84 TOS=0x0 TTL=64 ID=38349DF
|
|
<BR> 3 TRACE: 2 fc475095 raw:PREROUTING:return:
|
|
<BR> 4 TRACE: 2 fc475095 raw:PREROUTING:policy:ACCEPT
|
|
<BR> 5 TRACE: 2 fc475095 filter:INPUT:return:
|
|
<BR> 6 TRACE: 2 fc475095 filter:INPUT:policy:DROP
|
|
<BR> 7 TRACE: 2 0df9d3d8 raw:PREROUTING:rule:0x3:CONTINUE -4 -t raw -A PREROUTING -p icmp -j TRACE
|
|
</DL>
|
|
<P>
|
|
|
|
The first line shows a packet entering rule set evaluation.
|
|
The protocol number is shown (AF_INET in this case), then a packet
|
|
identifier number that allows to correlate messages coming from rule set evaluation of
|
|
this packet. After this, the rule that was matched by the packet is shown.
|
|
This is the TRACE rule that turns on tracing events for this packet.
|
|
<P>
|
|
The second line dumps information about the packet. Incoming interface
|
|
and packet headers such as source and destination addresses are shown.
|
|
<P>
|
|
The third line shows that the packet completed traversal of the raw table
|
|
PREROUTING chain, and is returning, followed by use the chain policy to make accept/drop
|
|
decision (the example shows accept being applied).
|
|
The fifth line shows that the packet leaves the filter INPUT chain, i.e., no rules in the filter tables
|
|
INPUT chain matched the packet.
|
|
It then got DROPPED by the policy of the INPUT table, as shown by line six.
|
|
The last line shows another packet arriving -- the packet id is different.
|
|
<P>
|
|
When using the TRACE target, it is usually a good idea to only select packets
|
|
that are relevant, for example via
|
|
<PRE>
|
|
iptables -t raw -A PREROUTING -p tcp --dport 80 --syn -m limit --limit 1/s -j TRACE
|
|
</PRE>
|
|
|
|
<DL COMPACT>
|
|
<DT id="6"><B>xtables-monitor --event</B>
|
|
|
|
<DD>
|
|
<BR> 1 EVENT: nft: NEW table: table filter ip flags 0 use 4 handle 444
|
|
<BR> 2 EVENT: # nft: ip filter INPUT use 2 type filter hook input prio 0 policy drop packets 0 bytes 0
|
|
<BR> 3 EVENT: # nft: ip filter FORWARD use 0 type filter hook forward prio 0 policy accept packets 0 bytes 0
|
|
<BR> 4 EVENT: # nft: ip filter OUTPUT use 0 type filter hook output prio 0 policy accept packets 0 bytes 0
|
|
<BR> 5 EVENT: -4 -t filter -N TCP
|
|
<BR> 6 EVENT: -4 -t filter -A TCP -s 192.168.0.0/16 -p tcp -m tcp --dport 22 -j ACCEPT
|
|
<BR> 7 EVENT: -4 -t filter -A TCP -p tcp -m multiport --dports 80,443 -j ACCEPT
|
|
<BR> 8 EVENT: -4 -t filter -A INPUT -p tcp -j TCP
|
|
<BR> 9 EVENT: -4 -t filter -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
|
|
<BR> 10 NEWGEN: GENID=13904 PID=25167 NAME=iptables-nftables-restore
|
|
</DL>
|
|
<P>
|
|
|
|
This example shows event monitoring. Line one shows creation of a table (filter in this case), followed
|
|
by three base hooks INPUT, FORWARD and OUTPUT. The iptables-nftables tools all create tables and base
|
|
chains automatically when needed, so this is expected when a table was not yet initialized or when it is
|
|
re-created from scratch by iptables-nftables-restore. Line five shows a new user-defined chain (TCP)
|
|
being added, followed by addition a few rules. the last line shows that a new ruleset generation has
|
|
become active, i.e., the rule set changes are now active. This also lists the process id and the programs name.
|
|
<A NAME="lbAG"> </A>
|
|
<H2>LIMITATIONS</H2>
|
|
|
|
<B>xtables-monitor</B>
|
|
|
|
only works with rules added using iptables-nftables, rules added using
|
|
iptables-legacy cannot be monitored.
|
|
<A NAME="lbAH"> </A>
|
|
<H2>BUGS</H2>
|
|
|
|
Should be reported or by sending email to <A HREF="mailto:netfilter-devel@vger.kernel.org">netfilter-devel@vger.kernel.org</A> or
|
|
by filing a report on <A HREF="https://bugzilla.netfilter.org/.">https://bugzilla.netfilter.org/.</A>
|
|
<A NAME="lbAI"> </A>
|
|
<H2>SEE ALSO</H2>
|
|
|
|
<B><A HREF="/cgi-bin/man/man2html?8+iptables">iptables</A></B>(8), <B><A HREF="/cgi-bin/man/man2html?8+xtables">xtables</A></B>(8), <B><A HREF="/cgi-bin/man/man2html?8+nft">nft</A></B>(8)
|
|
<P>
|
|
|
|
<HR>
|
|
<A NAME="index"> </A><H2>Index</H2>
|
|
<DL>
|
|
<DT id="7"><A HREF="#lbAB">NAME</A><DD>
|
|
<DT id="8"><A HREF="#lbAC">SYNOPSIS</A><DD>
|
|
<DT id="9"><A HREF="#lbAD">DESCRIPTION</A><DD>
|
|
<DT id="10"><A HREF="#lbAE">OPTIONS</A><DD>
|
|
<DT id="11"><A HREF="#lbAF">EXAMPLE OUTPUT</A><DD>
|
|
<DT id="12"><A HREF="#lbAG">LIMITATIONS</A><DD>
|
|
<DT id="13"><A HREF="#lbAH">BUGS</A><DD>
|
|
<DT id="14"><A HREF="#lbAI">SEE ALSO</A><DD>
|
|
</DL>
|
|
<HR>
|
|
This document was created by
|
|
<A HREF="/cgi-bin/man/man2html">man2html</A>,
|
|
using the manual pages.<BR>
|
|
Time: 00:06:18 GMT, March 31, 2021
|
|
</BODY>
|
|
</HTML>
|