Troubleshooting firewall and routing on Linux

Are there any tools or API hooks for troubleshooting iptables or routing on Linux? (besides the obvious -j LOG)

In other words: what to do when a table with 200 or 300 firewalling rules still doesn’t allow new traffic after a new rule has been added.

Or when a router with over a dozen network interfaces replies to packets coming in on interface A on interface B.

Is reading and manually tracking the rules and tables the only option?

Answer

iptables will list all your rules with packet counts. These can be valuable in determining if you are hitting particular rules.

Given you have 200 or 300 rules, it would be a good idea to look at a tool to build and configure your firewall. I like Shorewall, which has some good show functionality to list important data about the running firewall. Some of the features I like include:

  • Pre-built macros for common services, ability to add your own.
  • Ease of configuring zones and hosts.
  • Ease of configuring logging for specific rules.
  • Simplicity and clarity of configuration files.
  • Available example configurations for 1, 2, and 3 interfaces.
  • Shorewall-lite to separate config on a different server.
  • Shorewall6 to handle IPv6.

I had thought there was a utility to trace the route a specific packet would take, but wasn’t able to find it last time I looked. A little looking through the Shorewall show command output got me my answer.
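A way to put the per-rule packet counters the answer mentions to work, as an added example rather than anything from the question or the answer: snapshot `iptables -vnxL` output before and after reproducing the traffic, then print only the rules whose counters moved. The two snapshots below are constructed sample output in that format, with a new ACCEPT rule for port 443 sitting behind an earlier DROP that already matches the same traffic.

```shell
# Added example: diff iptables per-rule packet counters between two snapshots.
# Real use: BEFORE=$(iptables -vnxL INPUT); reproduce the blocked traffic;
# AFTER=$(iptables -vnxL INPUT); counter_diff "$BEFORE" "$AFTER". Constructed
# sample output (-x prints exact counters); assumes the rule set did not change.
BEFORE='Chain INPUT (policy DROP 12 packets, 720 bytes)
    pkts      bytes target     prot opt in     out     source               destination
     100     8000 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
      40     3200 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
       5      300 DROP       tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443
       0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443
       7      420 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4'
AFTER='Chain INPUT (policy DROP 14 packets, 840 bytes)
    pkts      bytes target     prot opt in     out     source               destination
     103     8240 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
      40     3200 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
       8      480 DROP       tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443
       0        0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443
       7      420 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4'

# counter_diff BEFORE AFTER: prints "rule-number packet-delta rule-text" for every
# rule whose counter moved; rule 0 is the chain policy. A rule that stays silent
# (here the new ACCEPT dpt:443 at position 4) is one the traffic never reaches.
counter_diff() {
  { printf '%s\n' "$1"; echo '__SNAPSHOT_SEPARATOR__'; printf '%s\n' "$2"; } |
  awk '
    BEGIN { part = 1 }
    /^__SNAPSHOT_SEPARATOR__$/ { part = 2; n = 0; next }
    /^Chain / {                          # policy counter lives in the header
      if (match($0, /policy [A-Z]+ [0-9]+ packets/)) {
        split(substr($0, RSTART, RLENGTH), a, " ")
        report(0, a[3], "policy " a[2])
      }
      next
    }
    /^ *pkts +bytes/ || NF < 3 { next }  # column header, blank lines
    {
      n++                                # same order as iptables --line-numbers
      rule = $3
      for (i = 4; i <= NF; i++) rule = rule " " $i
      report(n, $1, rule)
    }
    function report(idx, pkts, text) {
      if (part == 1) { before[idx] = pkts; return }
      if (pkts - before[idx] != 0) printf "%d %d %s\n", idx, pkts - before[idx], text
    }'
}

counter_diff "$BEFORE" "$AFTER"
```

Here the output shows the policy and rule 3 (the earlier DROP) absorbing the new connections while rule 4 never increments, which is the ordering problem to fix; `iptables -Z` resets the counters if a clean baseline is wanted.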

Attribution
Source: Link, Question Author: Hubert Kario, Answer Author: BillThor