8

So I added

sudo iptables -t raw -A PREROUTING -p tcp --dport 25 -j TRACE

as well as

sudo iptables -t raw -A OUTPUT -p tcp --dport 25 -j TRACE

and when I grep my syslog for TRACE I get output that looks like this

Jan 19 09:14:46 dev109 kernel: [29067248.683235] TRACE: raw:OUTPUT:rule:2 IN= OUT=eth0  ...
Jan 19 09:14:46 dev109 kernel: [29067248.683244] TRACE: raw:OUTPUT:policy:5 IN= OUT=eth0 ...
Jan 19 09:14:46 dev109 kernel: [29067248.683254] TRACE: mangle:OUTPUT:policy:1 IN= OUT=eth0 ...
Jan 19 09:14:46 dev109 kernel: [29067248.683262] TRACE: filter:OUTPUT:policy:1 ...
Jan 19 09:14:46 dev109 kernel: [29067248.683269] TRACE: mangle:POSTROUTING:policy:1 ...
Jan 19 09:14:46 dev109 kernel: [29067248.683432] TRACE: raw:OUTPUT:rule:4 IN= OUT=eth0 ...
Jan 19 09:14:46 dev109 kernel: [29067248.683441] TRACE: raw:OUTPUT:policy:5 IN= OUT=eth0 ...

I am trying to understand what the policy numbers refer to. Is policy:1 == ACCEPT? If so, what does policy:5 mean?

loonyuni

2 Answers

9

policy:1 is type:rulenum. Or, put another way, type="policy" and rulenum=1.

Read this carefully. Specifically:

TRACE This target marks packets so that the kernel will log every rule which match the packets as those traverse the tables, chains, rules. (The ipt_LOG or ip6t_LOG module is required for the logging.) The packets are logged with the string prefix:

"TRACE: tablename:chainname:type:rulenum " where type can be "rule" for plain rule, "return" for implicit rule at the end of a user defined chain and "policy" for the policy of the built in chains. It can only be used in the raw table.

Now let's take one of the prefixes from the question TRACE: mangle:OUTPUT:policy:1 and apply what we've learned:

tablename = mangle
chainname = OUTPUT
type      = policy
rulenum   = 1
Bruno Bronosky
OscarAkaElvis
  • This was a very terse answer, but it got me to where I needed to be after reading it a dozen times. I edited the answer to help better explain. That first sentence was hard to grasp when it was alone. – Bruno Bronosky Dec 14 '17 at 05:00
  • Came to this question too and did some testing: **policy:5** seems to refer to the fictive last "rule" of your chain, where the policy is considered. So loonyuni's traced chain should have **4** explicit rules in it. – Nico Rittner May 01 '18 at 23:57
  • 2
    I fail to understand if the fictive last rule 5 means it's accepted or dropped. – Johnathan Aug 01 '19 at 13:38
  • 1
    @Johnathan Isn't that the default policy then? – U. Windl Mar 19 '20 at 11:09
  • 1
    @U.Windl How would you determine that? –  May 06 '20 at 16:49
  • @internetdotcom You can see the default policy for each chain by printing out the chain with a command such as `iptables -L -t filter`. See my answer below for an example. – Stefan Lasiewski Jul 22 '21 at 01:18
1

I want to provide a simple explanation based off of the answer written by @OscarAkaElvis and others.

Every chain has a default policy, which can be seen if you print out rules. Here, we can see that the INPUT chain in the filter table has a default policy of ACCEPT:

# iptables -L -t filter
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     icmp --  anywhere             anywhere             /* 000 accept all icmp */
ACCEPT     all  --  anywhere             anywhere             /* 001 accept all to lo interface */
REJECT     all  --  anywhere             127.0.0.0/8          /* 002 reject local traffic not on loopback interface */ reject-with icmp-port-unreachable

As stated in https://backreference.org/2010/06/11/iptables-debugging/ , the format for the log message is TRACE: tablename:chainname:type:rulenum.

For policies, the last part of the format is type:rulenum. The rulenum number is referring to the default rule for the policy, which is the last rule. It's basically "The number of rules that you added to the chain" + 1.

Here are two explanations using the chains put forth in the original question:

  • mangle:OUTPUT:policy:1 This chain (mangle:OUTPUT) contains no rules. The default rule is the first and only rule. Therefore the number is :1.
  • raw:OUTPUT:policy:5 This chain contains 4 rules. Therefore, the default is rule #5.
Stefan Lasiewski
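As an added example (not code from any of the answers above), here is a small Python parser for the TRACE prefix described in both answers. It applies the "policy:N means N-1 explicit rules" reading to the question's own log lines and groups the hops per packet; the grouping heuristic (a raw-table hop that follows a hop in another table starts a new packet, since the raw table is always entered first) is my assumption.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Log prefix from the iptables man page quoted above: TRACE: tablename:chainname:type:rulenum
TRACE_RE = re.compile(
    r"TRACE: (?P<table>\w+):(?P<chain>\w+):(?P<type>rule|return|policy):(?P<rulenum>\d+)"
)

# Constructed sample: the syslog lines shown in the question (the payload after the prefix is elided there too).
SAMPLE_LOG = """\
Jan 19 09:14:46 dev109 kernel: [29067248.683235] TRACE: raw:OUTPUT:rule:2 IN= OUT=eth0  ...
Jan 19 09:14:46 dev109 kernel: [29067248.683244] TRACE: raw:OUTPUT:policy:5 IN= OUT=eth0 ...
Jan 19 09:14:46 dev109 kernel: [29067248.683254] TRACE: mangle:OUTPUT:policy:1 IN= OUT=eth0 ...
Jan 19 09:14:46 dev109 kernel: [29067248.683262] TRACE: filter:OUTPUT:policy:1 ...
Jan 19 09:14:46 dev109 kernel: [29067248.683269] TRACE: mangle:POSTROUTING:policy:1 ...
Jan 19 09:14:46 dev109 kernel: [29067248.683432] TRACE: raw:OUTPUT:rule:4 IN= OUT=eth0 ...
Jan 19 09:14:46 dev109 kernel: [29067248.683441] TRACE: raw:OUTPUT:policy:5 IN= OUT=eth0 ...
"""

@dataclass(frozen=True)
class Hop:
    table: str
    chain: str
    kind: str      # "rule", "return" or "policy"
    rulenum: int

def parse_hop(line: str) -> Optional[Hop]:
    """Extract the TRACE prefix from one kernel log line; None for lines without it."""
    m = TRACE_RE.search(line)
    return Hop(m["table"], m["chain"], m["type"], int(m["rulenum"])) if m else None

def split_packets(hops: List[Hop]) -> List[List[Hop]]:
    """Heuristic (assumption): a packet always enters through the raw table, so a raw hop
    that follows a hop in another table starts a new traversal. Needs one non-raw hop per packet."""
    packets: List[List[Hop]] = []
    for prev, hop in zip([None] + hops[:-1], hops):
        if not packets or (hop.table == "raw" and prev.table != "raw"):
            packets.append([])
        packets[-1].append(hop)
    return packets

def chain_lengths(hops: List[Hop]) -> Dict[Tuple[str, str], int]:
    """policy:N is the fictive rule after the last real one, so the chain holds N - 1 explicit rules."""
    return {(h.table, h.chain): h.rulenum - 1 for h in hops if h.kind == "policy"}

def analyse(log: str) -> Tuple[List[List[str]], Dict[Tuple[str, str], int]]:
    hops = [h for h in map(parse_hop, log.splitlines()) if h]
    paths = [[f"{h.table}:{h.chain}:{h.kind}:{h.rulenum}" for h in p] for p in split_packets(hops)]
    return paths, chain_lengths(hops)

if __name__ == "__main__":
    paths, lengths = analyse(SAMPLE_LOG)
    for i, p in enumerate(paths, 1):
        print(f"packet {i}: {' -> '.join(p)}")
    for (table, chain), n in sorted(lengths.items()):
        print(f"{table}:{chain} has {n} explicit rule(s); its policy is fictive rule {n + 1}")
```

On the sample this reports raw:OUTPUT with 4 explicit rules and the mangle/filter chains with 0, matching the two bullet points in the answer above.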