[Gllug] Logging in iptables and Debian install woes

Tet tethys at gmail.com
Fri Apr 28 10:55:38 UTC 2006


Problem 1:

OK, so iptables sucks. But until I get off my arse and finish my
firewalling project, it's all I've got to work with for now. However,
can anyone shed some light on how to get information out about what
it's doing at any given point?

I've installed Xen. Which has screwed around with my networking in
various unpleasant ways. I can understand what it does for virtual
machines. But I can't really see the need to mess around with the way
dom0 talks to the outside world. But it does. The most obvious symptom
of this is that packets no longer go via the OUTPUT chain. At least,
not directly. They go via the FORWARD chain too (or instead of?).

Is there any way of getting iptables to log which chains it's
traversing for a given packet, so I can see what's happening to my
packets and craft an appropriate rule?

On a vaguely related note, I can ssh to our other server (on a
completely different subnet) from the box, but can't do DNS lookups.
So I want to log information about those packets to find out why one's
working and not the other. I've created a LOGSTUFF chain that logs
details about packets that match those criteria, and added a rule which
unconditionally jumps to that chain as the first rule in the INPUT,
OUTPUT and FORWARD chains. So far, so good. But how do I know which
chain the packet was in when it was logged? I could duplicate the
rules explicitly in each of the three chains, but that seems more than
a little awkward. I'd really want to log the chain hierarchy that the
packet traversed to get to the LOGSTUFF chain.

It's at times like these that I appreciate OpenBSD's pf more and more.

Problem 2:

Ye gods, Debian sucks when it comes to the installer! I haven't tried
installing Debian in anger for some years, and was shocked at how
primitive it feels compared to the slick installers found in other
distributions. I was trying to install Etch on amd64. Can anyone shed
any light on how I'm meant to get the thing installed onto LVM over
RAID1? After spending far too long trying, I gave up and went for
CentOS, which Just Worked(tm). But I'm sure it must be possible. Any
ideas? I could get a RAID device set up, but whenever I tried to
create a PV on top of that, it just barfed and told me I couldn't.
Sorry, I don't have the exact text of the error message (I know, I
know, but business pressures meant the machine needed to be built and
shipped off to the hosting company, so I didn't have time to mess
around with it).

Tet
-- 
Gllug mailing list  -  Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug
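Added example (not code from the original post, and not a reply from the list): the usual way to see which chain a packet was in is not a shared LOGSTUFF chain but a LOG rule per built-in chain whose --log-prefix names the chain, so the prefix ends up in the kernel log line. The script below prints those rules (it does not run them, so they can be reviewed before being piped to sh as root), shows the raw-table TRACE alternative, and parses constructed kernel log lines to count, per chain, the packets to or from a given port, which is the comparison the DNS-versus-ssh question needs: UDP/53 leaving via OUTPUT with nothing from source port 53 arriving via INPUT points at the reply being dropped or never arriving. The host name xen0, interface names and addresses are made up. Two caveats: the TRACE target and its "TRACE: table:chain:rule:N" output may need a patch-o-matic kernel in 2006 and needs the ipt_LOG module loaded; and the FORWARD-chain symptom is what bridge netfilter gives you when dom0's traffic sits behind Xen's xenbr0 bridge, which you can confirm with cat /proc/sys/net/bridge/bridge-nf-call-iptables (1 means bridged frames traverse FORWARD).

```shell
#!/bin/sh
# Added example, not from the original post. Generates iptables LOG rules
# whose --log-prefix names the chain, and parses the resulting kernel log
# lines. Host name "xen0", interfaces, addresses and log lines are constructed.

# Print (do not run) an iptables command that inserts a LOG rule at the top of
# CHAIN, with the chain name as --log-prefix so every log line records where
# the packet was. Rate-limited so a flood cannot fill the kernel log.
# Usage as root: log_rules INPUT | sh
log_rules() {
    chain="$1"
    rate="${2:-10/min}"
    printf 'iptables -I %s 1 -m limit --limit %s --limit-burst 20 -j LOG --log-prefix "%s: " --log-level info\n' \
        "$chain" "$rate" "$chain"
}

# Alternative when the kernel has the TRACE target in the raw table (assumption:
# may need a patch-o-matic kernel in 2006; ipt_LOG must be loaded for the trace
# lines to appear). The kernel then logs every table:chain:rule the packet hits,
# e.g. "TRACE: filter:OUTPUT:rule:2". Restricted here to DNS traffic.
trace_rules() {
    printf 'iptables -t raw -A PREROUTING -p udp --dport 53 -j TRACE\n'
    printf 'iptables -t raw -A OUTPUT -p udp --dport 53 -j TRACE\n'
}

# Constructed kernel log lines in the format the LOG target emits.
sample_log() {
    cat <<'EOF'
Apr 28 10:55:38 xen0 kernel: OUTPUT: IN= OUT=eth0 SRC=192.0.2.10 DST=192.0.2.53 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=40000 DPT=53 LEN=40
Apr 28 10:55:38 xen0 kernel: FORWARD: IN=vif1.0 OUT=eth0 SRC=192.0.2.11 DST=198.51.100.5 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4242 DF PROTO=TCP SPT=34567 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Apr 28 10:55:39 xen0 kernel: INPUT: IN=eth0 OUT= SRC=198.51.100.5 DST=192.0.2.10 LEN=52 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=22 DPT=51234 WINDOW=5792 RES=0x00 ACK SYN URGP=0
Apr 28 10:55:40 xen0 kernel: unrelated message
EOF
}

# Read LOG lines on stdin; print "CHAIN PROTO SRC:SPT -> DST:DPT" per packet.
# The chain name is recovered from the --log-prefix written by log_rules.
classify() {
    awk '
    /kernel: (INPUT|OUTPUT|FORWARD): / {
        chain = ""; proto = "?"; src = "?"; dst = "?"; spt = "-"; dpt = "-"
        for (i = 1; i <= NF; i++) {
            if      ($i ~ /^(INPUT|OUTPUT|FORWARD):$/) chain = substr($i, 1, length($i) - 1)
            else if ($i ~ /^PROTO=/) proto = substr($i, 7)
            else if ($i ~ /^SRC=/)   src   = substr($i, 5)
            else if ($i ~ /^DST=/)   dst   = substr($i, 5)
            else if ($i ~ /^SPT=/)   spt   = substr($i, 5)
            else if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
        }
        if (chain != "") printf "%s %s %s:%s -> %s:%s\n", chain, proto, src, spt, dst, dpt
    }'
}

# Read classify output on stdin; print how many packets in CHAIN had PORT as
# source or destination port. For DNS: queries show as OUTPUT with port 53,
# replies should show as INPUT with source port 53.
port_hits() {
    awk -v c="$1" -v p="$2" '
    $1 == c {
        split($3, a, ":"); split($5, b, ":")
        if (a[2] == p || b[2] == p) n++
    }
    END { print n + 0 }'
}

# Demo: print the rules for the three built-in chains, then the diagnosis.
for c in INPUT OUTPUT FORWARD; do log_rules "$c"; done
trace_rules
sample_log | classify
echo "DNS queries out (OUTPUT, port 53): $(sample_log | classify | port_hits OUTPUT 53)"
echo "DNS replies in  (INPUT, port 53):  $(sample_log | classify | port_hits INPUT 53)"
```

The sample shows the pattern to look for: one UDP query to port 53 logged in OUTPUT and none logged in INPUT, while the ssh traffic shows up in both directions. Keep the --log-prefix under 29 characters (the LOG target's limit), and drop the -m limit clause only while actively debugging, since unlimited LOG rules on a busy box are a cheap way for anyone to fill /var/log.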