The iptables TRACE target is designed for debugging complex firewall rulesets: it logs the path a packet takes through tables and chains. Unlike the LOG target, which records a packet's details at a single point, TRACE writes a log line at each rule the packet matches (and at each chain return and policy), so the whole rule-by-rule traversal can be reconstructed.
First, ensure required kernel modules are loaded:
# Check for xt_TRACE and nf_log_ipv4 modules
lsmod | grep -E 'xt_TRACE|nf_log_ipv4'
# If missing, load them manually
modprobe xt_TRACE
modprobe nf_log_ipv4
The placement of TRACE rules is critical. They must be in the raw table:
# Correct TRACE rule placement example
iptables -t raw -A PREROUTING -p tcp --dport 80 -j TRACE
iptables -t raw -A OUTPUT -p tcp --sport 80 -j TRACE
Debian Squeeze requires specific syslog configuration to capture TRACE output:
# Edit /etc/syslog.conf or /etc/rsyslog.conf
kern.debug /var/log/iptables.log
# Then restart syslog
/etc/init.d/rsyslog restart
If TRACE still doesn't work, consider these alternatives:
# Method 1: Use LOG with chain prefix
iptables -N TRACE_LOG
iptables -A TRACE_LOG -j LOG --log-prefix "TRACE: "
iptables -A TRACE_LOG -j ACCEPT
# Method 2: Verbose logging with ULOG
iptables -A INPUT -j ULOG --ulog-prefix "IPTABLES ULOG: "
Always verify your rules with detailed listing:
iptables -t raw -L -v -n --line-numbers
iptables -t mangle -L -v -n --line-numbers
iptables -t nat -L -v -n --line-numbers
iptables -t filter -L -v -n --line-numbers
Some Debian Squeeze systems need additional kernel parameters:
echo 1 > /proc/sys/net/netfilter/nf_log_all_netns
echo 'net.netfilter.nf_log.2 = nf_log_ipv4' >> /etc/sysctl.conf
sysctl -p
Here's a complete test case for HTTP traffic:
# Clear existing rules
iptables -t raw -F
iptables -t raw -X
# Set up TRACE
iptables -t raw -A PREROUTING -p tcp --dport 80 -j TRACE
iptables -t raw -A OUTPUT -p tcp --sport 80 -j TRACE
# Generate test traffic
curl http://example.com
# Check logs
tail -f /var/log/iptables.log | grep TRACE
When debugging complex iptables rulesets, the TRACE target is an incredibly useful tool that shows exactly which rules packets match as they traverse the chains. However, on Debian Squeeze (6), you might find that while the TRACE rule is hit (as shown by increasing packet counters), no trace information appears in the system logs.
First, let's confirm the basic setup. The rule syntax should be:
iptables -t raw -A PREROUTING -p tcp -j TRACE
Check if packets are hitting the rule:
iptables -L -v -n -t raw
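The packet counters in that listing (and in the per-table listings earlier on this page) are the quickest way to tell whether the TRACE rule matches at all. The following shell functions are an added example, not code from the original page: they parse two snapshots of the raw-table listing taken before and after generating test traffic and report, per TRACE rule, how many packets matched in between, flagging rules whose counter never moved. The two listings, their counter values and the interface columns are constructed placeholders.

```shell
#!/bin/sh
# Constructed snapshots of `iptables -t raw -L -v -n --line-numbers` output,
# taken before and after a curl to port 80 (placeholder numbers, not a real capture).
RAW_BEFORE='Chain PREROUTING (policy ACCEPT 1200 packets, 90000 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1       10   600 TRACE      tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80

Chain OUTPUT (policy ACCEPT 900 packets, 70000 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 TRACE      tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:80'

RAW_AFTER='Chain PREROUTING (policy ACCEPT 1260 packets, 95000 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1       25  1500 TRACE      tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80

Chain OUTPUT (policy ACCEPT 940 packets, 73000 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1        0     0 TRACE      tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:80'

# trace_hits: read one listing on stdin and print "chain rulenum pkts" for
# every rule whose target is TRACE. The "Chain X (...)" header gives the chain
# name; in a --line-numbers listing the fields are num, pkts, bytes, target, ...
trace_hits() {
    awk '/^Chain / { chain = $2 }
         $4 == "TRACE" { print chain, $1, $2 }'
}

# trace_delta <before-listing> <after-listing>: for each TRACE rule print
# "chain:rulenum delta hit|NOT-HIT", where delta is the packet counter growth
# between the two snapshots. A NOT-HIT rule explains an empty log by itself:
# the rule is not matching, so there is nothing for TRACE to emit.
trace_delta() {
    before=$(printf '%s\n' "$1" | trace_hits)
    after=$(printf '%s\n' "$2" | trace_hits)
    printf '%s\n' "$before" "$after" | awk '
        {
            key = $1 ":" $2
            if (!(key in first)) { first[key] = $3; order[++n] = key }
            else                 { last[key] = $3 }
        }
        END {
            for (i = 1; i <= n; i++) {
                k = order[i]
                d = (k in last) ? last[k] - first[k] : 0
                printf "%s %d %s\n", k, d, (d > 0 ? "hit" : "NOT-HIT")
            }
        }'
}

# Usage on the constructed snapshots:
trace_delta "$RAW_BEFORE" "$RAW_AFTER"
```

On a live system, capture the two snapshots with `iptables -t raw -L -v -n --line-numbers > before.txt`, run the test traffic, capture `after.txt`, and call `trace_delta "$(cat before.txt)" "$(cat after.txt)"`. In the constructed data the OUTPUT rule matches on `--sport 80`, which a client-side curl never produces, so it is reported as NOT-HIT: a common reason one direction of a trace is silent.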
Several components need to be properly configured for TRACE to work:
- The xt_TRACE module must be loaded
- The logging subsystem needs proper configuration
- Kernel logging level must be set appropriately
1. First, load the required modules:
modprobe xt_TRACE
modprobe nf_log_ipv4
2. Configure the logging subsystem:
sysctl -w net.netfilter.nf_log.2=nf_log_ipv4
3. Adjust kernel logging level (temporarily for testing):
dmesg -n 7
4. For persistent configuration, add to /etc/sysctl.conf:
net.netfilter.nf_log.2 = nf_log_ipv4
If TRACE still doesn't work, you can simulate similar functionality with multiple LOG rules:
iptables -A INPUT -p tcp --dport 80 -j LOG --log-prefix "INPUT-CHAIN: "
iptables -A FORWARD -p tcp --dport 80 -j LOG --log-prefix "FORWARD-CHAIN: "
iptables -A OUTPUT -p tcp --dport 80 -j LOG --log-prefix "OUTPUT-CHAIN: "
After applying these changes, generate some test traffic and check the logs:
tail -f /var/log/kern.log | grep TRACE
You should now see detailed trace information showing the path packets take through your iptables ruleset.
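Once lines are appearing, the view a practitioner actually wants, both here and for the `tail -f /var/log/iptables.log | grep TRACE` step in the HTTP test case earlier on this page, is the ordered path a single packet took, which grep alone does not give. The following is an added example, not code from the original page or from the iptables project: it reads TRACE lines in the format the target emits (`TRACE: table:chain:type:rulenum` followed by the packet fields) from stdin and reconstructs the per-packet traversal keyed on the IP `ID=` field. The sample log lines, host name, addresses and packet IDs are constructed; real lines also carry MAC=, TOS=, TTL= and similar fields, which the parser ignores.

```shell
#!/bin/sh
# Constructed kern.log excerpt in the shape produced by the TRACE target
# (placeholder host, addresses and IP IDs; not a capture from a real system).
# Each hop is table:chain:type:rulenum; type is rule, return or policy.
SAMPLE_TRACE='Mar 10 12:00:01 fw kernel: TRACE: raw:PREROUTING:policy:2 IN=eth0 OUT= SRC=192.0.2.10 DST=192.0.2.1 LEN=60 ID=4711 PROTO=TCP SPT=45678 DPT=80
Mar 10 12:00:01 fw kernel: TRACE: mangle:PREROUTING:policy:1 IN=eth0 OUT= SRC=192.0.2.10 DST=192.0.2.1 LEN=60 ID=4711 PROTO=TCP SPT=45678 DPT=80
Mar 10 12:00:01 fw kernel: TRACE: nat:PREROUTING:policy:1 IN=eth0 OUT= SRC=192.0.2.10 DST=192.0.2.1 LEN=60 ID=4711 PROTO=TCP SPT=45678 DPT=80
Mar 10 12:00:01 fw kernel: TRACE: mangle:INPUT:policy:1 IN=eth0 OUT= SRC=192.0.2.10 DST=192.0.2.1 LEN=60 ID=4711 PROTO=TCP SPT=45678 DPT=80
Mar 10 12:00:01 fw kernel: TRACE: filter:INPUT:rule:3 IN=eth0 OUT= SRC=192.0.2.10 DST=192.0.2.1 LEN=60 ID=4711 PROTO=TCP SPT=45678 DPT=80
Mar 10 12:00:02 fw kernel: TRACE: raw:OUTPUT:policy:2 IN= OUT=eth0 SRC=192.0.2.1 DST=192.0.2.10 LEN=52 ID=9001 PROTO=TCP SPT=80 DPT=45678
Mar 10 12:00:02 fw kernel: TRACE: filter:OUTPUT:rule:1 IN= OUT=eth0 SRC=192.0.2.1 DST=192.0.2.10 LEN=52 ID=9001 PROTO=TCP SPT=80 DPT=45678'

# trace_path <ip-id>: print the hops one packet took, in log order, joined
# with " -> ". Fields are scanned by name rather than by position so that
# syslog and dmesg timestamp prefixes of different widths do not matter.
trace_path() {
    awk -v want="$1" '
        /TRACE: / {
            hop = ""; id = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "TRACE:") hop = $(i + 1)
                if ($i ~ /^ID=/)    id  = substr($i, 4)
            }
            if (hop != "" && id == want)
                path = (path == "" ? hop : path " -> " hop)
        }
        END { print path }'
}

# trace_final: print "ID last-hop" for every packet seen, in order of first
# appearance. The last hop for a packet is the rule with a terminating target
# or the chain policy that decided it, which is usually the line being looked for.
trace_final() {
    awk '
        /TRACE: / {
            hop = ""; id = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "TRACE:") hop = $(i + 1)
                if ($i ~ /^ID=/)    id  = substr($i, 4)
            }
            if (hop == "" || id == "") next
            if (!(id in last)) order[++n] = id
            last[id] = hop
        }
        END { for (i = 1; i <= n; i++) print order[i], last[order[i]] }'
}

# Usage on the constructed excerpt (on a live box: trace_path 4711 < /var/log/kern.log):
printf '%s\n' "$SAMPLE_TRACE" | trace_path 4711
printf '%s\n' "$SAMPLE_TRACE" | trace_final
```

Keying on the IP ID is enough for a short, targeted trace like the port-80 test case above; on a busy system IDs repeat (and some stacks send ID=0 with DF set), so for real traffic extend the key with SRC, DST, SPT and DPT before trusting the reconstructed path.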
For more targeted tracing, you can combine TRACE with matches:
iptables -t raw -A PREROUTING -p tcp --dport 80 -j TRACE
iptables -t raw -A PREROUTING -p tcp --sport 443 -j TRACE
Remember that TRACE can only be used in the raw table, and heavy tracing can impact performance on busy systems.