[lug] pxe boot and routing

Lee Woodworth blug-mail at duboulder.com
Wed Jan 13 15:00:52 MST 2016


This report says virbr1 received 140Kb in 1981 packets via UDP, none via TCP for
port 53 that matched the rules. virbr0 never had any matches for its port 53 rules.
There are no rules for the output to port 53 so no details there.

Looks like DNS packets get received, at least post boot.

When run from the client, does
   # dig <repository.fqdn> +trace
return a line like this and is it the expected address:
   <repository.fqdn> 43200   IN      A       <ip-address>

To see the packets realtime for interface xxx (e.g. the physical interface):
   # tcpdump -i xxx -n -l port 53
You may want to do this on both the client and the host.

For firewall rule debugging, the pkts/bytes columns can be helpful for seeing
what rules have been matched. You can also add logging rules that can log
matches for interface xxx to dmesg output:
   # iptables -A INPUT -i xxx -p udp --sport 53 -j LOG --log-prefix 'DNS-in:'
   # iptables -A OUTPUT -o xxx -p udp --dport 53 -j LOG --log-prefix 'DNS-out:'

On 01/13/2016 01:55 PM, Michael J. Hammel wrote:
> On Wed, 2016-01-13 at 13:25 -0700, Lee Woodworth wrote:
>> iptables -L -n -v would show if you still have iptables rules active.
>> The -n prevents DNS translations of addresses in the rules to names.
> 
> Not completely sure how to read this, but it looks like all rules
> currently configured apply to the virbrX interfaces, either in or out. 
>  That's not the interface with the private network so don't *think* it
> applies to my current problem.
> 
> I tried to strip out excess space to make this fit, but it probably
> doesn't.
> 
> # iptables -L -n -v
> Chain INPUT (policy ACCEPT 369M packets, 1255G bytes)
>  pkts bytes target prot opt in     out source    destination
>  1981  140K ACCEPT udp  --  virbr1 *   0.0.0.0/0 0.0.0.0/0   udp dpt:53
>     0     0 ACCEPT tcp  --  virbr1 *   0.0.0.0/0 0.0.0.0/0   tcp dpt:53
>  4586 1504K ACCEPT udp  --  virbr1 *   0.0.0.0/0 0.0.0.0/0   udp dpt:67
>     0     0 ACCEPT tcp  --  virbr1 *   0.0.0.0/0 0.0.0.0/0   tcp dpt:67
>     0     0 ACCEPT udp  --  virbr0 *   0.0.0.0/0 0.0.0.0/0   udp dpt:53
>     0     0 ACCEPT tcp  --  virbr0 *   0.0.0.0/0 0.0.0.0/0   tcp dpt:53
>     5  2139 ACCEPT udp  --  virbr0 *   0.0.0.0/0 0.0.0.0/0   udp dpt:67
>     0     0 ACCEPT tcp  --  virbr0 *   0.0.0.0/0 0.0.0.0/0   tcp dpt:67
>  
> Chain FORWARD (policy ACCEPT 31 packets, 2154 bytes)
>  pkts bytes target prot opt in     out    source           destination
>  119K  395M ACCEPT all  --  *      virbr1 0.0.0.0/0        192.168.100.0/24 ctstate RELATED,ESTABLISHED
>  136K   12M ACCEPT all  --  virbr1 *      192.168.100.0/24 0.0.0.0/0
>    60 19680 ACCEPT all  --  virbr1 virbr1 0.0.0.0/0        0.0.0.0/0
>     0     0 REJECT all  --  *      virbr1 0.0.0.0/0        0.0.0.0/0        reject-with icmp-port-unreachable
>     0     0 REJECT all  --  virbr1 *      0.0.0.0/0        0.0.0.0/0        reject-with icmp-port-unreachable
>     0     0 ACCEPT all  --  *      virbr0 0.0.0.0/0        192.168.122.0/24 ctstate RELATED,ESTABLISHED
>     0     0 ACCEPT all  --  virbr0 *      192.168.122.0/24 0.0.0.0/0
>     0     0 ACCEPT all  --  virbr0 virbr0 0.0.0.0/0        0.0.0.0/0
>     0     0 REJECT all  --  *      virbr0 0.0.0.0/0        0.0.0.0/0        reject-with icmp-port-unreachable
>     0     0 REJECT all  --  virbr0 *      0.0.0.0/0        0.0.0.0/0        reject-with icmp-port-unreachable
> 
> Chain OUTPUT (policy ACCEPT 377M packets, 2105G bytes)
>  pkts bytes target prot opt in out     source    destination
>  4557 1583K ACCEPT udp  --  *  virbr1  0.0.0.0/0 0.0.0.0/0  udp dpt:68
>     5  1640 ACCEPT udp  --  *  virbr0  0.0.0.0/0 0.0.0.0/0  udp dpt:68
> 
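Added example, not part of the thread: a small POSIX shell helper that reads the pkts column of `iptables -L -n -v` and answers "which rules have matched?" without eyeballing the whole table, which is the check suggested above for seeing whether port 53 traffic is even reaching a rule. SAMPLE is a constructed, shortened copy of the INPUT chain quoted above; eth0 is an assumed name for the physical interface and has no rule in the sample, which is the "no rules for that interface" case from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): read the pkts column of `iptables -L -n -v`
# to see which rules have actually matched.
# SAMPLE is a constructed, trimmed copy of the INPUT chain quoted in the thread;
# on a live host replace it with: SAMPLE=$(iptables -L -n -v)
SAMPLE='Chain INPUT (policy ACCEPT 369M packets, 1255G bytes)
 pkts bytes target prot opt in     out source    destination
 1981  140K ACCEPT udp  --  virbr1 *   0.0.0.0/0 0.0.0.0/0   udp dpt:53
    0     0 ACCEPT tcp  --  virbr1 *   0.0.0.0/0 0.0.0.0/0   tcp dpt:53
 4586 1504K ACCEPT udp  --  virbr1 *   0.0.0.0/0 0.0.0.0/0   udp dpt:67
    0     0 ACCEPT udp  --  virbr0 *   0.0.0.0/0 0.0.0.0/0   udp dpt:53'

# hit_rules TABLE
# Print "chain in-iface proto last-match pkts=N" for every rule whose packet
# counter is non-zero. Counters are kept as iptables prints them (K/M/G suffix).
hit_rules() {
    printf '%s\n' "$1" | awk '
        /^Chain / { chain = $2; next }          # remember which chain we are in
        $1 == "pkts" { next }                   # skip the column header line
        NF >= 9 && $1 ~ /^[0-9]+[KMG]?$/ && $1 != "0" {
            printf "%s %s %s %s pkts=%s\n", chain, $6, $4, $NF, $1
        }'
}

# rule_pkts TABLE CHAIN IN_IFACE PROTO DPORT
# Packet counter of the first rule in CHAIN with that in-interface, protocol and
# destination port; prints "none" when no such rule exists (for example a
# physical interface that has no port 53 rule at all, as in the thread).
rule_pkts() {
    printf '%s\n' "$1" | awk -v chain="$2" -v iface="$3" -v proto="$4" -v port="$5" '
        /^Chain / { cur = $2; next }
        cur == chain && $6 == iface && $4 == proto && $NF == ("dpt:" port) {
            print $1; found = 1; exit
        }
        END { if (!found) print "none" }'
}

# Usage: list the rules that matched, then ask about DNS on specific interfaces
# (eth0 is an assumed name for the physical interface).
hit_rules "$SAMPLE"
for ifc in virbr1 virbr0 eth0; do
    printf 'udp/53 on %s: %s packets\n' "$ifc" "$(rule_pkts "$SAMPLE" INPUT "$ifc" udp 53)"
done
```

A zero counter on a rule that should be matching, or "none" for the interface the client actually uses, narrows the problem to the packet never arriving on that interface (check with the tcpdump command above) rather than to the rule set; once the LOG rules from the message are in place, the same idea applies to the dmesg lines they produce.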