IPTables Linux Firewall troubleshooting tip

This is a pretty quick post, but I wanted to throw it out here as it might help somebody. Once you get into several tables and a large rule base, it can be difficult to figure out which rule blocked a packet that should have been allowed through.

Instead of:
IN=eth1 OUT=tun0 SRC=10.2.1.2 DST=10.3.1.6 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=16679 PROTO=ICMP TYPE=0 CODE=0 ID=29120 SEQ=4

your log entry can carry a prefix that serves as a breadcrumb, pointing you in the right direction when tracking down the overzealous rule. This is done with the --log-prefix parameter. For example, let's say you have a table where you keep all your rules for PBX connectivity; you could add a prefix that tells you that chain's cleanup rule is the one hosing you. You add the prefix like so:
--log-prefix "[PBX-OUT CLEANUP]"

Now the log entries look like:
[PBX-OUT CLEANUP]IN=eth1 OUT=tun0 SRC=10.2.1.2 DST=10.3.1.6 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=16679 PROTO=ICMP TYPE=0 CODE=0 ID=29120 SEQ=4

In this instance I am adding the prefix to the "cleanup" rule, the last rule in the table, which blocks all traffic not specifically allowed above it. You could add a prefix to any rule in a chain, or a distinctive prefix to one particular rule, to help troubleshoot unexpected behavior. This definitely comes in handy on firewalls you might only touch a couple of times a year.
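Once the prefixes are in place, the next step is usually to pull the matching lines out of syslog and see which cleanup rule is dropping what. The following is an added example, not code from the original post: a small Python parser for kernel log lines in the format shown above that groups logged packets by their --log-prefix and lists the distinct flows each rule caught. The log lines and prefixes are constructed samples.

```python
import re
from collections import Counter, defaultdict

# Constructed sample syslog lines in the format the post shows. Note that
# --log-prefix is limited to 29 characters, and that without a trailing space
# inside the quotes the prefix runs straight into IN= as in the post's example.
SAMPLE_LOG = """\
Mar  3 10:01:02 fw kernel: [PBX-OUT CLEANUP]IN=eth1 OUT=tun0 SRC=10.2.1.2 DST=10.3.1.6 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=16679 PROTO=ICMP TYPE=0 CODE=0 ID=29120 SEQ=4
Mar  3 10:01:03 fw kernel: [PBX-OUT CLEANUP]IN=eth1 OUT=tun0 SRC=10.2.1.2 DST=10.3.1.6 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=16680 PROTO=UDP SPT=5060 DPT=5060 LEN=40
Mar  3 10:01:05 fw kernel: [MGMT-IN CLEANUP]IN=eth0 OUT= SRC=192.0.2.55 DST=10.1.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=1 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Mar  3 10:01:06 fw kernel: IN=eth0 OUT= SRC=192.0.2.56 DST=10.1.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=2 DF PROTO=TCP SPT=40001 DPT=23 WINDOW=64240 RES=0x00 SYN URGP=0
"""

# Everything between "kernel: " (after an optional dmesg-style "[ 123.456] "
# timestamp) and the first "IN=" is the --log-prefix; the rest is the packet.
LINE_RE = re.compile(r"kernel: (?:\[\s*\d+\.\d+\]\s*)?(?P<prefix>.*?)IN=(?P<rest>.*)$")
# Netfilter fields are KEY=VALUE tokens; bare flags like DF or SYN are skipped.
KV_RE = re.compile(r"(\w+)=(\S*)")

def parse_line(line):
    """Return a dict with the prefix and the fields that matter for triage, or None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    prefix = m.group("prefix").strip() or "(no prefix)"
    fields = dict(KV_RE.findall("IN=" + m.group("rest")))  # later keys win (ICMP repeats ID=)
    return {
        "prefix": prefix,
        "in": fields.get("IN", ""),
        "out": fields.get("OUT", ""),
        "src": fields.get("SRC"),
        "dst": fields.get("DST"),
        "proto": fields.get("PROTO"),
        "dpt": fields.get("DPT"),  # absent for ICMP
    }

def summarize(log_text):
    """Count logged packets per prefix and collect the distinct flows each rule hit."""
    counts = Counter()
    flows = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        counts[rec["prefix"]] += 1
        flows[rec["prefix"]].add((rec["src"], rec["dst"], rec["proto"], rec["dpt"]))
    return counts, flows

if __name__ == "__main__":
    counts, flows = summarize(SAMPLE_LOG)
    for prefix, n in counts.most_common():
        print(f"{prefix}: {n} packet(s)")
        for src, dst, proto, dpt in sorted(flows[prefix], key=str):
            print(f"    {src} -> {dst} {proto}" + (f"/{dpt}" if dpt else ""))
```

Lines without a prefix land in a "(no prefix)" bucket, which is a quick way to spot LOG rules you have not yet tagged.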