You can use the iptables-tracer tool to trace packets in iptables chains as they pass through the Linux firewall. This tool allows you to understand if traffic is passing through certain iptables chains.
To use iptables-tracer, install git and Go, then clone the repository:
# dnf install git go
# git clone https://github.com/x-way/iptables-tracer
# cd ./iptables-tracer/
Then build the binary:
# go build
As a result, you will get the iptables-tracer binary in the current directory.
List the current rules in the iptables firewall (filter table, then nat table):
# iptables -L -v -n
# iptables -L -v -n -t nat
Next, select the traffic whose path through the iptables chains you want to trace. The -f option takes the match expression and -t sets how long the trace runs. For example, to see which chains ICMP ping traffic to 192.168.1.56 passes through:
# ./iptables-tracer -f "-d 192.168.1.56 -p icmp" -t 10s
nat PREROUTING NEW IP 192.168.1.1 > 192.168.1.56: ICMP echo request, [In:ens18 Out:]
filter INPUT NEW IP 192.168.1.1 > 192.168.1.56: ICMP echo request, [In:ens18 Out:]
nat INPUT NEW IP 192.168.1.1 > 192.168.1.56: ICMP echo request, [In:ens18 Out:]
In this example, you can see that the incoming packets first pass through the nat table (PREROUTING chain), then the filter table (INPUT chain), and finally the nat table's INPUT chain.
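To check a trace like the one above against an expected path (for example, to confirm that a packet really reaches filter INPUT), the output can be parsed line by line. The following is an added example, not part of iptables-tracer itself; it assumes the line format shown above, and the lines for a host-originated ping are constructed for illustration.

```python
import re
from collections import OrderedDict

# One trace line per (table, chain) hop, in the format shown above:
#   <table> <chain> <state> <packet summary>, [In:<iface> Out:<iface>]
TRACE_LINE = re.compile(
    r"^(?P<table>\w+)\s+(?P<chain>\S+)\s+(?P<state>\w+)\s+"
    r"(?P<summary>.*?),\s*\[In:(?P<inif>[^\s\]]*)\s+Out:(?P<outif>[^\]]*)\]$"
)

# Constructed sample: the three lines from the ping trace above, plus three
# hypothetical lines for a ping sent from the host itself (assumed format).
SAMPLE_TRACE = """\
nat PREROUTING NEW IP 192.168.1.1 > 192.168.1.56: ICMP echo request, [In:ens18 Out:]
filter INPUT NEW IP 192.168.1.1 > 192.168.1.56: ICMP echo request, [In:ens18 Out:]
nat INPUT NEW IP 192.168.1.1 > 192.168.1.56: ICMP echo request, [In:ens18 Out:]
nat OUTPUT NEW IP 192.168.1.56 > 192.168.1.1: ICMP echo request, [In: Out:ens18]
filter OUTPUT NEW IP 192.168.1.56 > 192.168.1.1: ICMP echo request, [In: Out:ens18]
nat POSTROUTING NEW IP 192.168.1.56 > 192.168.1.1: ICMP echo request, [In: Out:ens18]
"""

def parse_trace(text):
    """Parse trace output into a list of hop dicts, preserving print order."""
    hops = []
    for line in text.splitlines():
        m = TRACE_LINE.match(line.strip())
        if m:  # lines that are not trace hops (blank, banners) are ignored
            hops.append(m.groupdict())
    return hops

def paths_by_packet(hops):
    """Group hops per packet summary -> ordered list of (table, chain)."""
    paths = OrderedDict()
    for h in hops:
        paths.setdefault(h["summary"], []).append((h["table"], h["chain"]))
    return paths

def reached(hops, table, chain):
    """True if any traced packet was seen in the given table/chain."""
    return any(h["table"] == table and h["chain"] == chain for h in hops)

if __name__ == "__main__":
    for summary, path in paths_by_packet(parse_trace(SAMPLE_TRACE)).items():
        print(summary)
        print("   " + " -> ".join(f"{t}/{c}" for t, c in path))
```

Pipe a real run into it with `./iptables-tracer -f "..." -t 10s | python3 trace_path.py` after replacing SAMPLE_TRACE with `sys.stdin.read()`.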
Other filters work the same way; the filter syntax of iptables-tracer follows iptables match syntax. For example, to trace traffic from IP 192.168.1.98 to TCP port 22 for 60 seconds, run:
# ./iptables-tracer -f "-s 192.168.1.98 -p tcp --dport 22" -t 60s
When run without a filter parameter, iptables-tracer traces UDP traffic with destination port 53.