Is log file incomplete?


I have set up port forwarding in the firewall rules. This works perfectly. If I deactivate the rule, access is no longer possible. If I now access this forwarding, I have an entry in /var/log/messages with DNAT and one with FORWARDFW, and if the rule is deactivated, one with DROP_INPUT. This is exactly how I expected it to be.

If I now create a new entry in the firewall rules (ON TOP OF port forwarding), in which all access from the external IP is blocked, I can no longer access the computer. This is also as expected. However, I still have entries with DNAT and FORWARDFW in the log, but nothing with DROP_INPUT. So I do not see that the external access is completely blocked.

Logging is switched on for all rules.

I found similar problems in the old forum, but no solution.

Does anyone know what I’m doing wrong.

Stay healthy

which of the two rules comes first?

A DNAT rule for a port redirect the connection to the LAN by changing the target address. This run before the main firewall.
This target address will decide if it run to FORWARD chain or INPUT chain so a port that have a active DNAT rule will never reach INPUT.

if you have a blocking and a forward rule both will create the same log entries. (FORWARDFW)


thank you very much for the answers.

The blocking rule comes first.

Rule 1: block all incoming network traffic from ip
Rule 10: port forwarding to port xxx.
Both rules work fine! Except the blocked IP, all others can access the port. It’s only about the entries in the logfile.

I understand (I hope) so far. But shouldn’t rule 1 already leave an entry in the log file (DROP_INPUT) when it is processed? If rule 10 is actually reached (but it should never reached because of rule 1), the log entries DNAT and FOWARDFW could appear.

If I activate rule 1, but not rule 10, then I have an entry DROP_INPUT in the log file. If I activate Rule 10, but not Rule 1, the entries DNAT and FOWARDFW appear. However, if I activate both rules, the DROP_INPUT is missing in the log file, although the drop rule is working, the blocked IP address cannot access the network.

thank you and please apologize my poor english

Rule 10 is splitted into two internal parts one in DNAT and on in the INPUT/FORWARDFW. The DNAT part is always running before the normal firewall because it change the target address. So the DNAT part of rule 10 is executed before rule1 and the packet not reach INPUT at all because it has to be FORWARDED.

So I got it right. It is just a shame that rule 1 does not have an entry in the log file. Proof that access has been blocked is practically impossible.

Do you maybe know if you can change the rules somehow so that there is an entry?