Article proposal: NAT and port forwarding troubleshooting

One way to expose containers or virtual machines to the wider internet is to use iptables or nftables to translate incoming connection requests so that they are sent to the container/VM address instead.

I’d like to write a series of smaller posts that show ways to debug NAT/connection tracking to figure out why something is not working as expected.

I would write the following articles:

1. An introduction to netfilter rule/packet tracing

   This shows how to use iptables/nftables tracing to figure out which address rewrite/NAT rule is actually used/matched. It will also cover best practices to avoid drowning in “useless noise”, aka “too much irrelevant debug output”.

2. The conntrack tool

   This gives an introduction to the “conntrack” command. This would cover its use to inspect the connection tracking table and the statistic counters, how to read this output, and how to delete entries.

3. The conntrack event framework

   This is “part 2” of the previous article. This shows how to use the conntrack command to tap into the event notification framework in order to follow the “lifecycle” of a connection handled by netfilter’s connection tracking component.

4. conntrack troubleshooting

   This will show how to get more information as to why packets are getting dropped inside of conntrack by means of conntrack sysctl knobs.
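As an added example of reading the connection tracking table the second article would cover (this is illustration code, not part of the proposal or of the conntrack tool): a small parser for lines in the format printed by `conntrack -L` that tells, for each entry, whether a DNAT or SNAT rewrite was applied by comparing the original-direction and reply-direction tuples. The sample lines are constructed with documentation-range addresses, and `forwarded_flows` is a hypothetical helper for checking whether a port-forwarding rule actually produced a translated entry.

```python
import re
from dataclasses import dataclass

# Constructed sample in `conntrack -L` format (documentation-range addresses): an
# inbound flow DNAT'd to a container, an outbound SNAT'd flow, and a DNS lookup with no NAT.
SAMPLE_CONNTRACK_OUTPUT = """\
tcp      6 431995 ESTABLISHED src=203.0.113.7 dst=198.51.100.10 sport=51234 dport=80 src=10.0.3.2 dst=203.0.113.7 sport=8080 dport=51234 [ASSURED] mark=0 use=1
tcp      6 118 SYN_SENT src=10.0.3.2 dst=192.0.2.25 sport=40000 dport=443 [UNREPLIED] src=192.0.2.25 dst=198.51.100.10 sport=443 dport=40000 mark=0 use=1
udp      17 29 src=198.51.100.10 dst=198.51.100.1 sport=53001 dport=53 src=198.51.100.1 dst=198.51.100.10 sport=53 dport=53001 mark=0 use=1
"""

TUPLE_RE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")


@dataclass
class Flow:
    proto: str
    state: str      # TCP state word, or "-" for protocols without one
    orig: tuple     # (src, dst, sport, dport) as the client sent it
    reply: tuple    # (src, dst, sport, dport) the reply is expected to carry
    flags: list     # e.g. ["ASSURED"] or ["UNREPLIED"]

    def nat_kind(self):
        """After DNAT the reply comes from the rewritten destination (reply src != orig
        dst); after SNAT the reply is addressed to the rewritten source (reply dst != orig src)."""
        kinds = []
        if (self.reply[0], self.reply[2]) != (self.orig[1], self.orig[3]):
            kinds.append("DNAT")
        if (self.reply[1], self.reply[3]) != (self.orig[0], self.orig[2]):
            kinds.append("SNAT")
        return "+".join(kinds) or "none"


def parse_conntrack(text):
    flows = []
    for line in text.splitlines():
        tuples = TUPLE_RE.findall(line)
        if len(tuples) != 2:
            continue  # not a flow line we recognise
        fields = line.split()
        state = fields[3] if not fields[3].startswith("src=") else "-"
        to_tuple = lambda t: (t[0], t[1], int(t[2]), int(t[3]))
        flows.append(Flow(fields[0], state, to_tuple(tuples[0]), to_tuple(tuples[1]),
                          re.findall(r"\[(\w+)\]", line)))
    return flows


def forwarded_flows(text, public_port):
    """DNAT entries whose original (public) destination port is `public_port`."""
    return [f for f in parse_conntrack(text)
            if f.orig[3] == public_port and "DNAT" in f.nat_kind()]
```

An empty result from `forwarded_flows` for the port you forwarded means no translated entry exists for it, which narrows the search to the rule itself rather than the container.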


Sounds good to me! +1

+1. I’ve created the cards for tracking these articles. Have you signed into Taiga?
