One way to expose containers or virtual machines to the wider internet is to use iptables or nftables to rewrite the destination of incoming connection requests so they are delivered to the container/VM address instead.
I’d like to write a series of smaller posts that show ways to debug NAT/connection tracking and to figure out why something is not working as expected.
I would write the following articles:
1. An introduction to netfilter rule/packet tracing

   This shows how to use iptables/nftables tracing to figure out which address rewrite/NAT rule is actually used/matched. It will also cover best practices to avoid drowning in “useless noise”, i.e. too much irrelevant debug output.

2. The conntrack tool

   This gives an introduction to the “conntrack” command. It covers using the tool to inspect the connection tracking table and the statistics counters, how to read this output, and how to delete entries.

3. The conntrack event framework

   This is “part 2” of the previous article. It shows how to use the conntrack command to tap into the event notification framework in order to follow the “lifecycle” of a connection handled by netfilter’s connection tracking component.

4. conntrack troubleshooting

   This will show how to get more information as to why packets are getting dropped inside of conntrack by means of conntrack sysctl knobs.
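As an added example (not part of the original post), here is the kind of nftables ruleset the first paragraph describes: a DNAT rule that forwards a port on the host to a container, a masquerade rule for the return path, and a narrowly scoped trace rule of the sort the first article is about. All addresses, the port numbers and the interface name “eth0” are constructed for illustration.

```nft
# Constructed example ruleset: 203.0.113.10 is the host's public address,
# 10.0.3.5 is a container on the 10.0.3.0/24 bridge, eth0 is the uplink.
table ip nat {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # Rewrite the destination of inbound port 8080 to the container's port 80.
        ip daddr 203.0.113.10 tcp dport 8080 dnat to 10.0.3.5:80
    }
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # Hide outbound container traffic behind the host address.
        ip saddr 10.0.3.0/24 oifname "eth0" masquerade
    }
}

table ip filter {
    chain trace {
        # priority raw (-300) runs before dstnat (-100), so the packet is
        # traced before and through the NAT decision.
        type filter hook prerouting priority raw; policy accept;
        # Trace only the flow of interest instead of every packet.
        tcp dport 8080 meta nftrace set 1
    }
}
```

Load it with `nft -f <file>`, then watch `nft monitor trace` while connecting to port 8080: the trace output names the chain and rule that matched and shows the rewritten destination. The resulting connection tracking entry can then be inspected with `conntrack -L` and its state changes followed live with `conntrack -E`, which is the ground covered by the second and third articles.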