
Re: kernel log



On Thu, Sep 25, 2003 at 11:35:13PM +0700, jaya@te.pdft.ugm.ac.id wrote:
<snip from below>
> I tried iptables -I INPUT -s 172.20.113.60 -p all -j DROP on the gateway
> computer (172.20.112.1), but I still got those messages. The same for the
> squid computer (172.20.113.180) because I suspected that it tried to access
> 8080

Why would you be dropping 172.20.113.60 on the INPUT chain?  From what I
see below, the source is 172.20.112.1.  Looking at the source port and
flags on the packets, it seems as though this may not be in the INPUT
chain anyway.

A good step to take would be making logging more verbose.  In other words,
when a packet gets logged, log something with it indicating where it got
dropped, like --log-prefix "OUTPUT packet dropped: ".  That might give you
more information as to where it was dropped or what rule triggered the
drop.

It might be useful to sniff the traffic too, using tcpdump or similar.

Steve

> since September 24, I got these messages in /var/log/kern.log, and all
> my console logins (tty1-tty7) are full of those messages:
> Sep 25 23:28:50 gate kernel: IN=eth0 OUT=eth0 SRC=172.20.112.1
> DST=172.20.113.60 LEN=41 TOS=0x00 PREC=0x00 TTL=63 ID=46529 DF PROTO=TCP
> SPT=8080 DPT=1060 WINDOW=6432 RES=0x00 ACK PSH URGP=0
> Sep 25 23:28:55 gate kernel: IN=eth0 OUT=eth0 SRC=172.20.112.1
> DST=172.20.113.60 LEN=41 TOS=0x00 PREC=0x00 TTL=63 ID=56975 DF PROTO=TCP
> SPT=8080 DPT=1039 WINDOW=6432 RES=0x00 ACK PSH URGP=0
> Sep 25 23:28:55 gate kernel: IN=eth0 OUT=eth0 SRC=172.20.112.1
> DST=172.20.113.60 LEN=1500 TOS=0x00 PREC=0x00 TTL=63 ID=60232 DF
> PROTO=TCP SPT=8080 DPT=4244 WINDOW=6432 RES=0x00 ACK URGP=0
> Sep 25 23:29:05 gate kernel: IN=eth0 OUT=eth0 SRC=172.20.112.1
> DST=172.20.113.60 LEN=41 TOS=0x00 PREC=0x00 TTL=63 ID=2720 DF PROTO=TCP
> SPT=8080 DPT=1065 WINDOW=6432 RES=0x00 ACK PSH URGP=0
> Sep 25 23:29:07 gate kernel: IN=eth0 OUT=eth0 SRC=172.20.112.1
> DST=172.20.113.60 LEN=1500 TOS=0x00 PREC=0x00 TTL=63 ID=60233 DF
> PROTO=TCP SPT=8080 DPT=4244 WINDOW=6432 RES=0x00 ACK URGP=0
> Sep 25 23:29:07 gate kernel: IN=eth0 OUT=eth0 SRC=172.20.112.1
> DST=172.20.113.60 LEN=41 TOS=0x00 PREC=0x00 TTL=63 ID=52918 DF PROTO=TCP
> SPT=8080 DPT=4928 WINDOW=6432 RES=0x00 ACK PSH URGP=0
> Sep 25 23:29:10 gate kernel: IN=eth0 OUT=eth0 SRC=172.20.112.1
> DST=172.20.113.60 LEN=560 TOS=0x00 PREC=0x00 TTL=63 ID=50755 DF
> PROTO=TCP SPT=8080 DPT=4925 WINDOW=6432 RES=0x00 ACK PSH URGP=0
> 
> Those messages will stop when the client (172.20.113.60) is shut down
> (between 09.00AM and 04PM). But this day I could check that client
> because his room is locked :-(
> 
<snip to above>
> 
> I used Debian 3.0r0 kernel 2.4.18bf
> 
> TIA
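As an added illustration of Steve's two points (IN/OUT tell you which chain logged the packet, and a --log-prefix removes the guesswork), here is a small Python 3 parser for netfilter LOG lines in the format quoted above. This is example code, not from either poster; the first two sample lines are taken from the thread, the third one, carrying an assumed "OUTPUT packet dropped:" prefix, is constructed.

```python
import re
from collections import Counter

# Constructed sample in the netfilter LOG format shown in the thread; the third
# line is made up to show what a --log-prefix'd OUTPUT-chain entry looks like.
SAMPLE_LOG = """\
Sep 25 23:28:50 gate kernel: IN=eth0 OUT=eth0 SRC=172.20.112.1 DST=172.20.113.60 LEN=41 TOS=0x00 PREC=0x00 TTL=63 ID=46529 DF PROTO=TCP SPT=8080 DPT=1060 WINDOW=6432 RES=0x00 ACK PSH URGP=0
Sep 25 23:28:55 gate kernel: IN=eth0 OUT=eth0 SRC=172.20.112.1 DST=172.20.113.60 LEN=1500 TOS=0x00 PREC=0x00 TTL=63 ID=60232 DF PROTO=TCP SPT=8080 DPT=4244 WINDOW=6432 RES=0x00 ACK URGP=0
Sep 25 23:29:12 gate kernel: OUTPUT packet dropped: IN= OUT=eth1 SRC=172.20.112.1 DST=10.0.0.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=33000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
"""

TCP_FLAGS = {"SYN", "ACK", "PSH", "FIN", "RST", "URG"}
KV_RE = re.compile(r"(\w+)=(\S*)")

def parse_line(line):
    """Return --log-prefix text (if any), key=value fields and bare TCP flags."""
    body = line.partition("kernel: ")[2]
    start = re.search(r"\bIN=", body).start()      # fields begin at IN=
    prefix = body[:start].strip()                  # anything before IN= is the prefix
    fields = dict(KV_RE.findall(body[start:]))     # IN= with empty value parses as ""
    flags = {tok for tok in body[start:].split() if tok in TCP_FLAGS}
    return {"prefix": prefix, "fields": fields, "flags": flags}

def infer_chain(fields):
    """The LOG target does not record the chain, but IN/OUT narrow it down:
    only IN set -> INPUT, only OUT set -> OUTPUT, both set -> FORWARD."""
    has_in, has_out = bool(fields.get("IN")), bool(fields.get("OUT"))
    if has_in and has_out:
        return "FORWARD"
    return "INPUT" if has_in else "OUTPUT" if has_out else "UNKNOWN"

def classify(entry):
    """ACK without SYN means part of an existing connection, not a new one."""
    f = entry["flags"]
    return "mid-stream" if "ACK" in f and "SYN" not in f else "new/other"

def summarize(log_text):
    """Count entries per (chain, SRC, SPT, DST, class); an explicit prefix wins."""
    summary = Counter()
    for line in (l for l in log_text.splitlines() if "kernel: " in l):
        e = parse_line(line)
        f = e["fields"]
        chain = e["prefix"] or infer_chain(f)
        summary[(chain, f["SRC"], f["SPT"], f["DST"], classify(e))] += 1
    return summary

if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LOG).items():
        print(n, key)
```

Run against the thread's lines it reports them as FORWARD-chain, mid-stream packets from 172.20.112.1:8080, which is why an INPUT rule on the gateway never matched them.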
