Re: strange upd traffic (ipchains newbie)

To: Thomas Guettler <guettli@interface-business.de>
Cc: debian-security@lists.debian.org
Subject: Re: strange upd traffic (ipchains newbie)
From: Alexander Hvostov <vulture@aoi.dyndns.org>
Date: Fri, 14 Jul 2000 04:30:10 -0700 (PDT)
Message-id: <[🔎] Pine.LNX.4.21.0007140423160.19184-100000@cornerstone.core.aoi>
In-reply-to: <[🔎] 20000714131041.G1505@gurkensalat.interface-business.de>

Thomas,

Create a rule for each possible source address, i.e.:

for i in 127.0.0.1 192.168.1.1 192.168.1.2 192.168.1.3; do
  ipchains -A input -s $i
done

That will set up counters for traffic coming from 127.0.0.1, 192.168.1.1,
192.168.1.2, and 192.168.1.3, all with their own counters. Alternatively,
you could do this:

ipchains -N incoming
inchains -A incoming
for i in 127.0.0.1 192.168.1.1 192.168.1.2 192.168.1.3; do
  ipchains -A input -s $i -j incoming
done

Notice the ipchains -A incoming line; that creates a no-op rule whose sole
purpose is for the counters attached to each rule. It would match _all_
packets, but not alter them in any way -- just count them. In addition,
the rules for each host (with `-j incoming' on the end) would also have
their own, separate counters. This entire rule set does nothing to
incoming packets other than to count them.

Regards,

Alex.

---
PGP/GPG Fingerprint:
  EFD1 AC6C 7ED5 E453 C367  AC7A B474 16E0 758D 7ED9

-----BEGIN GEEK CODE BLOCK-----
Version: 3.12
GCS/CM>CC/IT d- s:+ a16 C++(++++)>$ UL++++>$ P---() L+++>+ E+>+ W+(-) N o? K? w--() 
!O M- !V PS+>+ PE- Y+ PGP t+ !5 X-- !R tv b DI D++ 
G>+++ e-- h! !r y 
------END GEEK CODE BLOCK------

On Fri, 14 Jul 2000, Thomas Guettler wrote:

> 
> Thanks, Leen, Alexander and Tim for your answers.
> 
> I found the solution. I produced the traffic myself.
> I did "ipchains -v -L" every second in a script to see what happens
> on my network. I am interested in amount of traffic, at the moment.
> But ipchains itselfs displays ip-adresses with names, not numbers, 
> so I had several dns-queries every second!
> Now I do "watch -n 1 -d 'echo started at: $DATE_START; ipchains -vn -L'"
> (-n!) and it works fine.
> 
> Alexander, you said I shouldn't use "-j ACCEPT", but I want
> to split the traffic in three categories: 
> from 127.* from company-addresses and from rest. 
> Unfortunately you can't use boolean operators in "-s / -d".
> "-s (127.0.0.0/8 | 192.168.0.0/16)" would be cool.
> Is there a way of doing this?
> 
> That's way I use "-j rule" at the moment. I want to change
> ACCEPT to my_rule someday if I have time to.
> 
> # count access from localhost
> ipchains -A input -s 127.0.0.0/8 -i lo -j ACCEPT
> # count access from gurkensalat (localhost)
> ipchains -A input -s gurkensalat -j ACCEPT
> # count access from internal network
> ipchains -A input -s 193.101.57.0/24 -j ACCEPT
> # count access from rest (internet)
> ipchains -A input -j ACCEPT
> 
> 
> 
> -- 
>                        Thomas Guettler
> Office: 
>   <guettli@interface-business.de>  http://www.interface-business.de
> Private:
>   <guettli@gmx.de>  http://yj.org/guettli
> 
> 
> 
> --  
> To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
>

Reply to:

References:
- Re: strange upd traffic (ipchains newbie)
  - From: Thomas Guettler <guettli@gurkensalat.interface-business.de>

Prev by Date: Re: strange upd traffic (ipchains newbie)
Next by Date: Logging atempts
Previous by thread: Re: strange upd traffic (ipchains newbie)
Next by thread: Oracle And Pam
Index(es):
- Date
- Thread