Re: newbie iptables question
On Fri, 13 Aug 2004 at 08:13:21AM -0700, Wanda Round wrote:
> After reading that I should look through /var/log/messages, I did
> and found many lines like these:
>
> Aug 12 04:36:53 towern kernel: |iptables -- IN=ppp0 OUT= MAC=
> SRC=201.129.122.85 DST=12.65.24.43 LEN=48 TOS=0x00 PREC=0x00 TTL=115
> ID=40023 DF PROTO=TCP SPT=4346 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0
>
> Aug 12 04:40:59 towern kernel: |iptables -- IN=ppp0 OUT= MAC=
> SRC=83.36.139.197 DST=12.65.24.43 LEN=52 TOS=0x00 PREC=0x00 TTL=46
> ID=19155 DF PROTO=TCP SPT=4845 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0
>
> The 12.65.24.43 was my dialup connection. The 201.129.etc and 83.36.etc
> were from Mexico and Spain.
>
> MAN iptables didn't help me at all!
>
> What are these lines telling me? Where can I find a simpler explanation
> of iptables logs?
It is saying a rule matched. Doesn't say what you did with the packet
though, just tells you about the packet. If you want to know what you
did with it you would need to include a log-prefix in your iptables
scripts.
Here is what we know:
Interface Traffic came IN on: ppp0
The IP Address the traffic came from is: 83.36.139.197
THE IP Address it was destined to: 12.65.24.43
The length of the packet was: 53 bytes
The Type of Service flag was set to null (00)
The SYN flag was set, this was a connection attempt
The IP ID Field (for IP Fragmentation) was: 19155
The layer 4 protocol was: TCP
The layer 4 port was (source): 4346
The layer 4 port destination was: 445
The size of the TCP Window was: 16384 bytes
Shorter version: Someone from 83.36.139.197 tried to connect to
12.65.24.43 (presumably you) on port 445 via interface ppp0. We cannot
deduce what action was taken by your computer because you (or your
IPTABLES Interface program) did not log this. It is for this reason I
run my own IPTABLES script and edit it by hand (pretty
masochistic....huh?). My guess is this packet was related to an
automated attack (worm).
Hope this helps,
--
Phillip Hofmeister
Reply to: