Re: newbie iptables question
On Fri, Aug 13, 2004 at 08:13:21AM -0700, Wanda Round wrote:
> Aug 12 04:36:53 towern kernel: |iptables -- IN=ppp0 OUT= MAC=
> SRC=18.104.22.168 DST=22.214.171.124 LEN=48 TOS=0x00 PREC=0x00 TTL=115
> ID=40023 DF PROTO=TCP SPT=4346 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0
> What are these lines telling me? Where can I find a simpler explanation
> of iptables logs?
They are TCP/IP header fields, and if you don't already know what they
mean, they probably aren't useful to you; but a reference on TCP/IP
would be enlightening.
If you're trying to figure out why they were printed in the first place,
it's because your iptables configuration ("iptables --list") decided
they were worth logging, probably because the packets were dropped. You
should try to figure out which rule matched the packet. You can do this
by either tracing the rules "by hand", or adding a --log-prefix to the
logging rules. If the rules are created by a firewall tool, the latter
might be hard (I wish firewall tools would always add a string to the
log, so the user can see which policy is violated); perhaps you could
iptables-save, add the --log-prefix options, iptables-restore.
But it's probably not worth spending too much time tracking this down.
Bad packets, not even malicious ones, are part of the background noise
of the internet.