* tcpdump and Iptables
From: CC @ 2004-09-02 17:56 UTC (permalink / raw)
To: netfilter
Hi,
I think I've asked this before here, but I
don't remember what the answer was.
If I have iptables running and I do a
tcpdump -i eth0, at what point is
tcpdump listening to the connection?
I'm trying to troubleshoot my firewall,
but am not seeing the right behaviour
as the packets that I'm trying to block
by the following command:
$IPTABLES -A FORWARD -i eth1 -p tcp \
-d 192.168.7.1 -j DROP
But I still get tcp packets going to
192.168.7.1.
And wouldn't :
$IPTABLES -A FORWARD -i eth1 -p tcp \
-s 192.168.7.1 -j DROP
in effect disable all access to the
internet for machine IP 192.168.7.1?
But my main query is about the
relationship between the packets that
TCPDUMP sees and where the packets
are within the packet filtering
process.
Thanks
* Re: tcpdump and Iptables
From: Jason Opperisano @ 2004-09-02 18:06 UTC (permalink / raw)
To: netfilter
On Thu, 2004-09-02 at 13:56, CC wrote:
> Hi,
>
> I think I've asked this before here, but I
> don't remember what the answer was.
>
> If I have iptables running and I do a
> tcpdump -i eth0, at what point is
> tcpdump listening to the connection?
tcpdump operates at the BPF layer, which is below netfilter.
if the inbound interface is eth0; packets that will eventually be
dropped by netfilter will be captured by tcpdump.
if you're trying to see whether packets make it *through* the
firewall--tcpdump on the exiting interface.
-j
--
Jason Opperisano <opie@817west.com>
* Re: tcpdump and Iptables
From: Nick Drage @ 2004-09-02 18:07 UTC (permalink / raw)
To: netfilter
On Fri, Sep 03, 2004 at 01:56:33AM +0800, CC wrote:
> If I have iptables running and I do a tcpdump -i eth0, at what point
> is tcpdump listening to the connection?
tcpdump will see the packets before IPTables does anything to them.
--
mors omnia vincit
* Re: tcpdump and Iptables
From: Jose Maria Lopez @ 2004-09-02 20:25 UTC (permalink / raw)
To: netfilter@lists.netfilter.org
On Thu, 02/09/2004 at 19:56, CC wrote:
> Hi,
>
> I think I've asked this before here, but I
> don't remember what the answer was.
>
> If I have iptables running and I do a
> tcpdump -i eth0, at what point is
> tcpdump listening to the connection?
>
> I'm trying to troubleshoot my firewall,
> but am not seeing the right behaviour
> as the packets that I'm trying to block
> by the following command:
>
> $IPTABLES -A FORWARD -i eth1 -p tcp \
> -d 192.168.7.1 -j DROP
>
> But I still get tcp packets going to
> 192.168.7.1.
Wouldn't it work if you used -o eth1 instead of
-i eth1? Where is 192.168.7.1 situated? If
the routes say it has to go through eth1 to
get to 192.168.7.1 then you need -o.
Or maybe you have packets routed through other
interfaces, not eth1. Or maybe the packets
are being originated in the same firewall, so
the FORWARD rule does not apply.
>
> And wouldn't :
>
> $IPTABLES -A FORWARD -i eth1 -p tcp \
> -s 192.168.7.1 -j DROP
>
> in effect disables all access to the
> internet for machine IP 192.168.7.1?
>
> But my main query is about the
> relationship between the packets that
> TCPDUMP sees and where the packets
> are within the packet filtering
> process.
>
> Thanks
--
Jose Maria Lopez Hernandez
Director Tecnico de bgSEC
jkerouac@bgsec.com
bgSEC Seguridad y Consultoria de Sistemas Informaticos
http://www.bgsec.com
ESPAÑA
The only people for me are the mad ones -- the ones who are mad to live,
mad to talk, mad to be saved, desirous of everything at the same time,
the ones who never yawn or say a commonplace thing, but burn, burn, burn
like fabulous yellow Roman candles.
-- Jack Kerouac, "On the Road"
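As an added example (not code from the thread or from any of its posters), a small POSIX shell script that puts Jason's and Jose's points together: find out which interface packets to 192.168.7.1 actually leave on, build the FORWARD rule with -o for that egress interface rather than -i, decide which chain a flow hits when the firewall itself is an endpoint, and capture the flow on both sides of the firewall so the ingress copy (which tcpdump sees before netfilter runs) can be compared with the egress copy (which exists only for packets that survived FORWARD). It assumes eth0 is the upstream interface and eth1 faces 192.168.7.1, that iproute2's `ip route get` is available, and that /tmp is writable; the sample `ip route get` line in the comments is constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes eth0 = upstream, eth1 = the
# side where 192.168.7.1 lives, iproute2 present, captures written to /tmp.

# Parse the interface named after "dev" in one line of `ip route get` output,
# e.g. (constructed) "192.168.7.1 dev eth1 src 192.168.7.254 uid 0" -> eth1
dev_from_route() {
    printf '%s\n' "$1" | awk '{ for (i = 1; i < NF; i++)
        if ($i == "dev") { print $(i + 1); exit } }'
}

# Build a FORWARD rule dropping TCP toward host $1 on its *egress* interface $2.
# The rule in the thread used "-i eth1", which matches packets *arriving* on
# eth1; traffic going *to* 192.168.7.1 leaves via eth1, so it needs "-o eth1".
drop_rule_to_host() {
    printf 'iptables -A FORWARD -o %s -p tcp -d %s -j DROP\n' "$2" "$1"
}

# Which chain does a flow traverse on the firewall box itself?
# $1 = 1 if the firewall is the source, $2 = 1 if the firewall is the destination.
# Locally generated packets never enter FORWARD, which is Jose's last point.
chain_for_flow() {
    if [ "$1" = 1 ]; then echo OUTPUT
    elif [ "$2" = 1 ]; then echo INPUT
    else echo FORWARD
    fi
}

# Privileged part, run only as: sh this_script.sh run
if [ "${1:-}" = run ]; then
    host=192.168.7.1
    egress=$(dev_from_route "$(ip route get "$host" | head -n 1)")
    echo "Packets to $host leave this box via $egress; rule to use:"
    drop_rule_to_host "$host" "$egress"

    # Same BPF filter on both interfaces for 30 seconds. The upstream-side
    # capture shows what arrived (before netfilter); the egress-side capture
    # shows only what FORWARD let through.
    tcpdump -ni eth0 -w /tmp/ingress.pcap "tcp and dst host $host" & p1=$!
    tcpdump -ni "$egress" -w /tmp/egress.pcap "tcp and dst host $host" & p2=$!
    sleep 30
    kill "$p1" "$p2" 2>/dev/null
    wait "$p1" "$p2" 2>/dev/null || true
    printf 'ingress: %s packets, egress: %s packets\n' \
        "$(tcpdump -nr /tmp/ingress.pcap 2>/dev/null | wc -l)" \
        "$(tcpdump -nr /tmp/egress.pcap 2>/dev/null | wc -l)"
fi
```

If the ingress count is non-zero and the egress count is zero, the DROP rule is doing its job and tcpdump on eth0 was simply showing packets before netfilter discarded them; if both counts are non-zero, the packets are taking a path the rule does not match (wrong interface option, a different route, or a locally generated flow that goes through OUTPUT instead of FORWARD).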
* Re: tcpdump and Iptables
From: cc @ 2004-09-03 0:41 UTC (permalink / raw)
To: Nick Drage, netfilter
Nick Drage wrote:
> On Fri, Sep 03, 2004 at 01:56:33AM +0800, CC wrote:
>> If I have iptables running and I do a tcpdump -i eth0, at what point
>> is tcpdump listening to the connection?
>
> tcpdump will see the packets before IPTables does anything to them.
Thanks Nick for the info. Exactly what I wanted to know.
Edmund
* Re: tcpdump and Iptables
From: Nick Drage @ 2004-09-03 10:23 UTC (permalink / raw)
To: netfilter
On Fri, Sep 03, 2004 at 08:41:42AM +0800, cc wrote:
> Nick Drage wrote:
> >>If I have iptables running and I do a tcpdump -i eth0, at what
> >>point is tcpdump listening to the connection?
> >
> >tcpdump will see the packets before IPTables does anything to them.
>
> Thanks NIck for the info. Exactly what I wanted to know.
Thanks... though Jason's explanation was rather better :)
tcpdump is an excellent tool, but (excuse me if I'm stating the obvious),
don't underestimate the usefulness of the logging rules in IPTables
combined with
tail -f /var/log/$logfile | grep $string_you_are_looking_for
--
mors omnia vincit
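As an added example (not Nick's or the list's code), the logging approach in shell: a LOG rule with a prefix placed in front of the DROP rule, and a parser for the KEY=VALUE fields the kernel writes for each logged packet, which holds up better than grepping for a substring once several rules are logging. The chain, interface and 192.168.7.1 follow the thread; the prefix FWD-DROP, the log file path and the sample log line are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. The LOG prefix "FWD-DROP: " and the
# sample line below are constructed; the rule match follows the thread.

# The LOG rule must come *before* the DROP with the same match: DROP is
# terminal, so a LOG placed after it never fires. --limit stops a flood
# of matching packets from filling the log. Run as root, on purpose only.
install_logging_rules() {
    iptables -A FORWARD -o eth1 -p tcp -d 192.168.7.1 \
        -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
    iptables -A FORWARD -o eth1 -p tcp -d 192.168.7.1 -j DROP
}

# Extract one KEY=VALUE field from a netfilter LOG line ($1 = line, $2 = key).
# Prints an empty string when the key is absent or has no value (e.g. "OUT=").
log_field() {
    printf '%s\n' "$1" | awk -v key="$2" '{
        for (i = 1; i <= NF; i++) {
            n = index($i, "=")
            if (n > 0 && substr($i, 1, n - 1) == key) { print substr($i, n + 1); exit }
        }
    }'
}

# One-line summary: "IN>OUT SRC:SPT -> DST:DPT PROTO"
summarise() {
    printf '%s>%s %s:%s -> %s:%s %s\n' \
        "$(log_field "$1" IN)"  "$(log_field "$1" OUT)" \
        "$(log_field "$1" SRC)" "$(log_field "$1" SPT)" \
        "$(log_field "$1" DST)" "$(log_field "$1" DPT)" \
        "$(log_field "$1" PROTO)"
}

# Constructed sample in the format the kernel emits for the LOG target.
SAMPLE='Sep  3 10:23:01 fw kernel: FWD-DROP: IN=eth0 OUT=eth1 SRC=203.0.113.9 DST=192.168.7.1 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4711 DF PROTO=TCP SPT=40112 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0'

# Live use: sh this_script.sh follow /var/log/messages
if [ "${1:-}" = follow ]; then
    tail -f "$2" | while read -r line; do
        case $line in
            *'FWD-DROP: '*) summarise "$line" ;;
        esac
    done
fi
```

Because the LOG line carries IN= and OUT=, it also answers the interface question directly: a packet logged with IN=eth0 OUT=eth1 has already been routed, so the FORWARD rule that matches it needs -o eth1, not -i eth1.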
* RE: tcpdump and Iptables
From: Hudson Delbert J Contr 61 CS/SCBN @ 2004-09-03 14:23 UTC (permalink / raw)
To: 'Netfilter Mailing List'
netcat (nc shows up under ps) might be useful...
it's a net utility which does I/O across connections using tcp/ip.
it can make its paths or be driven by other programs like ssh.
it's got a lot of debug and discovery modules in it so it can (and has)
created almost any kind of connection... and some other `interesting
built-ins`.
does:
any tcp or udp
any direction
any tcp port
any udp port
sound good... wait, there's more..
tunnel with any/all params on/off.
excellent at port-scanning YOUR own networks
clock controlled buffered send-mode like 1 every X seconds
hexdump
std<err,out> available which means this stuff can be sent to the syslogs if
desired.
and as usual mileage will vary..... make sure you have permission to do this;
if you ain't sure, ask again...
nufsaid.
v/r,
~piranha
* RE: tcpdump and Iptables
From: Hudson Delbert J Contr 61 CS/SCBN @ 2004-09-03 14:27 UTC (permalink / raw)
To: 'Netfilter Mailing List'
oops... sorry list, i forgot to mention that one should
manipulate the SO_BROADCAST option on UDP sockets.
this doesn't work on TCP so you are on your own on that one..
ignore the bogus manner in which it treats bcast addresses.
the other info is worth the trade off.
v/r
~piranha
* Re: tcpdump and Iptables
From: Jose Maria Lopez @ 2004-09-03 17:20 UTC (permalink / raw)
To: netfilter@lists.netfilter.org
On Thu, 02/09/2004 at 20:07, Nick Drage wrote:
> On Fri, Sep 03, 2004 at 01:56:33AM +0800, CC wrote:
>
> > If I have iptables running and I do a tcpdump -i eth0, at what point
> > is tcpdump listening to the connection?
>
> tcpdump will see the packets before IPTables does anything to them.
If that's true (I don't doubt it) then I have a question:
Where in the routing process does tcpdump see the traffic?
It can be very important to know it for some studies.
--
Jose Maria Lopez Hernandez
Director Tecnico de bgSEC
jkerouac@bgsec.com
bgSEC Seguridad y Consultoria de Sistemas Informaticos
http://www.bgsec.com
ESPAÑA
The only people for me are the mad ones -- the ones who are mad to live,
mad to talk, mad to be saved, desirous of everything at the same time,
the ones who never yawn or say a commonplace thing, but burn, burn, burn
like fabulous yellow Roman candles.
-- Jack Kerouac, "On the Road"