From: "U.Mutlu" <for-gmane@mutluit.com>
To: netfilter@vger.kernel.org
Subject: Re: do not understand these logged iptables packets
Date: Thu, 18 Oct 2012 04:28:23 +0200 [thread overview]
Message-ID: <507F6947.1020903@mutluit.com> (raw)
In-Reply-To: <50742084.7080802@comcast.net>
AJ Weber wrote, On 10/09/2012 03:03 PM:
>> Sorry, I'm a bit of a novice with understanding the iptables logged output. I'm obviously rejecting some
>> packets that don't appear to be generated by my server, yet they seem to indicate that they were generated
>> by my server? I can not identify any process/daemon of mine that should be generating any of these entries.
>>
>> Do they look "familiar" to anyone? Are there any tools recommended to better determine what rule they're
>> triggering or something?
These are standard LOG results, here specified for invalid tcp state, ie. unexpected ACK SYN packets.
Here's a slightly different example for the INPUT chain (yours is for OUTPUT I think):
iptables -A INPUT -p tcp --tcp-flags RST RST -m state --state INVALID -j LOG --log-prefix "[TCP reject]"
>> Thanks in advance,
>> AJ
>>
>> Oct 8 22:22:41 servername kernel: [TCP reject] IN= OUT=eth0 SRC=74.x.x.x DST=54.248.104.161 LEN=40 TOS=0x00
>> PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=80 DPT=50740 WINDOW=5 RES=0x00 ACK SYN URGP=0
>> Oct 8 22:52:20 servername kernel: [TCP reject] IN= OUT=eth0 SRC=74.x.x.x DST=1.34.22.39 LEN=40 TOS=0x00
>> PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=1080 DPT=6000 WINDOW=5 RES=0x00 ACK SYN URGP=0
>> Oct 8 22:57:35 servername kernel: [TCP reject] IN= OUT=eth0 SRC=74.x.x.x DST=61.160.195.24 LEN=40 TOS=0x00
>> PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=1433 DPT=6000 WINDOW=5 RES=0x00 ACK SYN URGP=0
>> Oct 8 23:06:34 servername kernel: [TCP reject] IN= OUT=eth0 SRC=74.x.x.x DST=218.201.121.99 LEN=40 TOS=0x00
>> PREC=0x40 TTL=64 ID=0 DF PROTO=TCP SPT=8080 DPT=3955 WINDOW=5 RES=0x00 ACK SYN URGP=0
>> Oct 8 23:11:23 servername kernel: [TCP reject] IN= OUT=eth0 SRC=74.x.x.x DST=58.218.199.227 LEN=40 TOS=0x00
>> PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=9000 DPT=12200 WINDOW=5 RES=0x00 ACK SYN URGP=0
>> Oct 8 23:11:23 servername kernel: [TCP reject] IN= OUT=eth0 SRC=74.x.x.x DST=58.218.199.227 LEN=40 TOS=0x00
>> PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=2479 DPT=12200 WINDOW=5 RES=0x00 ACK SYN URGP=0
>> Oct 8 23:11:23 servername kernel: [TCP reject] IN= OUT=eth0 SRC=74.x.x.x DST=58.218.199.227 LEN=40 TOS=0x00
>> PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=8118 DPT=12200 WINDOW=5 RES=0x00 ACK SYN URGP=0
>>
prev parent reply other threads:[~2012-10-18 2:28 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <5073A4E5.10406@comcast.net>
2012-10-09 13:03 ` do not understand these logged iptables packets AJ Weber
2012-10-18 2:28 ` U.Mutlu [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=507F6947.1020903@mutluit.com \
--to=for-gmane@mutluit.com \
--cc=netfilter@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.