Can someone recommend a document that will give me a heads up on how to read the output of iptables that's not 4 inches thick? ;)
Example:
Oct 1 14:21:32 zeus kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT= MAC=00:10:4b:10:69:c1:00:20:6f:13:82:d2:08:00 SRC=61.195.156.12 DST=64.0.161.154 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=10094 DF PROTO=TCP SPT=1332 DPT=443 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A03E4463C0000000001030300)
I found the output from ipchains much easier to read. It was more "this is the ip of the attacker..this is the port they're coming from and this is the port they're trying to gain access to.." but iptables seems different to me.
-- Ben Rosenberg ---===---===---===--- mailto:ben@whack.org Tell me what you believe.. I tell you what you should see.
On Tuesday 01 October 2002 23.27, Ben Rosenberg wrote:
Can someone recommend a document that will give me a heads up on how to read the output of iptables that's not 4 inches thick? ;)
Example:
Oct 1 14:21:32 zeus kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT= MAC=00:10:4b:10:69:c1:00:20:6f:13:82:d2:08:00 SRC=61.195.156.12 DST=64.0.161.154 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=10094 DF PROTO=TCP SPT=1332 DPT=443 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A03E4463C0000000001030300)
I found the output from ipchains much easier to read. It was more "this is the ip of the attacker..this is the port they're coming from and this is the port they're trying to gain access to.." but iptables seems different to me.
SuSE-FW-DROP-DEFAULT = Log title produced by the SuSEfirewall2 script describing the action taken
IN = interface the packet came in on
OUT = interface the packet went out on. In this case, nada
MAC = Combined MAC address of sender and recipient
SRC = Source IP. "this is the ip of the attacker"
DST = Destination IP
LEN, TOS, PREC, TTL, ID = various stuff in the TCP/IP headers
PROTO = protocol of the packet
SPT = Source port. "this is the port they're coming from"
DPT = Destination port. "this is the port they're trying to gain access to"
WINDOW, RES = more packet header stuff
SYN = The packet was a SYN packet, i.e. the first packet in a TCP negotiation.
The details of the header fields can be found in the RFC documents on TCP and IP (http://www.faqs.org/rfcs/rfc793.html, http://www.faqs.org/rfcs/rfc791.html).
//Anders
I have a book called "Linux Firewalls" 2nd edition by Robert L. Ziegler (New Riders publication) for my firewall stuff. Pg 324-327 break apart the TCP and UDP packets nicely, and easily. (The first edition was ipchains, which I still use...but I am preparing for iptables for when I get 8.1 :D) Although, it pretty much just has the same info that Anders Johansson replied with, but with slightly more detail. The only thing I can't seem to find...what the "OPT" line is about?
jeric
On Tuesday 01 October 2002 23.27, Ben Rosenberg wrote:
Can someone recommend a document that will give me a heads up on how to read the output of iptables that's not 4 inches thick? ;)
Example:
Oct 1 14:21:32 zeus kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT= MAC=00:10:4b:10:69:c1:00:20:6f:13:82:d2:08:00 SRC=61.195.156.12 DST=64.0.161.154 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=10094 DF PROTO=TCP SPT=1332 DPT=443 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A03E4463C0000000001030300)
I found the output from ipchains much easier to read. It was more "this is the ip of the attacker..this is the port they're coming from and this is the port they're trying to gain access to.." but iptables seems different to me.
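Anders's field-by-field breakdown and Jeric's question about the OPT part are both covered by the following Python, which is an added example written for this page and not code from anyone in the thread or from SuSEfirewall2. It parses a netfilter LOG line into its KEY=VALUE fields, splits the 14-byte MAC= value into destination MAC, source MAC and EtherType (that is the order the kernel logs the Ethernet header in), decodes the OPT hex as TCP options (kinds 2, 3, 4 and 8 per RFC 793, RFC 1323 and RFC 2018; the LOG target only emits OPT when the rule was given --log-tcp-options), and produces the ipchains-style one-liner Ben was after. The sample line is the one Ben posted, with the stray character after the closing parenthesis removed; the function names are my own.

```python
import re

# Constructed sample input: the line Ben posted, minus the stray trailing
# character the archive added after the closing parenthesis.
SAMPLE = ('Oct 1 14:21:32 zeus kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT= '
          'MAC=00:10:4b:10:69:c1:00:20:6f:13:82:d2:08:00 SRC=61.195.156.12 '
          'DST=64.0.161.154 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=10094 DF '
          'PROTO=TCP SPT=1332 DPT=443 WINDOW=5840 RES=0x00 SYN URGP=0 '
          'OPT (020405B40402080A03E4463C0000000001030300)')

TCP_FLAGS = ('SYN', 'ACK', 'FIN', 'RST', 'PSH', 'URG')


def parse_iptables_log(line):
    """One netfilter LOG line -> dict. KEY=VALUE tokens become entries (an
    empty value such as OUT= stays ''), bare words such as DF or SYN become
    True, the text before the first KEY= token (the --log-prefix) is kept
    under 'PREFIX', and the hex inside 'OPT (...)' is kept under 'OPT'."""
    m = re.search(r'kernel:\s*(.*)$', line)
    rec = m.group(1) if m else line
    fields = {}
    m = re.search(r'OPT \(([0-9A-Fa-f]*)\)', rec)
    if m:
        fields['OPT'] = m.group(1)
        rec = rec[:m.start()] + rec[m.end():]
    tokens = rec.split()
    i = 0
    while i < len(tokens) and '=' not in tokens[i]:
        i += 1
    fields['PREFIX'] = ' '.join(tokens[:i])
    for tok in tokens[i:]:
        if '=' in tok:
            key, value = tok.split('=', 1)
            fields[key] = value
        else:
            fields[tok] = True
    return fields


def split_mac(mac):
    """MAC= is the raw 14-byte Ethernet header: destination MAC, source MAC,
    then the 2-byte EtherType (08:00 = IPv4)."""
    octets = mac.split(':')
    if len(octets) != 14:
        return None
    return {'dst': ':'.join(octets[:6]),
            'src': ':'.join(octets[6:12]),
            'ethertype': '0x' + ''.join(octets[12:])}


def decode_tcp_options(hexblob):
    """Decode the TCP options bytes logged by --log-tcp-options.
    Kinds 0 (EOL) and 1 (NOP) are single bytes; every other option is
    kind, length, payload. Unknown kinds are returned as raw hex, and a
    length that runs past the data raises instead of being guessed at."""
    data = bytes.fromhex(hexblob)
    opts = []
    i = 0
    while i < len(data):
        kind = data[i]
        if kind == 0:
            opts.append(('EOL', None))
            break
        if kind == 1:
            opts.append(('NOP', None))
            i += 1
            continue
        if i + 1 >= len(data):
            raise ValueError('truncated option header at offset %d' % i)
        length = data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError('bad option length %d at offset %d' % (length, i))
        body = data[i + 2:i + length]
        if kind == 2 and len(body) == 2:
            opts.append(('MSS', int.from_bytes(body, 'big')))
        elif kind == 3 and len(body) == 1:
            opts.append(('WSCALE', body[0]))
        elif kind == 4 and len(body) == 0:
            opts.append(('SACK_PERMITTED', None))
        elif kind == 8 and len(body) == 8:
            opts.append(('TIMESTAMP', (int.from_bytes(body[:4], 'big'),
                                       int.from_bytes(body[4:], 'big'))))
        else:
            opts.append(('KIND%d' % kind, body.hex()))
        i += length
    return opts


def summarize(line):
    """The ipchains-style one-liner: who, from which port, to which port,
    with which TCP flags, and what the firewall rule did with it."""
    f = parse_iptables_log(line)
    flags = [t for t in TCP_FLAGS if f.get(t) is True]
    return '%s %s:%s -> %s:%s [%s] %s in=%s out=%s' % (
        f.get('PROTO', '?'), f.get('SRC', '?'), f.get('SPT', '-'),
        f.get('DST', '?'), f.get('DPT', '-'), ','.join(flags) or '-',
        f['PREFIX'], f.get('IN') or '-', f.get('OUT') or '-')


if __name__ == '__main__':
    fields = parse_iptables_log(SAMPLE)
    print(summarize(SAMPLE))
    print(split_mac(fields['MAC']))
    print(decode_tcp_options(fields['OPT']))
```

On the sample line the OPT bytes decode to MSS 1460, SACK permitted, timestamps (TSval 65291836, TSecr 0), a NOP and window scale 0, which is what a Linux host of that era puts in a SYN. The decoder refuses a malformed length rather than guessing, which matters when the lines come from hosts you do not control.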
Install "prelude" to produce very wonderful and easily understandable reports (even for management) in html. I swear by it as it has made my life so much easier....
cheers Kat
On Tue, 2002-10-01 at 17:27, Ben Rosenberg wrote:
Can someone recommend a document that will give me a heads up on how to read the output of iptables that's not 4 inches thick? ;)
Example:
Oct 1 14:21:32 zeus kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT= MAC=00:10:4b:10:69:c1:00:20:6f:13:82:d2:08:00 SRC=61.195.156.12 DST=64.0.161.154 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=10094 DF PROTO=TCP SPT=1332 DPT=443 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A03E4463C0000000001030300)
I found the output from ipchains much easier to read. It was more "this is the ip of the attacker..this is the port they're coming from and this is the port they're trying to gain access to.." but iptables seems different to me.
http://rpmfind.net/linux/rpm2html/search.php?query=prelude
On Tue, 2002-10-01 at 18:42, Rowan Reid wrote:
Install "prelude" to produce very wonderful and easily understandable reports (even for management) in html. I swear by it as it has made my life so much easier....
Where can one find a copy of prelude?
On 01 Oct 2002 23:29:09 -0400, kathee wrote:
Those are Mandrake rpms, maybe they work with suse. The homepage is at: http://www.prelude-ids.org/
On Tue, 2002-10-01 at 18:42, Rowan Reid wrote:
Install "prelude" to produce very wonderful and easily understandable reports (even for management) in html. I swear by it as it has made my life so much easier....
Where can one find a copy of prelude?
-- use Perl; #powerful programmable prestidigitation
participants (6)
- Anders Johansson
- Ben Rosenberg
- Jeric
- kathee
- Rowan Reid
- zentara