Mailinglist Archive: opensuse (4348 mails)

Re: [SLE] reading output from iptables.
  • From: Anders Johansson <andjoh@xxxxxxxxxxxxxxxxxxxxx>
  • Date: Tue, 1 Oct 2002 23:41:59 +0200
  • Message-id: <200210012341.59290.andjoh@xxxxxxxxxxxxxxxxxxxxx>
On Tuesday 01 October 2002 23.27, Ben Rosenberg wrote:
> Can someone recommend a document that will give me a heads up on how to
> read the output of iptables that's not 4 inches thick? ;)
>
> Example:
>
> Oct 1 14:21:32 zeus kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT=
> MAC=00:10:4b:10:69:c1:00:20:6f:13:82:d2:08:00 SRC=61.195.156.12
> DST=64.0.161.154 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=10094 DF PROTO=TCP
> SPT=1332 DPT=443 WINDOW=5840 RES=0x00 SYN URGP=0 OPT
> (020405B40402080A03E4463C0000000001030300)
>
> I found the output from ipchains much easier to read. It was more "this
> is the ip of the attacker..this is the port they're coming from and this
> is the port they're trying to gain access to.." but iptables seems
> different to me.

SuSE-FW-DROP-DEFAULT = log title produced by the SuSEfirewall2 script,
describing the action taken

IN = interface the packet came in on
OUT = interface the packet went out on. In this case, nada
MAC = combined MAC address of sender and recipient
SRC = source IP. "this is the ip of the attacker"
DST = destination IP
LEN, TOS, PREC, TTL, ID = various stuff in the TCP/IP headers
PROTO = protocol of the packet
SPT = source port. "this is the port they're coming from"
DPT = destination port. "this is the port they're trying to gain access to"
WINDOW, RES = more packet header stuff
SYN = the packet was a SYN packet, i.e. the first packet in a TCP negotiation.

The details of the header fields can be found in the RFC documents on TCP and
IP (http://www.faqs.org/rfcs/rfc793.html,
http://www.faqs.org/rfcs/rfc791.html).

//Anders
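As an added illustration (not part of the thread, and not SuSEfirewall2's own code), here is a small Python parser that turns a line of this LOG format into the "who, from where, to what" form Ben was missing from ipchains. It uses Ben's quoted line as its sample input, splits the MAC field into destination MAC, source MAC and EtherType (the raw Ethernet header, which is what the LOG target prints), and goes one step further than the reply above by decoding the hex dump after OPT into the TCP options it carries (MSS, SACK-permitted, timestamps, window scale in the sample). Function and field names are my own choices.

```python
import re

# Sample line, copied from the one quoted in the thread (SuSEfirewall2 LOG output).
SAMPLE = (
    "Oct 1 14:21:32 zeus kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT= "
    "MAC=00:10:4b:10:69:c1:00:20:6f:13:82:d2:08:00 SRC=61.195.156.12 "
    "DST=64.0.161.154 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=10094 DF PROTO=TCP "
    "SPT=1332 DPT=443 WINDOW=5840 RES=0x00 SYN URGP=0 OPT "
    "(020405B40402080A03E4463C0000000001030300)"
)

# TCP option kinds from RFC 793 plus the common extensions
TCP_OPTION_NAMES = {0: "EOL", 1: "NOP", 2: "MSS", 3: "WSCALE", 4: "SACK_PERM",
                    5: "SACK", 8: "TIMESTAMPS"}
TCP_FLAG_NAMES = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}


def decode_tcp_options(hexstr):
    """Decode the hex dump the LOG target prints after OPT into (name, value)
    tuples. Raises ValueError on a truncated or malformed option list."""
    data = bytes.fromhex(hexstr)
    opts, i = [], 0
    while i < len(data):
        kind = data[i]
        if kind == 0:                      # end of option list
            opts.append(("EOL", None))
            break
        if kind == 1:                      # one-byte padding
            opts.append(("NOP", None))
            i += 1
            continue
        if i + 1 >= len(data):
            raise ValueError("option kind %d without a length byte" % kind)
        length = data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad length %d for option kind %d" % (length, kind))
        body = data[i + 2:i + length]
        name = TCP_OPTION_NAMES.get(kind, "KIND%d" % kind)
        if kind == 2:                      # maximum segment size, 2 bytes
            value = int.from_bytes(body, "big")
        elif kind == 3:                    # window scale shift count, 1 byte
            value = body[0]
        elif kind == 8:                    # (TSval, TSecr), 4 bytes each
            value = (int.from_bytes(body[:4], "big"), int.from_bytes(body[4:], "big"))
        else:
            value = body.hex() or None     # SACK_PERM has no body
        opts.append((name, value))
        i += length
    return opts


def split_mac(mac_field):
    """MAC= is the raw 14-byte Ethernet header: destination MAC, source MAC,
    then the EtherType (0800 = IPv4)."""
    parts = mac_field.split(":")
    if len(parts) != 14:
        return None
    return {"dst_mac": ":".join(parts[:6]), "src_mac": ":".join(parts[6:12]),
            "ethertype": "0x" + "".join(parts[12:])}


def parse_netfilter_log(line):
    """Parse one iptables LOG line into its prefix, key=value fields and bare flags."""
    m = re.search(r"kernel:\s*(?P<prefix>.*?)\s*IN=", line)
    if m is None:
        raise ValueError("not an iptables LOG line")
    body = line[m.end() - len("IN="):]
    # fold "OPT (hex)" into a single token so a plain whitespace split works
    body = re.sub(r"OPT \(([0-9A-Fa-f]*)\)", r"OPT=\1", body)
    fields, flags = {}, set()
    for tok in body.split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value
        else:
            flags.add(tok)                 # DF, MF, SYN, ACK, ... are printed bare
    rec = {"prefix": m.group("prefix"), "fields": fields, "flags": flags}
    if "MAC" in fields:
        rec["mac"] = split_mac(fields["MAC"])
    if fields.get("PROTO") == "TCP" and fields.get("OPT"):
        rec["tcp_options"] = decode_tcp_options(fields["OPT"])
    return rec


def is_new_connection_attempt(rec):
    """SYN without ACK: the first packet of a TCP handshake, i.e. someone
    trying to open a connection to DPT (exactly what Ben's sample shows)."""
    return (rec["fields"].get("PROTO") == "TCP"
            and "SYN" in rec["flags"] and "ACK" not in rec["flags"])


def summarize(rec):
    """Render the record in the ipchains-style 'who, from where, to what' form."""
    f = rec["fields"]
    src = f.get("SRC", "?") + (":" + f["SPT"] if "SPT" in f else "")
    dst = f.get("DST", "?") + (":" + f["DPT"] if "DPT" in f else "")
    tcp_flags = " ".join(sorted(rec["flags"] & TCP_FLAG_NAMES)) or "-"
    return "%s: %s -> %s %s [%s] in=%s ttl=%s" % (
        rec["prefix"], src, dst, f.get("PROTO", "?"), tcp_flags,
        f.get("IN") or "-", f.get("TTL", "?"))


if __name__ == "__main__":
    rec = parse_netfilter_log(SAMPLE)
    print(summarize(rec))
    for name, value in rec.get("tcp_options", []):
        print("  option", name, value)
```

Run on the sample line it prints `SuSE-FW-DROP-DEFAULT: 61.195.156.12:1332 -> 64.0.161.154:443 TCP [SYN] in=eth0 ttl=51`, followed by MSS 1460, SACK permitted, a timestamp option, a NOP and a window scale of 0. Note that the source MAC is not the remote host's (that is many hops away, as TTL=51 suggests) but the upstream router that handed the frame to eth0, so SRC, not MAC, is the field that identifies the sender.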
