[lug] Interpreting iptables log messages

Ben Whaley bwhaley at gmail.com
Tue Oct 2 17:25:21 MDT 2007


Bill,

I'm sure Google would be your friend for documentation details. As far
as this exchange goes, however, it looks like 106.118.153.84 sent a
UDP packet to 111.222.217.247 port 1026. The destination,
111.222.217.247, replied with an ICMP Type 3 Code 3 (destination
unreachable, port unreachable) response - basically stating that the
port is filtered. The incoming packet was matched against rules on the
INPUT chain (destined for your router) and the outgoing packet was
matched against rules on the OUTPUT chain (outbound from the router).

- Ben


On 10/2/07, Bill Thoen <bthoen at gisnet.com> wrote:
> I'm exploring the arcane world of iptables and firewalls, and I was
> wondering if there's a good online document that explains how to
> interpret the log messages that can be produced by this software?
> Specifically, I'm trying to make sense of exchanges like this (since I
> don't recognize IP 106.118.153.84, and I suspect it's up to no good):
>
> Oct  2 13:41:24 bill kernel:  **DEFAULT-INPUT** IN=eth0 OUT=
> MAC=00:11:5b:e6:aa:38:00:b0:c2:88:c3:c2:08:00 SRC=106.118.153.84
> DST=111.222.217.247 LEN=394 TOS=0x00 PREC=0x00 TTL=51 ID=26187 PROTO=UDP
> SPT=30296 DPT=1026 LEN=374
> Oct  2 13:41:24 bill kernel:  **DEFAULT-OUTPUT** IN= OUT=eth0
> SRC=111.222.217.247 DST=106.118.153.84 LEN=422 TOS=0x00 PREC=0xC0 TTL=64
> ID=37515 PROTO=ICMP TYPE=3 CODE=3 [SRC=106.118.153.84
> DST=111.222.217.247 LEN=394 TOS=0x00 PREC=0x00 TTL=51 ID=26187 PROTO=UDP
> SPT=30296 DPT=1026 LEN=374 ]
>
> - Bill Thoen
> _______________________________________________
> Web Page:  http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
> Join us on IRC: lug.boulder.co.us port=6667 channel=#colug
>

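The exchange Ben describes, worked through in code as an added example (not part of the original thread): a small parser for iptables LOG-target lines that keeps the duplicated LEN= field (IP total length, then UDP length) instead of overwriting it, pulls the original packet quoted in square brackets out of the ICMP error, infers the chain from IN=/OUT=, and pairs the OUTPUT ICMP type 3 code 3 with the INPUT UDP packet it answers by matching the quoted headers (addresses, protocol, IP ID, ports). The two sample lines are constructed to match the shape of the ones Bill posted, joined onto one line each; the classic `host kernel:` syslog layout is assumed.

```python
"""Parse iptables LOG lines and correlate ICMP errors with the packets they
quote.  Added example; SAMPLE_LOG is constructed from the two lines in the
thread (mail wrapping removed)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SAMPLE_LOG = (
    "Oct  2 13:41:24 bill kernel:  **DEFAULT-INPUT** IN=eth0 OUT= "
    "MAC=00:11:5b:e6:aa:38:00:b0:c2:88:c3:c2:08:00 SRC=106.118.153.84 "
    "DST=111.222.217.247 LEN=394 TOS=0x00 PREC=0x00 TTL=51 ID=26187 PROTO=UDP "
    "SPT=30296 DPT=1026 LEN=374\n"
    "Oct  2 13:41:24 bill kernel:  **DEFAULT-OUTPUT** IN= OUT=eth0 "
    "SRC=111.222.217.247 DST=106.118.153.84 LEN=422 TOS=0x00 PREC=0xC0 TTL=64 "
    "ID=37515 PROTO=ICMP TYPE=3 CODE=3 [SRC=106.118.153.84 "
    "DST=111.222.217.247 LEN=394 TOS=0x00 PREC=0x00 TTL=51 ID=26187 PROTO=UDP "
    "SPT=30296 DPT=1026 LEN=374 ]\n"
)

# syslog timestamp, host, "kernel:", then the --log-prefix and KEY=VALUE fields
LINE_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+"
                     r"(?P<host>\S+)\s+kernel:\s*(?P<rest>.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S*)")        # OUT= with an empty value is legal
INNER_RE = re.compile(r"\[(SRC=.*?)\]")      # packet quoted inside an ICMP error
ICMP_UNREACH = {0: "net unreachable", 1: "host unreachable",
                2: "protocol unreachable", 3: "port unreachable",
                4: "fragmentation needed", 13: "administratively prohibited"}


@dataclass
class LogEntry:
    timestamp: str
    host: str
    prefix: str                         # --log-prefix text, e.g. **DEFAULT-INPUT**
    fields: Dict[str, str]
    inner: Optional[Dict[str, str]]     # quoted original packet (ICMP errors only)


def parse_fields(text: str) -> Dict[str, str]:
    """KEY=VALUE pairs; a repeated key (LEN= is printed for the IP header and
    again for the UDP header) is stored as KEY2, KEY3, ... not overwritten."""
    fields: Dict[str, str] = {}
    for key, value in FIELD_RE.findall(text):
        base, n = key, 2
        while key in fields:
            key, n = f"{base}{n}", n + 1
        fields[key] = value
    return fields


def parse_line(line: str) -> Optional[LogEntry]:
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rest, inner = m.group("rest"), None
    im = INNER_RE.search(rest)
    if im:                               # parse the quoted packet on its own
        inner = parse_fields(im.group(1))
        rest = rest[:im.start()] + rest[im.end():]
    start = re.search(r"(?<!\S)IN=", rest)   # IN= is always the first field
    if not start:
        return None
    return LogEntry(m.group("ts"), m.group("host"), rest[:start.start()].strip(),
                    parse_fields(rest[start.start():]), inner)


def parse_log(text: str) -> List[LogEntry]:
    return [e for e in map(parse_line, text.splitlines()) if e]


def chain_of(e: LogEntry) -> str:
    """Built-in chain inferred from IN=/OUT=: both set means FORWARD."""
    has_in, has_out = bool(e.fields.get("IN")), bool(e.fields.get("OUT"))
    if has_in and has_out:
        return "FORWARD"
    return "INPUT" if has_in else "OUTPUT"


def describe(e: LogEntry) -> str:
    f = e.fields
    s = f"{chain_of(e)} {f['PROTO']} {f['SRC']}->{f['DST']}"
    if f["PROTO"] in ("TCP", "UDP"):
        s += f" sport {f['SPT']} dport {f['DPT']}"
    elif f["PROTO"] == "ICMP":
        t, c = int(f["TYPE"]), int(f["CODE"])
        s += f" type {t} code {c}"
        if t == 3:
            s += f" (destination unreachable: {ICMP_UNREACH.get(c, 'code %d' % c)})"
        if e.inner:
            s += (f", in reply to {e.inner['PROTO']} {e.inner['SRC']}->"
                  f"{e.inner['DST']} dport {e.inner.get('DPT', '?')}")
    return s


def correlate(entries: List[LogEntry]) -> List[Tuple[int, int]]:
    """Pair each ICMP error with the earlier entry whose headers match the
    packet it quotes.  Returns (original_index, icmp_index) pairs."""
    keys = ("SRC", "DST", "PROTO", "ID", "SPT", "DPT")
    sig = lambda f: tuple(f.get(k) for k in keys)
    seen: Dict[tuple, int] = {}
    pairs = []
    for i, e in enumerate(entries):
        if e.inner is not None and sig(e.inner) in seen:
            pairs.append((seen[sig(e.inner)], i))
        seen.setdefault(sig(e.fields), i)
    return pairs


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for e in entries:
        print(e.timestamp, e.prefix, describe(e))
    for j, i in correlate(entries):
        print(f"entry {i} is the ICMP error answering entry {j}")
```

Two caveats for real logs: `INNER_RE` insists on `[SRC=` so that a kernel uptime stamp such as `[ 1234.5678]` printed after `kernel:` on newer systems is not mistaken for a quoted packet (it will simply end up at the front of `prefix`), and `correlate` keys on the IP ID plus addresses, protocol and ports, so two identical retransmissions with different IDs are kept apart.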