[lug] Interpreting iptables log messages

Bill Thoen bthoen at gisnet.com
Wed Oct 3 07:15:33 MDT 2007


Thanks Ben, 

I did try Google first, but I didn't find anything about interpreting the
iptables logs specifically. I must not be using the right search terms. I
did find (by Googling on 'udp port 1026') that this was probably an attempt
to send me some instant message spam, and it failed. 
 
I can guess what most of the parameter abbreviations mean, but I don't know
what TOS= and PREC= mean.


On Tue, Oct 02, 2007 at 05:25:21PM -0600, Ben Whaley wrote:
> Bill,
> 
> I'm sure Google would be your friend for documentation details. As far
> as this exchange goes, however, it looks like 106.118.153.84 sent a
> UDP packet to 111.222.217.247 port 1026. The destination,
> 111.222.217.247, replied with an ICMP Type 3 Code 3 (destination
> unreachable, port unreachable) response - basically stating that the
> port is filtered. The incoming packet was matched against rules on the
> INPUT chain (destined for your router) and the outgoing packet was
> matched against rules on the OUTPUT chain (outbound from the router).
> 
> - Ben
> 
> 
> On 10/2/07, Bill Thoen <bthoen at gisnet.com> wrote:
> > I'm exploring the arcane world of iptables and firewalls, and I was
> > wondering if there's a good online document that explains how to
> > interpret the log messages that can be produced by this software?
> > Specifically, I'm trying to make sense of exchanges like this (since I
> > don't recognize IP 106.118.153.84, and I suspect it's up to no good):
> >
> > Oct  2 13:41:24 bill kernel:  **DEFAULT-INPUT** IN=eth0 OUT=
> > MAC=00:11:5b:e6:aa:38:00:b0:c2:88:c3:c2:08:00 SRC=106.118.153.84
> > DST=111.222.217.247 LEN=394 TOS=0x00 PREC=0x00 TTL=51 ID=26187 PROTO=UDP
> > SPT=30296 DPT=1026 LEN=374
> > Oct  2 13:41:24 bill kernel:  **DEFAULT-OUTPUT** IN= OUT=eth0
> > SRC=111.222.217.247 DST=106.118.153.84 LEN=422 TOS=0x00 PREC=0xC0 TTL=64
> > ID=37515 PROTO=ICMP TYPE=3 CODE=3 [SRC=106.118.153.84
> > DST=111.222.217.247 LEN=394 TOS=0x00 PREC=0x00 TTL=51 ID=26187 PROTO=UDP
> > SPT=30296 DPT=1026 LEN=374 ]
> >
> > - Bill Thoen
> > _______________________________________________
> > Web Page:  http://lug.boulder.co.us
> > Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
> > Join us on IRC: lug.boulder.co.us port=6667 channel=#colug
> >
> 
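Added example, not part of the thread: a small Python parser for LOG-target lines like the two quoted above. The LOG target prints the IP TOS byte split in two: PREC= is its top three bits (RFC 791 precedence, mask 0xE0) and TOS= is the RFC 1349 type-of-service bits (mask 0x1E). That is why the UDP probe shows PREC=0x00 while the kernel's own ICMP error shows PREC=0xC0, the Internetwork Control precedence the Linux stack puts on ICMP errors it generates. The bracketed part of the ICMP line is the header of the packet the error is about, and the parser uses it to tie the DEFAULT-OUTPUT line back to the DEFAULT-INPUT line. The sample input is the two lines from the thread re-joined onto single lines as syslog writes them; the field names and the precedence/TOS tables come from the LOG target and the RFCs, while the function names and record layout are this example's own.

```python
"""Parse and interpret Linux netfilter LOG-target kernel messages (added example)."""
import re
from typing import Any, Dict, List, Optional

# Constructed sample: the two lines quoted in the thread, re-joined from the
# mail wrapping into the single lines syslog actually writes.
SAMPLE_LOG = """\
Oct  2 13:41:24 bill kernel:  **DEFAULT-INPUT** IN=eth0 OUT= MAC=00:11:5b:e6:aa:38:00:b0:c2:88:c3:c2:08:00 SRC=106.118.153.84 DST=111.222.217.247 LEN=394 TOS=0x00 PREC=0x00 TTL=51 ID=26187 PROTO=UDP SPT=30296 DPT=1026 LEN=374
Oct  2 13:41:24 bill kernel:  **DEFAULT-OUTPUT** IN= OUT=eth0 SRC=111.222.217.247 DST=106.118.153.84 LEN=422 TOS=0x00 PREC=0xC0 TTL=64 ID=37515 PROTO=ICMP TYPE=3 CODE=3 [SRC=106.118.153.84 DST=111.222.217.247 LEN=394 TOS=0x00 PREC=0x00 TTL=51 ID=26187 PROTO=UDP SPT=30296 DPT=1026 LEN=374 ]
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel:\s*"
                     r"(?P<prefix>.*?)\s*(?P<body>IN=.*)$")
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")
TCP_FLAG_RE = re.compile(r"\b(CWR|ECE|URG|ACK|PSH|RST|SYN|FIN)\b")

# The LOG target prints PREC= as (tos & 0xE0), the RFC 791 precedence bits,
# and TOS= as (tos & 0x1E), the RFC 1349 type-of-service bits.
PRECEDENCE = {0x00: "Routine", 0x20: "Priority", 0x40: "Immediate", 0x60: "Flash",
              0x80: "Flash Override", 0xA0: "CRITIC/ECP",
              0xC0: "Internetwork Control", 0xE0: "Network Control"}
TOS_BITS = {0x10: "min-delay", 0x08: "max-throughput",
            0x04: "max-reliability", 0x02: "min-cost"}
ICMP_TYPES = {0: "echo reply", 3: "destination unreachable", 8: "echo request",
              11: "time exceeded"}
UNREACH_CODES = {0: "net unreachable", 1: "host unreachable", 2: "protocol unreachable",
                 3: "port unreachable", 4: "fragmentation needed",
                 13: "administratively prohibited"}


def parse_fields(text: str) -> Dict[str, str]:
    """KEY=VALUE tokens into a dict. A repeated key gets a numeric suffix: for UDP
    the LOG target prints LEN twice (IP total length, then UDP length)."""
    fields: Dict[str, str] = {}
    seen: Dict[str, int] = {}
    for key, value in FIELD_RE.findall(text):
        n = seen[key] = seen.get(key, 0) + 1
        fields[key if n == 1 else f"{key}_{n}"] = value
    return fields


def parse_line(line: str) -> Optional[Dict[str, Any]]:
    """One syslog line from the LOG target -> record dict, or None if it is not one."""
    m = LINE_RE.match(line.rstrip())
    if not m:
        return None
    body = m.group("body")
    quoted = None
    inner = re.search(r"\[(.*)\]", body)  # ICMP errors quote the offending packet's headers
    if inner:
        quoted = parse_fields(inner.group(1))
        body = body[:inner.start()]
    rec: Dict[str, Any] = {"ts": m.group("ts"), "host": m.group("host"),
                           "prefix": m.group("prefix"), **parse_fields(body)}
    rec["FLAGS"] = TCP_FLAG_RE.findall(body) if rec.get("PROTO") == "TCP" else []
    rec["QUOTED"] = quoted
    return rec


def parse_log(text: str) -> List[Dict[str, Any]]:
    return [r for r in (parse_line(ln) for ln in text.splitlines()) if r]


def decode_tos(rec: Dict[str, Any]) -> Dict[str, Any]:
    """Name the precedence and TOS bits. PREC=0xC0 on a kernel-generated ICMP error is
    the stack's own choice (Internetwork Control), not copied from the probe."""
    tos, prec = int(rec["TOS"], 16), int(rec["PREC"], 16)
    return {"precedence": PRECEDENCE.get(prec & 0xE0, hex(prec)),
            "tos_bits": [name for bit, name in TOS_BITS.items() if tos & bit],
            "dscp": (prec | tos) >> 2}  # the same byte read as a DiffServ codepoint


def icmp_quotes(icmp: Dict[str, Any], probe: Dict[str, Any]) -> bool:
    """True if the headers quoted inside an ICMP error are those of `probe`; this is
    how the OUTPUT line in the thread is tied to the INPUT line logged before it."""
    q = icmp.get("QUOTED")
    if not q:
        return False
    keys = ("SRC", "DST", "PROTO", "ID", "SPT", "DPT")
    return all(probe.get(k) == v for k, v in q.items() if k in keys)


def summarize(rec: Dict[str, Any]) -> str:
    """One-line reading of a record, in the form the thread's explanation uses."""
    proto = rec.get("PROTO", "?")
    iface = f"in {rec['IN']}" if rec.get("IN") else f"out {rec.get('OUT', '?')}"
    if proto in ("TCP", "UDP"):
        who = f"{proto} {rec['SRC']}:{rec['SPT']} -> {rec['DST']}:{rec['DPT']}"
    elif proto == "ICMP":
        t, c = int(rec["TYPE"]), int(rec["CODE"])
        name = ICMP_TYPES.get(t, f"type {t}")
        if t == 3:
            name += ", " + UNREACH_CODES.get(c, f"code {c}")
        who = f"ICMP {rec['SRC']} -> {rec['DST']} type {t}/code {c} ({name})"
        q = rec.get("QUOTED")
        if q and q.get("PROTO") in ("TCP", "UDP"):
            who += f", quoting {q['PROTO']} {q['SRC']}:{q['SPT']} -> {q['DST']}:{q['DPT']}"
    else:
        who = f"{proto} {rec.get('SRC')} -> {rec.get('DST')}"
    return f"{rec['prefix']} {iface}: {who}, ttl {rec['TTL']}, prec {decode_tos(rec)['precedence']}"


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for r in recs:
        print(summarize(r))
    print("ICMP error quotes the logged probe:", icmp_quotes(recs[1], recs[0]))
```

One caveat when reading such a pair: a type 3/code 3 is what the kernel sends when a UDP datagram reaches a port nothing is bound to, and it is also exactly what an iptables REJECT --reject-with icmp-port-unreachable rule sends, while a DROP rule sends nothing at all. The presence of the DEFAULT-OUTPUT line therefore shows the probe was answered rather than silently discarded, which is worth knowing if the intent of the rule set was to stay quiet.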
