[lug] Interpreting iptables log messages

Brian Talley b225ccc at gmail.com
Sun Oct 7 11:01:30 MDT 2007


On 10/3/07, Bill Thoen <bthoen at gisnet.com> wrote:
> Thanks Ben,
>
> I did try Google first, but I didn't find anything about interpreting the
> iptables logs specifically. I must not be using the right search terms. I
> did find (by Googling on 'udp port 1026') that this was probably an attempt
> to send me some instant message spam, and it failed.
>
> I can guess what most of the parameter abbreviations mean, but I don't know
> what TOS= and PREC= mean.

It looks like TOS=Type of Service and PREC=Precedence
http://www.rhyshaden.com/ipdgram.htm


>
> On Tue, Oct 02, 2007 at 05:25:21PM -0600, Ben Whaley wrote:
> > Bill,
> >
> > I'm sure Google would be your friend for documentation details. As far
> > as this exchange goes, however, it looks like 106.118.153.84 sent a
> > UDP packet to 111.222.217.247 port 1026. The destination,
> > 111.222.217.247, replied with an ICMP Type 3 Code 3 (destination
> > unreachable, port unreachable) response - basically stating that the
> > port is filtered. The incoming packet was matched against rules on the
> > INPUT chain (destined for your router) and the outgoing packet was
> > matched against rules on the OUTPUT chain (outbound from the router).
> >
> > - Ben
> >
> >
> > On 10/2/07, Bill Thoen <bthoen at gisnet.com> wrote:
> > > I'm exploring the arcane world of iptables and firewalls, and I was
> > > wondering if there's a good online document that explains how to
> > > interpret the log messages that can be produced by this software?
> > > Specifically, I'm trying to make sense of exchanges like this (since I
> > > don't recognize IP 106.118.153.84, and I suspect it's up to no good):
> > >
> > > Oct  2 13:41:24 bill kernel:  **DEFAULT-INPUT** IN=eth0 OUT=
> > > MAC=00:11:5b:e6:aa:38:00:b0:c2:88:c3:c2:08:00 SRC=106.118.153.84
> > > DST=111.222.217.247 LEN=394 TOS=0x00 PREC=0x00 TTL=51 ID=26187 PROTO=UDP
> > > SPT=30296 DPT=1026 LEN=374
> > > Oct  2 13:41:24 bill kernel:  **DEFAULT-OUTPUT** IN= OUT=eth0
> > > SRC=111.222.217.247 DST=106.118.153.84 LEN=422 TOS=0x00 PREC=0xC0 TTL=64
> > > ID=37515 PROTO=ICMP TYPE=3 CODE=3 [SRC=106.118.153.84
> > > DST=111.222.217.247 LEN=394 TOS=0x00 PREC=0x00 TTL=51 ID=26187 PROTO=UDP
> > > SPT=30296 DPT=1026 LEN=374 ]
> > >
> > > - Bill Thoen
> > > _______________________________________________
> > > Web Page:  http://lug.boulder.co.us
> > > Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
> > > Join us on IRC: lug.boulder.co.us port=6667 channel=#colug
> > >


-- 
Brian Talley
b225ccc at gmail.com ::: (970) 689 - 0108

"Chance favors the prepared mind." -- Louis Pasteur
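The two records Bill posted, read by a small parser. This is an added example, not code from the thread: it re-types the two log lines with the mail-client line wraps removed (the kernel writes each LOG record on one line), splits the `KEY=value` fields, decodes `PREC=` into the RFC 791 precedence value that Brian's link describes (iptables prints the top three bits of the TOS byte in place, so `0xC0` is precedence 6), names ICMP type 3 codes from RFC 792, and pairs the ICMP port-unreachable record with the UDP packet that triggered it by matching the bracketed inner header. The `L4LEN` name for the second `LEN=` field is this example's own choice, not something iptables emits.

```python
"""Parser for Linux iptables LOG target records (added example, not from the thread)."""
import re

# Constructed sample input: Bill's two records, one per line with mail wrapping removed.
SAMPLE_LOG = """\
Oct  2 13:41:24 bill kernel:  **DEFAULT-INPUT** IN=eth0 OUT= MAC=00:11:5b:e6:aa:38:00:b0:c2:88:c3:c2:08:00 SRC=106.118.153.84 DST=111.222.217.247 LEN=394 TOS=0x00 PREC=0x00 TTL=51 ID=26187 PROTO=UDP SPT=30296 DPT=1026 LEN=374
Oct  2 13:41:24 bill kernel:  **DEFAULT-OUTPUT** IN= OUT=eth0 SRC=111.222.217.247 DST=106.118.153.84 LEN=422 TOS=0x00 PREC=0xC0 TTL=64 ID=37515 PROTO=ICMP TYPE=3 CODE=3 [SRC=106.118.153.84 DST=111.222.217.247 LEN=394 TOS=0x00 PREC=0x00 TTL=51 ID=26187 PROTO=UDP SPT=30296 DPT=1026 LEN=374 ]
"""

# RFC 791 names for the precedence value (top three bits of the TOS byte).
PRECEDENCE_NAMES = {
    0: "Routine", 1: "Priority", 2: "Immediate", 3: "Flash",
    4: "Flash Override", 5: "CRITIC/ECP",
    6: "Internetwork Control", 7: "Network Control",
}

# RFC 792 / RFC 1812 codes for ICMP type 3 (destination unreachable) seen in firewall logs.
ICMP_UNREACHABLE_CODES = {
    0: "net unreachable", 1: "host unreachable", 2: "protocol unreachable",
    3: "port unreachable", 4: "fragmentation needed",
    9: "network administratively prohibited",
    10: "host administratively prohibited",
    13: "communication administratively prohibited",
}

FIELD_RE = re.compile(r"(\w+)=(\S*)")
# Everything between "kernel:" and the first "IN=" is the --log-prefix text.
PREFIX_RE = re.compile(r"kernel:\s*(?P<prefix>.*?)\s*(?P<rest>IN=.*)$")


def parse_fields(text):
    """Turn KEY=value tokens into a dict.  LEN appears twice in UDP/TCP
    records (IP total length, then the UDP length / TCP header length), so
    the second occurrence is stored under the made-up key L4LEN."""
    fields = {}
    for key, value in FIELD_RE.findall(text):
        if key == "LEN" and "LEN" in fields:
            key = "L4LEN"
        fields[key] = value
    return fields


def parse_record(line):
    """Parse one LOG record, or return None for a non-iptables syslog line.
    ICMP error records quote the header of the packet that triggered them in
    square brackets; that part is returned separately as 'inner'."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    rest, inner = m.group("rest"), None
    if "[" in rest:
        rest, inner_text = rest.split("[", 1)
        inner = parse_fields(inner_text.rstrip().rstrip("]"))
    return {"prefix": m.group("prefix"), "fields": parse_fields(rest), "inner": inner}


def parse_log(text):
    """Parse every iptables LOG record in a block of syslog text."""
    return [r for r in (parse_record(l) for l in text.splitlines()) if r is not None]


def precedence(fields):
    """PREC= is printed in hex with the bits left in their header position,
    so shift right by five to get the 0-7 value RFC 791 names."""
    return int(fields.get("PREC", "0x00"), 16) >> 5


def describe(rec):
    """One-line human reading of a record."""
    f = rec["fields"]
    proto = f.get("PROTO")
    where = f"{rec['prefix']} in={f.get('IN') or '-'} out={f.get('OUT') or '-'}"
    tos = f"TOS={f.get('TOS')} PREC={f.get('PREC')} ({PRECEDENCE_NAMES[precedence(f)]})"
    if proto == "ICMP" and f.get("TYPE") == "3":
        code = int(f.get("CODE", "0"))
        what = ICMP_UNREACHABLE_CODES.get(code, f"code {code}")
        head = f"{f['SRC']} -> {f['DST']} ICMP destination unreachable: {what}"
        if rec["inner"]:
            i = rec["inner"]
            head += f", in reply to {i.get('PROTO')} {i['SRC']}:{i.get('SPT')} -> {i['DST']}:{i.get('DPT')}"
        return f"{where} {head} {tos}"
    return f"{where} {f['SRC']}:{f.get('SPT')} -> {f['DST']}:{f.get('DPT')} {proto} {tos}"


def pair_exchanges(records):
    """Match each ICMP error record to the earlier record whose header equals
    the quoted inner packet (same endpoints, ports, protocol and IP ID)."""
    keys = ("SRC", "DST", "PROTO", "ID", "SPT", "DPT")
    pairs = []
    for idx, rec in enumerate(records):
        inner = rec["inner"]
        if not inner:
            continue
        for trigger in records[:idx]:
            if all(trigger["fields"].get(k) == inner.get(k) for k in keys):
                pairs.append((trigger, rec))
                break
    return pairs


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for r in recs:
        print(describe(r))
    for trigger, reply in pair_exchanges(recs):
        print("probe from", trigger["fields"]["SRC"], "answered by", reply["fields"]["SRC"])
```

Run against the sample, the first record reads as a UDP probe to port 1026 from an address Bill did not recognise, and the second as the router's own port-unreachable reply to it, which is exactly the exchange Ben described. The pairing step is what turns two separate lines into one event; feeding it a day of logs shows which inbound probes the firewall answered and which it dropped silently.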


