How can I grep, count and sort an iptables log to get IP qty and DPT?
Like I used this one-liner to get top IP qty:
egrep -w "Invalid Packet" ipfirewall.log | grep -o '[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\.[0-9]*' | sort | uniq -c | sort -r -n | head
But how to get IP by DPT?
In my iptables rules files, I entered this at the end:
-A INPUT -j LOG --log-level 4 --log-ip-options --log-prefix "iptables: "
I DROP everything besides INPUT for SSH (port 22)
I have a web server and when I try to connect to it through my browser, through a forbidden port number (on purpose), I get something like that in my iptables.log
Sep 24 14:05:57 myserver kernel: [xx.xx] iptables: IN=
I've been using iptables for some time but recently noticed that the log prefix I'd set had got corrupted.
UFW is blocking some packets that I thought I was allowing.
Every hour, the logfile on our firewall (IPCop 1.4.20, 192.168.1.8) lists nine lines, apparently caused by my computer (Ubuntu 12.04, 192.168.1.55):
Jan 8 08:01:16 ipc9 kernel: NEW not SYN?
I have my kern.log flooded by these lines:
Jan 4 03:00:57 myhost kernel: [9040601.809740] iptables denied: IN=eth0 OUT= MAC=10:00:25:09:e7:40:00:21:5e:3f:c4:04:08:00 SRC=178.33.217.13 DST=xx.xx.xx.xx LEN=64 TOS=0x00 PREC=0x00 TTL=236 ID=33285 PROTO=UDP SPT=25345 DPT=53 LEN=44
Jan 4 03:01:09 myhost kernel: [9040613.699425] iptables denied: IN=eth0 OUT= MAC=10:00:25:09:e7:40:00:21:5e:3f:c4:04:08
I have noticed a LOT of the following:
Firewall: *TCP_OUT Blocked* IN= OUT=eth0 SRC=ME DST=OUT LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=44395 DF PROTO=TCP SPT=55901 DPT=10080 WINDOW=14600 RES=0x00 SYN URGP=0
How can I figure out which website is sending such an attack?
PHP is running as fast_cgid with CloudLinux.
I'm using a Panasonic Let's Note (= Touchbook) laptop, model CF-Y2, running openSUSE 11.2 / KDE 4.4.
A few days ago, I started experiencing problems with my network connection, and I'd like to find out whether this has to do with the internal wlan possibly being defective.
I would like to know what this is and how I can stop it?
Apr 10 15:30:17 -- kernel: [ 1182.295900] [UFW BLOCK] IN=eth0 OUT= MAC=00:16:3e:5b:f3:c1:00:08:e3:ff:fd:90:08:00 SRC=95.37.189.176 DST=109.123.***.*** LEN=159 TOS=0x00 PREC=0x00 TTL=114 ID=29111 PROTO=UDP SPT=49001 DPT=51413 LEN=139
Apr 10 15:30:37 -- kernel: [ 1202.267330] [UFW BLOCK] IN=eth0 OUT= MAC=00:16:3e:5b:f3:c1:00:08:e3:ff:fd:90