470 lines
14 KiB
HTML
470 lines
14 KiB
HTML
|
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
|
||
|
<HTML
|
||
|
><HEAD
|
||
|
><TITLE
|
||
|
>( Logs ) - Now that I have IP Masquerading up, I'm getting all sorts of weird
|
||
|
notices and errors in the SYSLOG log files. How do I read the IPTABLES/IPCHAINS/IPFWADM
|
||
|
firewall errors?</TITLE
|
||
|
><META
|
||
|
NAME="GENERATOR"
|
||
|
CONTENT="Modular DocBook HTML Stylesheet Version 1.7"><LINK
|
||
|
REL="HOME"
|
||
|
TITLE="Linux IP Masquerade HOWTO"
|
||
|
HREF="index.html"><LINK
|
||
|
REL="UP"
|
||
|
TITLE="Frequently Asked Questions"
|
||
|
HREF="faq.html"><LINK
|
||
|
REL="PREVIOUS"
|
||
|
TITLE="( PORTFW - Locally ) - I can't reach my PORTFWed server from the INTERNAL lan"
|
||
|
HREF="portfw-local.html"><LINK
|
||
|
REL="NEXT"
|
||
|
TITLE='( Log Reduction ) - My logs are filling up with packet hits due to the
|
||
|
new "stronger" rulesets. How can I fix this? '
|
||
|
HREF="reducing-masq-logs.html"></HEAD
|
||
|
><BODY
|
||
|
CLASS="SECT1"
|
||
|
BGCOLOR="#FFFFFF"
|
||
|
TEXT="#000000"
|
||
|
LINK="#0000FF"
|
||
|
VLINK="#840084"
|
||
|
ALINK="#0000FF"
|
||
|
><DIV
|
||
|
CLASS="NAVHEADER"
|
||
|
><TABLE
|
||
|
SUMMARY="Header navigation table"
|
||
|
WIDTH="100%"
|
||
|
BORDER="0"
|
||
|
CELLPADDING="0"
|
||
|
CELLSPACING="0"
|
||
|
><TR
|
||
|
><TH
|
||
|
COLSPAN="3"
|
||
|
ALIGN="center"
|
||
|
>Linux IP Masquerade HOWTO</TH
|
||
|
></TR
|
||
|
><TR
|
||
|
><TD
|
||
|
WIDTH="10%"
|
||
|
ALIGN="left"
|
||
|
VALIGN="bottom"
|
||
|
><A
|
||
|
HREF="portfw-local.html"
|
||
|
ACCESSKEY="P"
|
||
|
>Prev</A
|
||
|
></TD
|
||
|
><TD
|
||
|
WIDTH="80%"
|
||
|
ALIGN="center"
|
||
|
VALIGN="bottom"
|
||
|
>Chapter 7. Frequently Asked Questions</TD
|
||
|
><TD
|
||
|
WIDTH="10%"
|
||
|
ALIGN="right"
|
||
|
VALIGN="bottom"
|
||
|
><A
|
||
|
HREF="reducing-masq-logs.html"
|
||
|
ACCESSKEY="N"
|
||
|
>Next</A
|
||
|
></TD
|
||
|
></TR
|
||
|
></TABLE
|
||
|
><HR
|
||
|
ALIGN="LEFT"
|
||
|
WIDTH="100%"></DIV
|
||
|
><DIV
|
||
|
CLASS="SECT1"
|
||
|
><H1
|
||
|
CLASS="SECT1"
|
||
|
><A
|
||
|
NAME="MASQ-LOGS"
|
||
|
></A
|
||
|
>7.20. ( Logs ) - Now that I have IP Masquerading up, I'm getting all sorts of weird
|
||
|
notices and errors in the SYSLOG log files. How do I read the IPTABLES/IPCHAINS/IPFWADM
|
||
|
firewall errors?</H1
|
||
|
><P
|
||
|
>There is probably a few common things that you are going to see:
|
||
|
|
||
|
<P
|
||
|
></P
|
||
|
><UL
|
||
|
><LI
|
||
|
><P
|
||
|
><STRONG
|
||
|
>MASQ: Failed TCP Checksum error:</STRONG
|
||
|
> You
|
||
|
might see this error when a packet coming from the Internet gets corrupt in
|
||
|
the data section of the packet but the rest of it "seems" ok. When the Linux
|
||
|
box receives this packet, it will calculate the CRC of the packet and
|
||
|
determine that its corrupt. On most machines running OSes like Microsoft
|
||
|
Windows, they just silently drop the packets but Linux IP MASQ reports it. If
|
||
|
you get a LOT of them over your PPP link, first follow the FAQ entry above for
|
||
|
"(Performance) - Masq seems is slow". </P
|
||
|
><P
|
||
|
>If the (Performance) FAQ tips don't help and you run PPP over dialup or PPPoE,
|
||
|
you might try adding the line "-vj" (disabled VanJacobson header compression) to
|
||
|
your /etc/ppp/options file and restart the PPPd connection.</P
|
||
|
></LI
|
||
|
><LI
|
||
|
><P
|
||
|
><STRONG
|
||
|
>Firewall hits</STRONG
|
||
|
>: Because you are on the
|
||
|
Internet with a decent firewall, you will be surprised with the number of users
|
||
|
trying to penetrate your Linux box! So what do all these firewall logs mean? </P
|
||
|
><P
|
||
|
>More so, if they are filling your logs, see the next FAQ entry on thoughts
|
||
|
<EM
|
||
|
>how to reduce</EM
|
||
|
> all these log entries.</P
|
||
|
></LI
|
||
|
><LI
|
||
|
><P
|
||
|
>The following details are from the
|
||
|
<A
|
||
|
HREF="http://www.ecst.csuchico.edu/~dranch/LINUX/index-linux.html#TrinityOS"
|
||
|
TARGET="_top"
|
||
|
>TrinityOS - Section 10</A
|
||
|
>
|
||
|
documentation I also wrote:</P
|
||
|
><P
|
||
|
><TABLE
|
||
|
BORDER="0"
|
||
|
BGCOLOR="#E0E0E0"
|
||
|
WIDTH="90%"
|
||
|
><TR
|
||
|
><TD
|
||
|
><FONT
|
||
|
COLOR="#000000"
|
||
|
><PRE
|
||
|
CLASS="PROGRAMLISTING"
|
||
|
> With the use of various firewall rulesets, a given ruleset can either
|
||
|
DENY (silently drop) or REJECT traffic (sends back a ICMP error). If
|
||
|
firewall logging is enabled, the errors will show up in the SYSLOG
|
||
|
"messages" file found at:
|
||
|
|
||
|
Redhat: /var/log
|
||
|
Slackware: /var/adm
|
||
|
|
||
|
If you take a look at one of these firewall logs, you would see something
|
||
|
like:
|
||
|
|
||
|
---------------------------------------------------------------------
|
||
|
IPTABLES:
|
||
|
---------
|
||
|
Feb 23 07:37:01 Roadrunner kernel: IPTABLES IN=eth0 OUT=
|
||
|
MAC=00:50:da:2e:e5:fb:00:03:47:73:c9:d2:08:00 SRC=12.75.147.174
|
||
|
DST=100.200.0.212 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=39034 DF PROTO=TCP
|
||
|
SPT=4313 DPT=23 WINDOW=32120 RES=0x00 SYN URGP=0
|
||
|
|
||
|
|
||
|
IPCHAINS:
|
||
|
---------
|
||
|
Feb 23 07:37:01 Roadrunner kernel: input REJECT eth0 PROTO=6
|
||
|
12.75.147.174:1633 100.200.0.212:23 L=44 S=0x00 I=54054 F=0x0040 T=64
|
||
|
|
||
|
|
||
|
IPFWADM:
|
||
|
--------
|
||
|
Feb 23 07:37:01 Roadrunner kernel: IP fw-in rej eth0 TCP 12.75.147.174:1633
|
||
|
100.200.0.212:23 L=44 S=0x00 I=54054 F=0x0040 T=64
|
||
|
|
||
|
---------------------------------------------------------------------
|
||
|
|
||
|
There is a LOT of information in just this one line of SYSLOG. Lets break
|
||
|
out this example. You should refer back to the original firewall hit as you
|
||
|
read this.
|
||
|
|
||
|
--------------
|
||
|
|
||
|
1. ===================================================================
|
||
|
|
||
|
- This packet firewall "hit" occurred on "Feb 23 07:37:01"
|
||
|
|
||
|
2. ===================================================================
|
||
|
|
||
|
- This packet was logged on the "RoadRunner" computer via the kernel
|
||
|
|
||
|
3. ===================================================================
|
||
|
|
||
|
- IPTABLES: the SYSLOG prepend string is "iptables" for information purposes
|
||
|
|
||
|
- IPCHAINS: the packet was stopped on the INPUT chain
|
||
|
|
||
|
- IPFWADM: the packet was an IP packet
|
||
|
|
||
|
4. ===================================================================
|
||
|
|
||
|
- IPTABLES: the packet came IN on interface "eth0"
|
||
|
|
||
|
- IPCHAINS: the packet was REJECTED (vs. dropped or accepted)
|
||
|
|
||
|
- IPFWADM: the packet was stopped on INPUT (vs. "fw-out" for OUT or
|
||
|
"fw-fwd" for FORWARD)
|
||
|
|
||
|
5. ===================================================================
|
||
|
|
||
|
- IPTABLES: the packet had NO output interface
|
||
|
|
||
|
- IPCHAINS: the packet came in on the "eth0" interface
|
||
|
|
||
|
- IPFWADM: the packet was REJECTED "rej" (vs. "deny" or "accept")
|
||
|
|
||
|
6. ===================================================================
|
||
|
|
||
|
- IPTABLES: this display's the MAC address of the source and destination
|
||
|
Ethetnet MAC address (only relivant for Ethernet networks)
|
||
|
|
||
|
- IPCHAINS: the packet was IP protocol 6 or TCP
|
||
|
* If you don't know that protocol 6 is for TCP, look at
|
||
|
your /etc/protocols file to see what other protocol numbers
|
||
|
are used for.
|
||
|
|
||
|
- IPFWADM: the packet on the "eth0" interface
|
||
|
|
||
|
7. ===================================================================
|
||
|
|
||
|
- IPTABLES: the packet's source IP address was 12.75.147.174
|
||
|
|
||
|
- IPCHAINS: the packet's source IP address was 12.75.147.174
|
||
|
|
||
|
- IPFWADM: the packet was a "TCP" packet
|
||
|
|
||
|
8. ===================================================================
|
||
|
|
||
|
- IPTABLES: the packet's destination IP address was 100.200.0.212
|
||
|
|
||
|
- IPCHAINS: the packet's source PORT was 1633
|
||
|
|
||
|
- IPFWADM: the packet's source IP address was 12.75.147.174
|
||
|
|
||
|
9. ===================================================================
|
||
|
|
||
|
- IPTABLES: the packet's length was 44 bytes
|
||
|
|
||
|
- IPCHAINS: the packet's destination IP address was 100.200.0.212
|
||
|
|
||
|
- IPFWADM: the packet's source PORT was 1633
|
||
|
|
||
|
10. ===================================================================
|
||
|
|
||
|
- IPTABLES: the packet's TOS markings (type of service which basically
|
||
|
means class of service) was 0x00 or zero.
|
||
|
|
||
|
- IPCHAINS: the packet's destination PORT was 23 (telnet)
|
||
|
* If you don't know that port 23 is for TELNETing, look at
|
||
|
your /etc/services file to see what other ports are used
|
||
|
for.
|
||
|
|
||
|
- IPFWADM: the packet's destination IP address was 100.200.0.212
|
||
|
|
||
|
11. ===================================================================
|
||
|
|
||
|
- IPTABLES: the packet's precedense markings (class of service) was
|
||
|
0x00 or zero.
|
||
|
|
||
|
- IPCHAINS: the packet's length was 44 bytes
|
||
|
|
||
|
- IPFWADM: the packet's destination PORT was 23 (telnet)
|
||
|
* If you don't know that port 23 is for TELNETing, look at
|
||
|
your /etc/services file to see what other ports are used
|
||
|
for.
|
||
|
|
||
|
12. ==================================================================
|
||
|
|
||
|
- IPTABLES: the packet's TTL or Time to Live was 64 or 64 router hops
|
||
|
* Every router hop over the Internet will subtract (1) from
|
||
|
this number. Usually, packets will start with a number of
|
||
|
255 (depends on the operating system) and if that number
|
||
|
ever reaches (0), it means that realistically, the packet
|
||
|
was lost in a network loop and should be deleted.
|
||
|
|
||
|
- IPCHAINS: the packet's TOS markings (type of service which basically
|
||
|
means class of service) was 0x00 or zero.
|
||
|
* divide this by 4 to get the Type of Service (presidence)
|
||
|
|
||
|
- IPFWADM: the packet was 44 bytes long
|
||
|
|
||
|
13. ==================================================================
|
||
|
|
||
|
- IPTABLES: the packet had various TCP flags set such as SYN, SYN+ACK,
|
||
|
etc. (shown in HEX)
|
||
|
|
||
|
- IPCHAINS: the packet had various TCP flags set (shown in hex)
|
||
|
|
||
|
- IPFWADM: the packet's TOS markings (type of service which basically
|
||
|
means class of service) was 0x00 or zero.
|
||
|
|
||
|
14. ==================================================================
|
||
|
|
||
|
- IPTABLES: the packet's "don't fragment" or DF bit was set from the
|
||
|
source computer
|
||
|
|
||
|
- IPCHAINS: the packet had a fragmentation offset of 40 (shown in HEX)
|
||
|
|
||
|
--Don't worry if you don't understand this..
|
||
|
* A value that started with "0x2..." or "0x3..." means the
|
||
|
"More Fragments" bit was set so more fragmented packets
|
||
|
will be coming in to complete this one BIG packet.
|
||
|
* A value which started with "0x4..." or "0x5..." means that
|
||
|
the "Don't Fragment" bit was set
|
||
|
* Any other values are the Fragment offset (divided by 8) to
|
||
|
be later used to recombine into the original LARGE packet
|
||
|
|
||
|
- IPFWADM: the packet had various TCP flags set such as SYN, SYN+ACK,
|
||
|
etc. (shown in HEX)
|
||
|
|
||
|
15. ==================================================================
|
||
|
|
||
|
- IPTABLES: the packet was a TCP packet
|
||
|
|
||
|
- IPCHAINS: the packet's TTL or Time to Live was 64 or 64 router hops
|
||
|
* Every router hop over the Internet will subtract (1) from
|
||
|
this number. Usually, packets will start with a number of
|
||
|
255 (depends on the operating system) and if that number
|
||
|
ever reaches (0), it means that realistically, the packet
|
||
|
was lost in a network loop and should be deleted.
|
||
|
|
||
|
- IPFWADM: the packet had a fragmentation offset of 40 (shown in HEX)
|
||
|
|
||
|
--Don't worry if you don't understand this..
|
||
|
* A value that started with "0x2..." or "0x3..." means the
|
||
|
"More Fragments" bit was set so more fragmented packets
|
||
|
will be coming in to complete this one BIG packet.
|
||
|
* A value which started with "0x4..." or "0x5..." means that
|
||
|
the "Don't Fragment" bit was set
|
||
|
* Any other values are the Fragment offset (divided by 8) to
|
||
|
be later used to recombine into the original LARGE packet
|
||
|
|
||
|
16. ==================================================================
|
||
|
|
||
|
- IPTABLES: the packet's soure PORT was 4313
|
||
|
|
||
|
- IPCHAINS:
|
||
|
|
||
|
- IPFWADM: the packet's TTL or Time to Live was 64 or 64 router hops
|
||
|
* Every router hop over the Internet will subtract (1) from
|
||
|
this number. Usually, packets will start with a number of
|
||
|
255 (depends on the operating system) and if that number
|
||
|
ever reaches (0), it means that realistically, the packet
|
||
|
was lost in a network loop and should be deleted.
|
||
|
|
||
|
17. ==================================================================
|
||
|
|
||
|
- IPTABLES: the packet's destination PORT was 23 (telnet)
|
||
|
* If you don't know that port 23 is for TELNETing, look at
|
||
|
your /etc/services file to see what other ports are used
|
||
|
for.
|
||
|
|
||
|
- IPCHAINS:
|
||
|
|
||
|
- IPFWADM:
|
||
|
|
||
|
18. ==================================================================
|
||
|
|
||
|
- IPTABLES: the packet's TCP window (sliding or selective TCP ack)
|
||
|
was 32120 bytes
|
||
|
|
||
|
- IPCHAINS:
|
||
|
|
||
|
- IPFWADM:
|
||
|
|
||
|
19. ==================================================================
|
||
|
|
||
|
- IPTABLES: the packet's TCP reserved bits were 0x00 (HEX) - unused
|
||
|
|
||
|
- IPCHAINS:
|
||
|
|
||
|
- IPFWADM:
|
||
|
|
||
|
20. ==================================================================
|
||
|
|
||
|
- IPTABLES: the packet's TCP header SYN bit was set
|
||
|
* IPTABLES displays all the TCP header bits by name and not
|
||
|
by a HEX dump
|
||
|
|
||
|
- IPCHAINS:
|
||
|
|
||
|
- IPFWADM:
|
||
|
|
||
|
21. ==================================================================
|
||
|
|
||
|
- IPTABLES: the packet's TCP header URGENT bit was set - rarely used
|
||
|
|
||
|
- IPCHAINS:
|
||
|
|
||
|
- IPFWADM: </PRE
|
||
|
></FONT
|
||
|
></TD
|
||
|
></TR
|
||
|
></TABLE
|
||
|
> </P
|
||
|
></LI
|
||
|
></UL
|
||
|
></P
|
||
|
></DIV
|
||
|
><DIV
|
||
|
CLASS="NAVFOOTER"
|
||
|
><HR
|
||
|
ALIGN="LEFT"
|
||
|
WIDTH="100%"><TABLE
|
||
|
SUMMARY="Footer navigation table"
|
||
|
WIDTH="100%"
|
||
|
BORDER="0"
|
||
|
CELLPADDING="0"
|
||
|
CELLSPACING="0"
|
||
|
><TR
|
||
|
><TD
|
||
|
WIDTH="33%"
|
||
|
ALIGN="left"
|
||
|
VALIGN="top"
|
||
|
><A
|
||
|
HREF="portfw-local.html"
|
||
|
ACCESSKEY="P"
|
||
|
>Prev</A
|
||
|
></TD
|
||
|
><TD
|
||
|
WIDTH="34%"
|
||
|
ALIGN="center"
|
||
|
VALIGN="top"
|
||
|
><A
|
||
|
HREF="index.html"
|
||
|
ACCESSKEY="H"
|
||
|
>Home</A
|
||
|
></TD
|
||
|
><TD
|
||
|
WIDTH="33%"
|
||
|
ALIGN="right"
|
||
|
VALIGN="top"
|
||
|
><A
|
||
|
HREF="reducing-masq-logs.html"
|
||
|
ACCESSKEY="N"
|
||
|
>Next</A
|
||
|
></TD
|
||
|
></TR
|
||
|
><TR
|
||
|
><TD
|
||
|
WIDTH="33%"
|
||
|
ALIGN="left"
|
||
|
VALIGN="top"
|
||
|
>( PORTFW - Locally ) - I can't reach my PORTFWed server from the INTERNAL lan</TD
|
||
|
><TD
|
||
|
WIDTH="34%"
|
||
|
ALIGN="center"
|
||
|
VALIGN="top"
|
||
|
><A
|
||
|
HREF="faq.html"
|
||
|
ACCESSKEY="U"
|
||
|
>Up</A
|
||
|
></TD
|
||
|
><TD
|
||
|
WIDTH="33%"
|
||
|
ALIGN="right"
|
||
|
VALIGN="top"
|
||
|
>( Log Reduction ) - My logs are filling up with packet hits due to the
|
||
|
new "stronger" rulesets. How can I fix this?</TD
|
||
|
></TR
|
||
|
></TABLE
|
||
|
></DIV
|
||
|
></BODY
|
||
|
></HTML
|
||
|
>
|