I am trying to figure out what command to use to show the number of DROPPED and INVALID packets that the firewall is handling.I'm going to put these commands into a log analyzer script which will run every 15 minutes with cron. The firewall is running and operating the way I want it to. I'm running CentOS 5.4.
View 2 RepliesI switched over to Fedora a couple of days ago. I'm using the built-in firewall shipped with it but I can't find out how to enable logging of dropped packets. Among others I'd like to use psad that needs firewall logging. Is there an easy way to do this? I'm not an iptables "expert".
View 6 Replies View RelatedOn April 10, 2010, I upgraded some packages on my Ubuntu 9.04 server. This included an upgrade to "ufw 0.27-0ubuntu2". I rebooted the server, and all appeared to be fine.
Now I've noticed that UFW is not logging blocked packets since that reboot. It used to do this. It is still logging the allowed packets that I've configured it to log.
Here's what a "ufw status verbose" says code...
One of our RHEL 5.3 servers has trouble about 30% of the time with TCP-based communications, but it does not seem to be firewall issues. From another computer on the same switch, you can SSH to the server sometimes and other times the SSH command will just hang. When it hangs, you can often just Ctrl+C and try it again and it works. Same with HTTP connections. You'll get part of a web page and then FireFox will just hang waiting for the rest and eventually time out. Same goes for communication initiated FROM the server. SSH'ing from the server to any outside server or connecting to any web site works sometimes, but most times not. iptables if off. No other firewalls are running. Tcpdump shows communication gets so far and then stops. It does not matter whether tou run tcpdump on that server or the client connecting to it. Either way you see the connection stops working. MEANWHILE, pinging with small or large packets works flawlessly. 10,000 packets, zero drops.
View 5 Replies View RelatedI've recently installed Ubunter 9.10 Server Edition to use as a NAT firewall for the lab I run. I'm using iptables to do NAT forwarding and everything works great except that, occasionally, connections seem to break. Ssh connections close with "Connection reset by peer" and HTTP connections just stall out.I believe this has to do with the firewall's internal network interface occasionally dropping packets.
View 2 Replies View RelatedI have question regarding netstat? When performing a "netstat -s" I receive the following information regarding dropped packets under IP:
IP:
93978695 total packets received
0 forwarded
0 incoming packets discarded
79472157 incoming packets delivered
65235033 requests sent out
29527 outgoing packets dropped
However if I run a "netstat -i" I have no dropped packets whatsoever: (apologies for the table format):
Kernel Interface table
Iface MTU Met RX-OK RX-ERR RX-DRP RX-OVR TX-OK TX-ERR TX-DRP TX-OVR Flg
bond0 1500 0 34326528 0 0 0 72755307 0 0 0 BMmRU
bond0:1 1500 0 - no statistics available - BMmRU
bond1 1500 0 28605491 0 0 0 20948952 0 0 0 BMmRU
eth0 1500 0 34199550 0 0 0 72755278 0 0 0 BMsRU
eth1 1500 0 126978 0 0 0 29 0 0 0 BMsRU
eth2 1500 0 97911 0 0 0 1 0 0 0 BMsRU
eth3 1500 0 28507580 0 0 0 20948951 0 0 0 BMsRU
lo 16436 0 34094225 0 0 0 34094225 0 0 0 LRU
I am using ubuntu 9.10. Configuring my firewall using guarddog. I have setup a rule to allow traffic OUT on port 7078 UDP, and just because i'm having problems i added an IN rule.
# Create the filter chains
# Create chain to filter traffic going from 'Internet' to 'Local'
ipchains -N f0to1
[code]....
I've run into a of a routing issue pertaining to packets leaving a firewall, traversing and IPSec tunnel, hitting the target and then returning via a different tunnel, finally arriving back on the source firewall but on a different interface from where it started. Once the packet has returned to the firewall it is dropped I've been unable to discover the reason for the drop. Two sides to the system, Firewall A and Firewall B. Each firewall provides the default gateway to its respective side and offers a backup IPSec tunnel to the high capacity tunnel handled internally. The Layer 3 Switch uses OSPF and takes care of the bulk of the behind the scenes routing between the sides. In case of failure the Layer 3 switches direct traffic to use the Firewall tunnels to route traffic.
View 2 Replies View RelatedI'm running a Debian Squeeze 6.0.1a box that's connected to my ISP via an L2TP connection that's managed by OpenL2TPD. The box is configured to perform NAT from local clients (on eth0) to the internet (on ppp0).
However, I'm having an issue with TCP packets that are sent from the box itself to the internet (packets originally coming from the local clients get sent and received over the internet just fine)
I'm using this Python app to test this:
Code:
#!/usr/bin/env python
import socket, time
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.bind(('', 5003))
s.listen(1)
while 1:
conn, addr = s.accept()
[Code]...
In my Fedora13 machine, while in mobile broadband, i can ping and skype outside, but cannot browse/yum etc. Few output that may be of relevence are here:
$ netstat -s
IP:
149468 total packets received
6 with invalid headers
16174 with invalid addresses
0 forwarded
0 incoming packets discarded
118821 incoming packets delivered
101331 requests sent out
124 outgoing packets dropped
866 dropped because of missing route .....
I'm looking for an open source/free network emulator tool that I could use on Mac OS X, to simulate a slow network connection, limited bandwidth and other network characteristics such as dropped packets etc for both UDP/TCP connections (or even on the physical layer).
I'm looking for the simplest solution that would allow me to run TCP/UDP servers and have a few clients connect to them on localhost emulating various network connections. I'm mainly wondering if I can use something like Linux's netem on Mac OS X (or even better cross-platform Windows/Linux/Mac). Perhaps I can run VirtualBox and a Linux kernel running netem, has anyone had luck with that?[URL]...
I've been receiving a LOT of log cruft ever since I installed my WUSB100V2 (using the rt2870sta community driver from the Linux kernel) and was wondering what it all meant.
Many times when these messages occur it is accompanied by slow network speeds and many DNS queries and outgoing SYNs being dropped. I have searched for documentation for these (error?) messages and have come up empty as far as what they mean or how I can stop them from occurring.
I reside on the opposite side of the building from my WAP. I have taken steps to improve the signal strength, but the signal quality hovers between 50% and 70%, sometimes dropping to 40% for unknown reasons.
My /var/log/messages:
Sep 12 05:04:40 necronomicon -- MARK --
Sep 12 05:29:48 necronomicon kernel: 0:3 LTL=0 , TL=0 L:4284
Sep 12 05:29:53 necronomicon kernel: 0:3 LTL=0 , TL=0 L:4104
Sep 12 05:30:06 necronomicon kernel: 0:3 LTL=0 , TL=0 L:4156
[code]....
with my other ethernet card problem solved, I suddenly run into this:
Code:
eth1
Link encap:Ethernet HWaddr 00:02:e3:16:37:4c
inet addr:10.0.2.1 Bcast:10.0.2.255 Mask:255.255.255.0
inet6 addr: fe80::202:e3ff:fe16:374c/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
[Code]...
This card was working perfectly fine up until....an hour ago and it started doing this. My iptables isn't blocking it somehow, because I didn't change anything. I tried reverting to an older kernel and that didn't help. It's not the network cable, it works fine in any other card. Also, the dropped packets seem to count down? It seems to go down by exactly one every time I run ifconfig, no matter the length of time in between running it.
As is known, there is a queue lies between the kernel subsystem and the network driver for incoming data. And if data come when this queue has no space for it, the data got dropped by kernel. Is there some way to see how many packets are dropped due to this buff penury? I tried netstat -s but could not find something useful. On the other hand, I found this 12176 packets collapsed in receive queue due to low socket buffer from netstat -s. I think this is something related to the per-socket buffer, but not the incoming queue between the network driver and kernel. Is this right?
View 1 Replies View Relatedmy NIC drives me crazy and I need some help to gather all relevant informations to file a decent bug report. Maybe someone could guide me through this process.My mainboard is an AsRock Z68 Pro3
[URL]
I use a dual-boot setup with Windows7 installed in parallel to Fedora 15-x64. Whenever I had Windows in use and jjust reboot the system into Fedora, the NIC does not work as expected. Instead it goes in an endless "em1: link up" loop which results in very low bandwith or even complete network timeouts. This happens in Firefox as well as with yum or ping.
Quote:
Originally Posted by dmesg
[ 58.763294] r8169 0000:05:00.0: em1: link up
[ 59.686773] r8169 0000:05:00.0: em1: link up
[ 61.936454] r8169 0000:05:00.0: em1: link up
[code]....
If I directly cold boot into Fedora (after the power cord has been removed and the system got completely re-initialized) there are no problems at alll and I get a fast and stable network conection. This also happens with other linux distributions, for example SysRescCD.
i need to write a program in c that can sniff packets from Ethernet and distinguish RTP packets from Non-RTP packets, i have no idea what should i do
View 9 Replies View RelatedWe do NOT support samba on our Unbuntu servers but still zillions of windows machines are constantly trying to connect on the SMB ports. I've added a rule that drops access to destination ports 137-138 and that seems to work. But it creates many many log entries documenting that the packet has been dropped. I've been researching and cannot come up with a way to suppress logging for these drops.
View 4 Replies View Relatedi dont know why packets dropped? and something else what are those numbers for default policy in [] means?this is rules:
Code:
# Generated by iptables-save v1.4.4 on Sun May 1 00:09:57 2011
*mangle
[code]....
I setup a SSH server on my computer on a very high port, so that my brother could surf the web through my computer from Iran, since the majority of websites are filtered there.
Today, he told me he cannot connect to my computer. That's why, I got suspicious that they are doing packet based filtering instead of port. Then I decided to change the port to 433 for https, but one of my friend told me that they just banned https in Iran as well.
I was wondering if there's any way I can manipulate SSH packets between two computers so that my brother's ISP won't figure out he's exchanging SSH packets?
My machine is trying to communicate with another computer. I�ve blocked the traffic with this machine with iptables (input and output traffic), but I want to find the origin of this traffic. There�re 90% of probabilities it�s a trojan, and I want to find it.I have logged the packets with iptables (and then dropped), but with this I don�t know the proccess source.I�ve tried with netstat -o, but I don�t get nothing.How can I see the Process source (i.e. the PID) of this traffic?The traffic are TCP packets, with SYN flagged active (my machine is trying to establish a connection with that IP).
View 9 Replies View RelatedMy VPS host a mail, blog and web site. So i want to block port i not use. The port that i use is 80,21,2022,443. The other port will be drop. I want to block bad packet and all packet that not related. Can anyone how to write in iptables?
View 2 Replies View Relatedi have configured racoon (ipsec tunnel) between 2 hosts and i am afraid of unencrypted ICMP which appears in TCPDUMP logs. There ale also encrypted ESP packets. Is this result of wrong racoon configuration?
172.16.220.133
Code:
[root@localhost ~]# cat /etc/racoon/racoon.conf
# racoon.conf
path pre_shared_key "/etc/racoon/psk.txt" ;
remote anonymous
[Code]...
I keep finding packets that appear to be whois on port 44. they appear to originate from me to whois.arin.net (2 packets each time) and 199.212.0.43 (also 2 packets each time) when I put 199.212.0.43 in the URL box it says "Failure To Connect To Web Server". when I whois it it says:
Quote:
Available at [url] And yes, I did get the same packets when I used whois. Why is my computer randomly whoising stuff?
In my network I have 25 workstations and some serves. Everything working in local LAN with firewall. The problem is that on one machine (I dont know which one) is installed software which sending data to the internet. Actually I dont know what it is. Last time as I remember was trojan which can create new network interfaces in windows and send some data to the internet. The half speed of my network connection is used by this infected machine. How can I detect which machine it is? How can I listen/capture some traffic and analyze from which machine I have more connections.
Please take a look on this time. Instead of 141-150ms should be 4-5ms.
64 bytes from web30.ispnetz.de (62.xx.191.74): icmp_seq=1 ttl=249 time=141 ms
64 bytes from web30.ispnetz.de (62.xx.191.74): icmp_seq=2 ttl=249 time=135 ms
64 bytes from web30.ispnetz.de (62.xx.191.74): icmp_seq=3 ttl=249 time=147 ms
64 bytes from web30.ispnetz.de (62.xx.191.74): icmp_seq=4 ttl=249 time=127 ms
64 bytes from web30.ispnetz.de (62.xx.191.74): icmp_seq=5 ttl=249 time=156 ms
64 bytes from web30.ispnetz.de (62.xx.191.74): icmp_seq=6 ttl=249 time=129 ms
64 bytes from web30.ispnetz.de (62.xx.191.74): icmp_seq=7 ttl=249 time=188 ms
How can I detect which machine is infected using only linux and keyboard ?
I have a small network with 4 users, a Win2003 server for LAN/security functions, and a Dell Blade server running Ubuntu 8.04.1 which runs as our web server on port 80. I manage the Ubuntu server with Webmin v1.42Yesterday, my users weren't able to access the internet nor were they able to receive mail, etc. and no one could access any of the website hosted on the webserver. However, the internal users could access each other's PCs and internal printers and devices - just nothing outside.
I began to troubleshoot: I could see a lot of activity on the Router/Firewall on the port connected to the Ubuntu server. When I unplugged the server, everyone could immedately connect to the internet. So, the problem was originating with that server.When I logged in to the Ubuntu server using Webmin, I checked System>Running Processes and right at the top of the list was the process:ID Owner CPU Command23184 www-data 98.1% ./s 174.120.164.186 7777When I drilled down on this process it said that the parent process was:/bin/sh -c ./s 174.120.164.186 7777I pressed the Trace Process button and it appears to be sending the following repeatedly:Time System Call Parameters Returnxxxx send 125,0123456789ABCDE,15,0 15So, I manually Killed the process and added a rule to my firewall/router to block an IP range that includes 174:120:164:186
A few hours later the same process stars again in Ubuntu,, effectively plugging up my pipeline to the internet and preventing access to the websites being hosted.It suspect that there is some kind of virus on my Ubuntu machine but have no idea how to locate and destroy it. I am relatively new to the Ubuntu world and would appreciate anyone's help immensely! I just don't know what to do!
I was testing the security of my Ubuntu 10.04 64bit install by running a port scan from [URL] and I came upon some odd results. It appears that basically all my ports are closed, but only Port 646 is dropping packets silently. Furthermore, Port 80 is open.
View 5 Replies View RelatedBattlefield 2 server being attacked by packets that creates infinite loop, then when a player disconnects, server crash.
The packets seems to be always the same.....
Attacker Script: [URL]
Script in action:
[Code].....
I need to find a way to block these 4 packets (i think theyre 4 for what i tested) with IP TABLES.
EDIT: There seem to be other different replies, maybe 1 different but no more.... maybe you can find something useful in the script.
Just wanted input for this script i have cobbeled together. Its not done yet. I am trying to think of ways to close up my outgoing while maintaining full functionality of my laptop ( irc, web stuff, a torrent or two, etc.) . Anyways, I have done some myself; as well as, pulling bits and pieces from other stuff out on the web. I am starting to wonder why i have to write a specific rule to check for spoofed packets if my default input is set top drop. wouldnt it be caught?
Code:
#!/bin/bash
### Laptop + Desktop: No Forwarding firewall ip4 / ip6
### Distro > Debian / Ubuntu.
### oliverteasley@gmail.com
[Code]....
how can i drop igmp port 0 packets with iptables rule? my log file is full of this router advertisement.
View 2 Replies View RelatedI want to capture all packets from site "www.examplesite.com" so I checked its ip address in an ip address look up and it was 123.456.abc.def.So I set my filter to "dst host 23.456.abc.def"However I then realised that multiple ip address point to ww.examplesite.com, for example say the following ips also go to987.654.321.000111.222.333.444So is there a filter that will automatically capture all traffic going to www.examplesite.com or do I have to go and manually find all it's ip addresses and pass them all to the filter?
View 2 Replies View Related