Linux: ipchains logging

Author:

Douglas O’Leary <dkoleary@olearycomputers.com>

Date created:

09/1999

Date updated:

09/1999

Disclaimer:

Standard: Use the information that follows at your own risk. If you screw up a system, don’t blame it on me…

(Taken from the logging section of the IPCHAINS-HOWTO)

Logging Packets

This is a side effect that matching a rule can have; you can have the matching packet logged using the ‘-l’ flag. You will usually not want this for routine packets, but it is a useful feature if you want to look for exceptional events.

The kernel logs this information looking like:

Packet log: input DENY eth0 PROTO=17 192.168.2.1:53 192.168.1.1:1025 L=34 S=0x00 I=18 F=0x0000 T=254

This log message is designed to be terse, and contain technical information useful only to networking gurus, but it can be useful to the rest of us. It breaks down like so:

  1. ‘input’ is the chain which contained the rule which matched the packet, causing the log message.

  2. ‘DENY’ is what the rule said to do to the packet. If this is ‘-’ then the rule didn’t affect the packet at all (an accounting rule).

  3. ‘eth0’ is the interface name. Because this was the input chain, it means that the packet came in ‘eth0’.

  4. ‘PROTO=17’ means that the packet was protocol 17. A list of protocol numbers is given in ‘/etc/protocols’. The most common are 1 (ICMP), 6 (TCP) and 17 (UDP).

  5. ‘192.168.2.1’ means that the packet’s source IP address was 192.168.2.1.

  6. ‘:53’ means that the source port was port 53. Looking in ‘/etc/services’ shows that this is the ‘domain’ port (i.e. this is probably a DNS reply). For UDP and TCP, this number is the source port. For ICMP, it’s the ICMP type. For others, it will be 65535.

  7. ‘192.168.1.1’ is the destination IP address.

  8. ‘:1025’ means that the destination port was 1025. For UDP and TCP, this number is the destination port. For ICMP, it’s the ICMP code. For others, it will be 65535.

  9. ‘L=34’ means that the packet was a total of 34 bytes long.

  10. ‘S=0x00’ means the Type of Service field (divide by 4 to get the Type of Service as used by ipchains).

  11. ‘I=18’ is the IP ID.

  12. ‘F=0x0000’ is the 16-bit fragment offset plus flags. A value starting with ‘0x4’ or ‘0x5’ means that the Don’t Fragment bit is set. ‘0x2’ or ‘0x3’ means the ‘More Fragments’ bit is set; expect more fragments after this. The rest of the number is the offset of this fragment, divided by 8.

  13. ‘T=254’ is the Time To Live of the packet. One is subtracted from this value for every hop, and it usually starts at 15 or 255.

  14. ‘(#5)’ there may be a final number in brackets on more recent kernels (perhaps after 2.2.9). This is the rule n
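The field breakdown above is easier to apply over a day's worth of syslog if it is turned into code. The following Python parser is an added example, not part of the HOWTO or of this page's original content. It decodes each field exactly as the list describes: protocol number to name (only the three numbers the page names; others fall back to the raw number), the port columns read as ICMP type/code for protocol 1, the TOS byte divided by 4 to give the value ipchains itself uses, the ‘F=’ word split into Don't Fragment / More Fragments bits and an offset in bytes, and the optional trailing ‘(#N)’ rule number. It assumes the kernel line may arrive with a syslog timestamp and ‘kernel:’ prefix, so it searches for ‘Packet log:’ rather than anchoring at the start; the sample lines other than the page's own are constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Protocol numbers the page names; anything else is reported by number.
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}

# The 16-bit F= word: three flag bits above a 13-bit offset in 8-byte units.
FLAG_DF = 0x4000      # Don't Fragment  -> F= begins 0x4 or 0x5
FLAG_MF = 0x2000      # More Fragments  -> F= begins 0x2 or 0x3
OFFSET_MASK = 0x1FFF

# Fields in the order the page lists them; "(#N)" is optional (newer kernels only).
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+) "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=0x(?P<tos>[0-9a-fA-F]+) I=(?P<ipid>\d+) "
    r"F=0x(?P<frag>[0-9a-fA-F]+) T=(?P<ttl>\d+)(?: \(#(?P<rule>\d+)\))?"
)


@dataclass
class PacketLog:
    chain: str
    action: str            # DENY, REJECT, ACCEPT, or "-" for an accounting rule
    iface: str
    proto: int
    proto_name: str
    src: str
    dst: str
    sport: int             # port for TCP/UDP, ICMP type for ICMP, 65535 otherwise
    dport: int             # port for TCP/UDP, ICMP code for ICMP, 65535 otherwise
    length: int
    tos: int               # raw Type of Service byte
    ipchains_tos: int      # the TOS value as ipchains uses it (raw / 4)
    ipid: int
    dont_fragment: bool
    more_fragments: bool
    frag_offset_bytes: int
    ttl: int
    rule: Optional[int]    # rule number when the kernel prints "(#N)"
    accounting_only: bool


def parse_ipchains_log(line: str) -> Optional[PacketLog]:
    """Parse one ipchains 'Packet log:' line; None if the line is not one."""
    m = LOG_RE.search(line)   # search: syslog may prepend a timestamp and 'kernel:'
    if m is None:
        return None
    proto, tos, frag = int(m["proto"]), int(m["tos"], 16), int(m["frag"], 16)
    return PacketLog(
        chain=m["chain"], action=m["action"], iface=m["iface"],
        proto=proto, proto_name=PROTO_NAMES.get(proto, f"proto-{proto}"),
        src=m["src"], dst=m["dst"], sport=int(m["sport"]), dport=int(m["dport"]),
        length=int(m["length"]), tos=tos, ipchains_tos=tos // 4, ipid=int(m["ipid"]),
        dont_fragment=bool(frag & FLAG_DF), more_fragments=bool(frag & FLAG_MF),
        frag_offset_bytes=(frag & OFFSET_MASK) * 8, ttl=int(m["ttl"]),
        rule=int(m["rule"]) if m["rule"] is not None else None,
        accounting_only=(m["action"] == "-"),
    )


def describe(p: PacketLog) -> str:
    """One-line summary that names the port columns per protocol, as the page explains."""
    if p.proto == 1:
        ends = f"{p.src} -> {p.dst} ICMP type {p.sport} code {p.dport}"
    elif p.proto in (6, 17):
        ends = f"{p.src}:{p.sport} -> {p.dst}:{p.dport}"
    else:
        ends = f"{p.src} -> {p.dst}"
    flags = [n for n, on in (("DF", p.dont_fragment), ("MF", p.more_fragments)) if on]
    if p.frag_offset_bytes:
        flags.append(f"offset={p.frag_offset_bytes}")
    frag = f" [{','.join(flags)}]" if flags else ""
    rule = f" rule #{p.rule}" if p.rule is not None else ""
    return f"{p.chain} {p.action} on {p.iface}: {p.proto_name} {ends} len={p.length} ttl={p.ttl}{frag}{rule}"


# Constructed sample: the page's line, then made-up lines showing the optional
# "(#N)", an ICMP packet behind a syslog prefix, a first fragment (MF), an
# accounting rule ("-") with DF set, and an unrelated kernel message.
SAMPLE_LINES = [
    "Packet log: input DENY eth0 PROTO=17 192.168.2.1:53 192.168.1.1:1025 L=34 S=0x00 I=18 F=0x0000 T=254",
    "Jan  1 00:00:01 fw kernel: Packet log: input DENY eth0 PROTO=1 10.0.0.5:8 192.168.1.1:0 L=84 S=0x00 I=1234 F=0x0000 T=64 (#5)",
    "Packet log: forward REJECT eth1 PROTO=6 172.16.0.9:34567 192.168.1.1:25 L=1500 S=0x10 I=777 F=0x2000 T=63 (#3)",
    "Packet log: output - eth0 PROTO=17 192.168.1.1:123 192.0.2.1:123 L=76 S=0x00 I=22 F=0x4000 T=64",
    "Jan  1 00:00:02 fw kernel: eth0: link up",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        rec = parse_ipchains_log(line)
        print(describe(rec) if rec else f"skipped: {line!r}")
```

Run against a real syslog file, the loop would simply read lines from the file instead of SAMPLE_LINES; lines without ‘Packet log:’ are returned as None and skipped, so the parser can be fed the whole log unfiltered.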