Re: Analyze the output

From: Thomas (tdshepard_at_comcast.net)
Date: 11/28/03


Date: 28 Nov 2003 09:25:21 -0800

arafeek@hotmail.com (Ali Rafeek) wrote in message news:<ab547c4c.0311261209.79546900@posting.google.com>...
> Hi,
>
> Can someone analyze the following output from the /var/log/messages of
> a RH 9, I am running an IPTABLE Masquerading service, this output
> repeats several times a day, and during that time, I lose the
> translation service for around 5 minutes, I will be very grateful if
> someone can guide me on what is happening, and why do I lose the
> service, and how do I resolve it. Thanks a lot.
>
> Ali Rafeek
>
> ---------------------------------------------------------------------------------
>
> Nov 26 19:36:19 Firewall2 kernel: IN=eth0 OUT=eth0 SRC=10.1.3.13
> DST=213.156.32.145 LEN=59 TOS=0x00 PREC=0x00 TTL=127 ID=2010 PROTO=UDP
> SPT=1028 DPT=53 LEN=39

Another poster gave a url for a good reference on how to decipher
this. But I still think they are just messages indicating successful
packet forwarding from your system. But I'll look more closely to see
if there is something evil in them. (The command "dig" is useful for
doing reverse dns lookups on those IP addresses.)

One thing I didn't catch before: It looks like you are using only one
ethernet card. I strongly recommend using two ethernet cards. (I can't
be sure you are using only one card, but I didn't see any messages
indicating activity from anything other than eth0. But maybe you are
only logging activity from your external card. I could figure this out
by looking at your "iptables --list" output but am in a hurry to go
shopping now.) Anyway, you should have one card (eth0 typically)
connected to the outside world and another one (eth1 typically)
connected to your internal computers. This is more secure than using
only one card.

Your iptables ruleset does expect two cards by these names, by the
way (EXTIF="eth0" and INTIF="eth1").

I'll look more closely at your stuff to see if there is something
there.

I still recommend disabling the iptables logging to more easily see
logging from other kernel modules. Iptables logging generates a huge
volume of messages, making it very difficult to weed out what you are
looking for.
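As an added example (not part of this thread), a small Python script that splits kernel iptables log lines in the quoted format into their fields and tags the two things discussed above: packets whose IN and OUT interface are the same (the one-card situation) and UDP port 53 queries like the one Ali posted. The sample lines are constructed to match the quoted format; only the first mirrors the posted entry.

```python
import re
from typing import Dict, List, Optional

# Constructed sample syslog text modelled on the quoted /var/log/messages line.
# The last line is a non-iptables kernel message, to show it is skipped.
SAMPLE_LOG = """\
Nov 26 19:36:19 Firewall2 kernel: IN=eth0 OUT=eth0 SRC=10.1.3.13 DST=213.156.32.145 LEN=59 TOS=0x00 PREC=0x00 TTL=127 ID=2010 PROTO=UDP SPT=1028 DPT=53 LEN=39
Nov 26 19:36:20 Firewall2 kernel: IN=eth1 OUT=eth0 SRC=10.1.3.14 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=2011 PROTO=TCP SPT=40000 DPT=80
Nov 26 19:36:21 Firewall2 kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=2012 PROTO=TCP SPT=12345 DPT=22
Nov 26 19:36:22 Firewall2 kernel: eth0: link up
"""

FIELD_RE = re.compile(r"(\w+)=(\S*)")

def parse_iptables_line(line: str) -> Optional[Dict[str, str]]:
    """Split one kernel iptables log line into its KEY=VALUE fields.
    Netfilter prints LEN twice for UDP (IP total length, then UDP length),
    so the second one is stored as UDP_LEN. Returns None for other lines."""
    if "kernel:" not in line or " IN=" not in line:
        return None
    fields: Dict[str, str] = {"timestamp": line[:15]}   # "Nov 26 19:36:19"
    for key, val in FIELD_RE.findall(line.split("kernel:", 1)[1]):
        if key == "LEN" and "LEN" in fields:
            key = "UDP_LEN"
        fields[key] = val
    return fields

def classify(fields: Dict[str, str]) -> List[str]:
    """Tag a parsed entry with the conditions a masquerading gateway admin cares about."""
    tags: List[str] = []
    if fields.get("IN") and fields.get("IN") == fields.get("OUT"):
        tags.append("same-interface")  # forwarded back out the way it came: hints at a one-NIC box
    if not fields.get("OUT"):
        tags.append("local-input")     # empty OUT: packet was addressed to the firewall itself
    if fields.get("PROTO") == "UDP" and fields.get("DPT") == "53":
        tags.append("dns-query")
    return tags

def analyze(log_text: str) -> List[Dict[str, object]]:
    """Parse and tag every iptables line in a block of syslog text."""
    results: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        fields = parse_iptables_line(line)
        if fields is None:
            continue
        results.append({"src": fields["SRC"], "dst": fields["DST"],
                        "proto": fields.get("PROTO"), "dpt": fields.get("DPT"),
                        "tags": classify(fields)})
    return results

if __name__ == "__main__":
    for r in analyze(SAMPLE_LOG):
        print(f"{r['src']} -> {r['dst']} {r['proto']}/{r['dpt']}: {', '.join(r['tags']) or 'ok'}")
```

Feeding the real file through `analyze` and counting the `same-interface` tag is a quick way to confirm whether traffic really is hairpinning through a single eth0.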


