[kwlug-disc] iptables logging/port confusion

Paul Nijjar paul_nijjar at yahoo.ca
Wed May 20 10:30:34 EDT 2009


First, the port confusion. We're getting warnings from Rogers that we
have an IRC bot, and I am having trouble even interpreting their
logs:

 Times are in GMT.
 [2009-04-22 14:50:11][a.b.c.d:59609] CONNECT 6669
 [2009-04-22 14:50:11][a.b.c.d:59609:6669] PASS dci
 [2009-04-22 14:50:12][a.b.c.d:59609:6669] NICK [SNiFFER]prewya
 [2009-04-22 14:50:12][a.b.c.d:59609:6669] USER thmcft "" "dvo" :thmcft
 [2009-04-22 14:50:12][[SNiFFER]prewya!thmcft at a.b.c.d:59609:6669] JOIN ??hackz?? loser

"a.b.c.d" is our IP address, given to us by Rogers.

I think that this means that some machine on our network is connecting
to a port 6669 someplace else by opening port 59609 on our network.
The Rogers tech support suggests the opposite: that we are connecting
out (or being connected to) on port 6669 on our network. Who is right?

Secondly: to catch these problems I have a bunch of IPTables logging
rules in my IPCop box. Here is rule A: 

        /sbin/iptables -A CUSTOMFORWARD -o $RED_DEV -m state --state NEW,RELATED -m limit --limit 30/min -j LOG --log-prefix "RED Outgoing: "

and here is another, rule B: 

        /sbin/iptables -A CUSTOMFORWARD -p tcp --dport 6669 -m limit --limit 30/min -j LOG --log-prefix "DANGER 6669 TCP DPT: "

There are a bunch of other rules that run along the same lines. All of them have the "-m limit --limit 30/min" clause on them.

Say that Rule A fires 30 times in one minute. Now the firewall will
stop logging for Rule A for a while. Say that during this time rule B
fires. Is it going to write to the firewall log (because it has a
different limit counter) or will it be suppressed (because it uses the
same limit counter as rule A)?

It is obvious to me that 30 entries a minute is way too low. I don't
know what the right value is, though. Every message that is written to
my IPCop box gets mirrored to a log server. I don't want to bog down
the (IDE) hard drive on the IPCop box and I don't want to flood my
network. 

What value do I want? Is 300 messages per minute safe? Maybe I should
take away the limit altogether, since the limit is mostly supposed to
prevent denial of service attacks, and Rogers is threatening to deny
our service anyways?

Help!

- Paul
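As an added example (not code from the post, from IPCop or from anyone on the list), the following Python reads the two log formats quoted above and puts them side by side. In the ISP log, `a.b.c.d:59609` is the public address plus the source port the NAT box used for that session, and `6669` is the remote destination port; the iptables LOG target writes the same two numbers as `SPT=` and `DPT=`, which is what the correlation keys on to recover the LAN address behind the NAT. The last part models `-m limit --limit 30/min` as the token bucket it is, one bucket per rule instance (each `-m limit` keeps its own state), with iptables' default `--limit-burst` of 5. The LAN addresses, interface names, remote addresses and firewall timestamps are constructed.

```python
"""Added example (not from the kwlug-disc post or from IPCop): parse the
ISP abuse log and the IPCop box's iptables LOG lines, correlate them on
source/destination port to find which LAN host opened the connection, and
model one `-m limit` token bucket per rule. All sample data is constructed;
a.b.c.d stands for the public address exactly as in the post."""
import re
from collections import defaultdict

# Constructed sample in the ISP's format (the session quoted in the post).
ISP_LOG = """\
[2009-04-22 14:50:11][a.b.c.d:59609] CONNECT 6669
[2009-04-22 14:50:11][a.b.c.d:59609:6669] PASS dci
[2009-04-22 14:50:12][a.b.c.d:59609:6669] NICK [SNiFFER]prewya
[2009-04-22 14:50:12][[SNiFFER]prewya!thmcft at a.b.c.d:59609:6669] JOIN ??hackz?? loser
"""

# Constructed iptables LOG output as rules A and B would write it (standard
# LOG field names; 192.168.1.x = LAN side, 203.0.113.7 / 198.51.100.9 = remote).
FW_LOG = """\
May 20 10:50:11 ipcop kernel: RED Outgoing: IN=eth0 OUT=ppp0 SRC=192.168.1.23 DST=203.0.113.7 PROTO=TCP SPT=59609 DPT=6669
May 20 10:50:11 ipcop kernel: DANGER 6669 TCP DPT: IN=eth0 OUT=ppp0 SRC=192.168.1.23 DST=203.0.113.7 PROTO=TCP SPT=59609 DPT=6669
May 20 10:50:30 ipcop kernel: RED Outgoing: IN=eth0 OUT=ppp0 SRC=192.168.1.40 DST=198.51.100.9 PROTO=TCP SPT=41022 DPT=80
"""

# [timestamp][...ip:srcport(:dstport)] VERB args  (the JOIN line nests brackets)
ISP_RE = re.compile(r"^\[(?P<ts>[^\]]+)\].*?(?P<ip>[\w.]+):(?P<sport>\d+)"
                    r"(?::(?P<dport>\d+))?\]\s+(?P<verb>\S+)(?:\s+(?P<arg>.*))?$")
# "kernel: <log-prefix>IN=.. OUT=.. SRC=.. DST=.. PROTO=.. SPT=.. DPT=.."
FW_RE = re.compile(r"kernel:\s+(?P<prefix>.*?)IN=(?P<iface_in>\S*)\s+OUT=(?P<iface_out>\S*)"
                   r".*?SRC=(?P<src>\S+)\s+DST=(?P<dst>\S+).*?PROTO=(?P<proto>\S+)"
                   r".*?SPT=(?P<spt>\d+)\s+DPT=(?P<dpt>\d+)")


def isp_connections(text):
    """Group ISP log lines by (public ip, source port). The destination port
    comes from the CONNECT line or from the third field of later lines."""
    conns = {}
    for line in text.splitlines():
        m = ISP_RE.match(line)
        if not m:
            continue
        c = conns.setdefault((m["ip"], int(m["sport"])), {"dport": None, "events": []})
        if m["verb"] == "CONNECT":
            c["dport"] = int(m["arg"])
        elif m["dport"]:
            c["dport"] = int(m["dport"])
        c["events"].append((m["ts"], m["verb"], (m["arg"] or "").strip()))
    return conns


def fw_entries(text):
    """Parse iptables LOG lines into dicts with the prefix and the 5-tuple."""
    out = []
    for line in text.splitlines():
        m = FW_RE.search(line)
        if m:
            d = m.groupdict()
            d["prefix"] = d["prefix"].strip()
            d["spt"], d["dpt"] = int(d["spt"]), int(d["dpt"])
            out.append(d)
    return out


def find_internal_hosts(isp_text, fw_text):
    """For each ISP-reported session, the LAN addresses whose forwarded TCP
    packets carried the same source port (SPT) and destination port (DPT)."""
    hits = defaultdict(set)
    entries = fw_entries(fw_text)
    for (_, sport), c in isp_connections(isp_text).items():
        for e in entries:
            if e["proto"] == "TCP" and e["spt"] == sport and e["dpt"] == c["dport"]:
                hits[(sport, c["dport"])].add(e["src"])
    return dict(hits)


class LimitBucket:
    """Simplified model of one `-m limit --limit N/min --limit-burst B` match:
    a bucket that refills at N tokens per minute up to B tokens (default 5).
    Each rule instance owns its own bucket, so rules do not share counters."""
    def __init__(self, rate_per_min=30, burst=5):
        self.interval = 60.0 / rate_per_min   # seconds per token
        self.burst, self.tokens, self.last = burst, float(burst), 0.0

    def allow(self, t):
        self.tokens = min(self.burst, self.tokens + (t - self.last) / self.interval)
        self.last = t
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


def simulate_limits(packets, rate_per_min=30, burst=5):
    """packets: (time_in_seconds, rule_name), time-ordered per rule.
    Returns how many packets each rule actually wrote to the log."""
    buckets = defaultdict(lambda: LimitBucket(rate_per_min, burst))
    logged = {}
    for t, rule in packets:
        logged.setdefault(rule, 0)
        if buckets[rule].allow(t):
            logged[rule] += 1
    return logged


if __name__ == "__main__":
    print(find_internal_hosts(ISP_LOG, FW_LOG))          # {(59609, 6669): {'192.168.1.23'}}
    stream = [(t, "A") for t in range(60)] + [(30, "B")]  # A: one packet/second, B: one packet
    print(simulate_limits(stream))                        # {'A': 34, 'B': 1}
```

With one packet per second hitting rule A, the bucket lets the first nine through (the burst of 5 plus the half-token refilled each second) and then one every two seconds, 34 in the minute rather than 30; rule B's single packet is logged regardless, because its bucket is separate. Against real IPCop output the regexes only need the `kernel:` prefix and the standard `SRC=`/`DST=`/`SPT=`/`DPT=` fields, so the syslog timestamp format does not matter.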
