[kwlug-disc] iptables logging/port confusion
paul_nijjar at yahoo.ca
Wed May 20 10:30:34 EDT 2009
First, the port confusion. We're getting warnings from Rogers that we
have an IRC bot, and I am having trouble even interpreting their
Times are in GMT.
[2009-04-22 14:50:11][a.b.c.d:59609] CONNECT 6669
[2009-04-22 14:50:11][a.b.c.d:59609:6669] PASS dci
[2009-04-22 14:50:12][a.b.c.d:59609:6669] NICK [SNiFFER]prewya
[2009-04-22 14:50:12][a.b.c.d:59609:6669] USER thmcft ""
[2009-04-22 14:50:12][[SNiFFER]prewya!thmcft at a.b.c.d:59609:6669] JOIN
"a.b.c.d" is our IP address, given to us by Rogers.
I think that this means that some machine on our network is connecting
to a port 6669 someplace else by opening port 59609 on our network.
The Rogers tech support suggests the opposite: that we are connecting
out (or being connected to) on port 6669 on our network. Who is right?
Secondly: to catch these problems I have a bunch of iptables logging
rules in my IPCop box. Here is rule A:
/sbin/iptables -A CUSTOMFORWARD -o $RED_DEV -m state --state NEW,RELATED -m limit --limit 30/min -j LOG --log-prefix "RED Outgoing: "
and here is another, rule B:
/sbin/iptables -A CUSTOMFORWARD -p tcp --dport 6669 -m limit --limit 30/min -j LOG --log-prefix "DANGER 6669 TCP DPT: "
There are a bunch of other rules that run along the same lines. All of them have the "-m limit --limit 30/min" clause on them.
Say that Rule A fires 30 times in one minute. Now the firewall will
stop logging for Rule A for a while. Say that during this time rule B
fires. Is it going to write to the firewall log (because it has a
different limit counter) or will it be suppressed (because it uses the
same limit counter as rule A)?
It is obvious to me that 30 entries a minute is way too low. I don't
know what the right value is, though. Every message that is written to
my IPCop box gets mirrored to a log server. I don't want to bog down
the (IDE) hard drive on the IPCop box and I don't want to flood my
What value do I want? Is 300 messages per minute safe? Maybe I should
take away the limit altogether, since the limit is mostly supposed to
prevent denial of service attacks, and Rogers is threatening to deny
our service anyways?
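An added example, not from the post or from IPCop, that models how netfilter's limit match behaves for rules A and B: each "-m limit" instance keeps its own token bucket, so rule A running dry does not suppress rule B. It assumes the default "--limit-burst" of 5 and uses constructed packet events.

```python
from dataclasses import dataclass


# Constructed packet events, not real traffic: time in seconds, protocol,
# destination port, and the conntrack state the packet would carry.
@dataclass
class Packet:
    t: float
    proto: str
    dport: int
    state: str


class LimitMatch:
    """Token bucket modelled on netfilter's limit match: '--limit N/min'
    refills N tokens per minute and '--limit-burst B' (default 5) caps the
    bucket. State is per match instance, i.e. per rule."""

    def __init__(self, per_minute: float, burst: int = 5):
        self.rate = per_minute / 60.0  # tokens per second
        self.burst = burst
        self.tokens = float(burst)      # bucket starts full
        self.last = 0.0

    def __call__(self, now: float) -> bool:
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def run_chain(packets):
    """Rules A and B from the post, each with its own limit state. LOG is a
    non-terminating target, so every packet is checked against both rules."""
    limit_a, limit_b = LimitMatch(30), LimitMatch(30)
    logged = {"A": 0, "B": 0}
    for p in packets:
        if p.state in ("NEW", "RELATED") and limit_a(p.t):   # rule A
            logged["A"] += 1
        if p.proto == "tcp" and p.dport == 6669 and limit_b(p.t):  # rule B
            logged["B"] += 1
    return logged


def scenario():
    # 40 new outbound web connections in under a second exhaust rule A's
    # burst of 5; a later connection to port 6669 is still logged by rule B.
    pkts = [Packet(i * 0.02, "tcp", 80, "NEW") for i in range(40)]
    pkts.append(Packet(1.0, "tcp", 6669, "NEW"))
    return run_chain(pkts)  # {"A": 5, "B": 1}
```

Note that with 30/min and the default burst, only the first 5 matches of a flood are logged and then one every two seconds, so the log can understate a burst considerably.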