[Leaplist] Oddball iptables messages in my syslog file ....

William A. Mahaffey III wam at hiwaay.net
Fri Sep 19 15:21:50 EDT 2008


Scott Moe wrote:
> Looks like you have your log and drop rule on the FORWARD hook of the filter table, but I'm not sure about that. I'd move it to the end of the INPUT hook and add this rule:
>
> iptables -t filter -I INPUT -p tcp --dport 22 -i eth0 -s 192.168.0.0/24 -j ACCEPT
>
> to just accept any ssh packets from the LAN.
>
> Sure is fun to roll your own firewall.
>
> Scott Moe
>
>
>
> ----- Original Message ----
> From: William A. Mahaffey III <wam at hiwaay.net>
> To: Linux Group HuntsVegas <luna-list at luna.huntsville.al.us>
> Cc: Linux Enthusiasts & Professionals <leaplist at leap-cf.org>
> Sent: Friday, September 19, 2008 8:37:36 AM
> Subject: [Leaplist] Oddball iptables messages in my syslog file ....
>
>
> .... I have 2 linux boxen on my LAN, 1 (this box) an AMD64X2 running 
> FC9, the other an Intel Q6600 sorta-server running FC7 in runlevel 3. I 
> have iptables running on both boxen, with a rule at the end to log 
> whatever traffic it doesn't pass & then drop it. I log into the Q6600 
> from the FC9 box & often stay logged in for weeks/months. I get many 
> messages in the syslog file on the Q6600 like this:
>
>
> Sep 19 04:21:18 Q6600 kernel: FWDROP:FW:IN=eth0 OUT= MAC=00:1a:4d:84:4d:89:00:1a:4d:41:55:27:08:00 SRC=192.168.0.4 DST=192.168.0.9 LEN=100 TOS=0x08 PREC=0x00 TTL=64 ID=65128 DF PROTO=TCP SPT=22 DPT=54804 WINDOW=657 RES=0x00 ACK PSH URGP=0
> Sep 19 04:22:02 Q6600 kernel: FWDROP:FW:IN=eth0 OUT= MAC=00:1a:4d:84:4d:89:00:1a:4d:41:55:27:08:00 SRC=192.168.0.4 DST=192.168.0.9 LEN=100 TOS=0x08 PREC=0x00 TTL=64 ID=8822 DF PROTO=TCP SPT=22 DPT=36486 WINDOW=2309 RES=0x00 ACK PSH URGP=0
> Sep 19 04:22:02 Q6600 kernel: FWDROP:FW:IN=eth0 OUT= MAC=00:1a:4d:84:4d:89:00:1a:4d:41:55:27:08:00 SRC=192.168.0.4 DST=192.168.0.9 LEN=100 TOS=0x08 PREC=0x00 TTL=64 ID=9021 DF PROTO=TCP SPT=22 DPT=36486 WINDOW=4618 RES=0x00 ACK PSH URGP=0
> Sep 19 04:23:21 Q6600 kernel: FWDROP:FW:IN=eth0 OUT= MAC=00:1a:4d:84:4d:89:00:1a:4d:41:55:27:08:00 SRC=192.168.0.4 DST=192.168.0.9 LEN=100 TOS=0x08 PREC=0x00 TTL=64 ID=12000 DF PROTO=TCP SPT=22 DPT=36494 WINDOW=2218 RES=0x00 ACK PSH URGP=0
>
>
> That MAC address is the concatenation of the MAC address on the 2 
> machines. Spt 22 is ssh, presumably from the FC9 box into the Q6600. 
> Everything (logins/shells under SSH) is working AOK, just lots of stuff 
> in the syslog file as above. This just started happening a few weeks ago 
> after a 'yum update all' on the FC9 box. What is causing this clutter ? 
> How do I stop it, so more important stuff in the syslog file is not 
> drowned out by these messages ? TIA ....
>


Roger that, put it in & all has been quiet since (about 6 hours, we'll 
see ....). I was kinda curious why it started after a yum-update of FC9, 
well after the initial FC9 install .... I didn't google it, I figured it 
might be some well-known bug/feature of the updated SSH .....


-- 

	William A. Mahaffey III

 ----------------------------------------------------------------------

	"The M1 Garand is without doubt the finest implement of war
	 ever devised by man."
                           -- Gen. George S. Patton Jr.
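To read the FWDROP lines above mechanically rather than by eye, here is an added example that is not part of the thread and not the poster's, Scott's or Fedora's code: a small Python parser for iptables LOG output. It assumes the standard syslog layout (`<timestamp> <host> kernel: <log-prefix>IN=...`), splits the 14-byte MAC= field as the LOG target writes it (destination MAC, source MAC, then the 2-byte EtherType, which is what the poster saw as "the concatenation of the MAC address on the 2 machines"), and uses the four lines quoted in the message as its embedded sample input.

```python
import re
from collections import Counter

# Kernel LOG lines copied from the thread above; embedded as sample input so
# the script runs offline (FWDROP:FW: is the poster's own --log-prefix).
SAMPLE_LOG = """\
Sep 19 04:21:18 Q6600 kernel: FWDROP:FW:IN=eth0 OUT= MAC=00:1a:4d:84:4d:89:00:1a:4d:41:55:27:08:00 SRC=192.168.0.4 DST=192.168.0.9 LEN=100 TOS=0x08 PREC=0x00 TTL=64 ID=65128 DF PROTO=TCP SPT=22 DPT=54804 WINDOW=657 RES=0x00 ACK PSH URGP=0
Sep 19 04:22:02 Q6600 kernel: FWDROP:FW:IN=eth0 OUT= MAC=00:1a:4d:84:4d:89:00:1a:4d:41:55:27:08:00 SRC=192.168.0.4 DST=192.168.0.9 LEN=100 TOS=0x08 PREC=0x00 TTL=64 ID=8822 DF PROTO=TCP SPT=22 DPT=36486 WINDOW=2309 RES=0x00 ACK PSH URGP=0
Sep 19 04:22:02 Q6600 kernel: FWDROP:FW:IN=eth0 OUT= MAC=00:1a:4d:84:4d:89:00:1a:4d:41:55:27:08:00 SRC=192.168.0.4 DST=192.168.0.9 LEN=100 TOS=0x08 PREC=0x00 TTL=64 ID=9021 DF PROTO=TCP SPT=22 DPT=36486 WINDOW=4618 RES=0x00 ACK PSH URGP=0
Sep 19 04:23:21 Q6600 kernel: FWDROP:FW:IN=eth0 OUT= MAC=00:1a:4d:84:4d:89:00:1a:4d:41:55:27:08:00 SRC=192.168.0.4 DST=192.168.0.9 LEN=100 TOS=0x08 PREC=0x00 TTL=64 ID=12000 DF PROTO=TCP SPT=22 DPT=36494 WINDOW=2218 RES=0x00 ACK PSH URGP=0
"""

TCP_FLAGS = ("SYN", "ACK", "PSH", "FIN", "RST", "URG")


def split_mac(mac):
    """The LOG target's MAC= field is the raw 14-byte Ethernet header:
    destination MAC, source MAC, then the 2-byte EtherType (08:00 = IPv4)."""
    octets = mac.split(":")
    if len(octets) != 14:
        return None
    return {
        "dst": ":".join(octets[:6]),
        "src": ":".join(octets[6:12]),
        "ethertype": "".join(octets[12:14]),
    }


def parse_log_line(line):
    """Turn one 'kernel: <prefix>IN=...' syslog line into a dict, or return
    None for any line that is not an iptables LOG record."""
    if " kernel: " not in line or "IN=" not in line:
        return None
    head, body = line.split(" kernel: ", 1)
    timestamp, host = head.rsplit(" ", 1)
    prefix, _, rest = body.partition("IN=")
    fields, flags = {}, []
    for tok in ("IN=" + rest).split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value          # OUT= legitimately has an empty value
        else:
            flags.append(tok)            # bare words: DF, SYN, ACK, PSH, ...
    return {
        "timestamp": timestamp,
        "host": host,
        "prefix": prefix.strip(),
        "fields": fields,
        "flags": flags,
        "mac": split_mac(fields.get("MAC", "")),
    }


def parse_log(text):
    return [rec for rec in (parse_log_line(line) for line in text.splitlines()) if rec]


def summarize(records):
    """Count dropped packets by (SRC, DST, PROTO, SPT). The client-side DPT is
    an ephemeral port that changes per session, so keying on the server-side
    port is what makes the pattern visible."""
    return Counter(
        (r["fields"].get("SRC"), r["fields"].get("DST"),
         r["fields"].get("PROTO"), r["fields"].get("SPT"))
        for r in records
    )


def explain(record):
    """Classify a record by direction and handshake state from its flags."""
    f, flags = record["fields"], record["flags"]
    if f.get("PROTO") != "TCP":
        return "non-TCP packet"
    tcp = " ".join(x for x in flags if x in TCP_FLAGS)
    if "SYN" in flags and "ACK" not in flags:
        return "new connection attempt to port %s" % f.get("DPT")
    if f.get("SPT") == "22":
        return ("mid-connection SSH server-to-client segment from %s:22 to %s:%s (%s)"
                % (f.get("SRC"), f.get("DST"), f.get("DPT"), tcp))
    if f.get("DPT") == "22":
        return "mid-connection SSH client-to-server segment (%s)" % tcp
    return "mid-connection TCP segment (%s)" % tcp


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for key, n in summarize(recs).items():
        print("%d packet(s) %s:%s -> %s proto %s" % (n, key[0], key[3], key[1], key[2]))
    print(explain(recs[0]))
```

Run over the four quoted lines it reports all of them as 192.168.0.4:22 -> 192.168.0.9, TCP with ACK and PSH set and no SYN: segments an sshd sends to a client inside an already-open session, not new connection attempts. Two things follow for whoever tunes the rule set. A log-and-drop rule placed last only sees such packets when nothing earlier accepts established traffic, so a `-m state --state ESTABLISHED,RELATED -j ACCEPT` rule near the top of INPUT is the usual way to keep them out of the log. And a match on `--dport 22` covers the client-to-server direction only, whereas these packets carry SPT=22 with an ephemeral DPT, so whatever accept rule is added should match the direction the log actually shows.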

