On Fri, 13 Aug 2004 at 08:13:21AM -0700, Wanda Round wrote:
> After reading that I should look through /var/log/messages, I did
> and found many lines like these:
>
> Aug 12 04:36:53 towern kernel: |iptables -- IN=ppp0 OUT= MAC=
> SRC=201.129.122.85 DST=12.65.24.43 LEN=48 TOS=0x00 PREC=0x00 TTL=115
> ID=40023 DF PROTO=TCP SPT=4346 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0
>
> Aug 12 04:40:59 towern kernel: |iptables -- IN=ppp0 OUT= MAC=
> SRC=83.36.139.197 DST=12.65.24.43 LEN=52 TOS=0x00 PREC=0x00 TTL=46
> ID=19155 DF PROTO=TCP SPT=4845 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0
>
> The 12.65.24.43 was my dialup connection. The 201.129.etc and 83.36.etc
> were from Mexico and Spain.
>
> MAN iptables didn't help me at all!
>
> What are these lines telling me? Where can I find a simpler explanation
> of iptables logs?
It is saying a rule matched. It doesn't say what you did with the packet, though; it just tells you about the packet. If you want to know what you did with it, you would need to include a log-prefix in your iptables scripts.

Here is what we know:

Interface the traffic came IN on: ppp0
The IP address the traffic came from: 83.36.139.197
The IP address it was destined to: 12.65.24.43
The length of the packet: 53 bytes
The Type of Service flag was set to null (00)
The SYN flag was set; this was a connection attempt
The IP ID field (for IP fragmentation): 19155
The layer 4 protocol: TCP
The layer 4 source port: 4346
The layer 4 destination port: 445
The size of the TCP window: 16384 bytes

Shorter version: someone from 83.36.139.197 tried to connect to 12.65.24.43 (presumably you) on port 445 via interface ppp0. We cannot deduce what action was taken by your computer because you (or your iptables interface program) did not log this. It is for this reason that I run my own iptables script and edit it by hand (pretty masochistic... huh?).

My guess is this packet was related to an automated attack (worm).

Hope this helps,

-- 
Phillip Hofmeister

-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
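The field-by-field decoding above can be mechanised. What follows is an added example, not code from either poster: a small Python parser for netfilter LOG records of the kind quoted in the question. It splits each record into the prefix (everything before IN=), the KEY=value fields and the bare flag tokens (DF for the IP header, SYN/ACK/... for TCP), and reports the verdict only when the prefix names one. The first two sample lines copy the format quoted in the thread; the third line is constructed (hypothetical source 10.0.0.5, hypothetical --log-prefix "DROP-INPUT: ") to show what the reply is asking for, and the fourth is an unrelated kernel message that the parser must ignore.

```python
"""Decode netfilter/iptables LOG lines of the kind shown in the thread.

Added example, not code from the original posts. The third sample line is
constructed (hypothetical host 10.0.0.5, hypothetical --log-prefix "DROP-INPUT: ")
to show that the verdict is only recoverable when the rule sets a prefix.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: lines 1-2 copy the format quoted in the thread, line 3 is
# hypothetical and carries a --log-prefix naming the verdict, line 4 is noise.
SAMPLE_LOG = """\
Aug 12 04:36:53 towern kernel: |iptables -- IN=ppp0 OUT= MAC= SRC=201.129.122.85 DST=12.65.24.43 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=40023 DF PROTO=TCP SPT=4346 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0
Aug 12 04:40:59 towern kernel: |iptables -- IN=ppp0 OUT= MAC= SRC=83.36.139.197 DST=12.65.24.43 LEN=52 TOS=0x00 PREC=0x00 TTL=46 ID=19155 DF PROTO=TCP SPT=4845 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0
Aug 12 04:41:10 towern kernel: DROP-INPUT: IN=ppp0 OUT= MAC= SRC=10.0.0.5 DST=12.65.24.43 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=7 DF PROTO=UDP SPT=53 DPT=53 LEN=40
Aug 12 04:41:11 towern kernel: ppp0: some unrelated kernel message
"""

# syslog timestamp (day may be space-padded), host, "kernel:", then the LOG payload
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: (?P<payload>.*)$"
)
TCP_FLAGS = ("CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN")  # order netfilter prints them
VERDICT_WORDS = ("DROP", "REJECT", "ACCEPT")


@dataclass
class LogEntry:
    timestamp: str
    host: str
    prefix: str      # text before IN=: whatever --log-prefix (or the front-end's tag) was set
    fields: dict     # KEY=value pairs: IN, OUT, SRC, DST, LEN, TTL, PROTO, SPT, DPT, ...
    flags: list      # bare tokens: DF/MF (IP header) and SYN/ACK/... (TCP header)


def parse_line(line):
    """Return a LogEntry, or None if the line is not a netfilter LOG record."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    payload = m.group("payload")
    start = payload.find("IN=")
    if start < 0:
        return None
    fields, flags = {}, []
    for tok in payload[start:].split():
        key, eq, value = tok.partition("=")
        if eq:
            # UDP/ICMP records repeat LEN= for the layer-4 header; keep the first
            # occurrence, which is the IP total length the reply refers to.
            fields.setdefault(key, value)
        else:
            flags.append(key)
    return LogEntry(m.group("ts"), m.group("host"), payload[:start].strip(), fields, flags)


def parse_log(text):
    return [e for e in (parse_line(raw) for raw in text.splitlines()) if e is not None]


def verdict(entry):
    """Best-effort verdict from the log prefix; None when the prefix names none."""
    up = entry.prefix.upper()
    for word in VERDICT_WORDS:
        if word in up:
            return word
    return None


def summarize(entry):
    """One-line reading of a record, in the spirit of the reply's 'shorter version'."""
    f = entry.fields
    proto = f.get("PROTO", "?")
    if "SPT" in f:
        ends = f"{f.get('SRC')}:{f.get('SPT')} -> {f.get('DST')}:{f.get('DPT')}"
    else:
        ends = f"{f.get('SRC')} -> {f.get('DST')}"
    parts = [f"{proto} {ends} in on {f.get('IN') or '?'}"]
    if proto == "TCP":
        tcp = [x for x in entry.flags if x in TCP_FLAGS]
        if tcp == ["SYN"]:
            parts.append("SYN only (connection attempt)")
        elif tcp:
            parts.append("flags " + "/".join(tcp))
        else:
            parts.append("no TCP flags")
    parts.append(f"{f.get('LEN')} bytes, TTL {f.get('TTL')}")
    v = verdict(entry)
    parts.append(f"verdict {v}" if v else "verdict not logged")
    return ", ".join(parts)


def tally_by_dport(entries):
    """Count records per (PROTO, DPT): turns 'many lines like these' into a short table."""
    return Counter((e.fields.get("PROTO"), e.fields.get("DPT")) for e in entries)


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for e in entries:
        print(e.timestamp, summarize(e))
    for (proto, dport), n in tally_by_dport(entries).most_common():
        print(f"{n:4d}  {proto}/{dport}")
```

Run against a real /var/log/messages the tally is what answers "what are these lines telling me": two SYN-only records to TCP/445 from unrelated addresses is the signature of a scan, not of anything the dialup host did. The verdict column stays "not logged" for the lines in the question because a LOG target records the packet, never the decision; to get "verdict DROP" as in the constructed third line, the LOG rule has to carry its own marker, e.g. `-j LOG --log-prefix "DROP-INPUT: "` placed immediately before the DROP rule with the same match.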