My setup:
Internal network 192.168.100.0/24
Internal router 192.168.100.10 <-NAT & Shorewall-> 192.168.0.201
"DMZ" Area 192.168.0/24
T1 Connection 192.168.0.1 <-NAT, no firewall-> Internet via ATG
But iptstate -s gives me some odd entries:
[EMAIL PROTECTED] ~]# iptstate -s | less
IP Tables State Top -- Sort by: SrcIP
Source Destination Proto State TTL
192.168.0.201,54934 192.168.0.230,80 tcp ESTABLISHED 18:02:53
192.168.0.201,54937 192.168.0.141,80 tcp ESTABLISHED 18:02:48
192.168.0.201,54938 192.168.0.92,80 tcp ESTABLISHED 18:02:47
192.168.0.201,54937 192.168.0.17,80 tcp ESTABLISHED 18:02:47
192.168.0.201,54938 192.168.0.62,80 tcp ESTABLISHED 18:02:47
192.168.0.201,54938 192.168.0.85,80 tcp ESTABLISHED 18:02:47
192.168.0.201,54938 192.168.0.155,80 tcp ESTABLISHED 18:02:48
192.168.0.201,54938 192.168.0.139,80 tcp ESTABLISHED 18:02:48
192.168.0.201,54937 192.168.0.160,80 tcp ESTABLISHED 18:02:48
192.168.0.201,54937 192.168.0.120,80 tcp ESTABLISHED 18:02:48
192.168.0.201,54938 192.168.0.66,80 tcp ESTABLISHED 18:02:47
192.168.0.201,54934 192.168.0.224,80 tcp ESTABLISHED 18:02:53
192.168.0.201,54937 192.168.0.10,80 tcp ESTABLISHED 18:02:46
192.168.0.201,54937 192.168.0.28,80 tcp ESTABLISHED 18:02:47
192.168.0.201,54937 192.168.0.106,80 tcp ESTABLISHED 18:02:47
192.168.0.201,54938 192.168.0.37,80 tcp ESTABLISHED 18:02:47
192.168.0.201,54938 192.168.0.13,80 tcp ESTABLISHED 18:02:46
192.168.0.201,54937 192.168.0.151,80 tcp ESTABLISHED 18:02:48
...
None of those 192.168.0 "Destination" addresses exist - how can there be an established connection to tcp port 80 on them from my firewall?
...
192.168.100.10,62929 192.168.100.15,80 tcp ESTABLISHED 18:00:57
192.168.100.10,48530 192.168.100.85,80 tcp ESTABLISHED 111:52:10
192.168.100.10,62929 192.168.100.80,80 tcp ESTABLISHED 18:00:58
192.168.100.10,33612 192.168.100.79,80 tcp ESTABLISHED 18:00:40
192.168.100.10,48530 192.168.100.170,80 tcp ESTABLISHED 111:52:11
192.168.100.10,62929 192.168.100.169,80 tcp ESTABLISHED 18:00:59
192.168.100.10,62928 192.168.100.166,80 tcp ESTABLISHED 18:00:58
192.168.100.10,62929 192.168.100.14,80 tcp ESTABLISHED 18:00:57
192.168.100.10,62929 192.168.100.185,80 tcp ESTABLISHED 18:00:59
192.168.100.10,48530 192.168.100.23,80 tcp ESTABLISHED 111:52:09
192.168.100.10,62929 192.168.100.105,80 tcp ESTABLISHED 18:00:58
192.168.100.10,33612 192.168.100.131,80 tcp ESTABLISHED 18:00:41
192.168.100.10,62928 192.168.100.65,80 tcp ESTABLISHED 18:00:57
192.168.100.10,62929 192.168.100.17,80 tcp ESTABLISHED 18:00:57
192.168.100.10,48530 192.168.100.218,80 tcp ESTABLISHED 111:52:11
192.168.100.10,48530 192.168.100.125,80 tcp ESTABLISHED 111:52:10
192.168.100.10,62928 192.168.100.31,80 tcp ESTABLISHED 18:00:57
...
Same as above, but on the other side of the firewall
...
192.168.100.12,123 192.168.100.10,123 udp 0:02:03
192.168.100.92,56063 216.19.40.74,6881 tcp ESTABLISHED 24:19:47
192.168.100.92,57830 200.84.203.246,6881 tcp ESTABLISHED 33:17:44
192.168.100.92,57851 200.84.203.246,6881 tcp ESTABLISHED 33:18:25
192.168.100.100,138 192.168.100.255,138 udp 0:00:22
192.168.100.110,1047 205.188.7.208,5190 tcp ESTABLISHED 119:59:43
192.168.100.110,1060 205.188.248.163,5190 tcp ESTABLISHED 119:59:45
192.168.100.112,2910 207.228.35.39,110 tcp TIME_WAIT 0:00:04
192.168.100.112,2912 66.163.171.139,110 tcp TIME_WAIT 0:01:12
192.168.100.112,1267 64.42.8.135,80 tcp ESTABLISHED 119:56:06
192.168.100.112,2915 207.228.35.39,110 tcp TIME_WAIT 0:01:11
192.168.100.112,2833 64.42.8.136,80 tcp TIME_WAIT 0:00:49
192.168.100.112,2829 64.42.8.135,80 tcp TIME_WAIT 0:00:48
192.168.100.112,2913 66.163.171.139,110 tcp TIME_WAIT 0:01:11
192.168.100.112,1265 64.42.8.137,80 tcp ESTABLISHED 119:56:07
192.168.100.112,2914 207.228.35.39,110 tcp TIME_WAIT 0:01:11
192.168.100.112,1272 64.42.8.137,80 tcp ESTABLISHED 119:56:06
192.168.100.112,1767 192.168.100.10,22 tcp ESTABLISHED 119:59:59
192.168.100.112,2911 207.228.35.39,110 tcp TIME_WAIT 0:01:10
192.168.100.112,2830 64.42.8.135,80 tcp TIME_WAIT 0:00:48
192.168.100.123,49655 66.127.52.185,6346 tcp ESTABLISHED 96:50:18
That's what I'm looking for - all those 192.168.100 machines exist & are doing what I expect them to do - mail, http, ntp - normal stuff.
I'm going to have to delve further into this.
I also found a page from the netfilter folks that suggests "cat /proc/ip_conntrack" as the replacement for "ipchains -L -M".
Steve wrote:
On Tue, 2004-12-28 at 16:00 -0800, Ed Jaeger wrote:
I may have found a solution:
http://iptstate.phildev.net/screenshot.html
Steve wrote:
On Tue, 2004-12-28 at 14:32 -0800, Ed Jaeger wrote:
Yes - it looks like the info is there, "cat"ing it is just not easy to read.
Steve wrote:
On Tue, 2004-12-28 at 09:40 -0800, Ed Jaeger wrote:
Sure!
Look in /proc/net/ip_conntrack and let me know if this is the information you seek.
Like the rest of the /proc file system, it ain't too pretty but the data's there. You might look into something like IPCop, it has a clean webified interface to this data.
I have to apologize, I missed your earlier post that said you looked in /proc.
This app looks helpful but does it do reverse lookups?
-- Ed Jaeger
_______________________________________________
RLUG mailing list
[email protected]
http://lists.rlug.org/mailman/listinfo/rlug
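The thread above raises two questions a firewall admin reading a conntrack table runs into: why entries to hosts that do not exist can be labelled ESTABLISHED, and how to pick the odd rows out of a long `iptstate`/`ip_conntrack` listing. Two points of background: the tracker's ESTABLISHED label records what its TCP state machine inferred from the packets it saw, not a confirmed socket on the far host, and an entry stays in the table until the established timeout runs out (5 days, i.e. the 119:59:xx TTLs in the listing, on kernels of that era), so stale flows show up too. The example below is added here and is not code from the thread, from iptstate or from netfilter; it parses both the `iptstate -s` column layout shown above and the /proc/net/ip_conntrack line layout (the latter is an assumed layout for 2.4/2.6 kernels: `proto num timeout [state] src= dst= sport= dport= ... [UNREPLIED] ...`) into one record type, then flags the pattern visible in the thread, one source port (54937, 54938) fanning out to many destinations on the same port. The sample rows are constructed from the addresses in the post; the `Entry` type and the function names are my own.

```python
"""Added example, not from the RLUG thread: parse the two state-table formats
mentioned there (`iptstate -s` columns and /proc/net/ip_conntrack lines) into one
record type, then flag one source port fanning out to many destinations."""
import re
from collections import defaultdict
from typing import NamedTuple, Optional


class Entry(NamedTuple):
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    state: Optional[str]        # None for stateless protocols such as UDP
    ttl: str                    # iptstate shows H:MM:SS; ip_conntrack shows seconds
    unreplied: Optional[bool]   # True if no packet was ever seen in the reply direction,
                                # None when the source (iptstate) does not report it


# `iptstate -s` row: "src,sport dst,dport proto [state] ttl" (UDP rows carry no state).
_IPTSTATE_RE = re.compile(
    r"^(\S+),(\d+)\s+(\S+),(\d+)\s+(tcp|udp)\s+(?:([A-Z_]+)\s+)?(\d+:\d{2}:\d{2})$"
)
# /proc/net/ip_conntrack row (assumed layout of the 2.4/2.6 era):
# "proto num timeout [state] src= dst= sport= dport= ... [UNREPLIED] src= dst= ..."
_CONNTRACK_RE = re.compile(
    r"^(tcp|udp)\s+\d+\s+(\d+)\s+(?:([A-Z_]+)\s+)?"
    r"src=(\S+)\s+dst=(\S+)\s+sport=(\d+)\s+dport=(\d+)"
)

# Constructed sample in the iptstate layout, using addresses from the thread.
IPTSTATE_SAMPLE = """\
IP Tables State Top -- Sort by: SrcIP
Source Destination Proto State TTL
192.168.0.201,54937 192.168.0.141,80 tcp ESTABLISHED 18:02:48
192.168.0.201,54937 192.168.0.17,80 tcp ESTABLISHED 18:02:47
192.168.0.201,54937 192.168.0.160,80 tcp ESTABLISHED 18:02:48
192.168.0.201,54938 192.168.0.92,80 tcp ESTABLISHED 18:02:47
192.168.0.201,54938 192.168.0.62,80 tcp ESTABLISHED 18:02:47
192.168.100.12,123 192.168.100.10,123 udp 0:02:03
192.168.100.112,1767 192.168.100.10,22 tcp ESTABLISHED 119:59:59
"""

# Constructed sample in the assumed /proc/net/ip_conntrack layout.
CONNTRACK_SAMPLE = """\
tcp      6 431999 ESTABLISHED src=192.168.100.112 dst=192.168.100.10 sport=1767 dport=22 src=192.168.100.10 dst=192.168.100.112 sport=22 dport=1767 use=1
udp      17 123 src=192.168.100.12 dst=192.168.100.10 sport=123 dport=123 src=192.168.100.10 dst=192.168.100.12 sport=123 dport=123 use=1
tcp      6 64999 ESTABLISHED src=192.168.0.201 dst=192.168.0.141 sport=54937 dport=80 [UNREPLIED] src=192.168.0.141 dst=192.168.0.201 sport=80 dport=54937 use=1
"""


def parse_iptstate(text: str) -> list:
    """Parse `iptstate -s` output; header lines and unknown layouts are skipped."""
    entries = []
    for line in text.splitlines():
        m = _IPTSTATE_RE.match(line.strip())
        if not m:
            continue
        src, sport, dst, dport, proto, state, ttl = m.groups()
        entries.append(Entry(proto, src, int(sport), dst, int(dport), state, ttl, None))
    return entries


def parse_conntrack(text: str) -> list:
    """Parse /proc/net/ip_conntrack lines, keeping the original-direction tuple."""
    entries = []
    for line in text.splitlines():
        m = _CONNTRACK_RE.match(line.strip())
        if not m:
            continue
        proto, timeout, state, src, dst, sport, dport = m.groups()
        entries.append(Entry(proto, src, int(sport), dst, int(dport), state, timeout,
                             "[UNREPLIED]" in line))
    return entries


def fan_out(entries, min_destinations: int = 3) -> dict:
    """Return {(src, sport, proto, dport): [dst, ...]} for every source port that
    reaches at least `min_destinations` distinct hosts on the same destination port.
    A normal client takes a fresh ephemeral port for each connection, so one source
    port appearing against many destinations is the pattern worth looking into."""
    seen = defaultdict(set)
    for e in entries:
        seen[(e.src, e.sport, e.proto, e.dport)].add(e.dst)
    return {key: sorted(dsts) for key, dsts in seen.items() if len(dsts) >= min_destinations}


def unreplied(entries) -> list:
    """Entries the tracker labelled ESTABLISHED without ever seeing a reply packet."""
    return [e for e in entries if e.state == "ESTABLISHED" and e.unreplied]


if __name__ == "__main__":
    for (src, sport, proto, dport), dsts in fan_out(parse_iptstate(IPTSTATE_SAMPLE)).items():
        print(f"{src}:{sport} -> {len(dsts)} hosts on {proto}/{dport}: {', '.join(dsts)}")
    for e in unreplied(parse_conntrack(CONNTRACK_SAMPLE)):
        print(f"ESTABLISHED but unreplied: {e.src}:{e.sport} -> {e.dst}:{e.dport}")
```

On a live box the two parsers would be fed `iptstate -s` output or the contents of /proc/net/ip_conntrack; the `[UNREPLIED]` flag is the field that tells whether the far side ever answered, which `iptstate` itself does not display, so the conntrack file is the one to read when an ESTABLISHED entry points at a host that should not exist.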
