On Tue, 19 Nov 2002, Bob Miller wrote:
At the firewall presentation, you showed me a tool that
summarized network traffic. It was curses-based, updated
regularly like top, and had several info screens.
What was that tool? I'd like to run it here.
Bob, I don't know which tool fits your request, but below is Cory's
summary of tool. (most of those are obviously not the answer, but since
Cory did such a great job putting that all together someone else may
bennefit from having this information posted once) .. Horst
Troubleshooting and Admin utilities:
- ping -
Remember the firewall is configured to not respond to ICMP! When sending
out,
if you get sendto: Operation not permitted errors. Very likely your
ruleset
is incorrect.
# iptables -P OUTPUT DROP
# ping 12.12.12.12
PING 12.12.12.12 (12.12.12.12): 56 data bytes
ping: sendto: Operation not permitted
ping: wrote 12.12.12.12 64 chars, ret=-1
--- 12.12.12.12 ping statistics ---
2 packets transmitted, 0 packets received, 100% packet loss
# iptables -P OUTPUT ACCEPT
- tcpdump -
Very useful for when it should work, but just doesn't. It's
immensely helpful to know some of the filter commands so you can see a
subset
of the traffic that you are having trouble with. For instance, you have
trouble portforwarding to an internal server 10.0.0.10:
tcpdump -n -i any ip and host 10.0.0.10
Another scenario, your firewall is a dns caching server for your local
lan, but
your clients can't seem to get resolved names:
tcpdump -n -i any udp and port 53
This is what a successful ping should look through tcpdump like from a
client
(10.0.0.50) to google.com (216.239.53.101). The firewall has an example
public
ip address 15.225.140.6:
16:26:06.107110 10.0.0.50 216.239.53.101: icmp: echo request (DF)
16:26:06.107162 15.225.140.6 216.239.53.101: icmp: echo request (DF)
16:26:06.208137 216.239.53.101 15.225.140.6: icmp: echo reply
16:26:06.208182 216.239.53.101 10.0.0.50: icmp: echo reply
Other flags:
-X prints a hex and ascii dump of each packet
-q prints less protocol information
-v prints more. q and v can be used usefully together
-t does not print a time stamp
- ethereal -
Ethereal is a graphical program that dumps the network like
tcpdump. However
there are some great features, most notably, Follow TCP Stream, which
combines all of the packets for a particular connection extracts all of
their
data and displays it in ascii or hex. The conversation is color coded to
show
who is talking. This is an extremely powerful tool for tracing the
communications on an application level (ie seeing the client connect to a
webserver and say, GET /index.html HTTP/1.0\nUser-Agent: Linux
Rules! and the
webserver saying, HTTP/1.1 200 OK
- nmap -
Network Mapper (nmap) is your friend. You can bet your predators are
using
it. Use it to scan your firewall and hosts. Read the man page, or at
least
the major parts. Look at options -sS, -P0, -p, -O and -v. Try nmap
--help to
see the most commonly used options then read up on those.
- lsconntrack - Who's connected?
With ipchains one could view masqueraded connections with netstat
-M. With
full NAT this does not work. Here's how to view the natted connections:
cat /proc/net/ip_conntrack
Here is a nice script that will parse and nicely display all of that info:
http://www.hensema.net/software/lsconntrack/
This is useful in troubleshooting for looking at states. Perhaps a rule
was
wrong and a client couldn't connect. You fix the rule and you know it
is
correct, however the client can't connect. Look up the connection
tracking and
perhaps there is a line in the client that says [UNREPLIED] or something.
Display it a again and you'll see the time out field counting down. Wait
until
this is cleared and then try the client again. Note that I have edited
this
file to manually remove entries, however I can not recommend this practice
in a
production environment.
- iptraf - Bandwidth and other statistical monitoring
Try iptraf -g to go right to general statistics showing the amount of
bandwidth
on all interfaces. Configure it for kbits/sec or kbytes/sec. Look at
packet
sizes, traffic distribution by ports and a variety of other things.
- How to disable firewall and flush all rules -
Your policies may be set to DROP so flushing may effectively disable your
network interfaces.
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -F -t filter
iptables -F -t nat
- iptables -
Of course the most useful tool is the interface to netfilter itself. Read
the
iptables for good information on syntax and other features. Look at the
LOG
target. It is good for troubleshooting, accounting or security
auditing. Be
sure to use the limit match module or you'll fill up your logs
quickly! The -L
and -v options are the most helpful for trouble shooting. -L to look at
your
rules, -v will show how many packets matched each rule.
