ehternet in debug mode

toferloafer · September 28, 2009, 10:44pm

I have a little dell running redhat server. it's getting ethernet traffic to console and /var/log/messages (up 60Mb) i can't seem to find where to turn it off!
any help would be greatly appreciated.

here's syslog:

here's a snip from the log:

Sep 28 21:34:08 zgarch_serv kernel: IN=eth0 OUT= MAC=00:18:8b:74:89:1e:00:0e:a6:1b:ff:e7:08:00 SRC=192.168.10.18 DST=65.55.25.60 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=25854 DF PROTO=TCP SPT=2934 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0
Sep 28 21:34:10 zgarch_serv kernel: IN=eth0 OUT= MAC=00:18:8b:74:89:1e:00:0e:a6:1b:ff:e7:08:00 SRC=192.168.10.18 DST=65.54.81.101 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=25910 DF PROTO=TCP SPT=2935 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0
Sep 28 21:34:45 zgarch_serv kernel: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:0e:a6:1b:ff:e7:08:00 SRC=192.168.10.18 DST=192.168.10.255 LEN=252 TOS=0x00 PREC=0x00 TTL=128 ID=26060 PROTO=UDP SPT=138 DPT=138 LEN=232
Sep 28 21:37:34 zgarch_serv kernel: IN=eth1 OUT= MAC=00:10:18:27:a3:ef:00:0f:cc:05:96:e0:08:00 SRC=69.162.105.98 DST=76.215.106.233 LEN=40 TOS=0x00 PREC=0x00 TTL=118 ID=256 DF PROTO=TCP SPT=12200 DPT=8085 WINDOW=8192 RES=0x00 SYN URGP=0
Sep 28 21:38:54 zgarch_serv kernel: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:1e:58:ee:6d:81:08:00 SRC=192.168.0.1 DST=255.255.255.255 LEN=96 TOS=0x00 PREC=0x00 TTL=64 ID=31482 PROTO=UDP SPT=137 DPT=137 LEN=76

-toferloafer

pludi · September 29, 2009, 2:17am

Those look like lines generated by iptables when a rule has LOG as the target. As root, check the output of

iptables -L -n

for that target.

toferloafer · September 29, 2009, 8:52am

looks there are several LOG entries... and a bunch of other stuff.
should i start suppressing the lines with "LOG"? or just start over.
this table looks like it suffers from to many users hacking at it.

#
*mangle
:PREROUTING ACCEPT [46908:11484653]
:INPUT ACCEPT [34192:5111549]
:FORWARD ACCEPT [472:46450]
:OUTPUT ACCEPT [69305:5927626]
:POSTROUTING ACCEPT [69838:5988719]
COMMIT
# Completed on Fri Oct 13 16:34:09 2006
# Generated by iptables-save v1.3.5 on Fri Oct 13 16:34:09 2006
*nat
:PREROUTING ACCEPT [85:25137]
:POSTROUTING ACCEPT [79:10430]
:OUTPUT ACCEPT [79:10430]
#Routing Rules
-A PREROUTING -s 192.168.0.0/255.255.0.0 -i eth0 -j LOG
-A PREROUTING -s 192.168.0.0/255.255.0.0 -i eth0 -j ACCEPT
-A PREROUTING -s 172.16.0.0/255.240.0.0 -j LOG
-A PREROUTING -s 172.16.0.0/255.240.0.0 -j DROP
-A PREROUTING -s 10.0.0.0/255.0.0.0 -j ACCEPT
#Web Filter Prerouting
-A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
-A PREROUTING -i eth0 -p tcp --dport 3128 -j REDIRECT --to-port 8080
-A PREROUTING -i lo -p tcp --dport 80 -j REDIRECT --to-port 3128
-A PREROUTING -i lo -p tcp --dport 3128 -j REDIRECT --to-port 8080
#VNC Rules:
-A PREROUTING -i eth1 -p tcp --dport 5900 -j DNAT --to-destination 192.168.10.18
-A PREROUTING -i eth1 -p tcp --dport 5901 -j DNAT --to-destination 192.168.10.11

#Your routing table (Refer to /etc/hosts for list of clients)
-A POSTROUTING -s 192.168.10.10 -o eth1 -j MASQUERADE
-A POSTROUTING -s 192.168.10.11 -o eth1 -j MASQUERADE
-A POSTROUTING -s 192.168.10.12 -o eth1 -j MASQUERADE
-A POSTROUTING -s 192.168.10.13 -o eth1 -j MASQUERADE
-A POSTROUTING -s 192.168.10.14 -o eth1 -j MASQUERADE
-A POSTROUTING -s 192.168.10.15 -o eth1 -j MASQUERADE
-A POSTROUTING -s 192.168.10.16 -o eth1 -j MASQUERADE
-A POSTROUTING -s 192.168.10.17 -o eth1 -j MASQUERADE
-A POSTROUTING -s 192.168.10.18 -o eth1 -j MASQUERADE
-A POSTROUTING -s 192.168.10.19 -o eth1 -j MASQUERADE
-A POSTROUTING -s 192.168.10.20 -o eth1 -j MASQUERADE
-A POSTROUTING -s 192.168.10.21 -o eth1 -j MASQUERADE
-A POSTROUTING -s 192.168.10.22 -o eth1 -j MASQUERADE
-A POSTROUTING -s 192.168.10.23 -o eth1 -j MASQUERADE
-A POSTROUTING -s 192.168.10.24 -o eth1 -j MASQUERADE
-A POSTROUTING -s 192.168.10.25 -o eth1 -j MASQUERADE
-A POSTROUTING -s 192.168.10.26 -o eth1 -j MASQUERADE
-A POSTROUTING -s 192.168.10.27 -o eth1 -j MASQUERADE
-A POSTROUTING -s 192.168.10.28 -o eth1 -j MASQUERADE
-A POSTROUTING -s 192.168.10.29 -o eth1 -j MASQUERADE
-A POSTROUTING -s 192.168.10.30 -o eth1 -j MASQUERADE
-A POSTROUTING -s 192.168.0.200 -o eth1 -j MASQUERADE
-A POSTROUTING -s 192.168.0.201 -o eth1 -j MASQUERADE
-A POSTROUTING -s 192.168.0.202 -o eth1 -j MASQUERADE
-A POSTROUTING -s 192.168.0.203 -o eth1 -j MASQUERADE
-A POSTROUTING -s 192.168.0.204 -o eth1 -j MASQUERADE
-A POSTROUTING -s 192.168.0.205 -o eth1 -j MASQUERADE
-A POSTROUTING -s 192.168.10.254 -o eth1 -j MASQUERADE
COMMIT
# Completed on Fri Oct 13 16:34:09 2006
# Generated by iptables-save v1.3.5 on Fri Oct 13 16:34:09 2006
*filter
:INPUT DROP [56:30000]
:FORWARD ACCEPT [236:16474]
:OUTPUT ACCEPT [30489:1988516]
#Accept Ping request
-A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
#Allow all packets from network
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
#-A INPUT -i ath0 -j ACCEPT (WIRELESS)
#Customized Security
-A INPUT -i eth1 -p tcp -m tcp --dport 8009 -j DROP
-A INPUT -i eth1 -p tcp -m tcp --dport 8008 -j DROP
-A INPUT -i eth1 -p tcp -m tcp --dport 8080 -j DROP
-A INPUT -i eth1 -p udp -m udp --dport 68 -j ACCEPT
-A INPUT -i eth1 -p udp -m udp --dport 67 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i eth1 -p udp -m udp --dport 53 -j ACCEPT
#Squid Routing Rules
-A INPUT -i eth0 -p tcp --dport 3128 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 8080 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
#Allow IDENT port
-A INPUT -i eth1 -p tcp -m tcp --dport 113 -m state --state NEW,ESTABLISHED -j ACCEPT
#Apache WebServer
-A INPUT -i eth1 -p tcp -m tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
#More Customized security
-A INPUT -i eth1 -p udp -m udp --dport 518 -j LOG
-A INPUT -i eth1 -p udp -m udp --dport 518 -j DROP
-A INPUT -i eth1 -p udp -m udp --dport 517 -j LOG
-A INPUT -i eth1 -p udp -m udp --dport 517 -j DROP
-A INPUT -i eth1 -p udp -m udp --dport 514 -j LOG
-A INPUT -i eth1 -p udp -m udp --dport 514 -j DROP
-A INPUT -i eth1 -p udp -m udp --dport 177 -j LOG
-A INPUT -i eth1 -p udp -m udp --dport 177 -j DROP
-A INPUT -i eth1 -p tcp -m state --state INVALID,NEW -j LOG
-A INPUT -i eth1 -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth1 -p udp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 455 -j DROP
-A INPUT -i eth1 -p tcp -m tcp --dport 137 -j DROP
-A INPUT -i eth1 -p tcp -m tcp --dport 138 -j DROP
-A INPUT -i eth1 -p tcp -m tcp --dport 139 -j DROP
-A INPUT -i eth1 -p tcp -m tcp --dport 1080 -j DROP
-A INPUT -i eth1 -p tcp -m tcp --dport 445 -j DROP
#OpenSSH Rules
-A INPUT -i eth1 -p tcp -m state --state NEW -m tcp --dport 22 -m recent --update --seconds 15 --name DEFAULT --rsource -j DROP
-A INPUT -i eth1 -p tcp -m state --state NEW -m tcp --dport 22 -m recent --set --name DEFAULT --rsource -j ACCEPT
#FTP Rules
-A INPUT -i eth1 -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 21 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 20 -j ACCEPT
#SMTP Rule
-A INPUT -i eth1 -p tcp -m tcp --dport 25 -m state --state NEW -j ACCEPT
#POP3 Rules
-A INPUT -i eth1 -p tcp -m tcp --dport 110 -m state --state INVALID -j DROP
-A INPUT -i eth1 -p tcp -m tcp --dport 110 -m state --state NEW,ESTABLISHED -j ACCEPT
#POP3 Secure Rules
-A INPUT -i eth1 -p tcp -m tcp --dport 995 -m state --state INVALID -j DROP
-A INPUT -i eth1 -p tcp -m tcp --dport 995 -m state --state NEW,ESTABLISHED -j DROP
#Some known problem ports
-A INPUT -i eth1 -p udp -m udp --dport 1026 -j DROP
-A INPUT -i eth1 -p tcp -m tcp --dport 3306 -j DROP
-A INPUT -i eth1 -p tcp -m tcp --dport 1433 -j DROP
#IRC Chat Relay Rule
-A INPUT -i eth1 -p tcp -m tcp --dport 6667 -j DROP
#Forwarding Rules
-A FORWARD -i eth1 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
#Accept all output from network
-A OUTPUT -o eth0 -j ACCEPT
#Block specific IPAddresses from attacks (generally, outside US)
-A INPUT -i eth1 -s 58.20.23.126 -j DROP
-A INPUT -i eth1 -s 202.171.132.228 -j DROP
-A INPUT -i eth1 -s 220.0.0.0/8 -j DROP
-A INPUT -i eth1 -s 221.0.0.0/8 -j DROP
-A INPUT -i eth1 -s 222.0.0.0/8 -j DROP
-A INPUT -i eth1 -s 114.44.142.36 -j DROP
-A INPUT -i eth1 -s 221.224.81.194 -j DROP
#-A OUTPUT -o ath1 -j ACCEPT (WIRELESS)

#Log and Drop packets from these ports going outside network
-A OUTPUT -o eth1 -p tcp -m tcp --sport 137 -j LOG
-A OUTPUT -o eth1 -p tcp -m tcp --sport 137 -j DROP
-A OUTPUT -o eth1 -p tcp -m tcp --sport 138 -j LOG
-A OUTPUT -o eth1 -p tcp -m tcp --sport 138 -j DROP
-A OUTPUT -o eth1 -p tcp -m tcp --sport 139 -j LOG
-A OUTPUT -o eth1 -p tcp -m tcp --sport 139 -j DROP
COMMIT
# Completed on Fri Oct 13 16:34:09 2006