osdir.com
mailing list archive

Subject: Re: IPTables logging target: show pid/program name? - msg#00058

List: security.firewalls.wizards

Good afternoon, Chris,

On Fri, 14 Nov 2003, Chris de Vidal wrote:

> I have several rules like this:
> /sbin/iptables --append OUTPUT --jump LOG --log-level DEBUG --log-prefix
> "OUTPUT packet died: "
> at the bottom of my OUTPUT chain to debug which outgoing packets get
> dropped so I can adjust the rules as necessary. It's been working well
> for months.
>
> Trouble is I don't always know which program is producing these packets.
>
> It would be handy to also see the pid and/or program name responsible for
> these packets. Any idea how?

The "owner" match module could be used to check what
application/uid created the packet. This can only be used in the OUTPUT
and POSTROUTING chains, but that's perfect for what you need.
To use it, get a list of all applications - clients or servers -
that might be running at a given time. Then put in these rules instead of
the one you listed above:

for App in sshd gabber httpd netscape-communicator named ; do
/sbin/iptables --append OUTPUT -m owner --cmd-owner "$App" --jump LOG \
--log-level DEBUG --log-prefix "OUTPUT $App packet died: "
done
# Catch-all for anything not listed above: no owner match here.
/sbin/iptables --append OUTPUT --jump LOG \
--log-level DEBUG --log-prefix "OUTPUT packet died: "

To get a quick list of candidate Apps, try:

ls -al /proc/[0-9]*/exe 2>/dev/null | sed -e 's@.*/@@' | sort | uniq | grep -v 'exe'

For reference, here's the syntax for the module:

OWNER match v1.2.8-20030601 options:
[!] --uid-owner userid Match local uid
[!] --gid-owner groupid Match local gid
[!] --pid-owner processid Match local pid
[!] --sid-owner sessionid Match local sid
[!] --cmd-owner name Match local command name

Cheers,
- Bill

---------------------------------------------------------------------------
"Where do you think you're going today?"
(Courtesy of Matthias Andree <ma@xxxxxxxxxxxxxxxxxxxxxxxxxxxx>)
--------------------------------------------------------------------------
William Stearns (wstearns@xxxxxxxxx). Mason, Buildkernel, freedups, p0f,
rsync-backup, ssh-keyinstall, dns-check, more at: http://www.stearns.org
Linux articles at: http://www.opensourcedigest.com
--------------------------------------------------------------------------
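An added example, not code from Bill's reply or Chris's post, that puts the approach above into reusable form: build_rules prints the per-application LOG rules with the catch-all last, and summarize_log tallies the resulting kernel log lines by the application name carried in the log prefix, so packets logged only by the catch-all (an unlisted program) stand out. It assumes a kernel whose owner match still accepts --cmd-owner; that option, along with --pid-owner and --sid-owner, was removed from the kernel's owner match in Linux 2.6.14, leaving --uid-owner and --gid-owner.

```shell
#!/bin/sh
# Added example, not code from the original post. build_rules prints the
# per-app LOG rules the reply describes (plus the catch-all) rather than
# running them, so it can be reviewed unprivileged and piped to sh on the
# firewall; summarize_log reduces the resulting log lines to counts per app.
# Assumes a kernel whose owner match still offers --cmd-owner.

IPT=/sbin/iptables

# One LOG rule per command name, then a catch-all with no owner match so
# packets from programs not on the list are still logged.
build_rules() {
    for app in "$@"; do
        printf '%s --append OUTPUT -m owner --cmd-owner "%s" --jump LOG' "$IPT" "$app"
        printf ' --log-level DEBUG --log-prefix "OUTPUT %s packet died: "\n' "$app"
    done
    printf '%s --append OUTPUT --jump LOG --log-level DEBUG' "$IPT"
    printf ' --log-prefix "OUTPUT packet died: "\n'
}

# Read LOG lines on stdin; print "<count> <app> <proto>/<dport>", most
# frequent first. Lines from the catch-all rule carry no app name and are
# reported as "unknown": those are the ones worth a closer look.
summarize_log() {
    awk '/OUTPUT .*packet died: / {
        app = "unknown"
        if (match($0, /OUTPUT [^ ]+ packet died: /))
            app = substr($0, RSTART + 7, RLENGTH - 21)  # strip "OUTPUT " and " packet died: "
        proto = "?"; dpt = "?"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^PROTO=/) proto = substr($i, 7)
            if ($i ~ /^DPT=/)   dpt = substr($i, 5)
        }
        count[app " " proto "/" dpt]++
    }
    END { for (k in count) print count[k], k }' | sort -rn
}

# Constructed sample of what the LOG target writes via syslog (not real logs).
sample_log() {
    cat <<'EOF'
Nov 14 13:02:11 fw kernel: OUTPUT gabber packet died: IN= OUT=eth0 SRC=192.0.2.10 DST=192.0.2.25 LEN=60 PROTO=TCP SPT=41234 DPT=5222 SYN URGP=0
Nov 14 13:02:14 fw kernel: OUTPUT gabber packet died: IN= OUT=eth0 SRC=192.0.2.10 DST=192.0.2.25 LEN=60 PROTO=TCP SPT=41235 DPT=5222 SYN URGP=0
Nov 14 13:02:20 fw kernel: OUTPUT named packet died: IN= OUT=eth0 SRC=192.0.2.10 DST=192.0.2.53 LEN=68 PROTO=UDP SPT=53 DPT=53 LEN=48
Nov 14 13:03:01 fw kernel: OUTPUT packet died: IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.7 LEN=60 PROTO=TCP SPT=50001 DPT=80 SYN URGP=0
EOF
}

# Usage (on the firewall, as root): build_rules sshd gabber named | sh
#   grep 'packet died' /var/log/messages | summarize_log
```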


Next message in thread:

Re: IPTables logging target: show pid/program name?

William Stearns said:
> The "owner" match module could be used to check what
> application/uid created the packet. This can only be used in the OUTPUT
> and POSTROUTING chains, but that's perfect for what you need.

Looks like exactly what I need. I'm sure someone might need to see a
previously-unknown application. I block outbound as well as inbound on my
servers and I would like to know if I have a trojan... without knowing the
name, the above wouldn't give me more information, other than alerting me
to be suspicious. But that's just icing on the cake; the above rules will
be very helpful. Thank you very much!!

/dev/idal
