ALT Linux sysadmins discussion
* [Sysadmins] strange iptables log behavior
@ 2014-01-22  9:26 Anton Gorlov
From: Anton Gorlov @ 2014-01-22  9:26 UTC (permalink / raw)
  To: ALT Linux sysadmin discuss

There is a rule on the server of this form:
===
-A OUTPUT -o eth1 -m state --state NEW -m recent --update --seconds 60 --hitcount 150 --name DEFAULT --rdest -j LOG --log-prefix "iptables_flud: " --log-uid
-A OUTPUT -o eth1 -m state --state NEW -m recent --update --seconds 60 --hitcount 150 --name DEFAULT --rdest -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -o eth1 -m state --state NEW -m recent --set --name DEFAULT --rdest
===


Everything was fine for probably the last year, but yesterday on one server something strange started happening in the logs, namely:
===
iptables_flud: IN= OUT=eth1 SRC=193.106.xx.131 DST=109.207.13.125 LEN=1420 TOS=0x00 PREC=0x00 TTL=64 ID=50669 DF PROTO=TCP SPT=80 DPT=19411 WINDOW=54 RES=0x00 ACK URGP=0
iptables_flud: IN= OUT=eth1 SRC=193.106.xx.131 DST=109.207.13.125 LEN=1420 TOS=0x00 PREC=0x00 TTL=64 ID=28375 DF PROTO=TCP SPT=80 DPT=22156 WINDOW=54 RES=0x00 ACK URGP=0
iptables_flud: IN= OUT=eth1 SRC=193.106.xx.131 DST=109.207.13.125 LEN=1420 TOS=0x00 PREC=0x00 TTL=64 ID=33580 DF PROTO=TCP SPT=80 DPT=22717 WINDOW=54 RES=0x00 ACK URGP=0
iptables_flud: IN= OUT=eth1 SRC=193.106.xx.131 DST=109.207.13.125 LEN=1420 TOS=0x00 PREC=0x00 TTL=64 ID=32287 DF PROTO=TCP SPT=80 DPT=21456 WINDOW=54 RES=0x00 ACK URGP=0
===

That is, there is no uid/gid of whoever generated the packets.

How can this be?

Before this, the logs showed:
iptables_flud: IN= OUT=eth0 SRC=193.106.xx.131 DST=85.202.242.13 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=22828 DF PROTO=TCP SPT=59956 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0 UID=1563 GID=10002




