Monitoring traffic by port under 2.4/iptables

Post by Matthew Bernstei » Sat, 11 Jan 2003 20:34:40



Hi,

We currently have a firewall which allows outgoing connections to be
established on any port (only incoming traffic is filtered).

It would be nice to obtain data showing the breakdown of TCP traffic by port
from a given time period, to help identify unusual activity possibly
indicating spyware, trojans, etc.

Does anybody know of such a program (or a mechanism for hooking into
iptables which doesn't require me to understand the entire kernel networking
layer!)?

Thanks,
Matthew.
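The thread never spells out a mechanism, so here is an added example (editorial, not code from any poster and not ntop's): it assumes a LOG rule on the FORWARD chain such as `iptables -A FORWARD -p tcp --syn -j LOG --log-prefix "CONN: "`, parses the resulting kernel syslog lines, and produces the per-port breakdown for a chosen time window. The log lines, the prefix "CONN", the year and the allowlist of expected ports are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample syslog lines in the format written by the iptables LOG
# target. The assumed rule producing them (not shown in the thread) is:
#   iptables -A FORWARD -p tcp --syn -j LOG --log-prefix "CONN: "
# Logging only SYN packets yields one line per outgoing connection attempt
# rather than one per packet, so LEN is the SYN's size, not the flow's total.
SAMPLE_LOG = """\
Jan 11 20:30:01 fw kernel: CONN: IN=eth1 OUT=eth0 SRC=192.168.1.2 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1 DF PROTO=TCP SPT=1025 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 11 20:31:15 fw kernel: CONN: IN=eth1 OUT=eth0 SRC=192.168.1.3 DST=203.0.113.9 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=2 DF PROTO=TCP SPT=1026 DPT=443 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 11 20:32:40 fw kernel: CONN: IN=eth1 OUT=eth0 SRC=192.168.1.2 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=3 DF PROTO=TCP SPT=1027 DPT=6667 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 11 20:33:02 fw kernel: CONN: IN=eth1 OUT=eth0 SRC=192.168.1.2 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4 DF PROTO=TCP SPT=1028 DPT=6667 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 11 21:05:00 fw kernel: CONN: IN=eth1 OUT=eth0 SRC=192.168.1.3 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=5 DF PROTO=TCP SPT=1029 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 11 20:34:10 fw kernel: OTHER: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.1 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=6 PROTO=TCP SPT=80 DPT=1025 WINDOW=0 RES=0x00 ACK URGP=0
"""

# syslog timestamp, host, "kernel:", optional printk timestamp, LOG prefix, KEY=VALUE fields
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: (?:\[[^\]]*\] )?"
    r"(?P<prefix>[^:]*): (?P<kv>.*)$"
)


def parse_timestamp(text, year):
    """Parse a syslog timestamp such as "Jan 11 20:34:40"; syslog omits the year."""
    return datetime.strptime(text, "%b %d %H:%M:%S").replace(year=year)


def parse_line(line, year):
    """Return the timestamp, prefix and KEY=VALUE fields of one LOG line, or None."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = {"ts": parse_timestamp(m.group("ts"), year), "prefix": m.group("prefix")}
    for token in m.group("kv").split():
        if "=" in token:
            key, value = token.split("=", 1)
            rec[key] = value
    return rec


def breakdown(log_text, start, end, prefix="CONN", year=2003):
    """Aggregate TCP connection attempts by destination port within [start, end).

    start/end are syslog-style timestamps; the result is sorted by connection
    count so the busiest ports come first.
    """
    lo, hi = parse_timestamp(start, year), parse_timestamp(end, year)
    per_port = defaultdict(lambda: {"connections": 0, "bytes": 0, "sources": set()})
    for line in log_text.splitlines():
        rec = parse_line(line, year)
        if rec is None or rec["prefix"] != prefix or rec.get("PROTO") != "TCP":
            continue
        if not lo <= rec["ts"] < hi:
            continue
        entry = per_port[int(rec["DPT"])]
        entry["connections"] += 1
        entry["bytes"] += int(rec.get("LEN", 0))
        entry["sources"].add(rec["SRC"])
    return dict(sorted(per_port.items(), key=lambda item: -item[1]["connections"]))


# Constructed allowlist of ports this site expects outbound; anything else is
# worth a closer look (the "unusual activity" the question is after).
EXPECTED_PORTS = {21, 22, 25, 80, 110, 443}


def unusual_ports(summary, expected=EXPECTED_PORTS):
    """List (port, connections, sorted source hosts) for ports outside the allowlist."""
    return [(port, e["connections"], sorted(e["sources"]))
            for port, e in summary.items() if port not in expected]


if __name__ == "__main__":
    summary = breakdown(SAMPLE_LOG, "Jan 11 20:00:00", "Jan 11 21:00:00")
    for port, e in summary.items():
        hosts = ",".join(sorted(e["sources"]))
        print(f"tcp/{port:<5} connections={e['connections']:<4} bytes={e['bytes']:<6} hosts={hosts}")
    for port, n, hosts in unusual_ports(summary):
        print(f"UNEXPECTED tcp/{port}: {n} connection(s) from {', '.join(hosts)}")
```

Logging every SYN on a busy link is cheap compared with logging every packet, but it counts connections rather than bytes; for a true byte breakdown, a per-port accounting chain whose counters are read with `iptables -nvx -L` is the usual alternative.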


Monitoring traffic by port under 2.4/iptables

Post by Thomas Klettk » Sun, 12 Jan 2003 01:04:54



> Hi,

> We currently have a firewall which allows outgoing connections to be
> established on any port (only incoming traffic is filtered).

> It would be nice to obtain data showing the breakdown of TCP traffic by port
> from a given time period, to help identify unusual activity possibly
> indicating spyware, trojans, etc.

> Does anybody know of such a program (or a mechanism for hooking into
> iptables which doesn't require me to understand the entire kernel networking
> layer!)?

> Thanks,
> Matthew.

Check out NTOP (http://www.ntop.org)

Thomas


Monitoring traffic by port under 2.4/iptables

Post by Matthew Bernstei » Sun, 12 Jan 2003 01:25:34




> > Hi,

> > We currently have a firewall which allows outgoing connections to be
> > established on any port (only incoming traffic is filtered).

> > It would be nice to obtain data showing the breakdown of TCP traffic by port
> > from a given time period, to help identify unusual activity possibly
> > indicating spyware, trojans, etc.

> > Does anybody know of such a program (or a mechanism for hooking into
> > iptables which doesn't require me to understand the entire kernel networking
> > layer!)?

> > Thanks,
> > Matthew.

> Check out NTOP (http://www.ntop.org)

> Thomas

Just had a quick look at the overview - didn't see anything specific to
breakdown by port, but it looks very useful regardless, so I'll give it a
try and find out.

Many thanks Thomas.


1. About port Forwarding in Kernel 2.4.x using "iptables"

Hi there..

I use RH 7.1(kernel 2.4.2) as a router...
My LAN structure is

ISP ---- ADSL Modem ----- RH 7.1(192.168.1.1) ---- HUB ------ Windows
2k(192.168.1.2)

+----  Windows ME(192.168.1.3)

Now my Windows clients can use the Internet through the Linux box...
I want to use MSN Messenger voice chatting..... but I can't....
MS says MSN voice chatting uses port 6901 TCP for all of voice communication
and uses port 6901 UDP for all of voice traffic....
And the user's computer sends and receives UDP packets on port 6901...

so, I tried like this...
iptables -t nat -A PREROUTING -p tcp -d [my ip here] --dport 6901 -j DNAT --to 192.168.1.2:6901
iptables -t nat -A PREROUTING -p udp -d [my ip here] --dport 6901 -j DNAT --to 192.168.1.2:6901

But it didn't work...
Plz.. Help me....

ps. when I typed 'iptables -L' linux shows like this...

# iptables -L

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:ftp
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:telnet
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:smtp
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere           tcp dpt:pop3
ACCEPT     udp  --  anywhere             anywhere           udp dpt:ftp
ACCEPT     udp  --  anywhere             anywhere           udp dpt:smtp
ACCEPT     udp  --  anywhere             anywhere           udp dpt:http
ACCEPT     udp  --  anywhere             anywhere           udp dpt:pop3
REJECT     tcp  --  anywhere             anywhere           tcp flags:SYN,RST,ACK/SYN reject-with icmp-port-unreachable
DROP       tcp  --  anywhere             anywhere           tcp dpts:tcpmux:1023
DROP       udp  --  anywhere             anywhere           udp dpts:tcpmux:1023

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
