by joke » Thu, 18 Mar 2004 16:18:02
i tried to use iptables to block these.then i view at verbose mode,it
see that these traffic is so large
about 1 minute 1GByte filtered.
i want to know the why and how to solve it.
anyone professional can give me some hints
thank you verh much
by J.O. Ah » Thu, 18 Mar 2004 20:08:48
> i tried to use iptables to block these.then i view at verbose mode,it
> see that these traffic is so large
> about 1 minute 1GByte filtered.
> i want to know the why and how to solve it.
> anyone professional can give me some hints
> thank you verh much
A good tool to have handy for things like this is chkrootkit, you find it at
www.chkrootkit.org, it don't do much more than detect rootkits, but when it's
identified it's easier to get help to know how to remove it and how to patch
the system against it.
If you haven't already, then do unconnect the machine from internet and turn
of log rotations (so the logs won't "disappear" while checking the machine).
//Aho
by joke » Thu, 18 Mar 2004 23:30:39
> > i tried to use iptables to block these.then i view at verbose mode,it
> > see that these traffic is so large
> > about 1 minute 1GByte filtered.
> > i want to know the why and how to solve it.
> > anyone professional can give me some hints
> > thank you verh much
> I would use 'lsof -i' to see what program/application uses the port in
> question and use 'ps -ax' to see if there is some suspecting tasks running,
> compare this to the numbered directorise that you get listed with 'ls -a
> /proc'. Some of those numbered directories will have a dot, '.', infront of
> them, thise may or may not be listed in the ps-output, check those out really
> carefully.
> A good tool to have handy for things like this is chkrootkit, you find it at
> www.chkrootkit.org, it don't do much more than detect rootkits, but when it's
> identified it's easier to get help to know how to remove it and how to patch
> the system against it.
> If you haven't already, then do unconnect the machine from internet and turn
> of log rotations (so the logs won't "disappear" while checking the machine).
> //Aho
by joke » Thu, 18 Mar 2004 23:31:01
> > i tried to use iptables to block these.then i view at verbose mode,it
> > see that these traffic is so large
> > about 1 minute 1GByte filtered.
> > i want to know the why and how to solve it.
> > anyone professional can give me some hints
> > thank you verh much
> I would use 'lsof -i' to see what program/application uses the port in
> question and use 'ps -ax' to see if there is some suspecting tasks running,
> compare this to the numbered directorise that you get listed with 'ls -a
> /proc'. Some of those numbered directories will have a dot, '.', infront of
> them, thise may or may not be listed in the ps-output, check those out really
> carefully.
> A good tool to have handy for things like this is chkrootkit, you find it at
> www.chkrootkit.org, it don't do much more than detect rootkits, but when it's
> identified it's easier to get help to know how to remove it and how to patch
> the system against it.
> If you haven't already, then do unconnect the machine from internet and turn
> of log rotations (so the logs won't "disappear" while checking the machine).
> //Aho
1. port forwarding disables outgoing traffic on same port
Whenever I forward a particular TCP port to a computer on a LAN, I cannot
send outgoing traffic to anywhere on that port from that computer (perhaps
the whole LAN as well, I haven't tried).
For example, there is a webserver running on port 5190 on a LAN computer.
iptables is configured to DNAT incoming 5190 requests to this LAN PC from
the WAN interface. That works fine. Whenever the forwarding is in effect, I
am not able to connect to AIM (which also runs on port 5190). I have
reproduced this problem with different ports, and gets the same effect on
the port being used.
Thank you for any assistance. Below is my iptables configuration.
This is my iptables script:
eth0 is the LAN
eth1 is the cable modem
echo 0 > /proc/sys/net/ipv4/ip_forward
#Flush and create tables
iptables -F
iptables -X TCP
iptables -X ICMP
iptables -t nat -F
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
#default policies
iptables -P INPUT DROP
#special tables for incomoming on each proto
iptables -N UDP
iptables -N TCP
#allow loopback iface to work
iptables -A INPUT -i lo -j ACCEPT
#allow internal net to communicate with us
iptables -A INPUT -i eth0 -j ACCEPT
#allow NATed connections to work
iptables -A INPUT -p tcp -i eth1 -m state --state RELATED,ESTABLISHED -j
ACCEPT
#ICMP doodad
iptables -A INPUT -i eth1 -p icmp -m state --state RELATED,ESTABLISHED -j
ACCEPT
#move incoming traffic to the proper table
iptables -A INPUT -p tcp -i eth1 -j TCP
iptables -A INPUT -p udp -m state --state RELATED,ESTABLISHED -j ACCEPT
#TCP ports to accept
iptables -A TCP -p tcp --dport 20:22 -j ACCEPT
iptables -A TCP -p tcp --dport 113 -j ACCEPT
iptables -A TCP -p tcp --dport 80 -j ACCEPT
iptables -A TCP -p tcp -s 24.174.94.252 --dport 10000 -j ACCEPT
#Port Forwarding
iptables -t nat -A PREROUTING -p tcp --dport 5190 -j DNAT --to 192.168.0.100
iptables -t nat -A PREROUTING -p tcp --dport 8080 -j DNAT --to 192.168.0.101
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
echo 1 > /proc/sys/net/ipv4/ip_forward
3. Huge UDP traffic from port 1058 to port 3000, what is it?
5. Changing source IP of outgoing UDP packets under RedHat 6.0 .
6. Diamond Stealth and X-Windows HELP!!
7. diald/popclient problem, probably VFAQ
8. PPP: Does outgoing traffic slow incoming traffic?
9. Transparent port reassigning of UDP on incoming/outgoing packets?
10. Can portfw masq outgoing traffic to a different port?
11. Ignore all incoming udp/ip and udp/ip on all ports, except open ports?