Results 1 to 4 of 4

Thread: iptalbes logging DPT and SPT?

  1. #1
    Join Date
    Mar 2007
    Beans
    807

    iptalbes logging DPT and SPT?

    Basically, on my firewall I log some connections via iptables connections on port 80. Port 80 is NATed to a webserver inside my network. It is not PATed in that the web server answers on port 80 like a good webserver should.

    Code:
    iptables -A INPUT -i $_ethOUT -p tcp -m multiport --sport 80 -j LOG --log-prefix "[IPTABLES PORT 80 " --log-level info
    And here is an example of an entry
    Code:
    Jan 28 23:01:29 fw kernel: [6342113.924061] [IPTABLES PORT 80 IN=eth1 OUT= MAC=00:e0:66:6a:c5:12:00:21:a0:fa:fa:d9:08:00 SRC=91.189.91.13 DST={MYIP} LEN=1500 TOS=0x00 PREC=0x00 TTL=50 ID=52913 DF PROTO=TCP SPT=80 DPT=55661 WINDOW=204 RES=0x00 ACK URGP=0
    What is confusing me is the SPT=80 and the DPT=55661. I assume that SPT is Source Port and DPT is Destination port. The webserver is answering on port 80. So how can the DPT and SPT not be the same? What is this strange DPT that shouldn't be doing anything. I understand if maybe I PATed the DPT to something else but I haven't.

    I've tried goodling "iptalbes logging" and I don't find a good explanation of the logs that are generated. Just how to setup the logging.
    Last edited by ant2ne; January 29th, 2014 at 10:42 PM.
    Registered Linux User: 450747 Registered Ubuntu User: 16269

  2. #2
    Join Date
    Jul 2013
    Location
    Wisconsin
    Beans
    4,951

    Re: iptalbes logging DPT and SPT?

    Your web server receives requests and replies to them on your server's port 80.

    My browser does not use port 80 to make the requests nor to receive the responses. That would block my webserver, and would limit me to a single http connection at a time. So my browser opens a port for every request/response, and some of those many open ports can easily be in the 55661 range.

    You can test this by opening a browser, then use netstat to see what ports the browser uses.

  3. #3
    Join Date
    Feb 2011
    Location
    Coquitlam, B.C. Canada
    Beans
    3,510
    Distro
    Ubuntu Development Release

    Re: iptalbes logging DPT and SPT?

    I log new external connections to my web server, via:
    Code:
    $IPTABLES -A INPUT -i $EXTIF -m state --state NEW -p tcp -s $UNIVERSE -d $EXTIP --dport 80 -j LOG --log-prefix "NEW80:" --log-level info
    $IPTABLES -A INPUT -i $EXTIF -m state --state NEW -p tcp -s $UNIVERSE -d $EXTIP --dport 80 -j ACCEPT
    However, and as you can see from my second line, I am not forwarding the packet. Your case might require such a rule in the FORWARD chain, similar to what I (temporarily) do for another server (but port 80 in your case):
    Code:
    $IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p tcp --dport 80 -d 192.168.111.112 -m state --state NEW -j LOG --log-prefix "PFNEW80:" --log-level info
    Where this is the corresponding PREROUTING rule (dport would be 80 for your case):
    Code:
    $IPTABLES -t nat -A PREROUTING -p tcp -i $EXTIF --dport 8083 -j DNAT --to 192.168.111.112:80
    Any follow-up information on your issue would be appreciated. Please have the courtesy to report back.

  4. #4
    Join Date
    Mar 2007
    Beans
    807

    Re: iptalbes logging DPT and SPT?

    Thanks guys. That explains it. And I will test out that FORWARDING firewall rule.
    Registered Linux User: 450747 Registered Ubuntu User: 16269

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •