View previous topic :: View next topic |
Author |
Message |
FoolMonty n00b
Joined: 04 Oct 2013 Posts: 12
|
Posted: Mon Oct 07, 2013 6:53 am Post subject: [solved] iptables and RELATED,ESTABLISHED rule |
|
|
hello to anyone that may help
Looking at the output from Quote: | iptables -L -v -n --line-numbers | immediately after booting I notice that the rule
Quote: | iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT |
shows an ever increasing amount of pkts and bytes, the latter reaching megabytes in size, BEFORE any manual connection to anything or anywhere is made.
Is this normal for a workstation with minimal services running?
Last edited by FoolMonty on Mon Oct 07, 2013 3:08 pm; edited 1 time in total |
|
Back to top |
|
|
papahuhn l33t
Joined: 06 Sep 2004 Posts: 626
|
Posted: Mon Oct 07, 2013 7:51 am Post subject: |
|
|
Probably loopback. _________________ Death by snoo-snoo! |
|
Back to top |
|
|
FoolMonty n00b
Joined: 04 Oct 2013 Posts: 12
|
Posted: Mon Oct 07, 2013 10:31 am Post subject: |
|
|
Quote: | pkts bytes target prot opt in out source destination
265K 347M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
3362 170K ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 | huge disparity between the two.
Could it be that the RELATED,ESTABLISHED rule is showing cumulative transfer since the rule was saved to iptables? If so, any way to clear that cache to see what is passing in/out of the workstation after a reboot, short of deleting and adding again the rule?
As far as the loopback rule, is it ok to leave the source and destinations like that or should it be restricted to localhost for both? |
|
Back to top |
|
|
netixen n00b
Joined: 26 Sep 2013 Posts: 31
|
Posted: Mon Oct 07, 2013 12:41 pm Post subject: |
|
|
Hi,
You can zero the counters by doing
The loopback rule is fine. |
|
Back to top |
|
|
FoolMonty n00b
Joined: 04 Oct 2013 Posts: 12
|
Posted: Mon Oct 07, 2013 3:07 pm Post subject: |
|
|
Thank you, netixen, on both
|
|
Back to top |
|
|
Hu Moderator
Joined: 06 Mar 2007 Posts: 21586
|
Posted: Mon Oct 07, 2013 8:34 pm Post subject: |
|
|
I suggest moving the lo rule up to before the state tracking rule. Interface checks should be cheaper, and will then allow you to use the state tracking rule to see what is moving across real NICs. |
|
Back to top |
|
|
FoolMonty n00b
Joined: 04 Oct 2013 Posts: 12
|
Posted: Tue Oct 08, 2013 12:04 pm Post subject: |
|
|
Quote: | I suggest moving the lo rule up |
Done. Thanks, Hu. Will keep an eye on it to see how this evolves.
Hu (or anyone else). Seems you know about security issues from your understanding of iptables. I would be interested in your opinion on this: looking at the net-analyzer packages in gentoo is really overwhelming for a beginner... at the time of this post there are about 267 different packages, of which more than half lack any metadata to help make a decision. Do you have some recommendations on which programs to explore to run some security auditing on the workstation and the LAN it is attached to? This would help not only me but many who might read this post in the future.
Thanking you in advance
FM |
|
Back to top |
|
|
Hu Moderator
Joined: 06 Mar 2007 Posts: 21586
|
Posted: Tue Oct 08, 2013 8:32 pm Post subject: |
|
|
What kind of security auditing do you want? If you need to see what is listening, you can use ss if you have login access or nmap if you do not. Using nmap to scan a system without the approval of its owner is considered rude, and may prompt the owner to cause trouble, especially if you live in a jurisdiction with badly written "anti-hacking" laws. If you want to know details about a program listening on a particular port, nmap can give you some initial guesses, but you need a more specific tool to explore in detail. Generally, the more detail you try to extract from a system, the greater the chance that its operator may decide to interpret your probes as a precursor to malicious activity. |
|
Back to top |
|
|
FoolMonty n00b
Joined: 04 Oct 2013 Posts: 12
|
Posted: Wed Oct 09, 2013 5:31 am Post subject: |
|
|
Hello Hu
Nothing like that, Hu. I have no interest in using any of these tools on a system outside of my home LAN, other than maybe a ping on www.google.com to check the connectivity of my nic. Of course if I was a wannabe hacker I would probably say the same, but in this case it is true.
I use nmap -v and netstat -antp and everything on surface looks OK, but nmap states it is probing some 1600 ports and apparently there are 2^16th ports on a system so I keep asking myself if the remaining ~65000 ports are all closed too...and, why the heck are there so many ports!?
In short, what I am looking for is a program that would simulate an attack on my own system to verify that the system is protected from the casual hacker - not a professional one, as apparently there is little one can do to protect from those short of disconnecting the pc from the net, however, there is nothing on the pc that would interest these latter. Are programs like snort or the old open source version of nessus the type of program I should be exploring? How about the open source branch of nessus? of the 267 programs in the net-analyzer tree of gentoo, what do the people in the know use?
I fella like me with less than a handful of posts in the forum probably would be ignored if I tried to open a post about security tools like the "show us your make.conf" that could be made into a sticky in this section of the forum, but it certainly would be nice if there was such a post with recommendations from expert users to help the uninitiated in this long but very worthwhile path. Too many options can be as difficult as a lack of them without some guidance to point people in the right direction. Just thinking out loud...
Anywho, thank you Hu for all the help you have given me these last two week. I owe you. |
|
Back to top |
|
|
FoolMonty n00b
Joined: 04 Oct 2013 Posts: 12
|
Posted: Tue Oct 15, 2013 5:39 am Post subject: |
|
|
Sadly the experts on security of the gentoo community, the members of which are worthy of considerable respect if not outright admiration for their knowledge, do not wish to share much on this issue. For those starting on their linux path who might read this post in the future I offer this link
Quote: | http://sectools.org/ |
Best to all |
|
Back to top |
|
|
PaulBredbury Watchman
Joined: 14 Jul 2005 Posts: 7310
|
Posted: Tue Oct 15, 2013 8:31 am Post subject: |
|
|
FoolMonty wrote: | do not wish to share much on this issue |
Ahem. To increase the chance of getting helpful replies, ask some intelligent/interesting questions that can't already be answered by a bit of googling |
|
Back to top |
|
|
Hu Moderator
Joined: 06 Mar 2007 Posts: 21586
|
Posted: Tue Oct 15, 2013 8:01 pm Post subject: |
|
|
Netstat will tell you which ports are open and which are not. 2^16 made sense for the test protocol, but it would have been nice to see it raised a bit in later revisions. Security analysis is far too broad a topic to address in a single forum post. |
|
Back to top |
|
|
FoolMonty n00b
Joined: 04 Oct 2013 Posts: 12
|
Posted: Sat Oct 19, 2013 12:00 pm Post subject: |
|
|
PaulBredbury, you are partially correct. Your answer assumes information gathered from Google is correct and/or impartial, and both are a huge leap of faith. Your answer is akin to saying, you don't need an university professor to help you get a PhD, as all the information is in the library already. Those with limited knowledge on a subject need some guidance from those with expertise on that subject to point them in the right direction, to prune the bad from the good and avoid heading in the wrong path. You have to trust someone, always, and in this case I trust the opinions of those who frequent this forum. Don't take this comment as an offense, for it is not. I am just explaining why people at my level sometimes need a little more than "read the man page" or "try google". For example, there are many pages which can probe your network looking for security issues, but someone new to the topic would not know which remote site to trust, where someone with experience in these things would likely known which of the available resources are well respected by the community and trustworthy. etc.
Hu, thanks for the reply. I was not sure if Netstat would in fact probe all the ports that have services listening or if it simply was limited to scanning the ~1600 ports it stated in the report, given there are 2^16th total ports. Goes to show how little I still know about these things, as maybe a port without a service listening is by definition "closed" and does not need to be probed at all.
Well, back to the "man pages" and google...
Best to both |
|
Back to top |
|
|
Hu Moderator
Joined: 06 Mar 2007 Posts: 21586
|
Posted: Sat Oct 19, 2013 2:52 pm Post subject: |
|
|
A port is listening if a service is accepting connections there. A port is in use if there is an open socket associated with it. Netstat can list both types, depending on the exact options. Netstat does not probe the ports, but instead asks the kernel to provide a list of relevant sockets. |
|
Back to top |
|
|
FoolMonty n00b
Joined: 04 Oct 2013 Posts: 12
|
Posted: Tue Oct 22, 2013 7:39 pm Post subject: |
|
|
Thank you, Hu
Learning about sockets now. Now I know a little more about how netstat works, thanks to you.
Best (and thank you, again) |
|
Back to top |
|
|
|