jhon987 Apprentice
Joined: 18 Nov 2013 Posts: 297
|
Posted: Sun Jul 03, 2016 10:09 pm Post subject: iproute2 (ss tool) shows too much traffic from ipv6?? |
|
|
Hi,
I've configured my Gentoo server to support ipv6 as I figured it's the unavoidable future.
However, I'm getting some weird results currently (now that it's up and running) and I'd like to temporarily disable ipv6 entirely. Just to examine things further...
A) Is there a way to switch ipv6 on and off without completely removing it from the kernel and use flags?
B) Here's what I'm getting with iproute2:
Code: | ss -s
Total: 5584 (kernel 5593)
TCP: 13886 (estab 2571, closed 8179, orphaned 52, synrecv 0, timewait 8177/0), ports 128
Transport Total IP IPv6
* 5593 - -
RAW 1 0 1
UDP 1 1 0
TCP 5707 4 5703
INET 5709 5 5704
FRAG 0 0 0 |
As you can see, this makes no sense. Furthermore my traffic stats imply that there isn't that much traffic from ipv6 or at all.
BTW, I tried disabling it through ip6tables but iproute2 still shows same stats O.o ?
Code: | ip6tables -S
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP |
Advice or suggestions would be highly welcome |
|
khayyam Watchman
Joined: 07 Jun 2012 Posts: 6227 Location: Room 101
|
Posted: Sun Jul 03, 2016 11:09 pm Post subject: |
|
|
jhon987 ...
one or other of the following should work ...
/etc/modprobe.d/aliases.conf: | alias net-pf-10 off |
/etc/sysctl.conf: | net.ipv6.conf.default.disable_ipv6=1
# or
net.ipv6.conf.<interface_name>.disable_ipv6=1 |
/etc/conf.d/net: | enable_ipv6_<interface_name>="false" |
HTH & best ... khay |
|
Ant P. Watchman
Joined: 18 Apr 2009 Posts: 6920
|
Posted: Sun Jul 03, 2016 11:30 pm Post subject: |
|
|
What does ss -6ntp say? Is it all outgoing or incoming connections? |
|
jhon987 Apprentice
Joined: 18 Nov 2013 Posts: 297
|
Posted: Mon Jul 04, 2016 5:53 am Post subject: |
|
|
Ant P. wrote: | What does ss -6ntp say? Is it all outgoing or incoming connections? |
It gives a very long list, here's part of it: (1.1.1.1 = my secret domain )
Code: | users:(("apache2",pid=5995,fd=168))
ESTAB 315 0 ::ffff:1.1.1.1:80 ::ffff:71.162.82.54:37545
FIN-WAIT-2 0 0 ::ffff:1.1.1.1:80 ::ffff:99.56.103.118:39921 users:(("apache2",pid=17588,fd=48))
FIN-WAIT-2 0 0 ::ffff:1.1.1.1:80 ::ffff:73.224.162.57:43609 users:(("apache2",pid=11597,fd=131))
FIN-WAIT-2 0 0 ::ffff:1.1.1.1:80 ::ffff:45.51.208.64:44564
FIN-WAIT-2 0 0 ::ffff:1.1.1.1:80 ::ffff:99.245.37.132:46575 users:(("apache2",pid=24001,fd=92))
FIN-WAIT-2 0 0 ::ffff:1.1.1.1:80 ::ffff:45.49.120.237:35576
ESTAB 0 0 ::ffff:1.1.1.1:80 ::ffff:100.33.156.119:44468 users:(("apache2",pid=22816,fd=31))
FIN-WAIT-2 0 0 ::ffff:1.1.1.1:80 ::ffff:172.97.231.89:52838 users:(("apache2",pid=3337,fd=38))
FIN-WAIT-2 0 0 ::ffff:1.1.1.1:80 ::ffff:24.89.110.149:44231
FIN-WAIT-2 0 0 ::ffff:1.1.1.1:80 ::ffff:49.194.3.221:56124 users:(("apache2",pid=4442,fd=142))
ESTAB 0 0 ::ffff:1.1.1.1:80 ::ffff:24.54.87.237:37129 users:(("apache2",pid=11597,fd=163))
ESTAB 0 0 ::ffff:1.1.1.1:80 ::ffff:67.83.114.84:49638 users:(("apache2",pid=13726,fd=33))
ESTAB 0 0 ::ffff:1.1.1.1:80 ::ffff:99.240.125.44:38150 users:(("apache2",pid=3386,fd=54))
ESTAB 0 0 ::ffff:1.1.1.1:80 ::ffff:209.195.124.121:54165 users:(("apache2",pid=5995,fd=88))
ESTAB 0 0 ::ffff:1.1.1.1:80 ::ffff:68.116.199.184:45026 users:(("apache2",pid=27532,fd=71))
ESTAB 0 0 ::ffff:1.1.1.1:80 ::ffff:99.129.45.65:49747 users:(("apache2",pid=17588,fd=133))
ESTAB 0 0 ::ffff:1.1.1.1:80 ::ffff:184.144.117.168:54283 users:(("apache2",pid=25864,fd=71))
ESTAB 0 0 ::ffff:1.1.1.1:80 ::ffff:73.229.9.107:47902 users:(("apache2",pid=2915,fd=18))
ESTAB 0 0 ::ffff:1.1.1.1:80 ::ffff:100.4.193.29:56417 users:(("apache2",pid=2708,fd=32))
ESTAB 0 0 ::ffff:1.1.1.1:80 ::ffff:174.75.117.60:35691 users:(("apache2",pid=4442,fd=120))
FIN-WAIT-2 0 0 ::ffff:1.1.1.1:80 ::ffff:68.187.204.190:48204 users:(("apache2",pid=1450,fd=75))
FIN-WAIT-2 0 0 ::ffff:1.1.1.1:80 ::ffff:86.30.210.122:44600 |
khayyam wrote: | /etc/sysctl.conf:
Code: | net.ipv6.conf.default.disable_ipv6=1
# or
net.ipv6.conf.<interface_name>.disable_ipv6=1 |
|
Well, that's weird again. I used the above and rebooted, since neither sysctl -p /etc/sysctl.conf nor sysctl net.ipv6.conf.default.disable_ipv6=1 / net.ipv6.conf.all.disable_ipv6 = 1 seemed to cause any change.
Then, upon reboot, here's what I get:
Code: | ss -s
Total: 5904 (kernel 5927)
TCP: 14206 (estab 2930, closed 8191, orphaned 25, synrecv 0, timewait 8191/0), ports 128
Transport Total IP IPv6
* 5927 - -
RAW 1 0 1
UDP 1 1 0
TCP 6015 6014 1
INET 6017 6015 2
FRAG 0 0 0 |
All the "pseudo" traffic appears to have gone into ipv4 !?
Can someone explain this? |
|
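Every peer in the `ss -6ntp` listing above has the form `::ffff:a.b.c.d`, an IPv4-mapped IPv6 address: the notation under which an IPv4 client appears on an AF_INET6 socket that also accepts IPv4. The following is an added example, not part of the original thread: a Python sketch that separates native IPv6 peers from IPv4-mapped ones in `ss` output and counts connections per client. The sample lines are constructed (documentation address ranges) and the function names are hypothetical.

```python
import ipaddress
from collections import Counter

# Constructed sample in the layout of `ss -6ntp`; not taken from the thread.
SAMPLE = """\
State Recv-Q Send-Q Local Address:Port Peer Address:Port
ESTAB      0 0 ::ffff:192.0.2.10:80 ::ffff:198.51.100.7:37545 users:(("apache2",pid=100,fd=5))
FIN-WAIT-2 0 0 ::ffff:192.0.2.10:80 ::ffff:203.0.113.9:39921
 users:(("apache2",pid=102,fd=9))
ESTAB      0 0 [2001:db8::10]:80 [2001:db8:1::5]:51000 users:(("apache2",pid=101,fd=6))
ESTAB      0 0 ::ffff:192.0.2.10:80 ::ffff:198.51.100.7:37546
"""

def split_endpoint(endpoint):
    """Split 'addr:port'; the port follows the last colon, brackets optional."""
    host, _, port = endpoint.rpartition(":")
    return ipaddress.ip_address(host.strip("[]")), int(port)

def classify(ss_output):
    """Return (connections per address family, connections per real peer)."""
    families, peers = Counter(), Counter()
    for line in ss_output.splitlines():
        fields = line.split()
        # Skip the header and wrapped users:(...) continuation lines.
        if len(fields) < 5 or not fields[1].isdigit():
            continue
        try:
            peer, _ = split_endpoint(fields[4])
        except ValueError:
            continue
        # IPv6Address.ipv4_mapped is the embedded IPv4 address, or None.
        mapped = getattr(peer, "ipv4_mapped", None)
        if mapped is not None:
            families["ipv4-mapped"] += 1
            peers[str(mapped)] += 1
        else:
            families["ipv6" if peer.version == 6 else "ipv4"] += 1
            peers[str(peer)] += 1
    return families, peers

if __name__ == "__main__":
    fam, top = classify(SAMPLE)
    print(dict(fam))
    for addr, count in top.most_common(5):
        print(f"{count:6d}  {addr}")
```

On a live host the function can be fed the text of `ss -6ntp`; the per-peer counts give a quick view of which clients hold the most connections.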
jhon987 Apprentice
Joined: 18 Nov 2013 Posts: 297
|
Posted: Mon Jul 04, 2016 7:14 am Post subject: |
|
|
Good news! I found the cause of the seemingly high numbers thanks to your help, guys.
It was caused by a bad apache redirection I've created -> shame on me
However, one thing still isn't clear to me - how did all these legit visitors appear to be using ipv6 with the iproute2 tool, but then, once blocked, all transform into ipv4?
BTW, here's what the normal access status looks like with iproute2 now:
Code: | ss -s
Total: 196 (kernel 282)
TCP: 601 (estab 94, closed 355, orphaned 93, synrecv 0, timewait 355/0), ports 128
Transport Total IP IPv6
* 282 - -
RAW 1 0 1
UDP 1 1 0
TCP 246 245 1
INET 248 246 2
FRAG 0 0 0 |
|
|
Ant P. Watchman
Joined: 18 Apr 2009 Posts: 6920
|
Posted: Mon Jul 04, 2016 1:16 pm Post subject: |
|
|
Browsers are designed to retry over IPv4 if an IPv6 connection goes flaky for any reason. That seems consistent with what happened there. |
|