toralf, Developer
Joined: 01 Feb 2004, Posts: 3919, Location: Hamburg
Posted: Sat May 28, 2016 3:51 pm
Post subject: [solved] who hammers at my ipv6 if ?
At my server I observe peaks like the following:

Code:
12:00:01 AM     IFACE   rxpck/s   txpck/s    rxkB/s    txkB/s   rxcmp/s   txcmp/s  rxmcst/s   %ifutil
02:03:01 AM    enp3s0   2652.77   1738.83   2804.44   1861.37      0.00      0.00      0.00      2.30
04:07:01 AM    enp3s0   4937.92   1504.53   6254.33   1423.79      0.00      0.00      0.00      5.12
04:08:01 AM    enp3s0  11637.23   2592.90  15777.55   2581.52      0.00      0.00      0.00     12.92
04:09:01 AM    enp3s0   8845.03   2587.22  11699.57   2714.80      0.00      0.00      0.00      9.58

which correlates to a high rx input at my ipv6 address (statistics from my provider). That traffic is usually blocked by my firewall (straight ip(6)tables script).
Now I was wondering whether it makes sense at all to try to get the originating ip address(es) and, independent from that, how could that be achieved w/ an ip6tables rule set?

Last edited by toralf on Thu Jun 02, 2016 7:02 pm; edited 1 time in total
dataking, Apprentice
Joined: 20 Apr 2005, Posts: 251
Posted: Wed Jun 01, 2016 10:52 pm
toralf wrote:
    Now I was wondering whether it makes sense at all to try to get the originating ip address(es) and independent from that, how could that be achieved w/ an ip6tables rule set ?

IMHO, "most people" will gain little value in collecting IPs (v6 OR v4) that are banging at their (firewall) door. I personally find it mildly interesting to capture those IPs, then pull "interesting" metrics about those IPs: what country they're reporting as, what org they might belong to, etc. Basically anything DNS, GeoIP, WhoIs or anything else might tell me about them. YMMV.
But, as long as they aren't getting past your firewall/perimeter, it probably doesn't matter a whole lot after that.
It just so happens, the FW product I use silently drops IPv6, so I don't even bother tracking who might happen past. Again, YMMV.
As far as how that could be achieved, you'd have to create a LOGging ip6tables (or nftables(???)) rule to log the traffic. Then you could whip up some scripts to do "interesting" things with that data.

_________________
-= the D@7@k|n& =-
toralf, Developer
Joined: 01 Feb 2004, Posts: 3919, Location: Hamburg
Posted: Thu Jun 02, 2016 12:35 pm
Well, yes, I'd need the LOG target, but I do wonder how to get the traffic amount. Maybe this isn't achievable at all for me?
szatox, Advocate
Joined: 27 Aug 2013, Posts: 3095
Posted: Thu Jun 02, 2016 4:16 pm
You can check the firewall's statistics with

Code:
iptables -nvL

It can be any rule. You can create a rule with the same target as your policy, so it will be matched and counted separately, without doing anything fancy.
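Putting the two suggestions together (dataking's LOG rule, szatox's counter-only rule in front of the policy), here is an added example that is not from any of the posters: a counting chain for the interface from the thread plus a small shell/awk aggregator that turns the kernel's LOG lines into per-source packet and byte totals. The chain name UNWANTED, the log prefix and the 2001:db8::/32 addresses are constructed placeholders; the LOG line layout (SRC=, DST=, LEN=, PROTO=) is the real format the ip6tables LOG target emits, with addresses written out uncompressed.

```shell
#!/bin/sh
# Added example (not from the thread): account for dropped IPv6 traffic per
# source address. The interface name enp3s0 comes from the thread; the chain
# name, log prefix and addresses below are constructed placeholders.

# Rules a defender would load (shown in comments, not executed here, since
# they need root and a live ip6tables):
#   ip6tables -N UNWANTED
#   # rate-limited LOG so a burst cannot flood syslog, then the same target
#   # as the INPUT policy; "ip6tables -nvL UNWANTED" shows the packet/byte
#   # counters of the DROP rule, which is the per-rule counting szatox means
#   ip6tables -A UNWANTED -m limit --limit 5/s --limit-burst 20 \
#       -j LOG --log-prefix "IP6 DROP: " --log-level 4
#   ip6tables -A UNWANTED -j DROP
#   ip6tables -A INPUT -i enp3s0 -j UNWANTED

# Constructed sample of what the LOG target writes to the kernel log
# (documentation prefix 2001:db8::/32, not real hosts).
sample_log() {
    cat <<'EOF'
May 28 04:08:01 srv kernel: IP6 DROP: IN=enp3s0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:86:dd SRC=2001:0db8:0000:0000:0000:0000:0000:0bad DST=2001:0db8:0000:0000:0000:0000:0000:0001 LEN=1280 TC=0 HOPLIMIT=52 FLOWLBL=0 PROTO=UDP SPT=40001 DPT=33434 LEN=1240
May 28 04:08:01 srv kernel: IP6 DROP: IN=enp3s0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:86:dd SRC=2001:0db8:0000:0000:0000:0000:0000:cafe DST=2001:0db8:0000:0000:0000:0000:0000:0001 LEN=80 TC=0 HOPLIMIT=60 FLOWLBL=0 PROTO=TCP SPT=51515 DPT=23 WINDOW=65535 RES=0x00 SYN URGP=0
May 28 04:08:02 srv kernel: IP6 DROP: IN=enp3s0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:86:dd SRC=2001:0db8:0000:0000:0000:0000:0000:0bad DST=2001:0db8:0000:0000:0000:0000:0000:0001 LEN=1280 TC=0 HOPLIMIT=52 FLOWLBL=0 PROTO=UDP SPT=40002 DPT=33435 LEN=1240
May 28 04:08:02 srv kernel: IP6 DROP: IN=enp3s0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:86:dd SRC=2001:0db8:0000:0000:0000:0000:0000:feed DST=2001:0db8:0000:0000:0000:0000:0000:0001 LEN=1280 TC=0 HOPLIMIT=48 FLOWLBL=0 PROTO=UDP SPT=443 DPT=40000 LEN=1240
May 28 04:08:03 srv kernel: IP6 DROP: IN=enp3s0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:86:dd SRC=2001:0db8:0000:0000:0000:0000:0000:0bad DST=2001:0db8:0000:0000:0000:0000:0000:0001 LEN=64 TC=0 HOPLIMIT=52 FLOWLBL=0 PROTO=ICMPv6 TYPE=128 CODE=0 ID=1 SEQ=1
EOF
}

# Read LOG lines on stdin, print "bytes packets source" sorted by bytes.
# Only the first LEN= per line is used: it is the IPv6 packet length; the
# second LEN= on UDP lines is the UDP header's own length field.
top_talkers() {
    awk '
    {
        src = ""; len = 0
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/) src = substr($i, 5)
            else if (len == 0 && $i ~ /^LEN=/) len = substr($i, 5) + 0
        }
        if (src != "") { pkts[src]++; bytes[src] += len }
    }
    END { for (s in pkts) printf "%d %d %s\n", bytes[s], pkts[s], s }
    ' | sort -k1,1nr
}

# On a real box: journalctl -k | grep "IP6 DROP:" | top_talkers
sample_log | top_talkers
```

The rate limit on the LOG rule is what makes this safe to leave enabled during a peak like the one in the sar output: the DROP rule's counters still see every packet, while the log only samples them, so `ip6tables -nvL` gives the total volume and the aggregated log gives the ranking of sources.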
toralf, Developer
Joined: 01 Feb 2004, Posts: 3919, Location: Hamburg
Posted: Thu Jun 02, 2016 7:01 pm
indeed - thx.