Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
[solved] iptables and RELATED,ESTABLISHED rule
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Networking & Security
View previous topic :: View next topic  
Author Message
FoolMonty
n00b
n00b


Joined: 04 Oct 2013
Posts: 12

PostPosted: Mon Oct 07, 2013 6:53 am    Post subject: [solved] iptables and RELATED,ESTABLISHED rule Reply with quote

hello to anyone that may help

Looking at the output from
Quote:
iptables -L -v -n --line-numbers
immediately after booting I notice that the rule
Quote:
iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

shows an ever increasing amount of pkts and bytes, the latter reaching megabytes in size, BEFORE any manual connection to anything or anywhere is made.
Is this normal for a workstation with minimal services running?


Last edited by FoolMonty on Mon Oct 07, 2013 3:08 pm; edited 1 time in total
Back to top
View user's profile Send private message
papahuhn
Guru
Guru


Joined: 06 Sep 2004
Posts: 581

PostPosted: Mon Oct 07, 2013 7:51 am    Post subject: Reply with quote

Probably loopback.
_________________
Death by snoo-snoo!
Back to top
View user's profile Send private message
FoolMonty
n00b
n00b


Joined: 04 Oct 2013
Posts: 12

PostPosted: Mon Oct 07, 2013 10:31 am    Post subject: Reply with quote

Quote:
pkts bytes target prot opt in out source destination
265K 347M ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED
3362 170K ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
huge disparity between the two. 8O

Could it be that the RELATED,ESTABLISHED rule is showing cumulative transfer since the rule was saved to iptables? If so, any way to clear that cache to see what is passing in/out of the workstation after a reboot, short of deleting and adding again the rule?

As far as the loopback rule, is it ok to leave the source and destinations like that or should it be restricted to localhost for both?
Back to top
View user's profile Send private message
netixen
n00b
n00b


Joined: 26 Sep 2013
Posts: 15

PostPosted: Mon Oct 07, 2013 12:41 pm    Post subject: Reply with quote

Hi,
You can zero the counters by doing
Code:
iptables -Z


The loopback rule is fine.
Back to top
View user's profile Send private message
FoolMonty
n00b
n00b


Joined: 04 Oct 2013
Posts: 12

PostPosted: Mon Oct 07, 2013 3:07 pm    Post subject: Reply with quote

Thank you, netixen, on both
8)
Back to top
View user's profile Send private message
Hu
Watchman
Watchman


Joined: 06 Mar 2007
Posts: 8592

PostPosted: Mon Oct 07, 2013 8:34 pm    Post subject: Reply with quote

I suggest moving the lo rule up to before the state tracking rule. Interface checks should be cheaper, and will then allow you to use the state tracking rule to see what is moving across real NICs.
Back to top
View user's profile Send private message
FoolMonty
n00b
n00b


Joined: 04 Oct 2013
Posts: 12

PostPosted: Tue Oct 08, 2013 12:04 pm    Post subject: Reply with quote

Quote:
I suggest moving the lo rule up


Done. Thanks, Hu. Will keep an eye on it to see how this evolves.

Hu (or anyone else). Seems you know about security issues from your understanding of iptables. I would be interested in your opinion on this: looking at the net-analyzer packages in gentoo is really overwhelming for a beginner... at the time of this post there are about 267 different packages, of which more than half lack any metadata to help make a decision. Do you have some recommendations on which programs to explore to run some security auditing on the workstation and the LAN it is attached to? This would help not only me but many who might read this post in the future.

Thanking you in advance

FM
Back to top
View user's profile Send private message
Hu
Watchman
Watchman


Joined: 06 Mar 2007
Posts: 8592

PostPosted: Tue Oct 08, 2013 8:32 pm    Post subject: Reply with quote

What kind of security auditing do you want? If you need to see what is listening, you can use ss if you have login access or nmap if you do not. Using nmap to scan a system without the approval of its owner is considered rude, and may prompt the owner to cause trouble, especially if you live in a jurisdiction with badly written "anti-hacking" laws. If you want to know details about a program listening on a particular port, nmap can give you some initial guesses, but you need a more specific tool to explore in detail. Generally, the more detail you try to extract from a system, the greater the chance that its operator may decide to interpret your probes as a precursor to malicious activity.
Back to top
View user's profile Send private message
FoolMonty
n00b
n00b


Joined: 04 Oct 2013
Posts: 12

PostPosted: Wed Oct 09, 2013 5:31 am    Post subject: Reply with quote

Hello Hu

Nothing like that, Hu. I have no interest in using any of these tools on a system outside of my home LAN, other than maybe a ping on www.google.com to check the connectivity of my nic. Of course if I was a wannabe hacker I would probably say the same, but in this case it is true.

I use nmap -v and netstat -antp and everything on surface looks OK, but nmap states it is probing some 1600 ports and apparently there are 2^16th ports on a system so I keep asking myself if the remaining ~65000 ports are all closed too...and, why the heck are there so many ports!? 8O

In short, what I am looking for is a program that would simulate an attack on my own system to verify that the system is protected from the casual hacker - not a professional one, as apparently there is little one can do to protect from those short of disconnecting the pc from the net, however, there is nothing on the pc that would interest these latter. Are programs like snort or the old open source version of nessus the type of program I should be exploring? How about the open source branch of nessus? of the 267 programs in the net-analyzer tree of gentoo, what do the people in the know use?

I fella like me with less than a handful of posts in the forum probably would be ignored if I tried to open a post about security tools like the "show us your make.conf" that could be made into a sticky in this section of the forum, but it certainly would be nice if there was such a post with recommendations from expert users to help the uninitiated in this long but very worthwhile path. Too many options can be as difficult as a lack of them without some guidance to point people in the right direction. Just thinking out loud...

Anywho, thank you Hu for all the help you have given me these last two week. I owe you.
Back to top
View user's profile Send private message
FoolMonty
n00b
n00b


Joined: 04 Oct 2013
Posts: 12

PostPosted: Tue Oct 15, 2013 5:39 am    Post subject: Reply with quote

Sadly the experts on security of the gentoo community, the members of which are worthy of considerable respect if not outright admiration for their knowledge, do not wish to share much on this issue. For those starting on their linux path who might read this post in the future I offer this link

Quote:
http://sectools.org/


Best to all
Back to top
View user's profile Send private message
PaulBredbury
Watchman
Watchman


Joined: 14 Jul 2005
Posts: 7310

PostPosted: Tue Oct 15, 2013 8:31 am    Post subject: Reply with quote

FoolMonty wrote:
do not wish to share much on this issue

Ahem. To increase the chance of getting helpful replies, ask some intelligent/interesting questions that can't already be answered by a bit of googling ;)
Back to top
View user's profile Send private message
Hu
Watchman
Watchman


Joined: 06 Mar 2007
Posts: 8592

PostPosted: Tue Oct 15, 2013 8:01 pm    Post subject: Reply with quote

Netstat will tell you which ports are open and which are not. 2^16 made sense for the test protocol, but it would have been nice to see it raised a bit in later revisions. Security analysis is far too broad a topic to address in a single forum post.
Back to top
View user's profile Send private message
FoolMonty
n00b
n00b


Joined: 04 Oct 2013
Posts: 12

PostPosted: Sat Oct 19, 2013 12:00 pm    Post subject: Reply with quote

PaulBredbury, you are partially correct. Your answer assumes information gathered from Google is correct and/or impartial, and both are a huge leap of faith. Your answer is akin to saying, you don't need an university professor to help you get a PhD, as all the information is in the library already. Those with limited knowledge on a subject need some guidance from those with expertise on that subject to point them in the right direction, to prune the bad from the good and avoid heading in the wrong path. You have to trust someone, always, and in this case I trust the opinions of those who frequent this forum. Don't take this comment as an offense, for it is not. I am just explaining why people at my level sometimes need a little more than "read the man page" or "try google". For example, there are many pages which can probe your network looking for security issues, but someone new to the topic would not know which remote site to trust, where someone with experience in these things would likely known which of the available resources are well respected by the community and trustworthy. etc.

Hu, thanks for the reply. I was not sure if Netstat would in fact probe all the ports that have services listening or if it simply was limited to scanning the ~1600 ports it stated in the report, given there are 2^16th total ports. Goes to show how little I still know about these things, as maybe a port without a service listening is by definition "closed" and does not need to be probed at all.

Well, back to the "man pages" and google... :wink:

Best to both
Back to top
View user's profile Send private message
Hu
Watchman
Watchman


Joined: 06 Mar 2007
Posts: 8592

PostPosted: Sat Oct 19, 2013 2:52 pm    Post subject: Reply with quote

A port is listening if a service is accepting connections there. A port is in use if there is an open socket associated with it. Netstat can list both types, depending on the exact options. Netstat does not probe the ports, but instead asks the kernel to provide a list of relevant sockets.
Back to top
View user's profile Send private message
FoolMonty
n00b
n00b


Joined: 04 Oct 2013
Posts: 12

PostPosted: Tue Oct 22, 2013 7:39 pm    Post subject: Reply with quote

Thank you, Hu

Learning about sockets now. Now I know a little more about how netstat works, thanks to you.

Best (and thank you, again)
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Networking & Security All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum