LinuxQuestions.org: Linux - Security
"INPUT Packet died" Messages Keep Appearing? (https://www.linuxquestions.org/questions/linux-security-4/input-packet-died-messages-keep-appearing-349284/)

Nickj 08-02-2005 12:52 PM

"INPUT Packet died" Messages Keep Appearing?
 
Hi,

I've set up a firewall on my Fedora Box using IPTables. The script performs various functions such as IPMasq and Port forwarding.

I've edited the /etc/inittab file to boot in a CLI.

However, it seems whenever a bad packet is received on eth01 (Internet IP), information is displayed on screen. These messages start with either "INPUT Packet Died" or "Invalid Packet", with more information (i.e. source/destination).

How can I stop these messages appearing, as it's preventing me from doing anything.... someone please help!!!!

Cheers!

Capt_Caveman 08-02-2005 04:42 PM

Check your /etc/syslog.conf file and see where kernel messages are being sent (look for kern.*). You can modify the setting and send them to /var/log/secure or /var/log/messages instead. Just make sure to read through your logs on a regular basis.

--

It's also a good idea to track down the source of the logged packets. Could you post a few (make sure to remove any public IP addresses). Also what firewall script are you using?

Nickj 08-03-2005 08:28 AM

Thanks for the response Caveman...

Quote:

Also what firewall script are you using?

I'm using a script generated from the following website. It seems a pretty standard script. Is there anything in there that'll cause these messages to be displayed?

http://easyfwgen.morizot.net/gen/

The messages that keep appearing are from the following rules...

Code:

$IPT -A bad_packets -p ALL -m state --state INVALID -j LOG \
    --log-prefix "Invalid packet: "

Code:

$IPT -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
    --log-prefix "INPUT packet died: "

A bit confused as to what the '-m' parameter does, but the above rules seem to be the only rules with these system messages?

Capt_Caveman 08-03-2005 02:35 PM

The -m switch just allows you to match certain parameters (like "state" matching or "limit" matching) that are included as netfilter extensions/modules. So by invoking -m you can then tell iptables to match packet states like "INVALID" or "ESTABLISHED". Check out the iptables man pages for more info...

The "INPUT packet died" message is usually due to the "catch-all" rule at the end of the firewall that alerts you that the packet didn't match any rules in the firewall and was about to get dropped. Whether that is a good thing or a bad thing depends on what that particular packet was. I can't tell what the packet was without seeing an example of one that was logged.

The "Invalid packet" message is telling you that a packet was received that had a connection tracking state of "INVALID". Normally connections fall primarily into one of 2 states, either "NEW" if it is just being established (e.g. the first incoming SYN packet of a connection attempt) or "ESTABLISHED" for the remainder of the connection until it's closed. There are other states, but they aren't really important here. However the "INVALID" state is kind of an oddball one in that it refers to packets that don't belong to any known connection. So if I sent an "ICMP host unreachable" message to your system and you didn't have any connection with me in your state table, that would be "INVALID". If you did have a connection with me in your state table then it would have been "RELATED" state. A number of things can generate packets that are "INVALID" and not all of them are malicious in nature. In particular things like NATed FTP connections can create them. So again, I'd need to see a sample message from your logs in order to make a guess.

Nickj 08-04-2005 01:59 PM

Caveman, a typical message which keeps appearing in the console is as follows,

Code:

INPUT packet died: IN=eth01 OUT= MAC=00:04:5b:85:f2:a3:00:03:9a:ed:a0:a8:00 SRC=218.92.11.34 DST=82.13.171.172 LEN=322 TOS=0x00 PREC=0x00 TTL=43 ID=0 DF PROTO=UDP SPT=55423 DPT=1027 LEN=302

These messages only seem to occur when I boot up into a CLI, i.e. by setting the line id:3:initdefault: in /etc/inittab

I checked the /etc/syslog.conf file and the kern.* line is commented out; it looks like the following,

Code:

#kern.*      /dev/console

Any ideas?

Cheers!

Capt_Caveman 08-04-2005 09:20 PM

That packet looks like part of a scan/probe so it's a good thing that it's getting dropped. In general that iptables script generates a lot of log messages. So you can either modify the script so that it's not logging dropped packets or you can send the log messages to a file. Personally I believe logging dropped packets is a good idea, so I would recommend the second option. To do so, edit the syslog.conf file and have the kern.* messages go to a file rather than to /dev/console (just replace the /dev/console with the full path to your destination log file). If you restart syslog (service syslog restart) you should see your log messages appearing there. However you'll still get them sent to the console by klogd as well. So you need to adjust the default klogd logging level using:

echo "3 4 1 7" > /proc/sys/kernel/printk

You can add that to /etc/rc.local to make it persistent over reboots. Make sure to review your logs on a regular basis so that you aren't missing important messages. If you want a more elegant solution, syslog-ng would probably be the way to go.

Also could you post an example of a packet getting logged as "INVALID" as identifying the source of those is a good idea.

Nickj 08-05-2005 02:42 AM

Right, so let me just clarify....

The kern.* line is currently commented out, so at the moment kernel messages aren't being logged at all... the reason I'm getting these console messages is by klogd?

Are all logs generated by IPTables kernel messages? If so, how can I filter out IPTABLE log messages? Won't editing the syslog.conf file forward all kernel messages to the kern.* destination?

Cheers!

Capt_Caveman 08-05-2005 08:48 AM

Quote:

The kern.* line is currently commented out, so at the moment kernel messages aren't being logged at all... the reason I'm getting these console messages is by klogd?

Yes. However if you simply increase the klogd console level, then you won't receive any log messages at all, which is a bad thing. That's why having syslog send them to a file is necessary.

Quote:

Are all logs generated by IPTables kernel messages?

Yes.

Quote:

If so, how can I filter out IPTABLE log messages? Won't editing the syslog.conf file forward all kernel messages to the kern.* destination?

That's why it isn't a very elegant solution. There are ways around that, such as changing each of the iptables log rules so that they are logging at a specific level like "debug" so that you can simply pull those out by using "kern.debug" instead of kern.* in the /etc/syslog.conf file. Syslog-ng helps here because it can do string based routing of log messages. You can also use a log parsing tool like swatch.
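Once the LOG messages land in a file rather than on the console, the next step in the thread's advice is to actually read them: the script below is an added example (not code from the thread or from the easyfwgen script) that parses lines in the format Nickj posted, splits them back out by --log-prefix, and checks Capt_Caveman's scan/probe reading by counting distinct destination ports per source. The sample lines, the RFC 5737 addresses in them, and the threshold of three ports are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample lines in the format quoted in the thread (RFC 5737
# documentation addresses, not the poster's real ones).
SAMPLE_LOG = """\
INPUT packet died: IN=eth01 OUT= MAC=00:04:5b:85:f2:a3:00:03:9a:ed:a0:a8:00 SRC=198.51.100.23 DST=192.0.2.10 LEN=322 TOS=0x00 PREC=0x00 TTL=43 ID=0 DF PROTO=UDP SPT=55423 DPT=1027 LEN=302
INPUT packet died: IN=eth01 OUT= MAC=00:04:5b:85:f2:a3:00:03:9a:ed:a0:a8:00 SRC=198.51.100.23 DST=192.0.2.10 LEN=322 TOS=0x00 PREC=0x00 TTL=43 ID=0 DF PROTO=UDP SPT=55424 DPT=1026 LEN=302
INPUT packet died: IN=eth01 OUT= MAC=00:04:5b:85:f2:a3:00:03:9a:ed:a0:a8:00 SRC=198.51.100.23 DST=192.0.2.10 LEN=322 TOS=0x00 PREC=0x00 TTL=43 ID=0 DF PROTO=UDP SPT=55425 DPT=1028 LEN=302
Invalid packet: IN=eth01 OUT= MAC=00:04:5b:85:f2:a3:00:03:9a:ed:a0:a8:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=80 DPT=33445 WINDOW=0 RES=0x00 ACK RST URGP=0
"""

# Everything before ": IN=" is the --log-prefix, possibly preceded by a
# syslog timestamp and "kernel: " when the line comes from /var/log/messages.
LOG_RE = re.compile(r"^(?P<prefix>.*?): (?P<fields>IN=.*)$")


def parse_ipt_log(line):
    """Parse one iptables LOG record into a dict, or None if it is not one.
    Bare flags (DF, ACK, RST, ...) become True. The second LEN= is the
    UDP/TCP length that follows the IP header LEN=, kept as 'L4LEN'."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = {"PREFIX": m.group("prefix").split("kernel: ")[-1]}
    for tok in m.group("fields").split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            if key == "LEN" and "LEN" in rec:
                key = "L4LEN"
            rec[key] = val
        else:
            rec[tok] = True
    return rec


def summarize(lines, scan_threshold=3):
    """Count records per (prefix, SRC) and list sources logged against at
    least scan_threshold distinct DPTs, the probe/scan pattern of the thread."""
    counts = Counter()
    ports = {}
    for line in lines:
        rec = parse_ipt_log(line)
        if rec is None:
            continue
        key = (rec["PREFIX"], rec.get("SRC"))
        counts[key] += 1
        ports.setdefault(key, set()).add(rec.get("DPT"))
    suspects = sorted({src for (_, src), dpts in ports.items()
                       if len(dpts) >= scan_threshold})
    return counts, suspects
```

Feed it the file that kern.* (or kern.=debug, if the rules use --log-level debug) is routed to, and the per-prefix counts separate the catch-all drops from the conntrack INVALID hits that Capt_Caveman asked to see.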
