LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 08-02-2005, 12:52 PM   #1
Nickj
LQ Newbie
 
Registered: Sep 2004
Distribution: Fedora 4
Posts: 27

Rep: Reputation: 15
"INPUT Packet died" Messages Keep Appearing?


Hi,

I've set up a firewall on my Fedora Box using IPTables. The script performs various functions such as IPMasq and Port forwarding.

I've edited the /etc/inittab file to boot in a CLI.

However, it seems whenever a bad packet is received on eth01 (Internet IP) information is displayed on screen. These messages start with either "INPUT Packet Died" or "Invalid Packet", with more information (i.e. source/destination).

How can I stop these messages appearing, as it's preventing me from doing anything.... someone please help!!!!

Cheers!
 
Old 08-02-2005, 04:42 PM   #2
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
Check your /etc/syslog.conf file and see where kernel messages are being sent (look for kern.*). You can modify the setting and send them to /var/log/secure or /var/log/messages instead. Just make sure to read through your logs on a regular basis.

--

It's also a good idea to track down the source of the logged packets. Could you post a few (make sure to remove any public IP addresses). Also what firewall script are you using?

Last edited by Capt_Caveman; 08-02-2005 at 04:44 PM.
 
Old 08-03-2005, 08:28 AM   #3
Nickj
LQ Newbie
 
Registered: Sep 2004
Distribution: Fedora 4
Posts: 27

Original Poster
Rep: Reputation: 15
Thanks for the response Caveman...

Quote:
Also what firewall script are you using?
I'm using a script generated from the following website. It seems a pretty standard script. Is there anything in there that'll cause these messages to be displayed?

http://easyfwgen.morizot.net/gen/

The messages that keep appearing are from the following rules...

Code:
$IPT -A bad_packets -p ALL -m state --state INVALID -j LOG \
     --log-prefix "Invalid packet: "
Code:
$IPT -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
     --log-prefix "INPUT packet died: "
A bit confused as to what the '-m' parameter does, but the above rules seem to be the only rules with these system messages?
 
Old 08-03-2005, 02:35 PM   #4
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
The -m switch just allows you to match certain parameters (like "state" matching or "limit" matching) that are included as netfilter extensions/modules. So by invoking -m you can then tell iptables to match packet states like "INVALID" or "ESTABLISHED". Check out the iptables man pages for more info...

The "INPUT packet died" message is usually due to the "catch-all" rule at the end of the firewall that alerts you that the packet didn't match any rules in the firewall and was about to get dropped. Whether that is a good thing or a bad thing depends on what that particular packet was. I can't tell what the packet was without seeing an example of one that was logged.

The "Invalid packet" message is telling you that a packet was received that had a connection tracking state of "INVALID". Normally connections fall primarily into one of 2 states, either "NEW" if it is just being established (e.g. the first incoming SYN packet of a connection attempt) or "ESTABLISHED" for the remainder of the connection until it's closed. There are other states, but they aren't really important here. However the "INVALID" state is kind of an oddball one in that it refers to packets that don't belong to any known connection. So if I sent an "ICMP host unreachable" message to your system and you didn't have any connection with me in your state table, that would be "INVALID". If you did have a connection with me in your state table then it would have been "RELATED" state. A number of things can generate packets that are "INVALID" and not all of them are malicious in nature. In particular things like NATed FTP connections can create them. So again, I'd need to see a sample message from your logs in order to make a guess.
 
Old 08-04-2005, 01:59 PM   #5
Nickj
LQ Newbie
 
Registered: Sep 2004
Distribution: Fedora 4
Posts: 27

Original Poster
Rep: Reputation: 15
Caveman, a typical message which keeps appearing in the console is as follows,

Code:
INPUT packet died: IN=eth01 OUT= MAC=00:04:5b:85:f2:a3:00:03:9a:ed:a0:a8:00 SRC=218.92.11.34 DST=82.13.171.172 LEN=322 TOS=0x00 PREC=0x00 TTL=43 ID=0 DF PROTO=UDP SPT=55423 DPT=1027 LEN=302
These messages only seem to occur when I boot up into a CLI, i.e. by setting the line id:3:initdefault: in /etc/inittab

I checked the /etc/syslog.conf file and the kern.* line is commented out, it looks like the following,

Code:
#kern.*      /dev/console
Any ideas?

Cheers!
 
Old 08-04-2005, 09:20 PM   #6
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
That packet looks like part of a scan/probe so it's a good thing that it's getting dropped. In general that iptables script generates a lot of log messages. So you can either modify the script so that it's not logging dropped packets or you can send the log messages to a file. Personally I believe logging dropped packets is a good idea, so I would recommend the second option. To do so, edit the syslog.conf file and have the kern.* messages go to a file rather than to /dev/console (just replace the /dev/console with the full path to your destination log file). If you restart syslog (service syslog restart) you should see your log messages appearing there. However you'll still get them sent to the console by klogd as well. So you need to adjust the default klogd logging level using:

echo "3 4 1 7" > /proc/sys/kernel/printk

You can add that to /etc/rc.local to make it persistent over reboots. Make sure to review your logs on a regular basis so that you aren't missing important messages. If you want a more elegant solution, syslog-ng would probably be the way to go.

Also could you post an example of a packet getting logged as "INVALID" as identifying the source of those is a good idea.

Last edited by Capt_Caveman; 08-04-2005 at 09:22 PM.
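Capt_Caveman's advice above is to keep logging dropped packets, send them to a file, and read that file to track down the source; the thread never shows what "reading" a few thousand of those lines looks like. The shell script below is an added example, not code from the thread or from the easyfwgen script, that collapses iptables LOG lines (with a syslog header, or raw from the console as in Nickj's post) into one line per prefix/protocol/source/destination-port and then lists sources that touched several ports, which is what a probe looks like in this log. The sample lines it runs on are constructed for this example with RFC 5737 documentation addresses, and the interface name eth0 in them is an assumption. One edge case is handled deliberately: an ICMP error message logged as "Invalid packet" carries a copy of the packet that triggered it inside square brackets, with its own SRC=/DPT= fields, and the parser stops at the bracket so the inner fields do not overwrite the outer ones.

```shell
#!/bin/sh
# Added example (not code from the thread or from easyfwgen): turn a stream of
# iptables LOG lines into a per-source summary so a probe stands out.
# Input format is the LOG target's own: an optional syslog header, the
# --log-prefix text, then space-separated KEY=VALUE fields.

# Constructed sample, not a real capture: RFC 5737 addresses, interface eth0
# assumed. Line 2 repeats the UDP probe of line 1, lines 3-5 are one host
# walking three TCP ports, line 6 is an ICMP error whose [ ... ] part quotes
# the packet that caused it (and must not be parsed as the outer packet).
sample_log() {
    cat <<'EOF'
Aug  4 13:01:10 fw kernel: INPUT packet died: IN=eth0 OUT= MAC=00:04:5b:85:f2:a3:00:03:9a:ed:a0:a8:08:00 SRC=203.0.113.9 DST=192.0.2.10 LEN=322 TOS=0x00 PREC=0x00 TTL=43 ID=0 DF PROTO=UDP SPT=55423 DPT=1027 LEN=302
Aug  4 13:01:11 fw kernel: INPUT packet died: IN=eth0 OUT= MAC=00:04:5b:85:f2:a3:00:03:9a:ed:a0:a8:08:00 SRC=203.0.113.9 DST=192.0.2.10 LEN=322 TOS=0x00 PREC=0x00 TTL=43 ID=0 DF PROTO=UDP SPT=55424 DPT=1027 LEN=302
Aug  4 13:02:05 fw kernel: INPUT packet died: IN=eth0 OUT= MAC=00:04:5b:85:f2:a3:00:03:9a:ed:a0:a8:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=3201 DF PROTO=TCP SPT=4120 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0
Aug  4 13:02:05 fw kernel: INPUT packet died: IN=eth0 OUT= MAC=00:04:5b:85:f2:a3:00:03:9a:ed:a0:a8:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=3202 DF PROTO=TCP SPT=4121 DPT=139 WINDOW=16384 RES=0x00 SYN URGP=0
Aug  4 13:02:06 fw kernel: INPUT packet died: IN=eth0 OUT= MAC=00:04:5b:85:f2:a3:00:03:9a:ed:a0:a8:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=3203 DF PROTO=TCP SPT=4122 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0
Aug  4 13:03:40 fw kernel: Invalid packet: IN=eth0 OUT= MAC=00:04:5b:85:f2:a3:00:03:9a:ed:a0:a8:08:00 SRC=203.0.113.9 DST=192.0.2.10 LEN=56 TOS=0x00 PREC=0xC0 TTL=43 ID=0 PROTO=ICMP TYPE=3 CODE=1 [SRC=192.0.2.10 DST=203.0.113.9 LEN=28 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=1027 DPT=55423 LEN=8 ]
EOF
}

# Read LOG lines on stdin; print "count<TAB>prefix<TAB>proto<TAB>src<TAB>dpt",
# busiest first. A field the record lacks (ICMP has no DPT) is shown as "-".
summarize_fw_log() {
    awk '
    {
        i = index($0, " IN=")
        if (i == 0) next                       # not a netfilter LOG line
        head = substr($0, 1, i - 1)
        k = index(head, "kernel: ")            # drop the syslog header, if any
        if (k) head = substr(head, k + 8)
        sub(/:? *$/, "", head)                 # "INPUT packet died: " -> "INPUT packet died"
        proto = "-"; src = "-"; dpt = "-"
        for (f = 1; f <= NF; f++) {
            if (substr($f, 1, 1) == "[") break # quoted inner packet of an ICMP error
            if (sub(/^PROTO=/, "", $f)) proto = $f
            else if (sub(/^SRC=/, "", $f)) src = $f
            else if (sub(/^DPT=/, "", $f)) dpt = $f
        }
        count[head "\t" proto "\t" src "\t" dpt]++
    }
    END { for (key in count) print count[key] "\t" key }
    ' | LC_ALL=C sort -t "$(printf '\t')" -k1,1nr -k2
}

# Sources that hit at least $1 (default 3) distinct destination ports: a port
# walk rather than a single stray packet. Reads LOG lines on stdin.
port_scanners() {
    min=${1:-3}
    summarize_fw_log | awk -F '\t' -v min="$min" '
        $5 != "-" && !seen[$4 "\t" $5]++ { ports[$4]++ }
        END { for (s in ports) if (ports[s] >= min) print s "\t" ports[s] }
    ' | LC_ALL=C sort
}

# Stand-alone run on the constructed sample. Against a real log, replace
# sample_log with: grep -e 'packet died:' -e 'Invalid packet:' /var/log/iptables.log
sample_log | summarize_fw_log
sample_log | port_scanners 3
```

The summary keeps the --log-prefix as its first column, so the "INPUT packet died" catch-all and the "Invalid packet" state-tracking rule stay distinguishable; the second function is the kind of one-line rule a tool like swatch would carry, here written out so the threshold is visible.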
 
Old 08-05-2005, 02:42 AM   #7
Nickj
LQ Newbie
 
Registered: Sep 2004
Distribution: Fedora 4
Posts: 27

Original Poster
Rep: Reputation: 15
Right, so let me just clarify....

The kern.* line is currently commented out, so at the moment kernel messages aren't being logged at all... the reason I'm getting these console messages is by klogd?

Are all logs generated by IPTables kernel messages? If so, how can I filter out IPTABLE log messages? Won't editing the syslog.conf file forward all kernel messages to the kern.* destination?

Cheers!
 
Old 08-05-2005, 08:48 AM   #8
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
Quote:
The kern.* line is currently commented out, so at the moment kernel messages aren't being logged at all... the reason I'm getting these console messages is by klogd?
Yes. However if you simply increase the klogd console level, then you won't receive any log messages at all, which is a bad thing. That's why having syslog send them to a file is necessary.

Quote:
Are all logs generated by IPTables kernel messages?
Yes.

Quote:
If so, how can I filter out IPTABLE log messages? Won't editing the syslog.conf file forward all kernel messages to the kern.* destination?
That's why it isn't a very elegant solution. There are ways around that, such as changing each of the iptables log rules so that they are logging at a specific level like "debug" so that you can simply pull those out by using "kern.debug" instead of kern.* in the /etc/syslog.conf file. Syslog-ng helps here because it can do string based routing of log messages. You can also use a log parsing tool like swatch.
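Putting posts #6 and #8 together, the script below is an added example, not the thread's easyfwgen script, of what the finished configuration looks like: an iptables-restore ruleset in which every LOG rule is rate-limited and written at priority debug, the sysklogd syslog.conf lines that route exactly that priority to its own file, and the printk setting from post #6. Assumed, not from the thread: the Internet-facing interface is eth0 and SSH on tcp/22 is the only service it exposes; the thread's masquerading and port-forwarding rules are out of scope. Two details matter. In syslog.conf a bare priority selects that priority and everything more severe, so the `=` in `kern.=debug` is what limits the selector to the debug messages, and `kern.!=debug` excludes only them. And the LOG target writes at priority warning (4) unless told otherwise, which is why the messages reached the console in the first place: the kernel only copies a message to the console when its priority number is below console_loglevel, so debug (7) messages stay off it at any setting below 8, with the printk change as a second line of defence.

```shell
#!/bin/sh
# Added example, not the thread's easyfwgen script: minimal stateful INPUT
# policy in iptables-restore format, every LOG rule rate-limited and tagged
# --log-level debug, plus the sysklogd lines that route priority debug from the
# kernel facility to its own file. Assumed, not from the thread: WAN interface
# eth0, SSH on tcp/22 as the only exposed service.

WAN_IF="${WAN_IF:-eth0}"

# Ruleset for "iptables-restore"; it ignores lines starting with "#".
gen_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:bad_packets - [0:0]
# Loopback first, then the connection-tracking sanity chain.
-A INPUT -i lo -j ACCEPT
-A INPUT -j bad_packets
# Replies to our own connections: accepted without logging.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# New connections we actually serve.
-A INPUT -i $WAN_IF -p tcp --dport 22 -m state --state NEW -j ACCEPT
# Catch-all: log at most 3/min (burst 3) at priority debug, then drop.
-A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level debug --log-prefix "INPUT packet died: "
-A INPUT -j DROP
# Packets that belong to no known connection: log at debug and drop.
-A bad_packets -m state --state INVALID -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level debug --log-prefix "Invalid packet: "
-A bad_packets -m state --state INVALID -j DROP
-A bad_packets -j RETURN
COMMIT
EOF
}

# sysklogd routing. "kern.=debug" is exactly priority 7 (the LOG rules above);
# "kern.*;kern.!=debug" is every other kernel message. The leading "-" means
# the file is not fsync'ed after every line, which a busy firewall log wants.
gen_syslog_conf() {
    cat <<'EOF'
kern.=debug          -/var/log/iptables.log
kern.*;kern.!=debug  /var/log/messages
EOF
}

# Lint a ruleset read from stdin: a LOG rule without "-m limit" lets a flood
# fill the disk, and one without "--log-level debug" lands in /var/log/messages
# and, at the default console loglevel, back on the console.
check_log_rules() {
    grep -- '-j LOG' | while IFS= read -r rule; do
        case "$rule" in
            *"-m limit"*"--log-level debug"*) ;;
            *) echo "unsafe LOG rule: $rule" >&2; exit 1 ;;
        esac
    done
}

case "${1:-show}" in
    show)
        gen_ruleset | check_log_rules || exit 1
        gen_ruleset
        echo
        gen_syslog_conf
        ;;
    apply)  # needs root; iptables-restore swaps the whole filter table atomically
        gen_ruleset | check_log_rules || exit 1
        gen_ruleset | iptables-restore
        gen_syslog_conf >> /etc/syslog.conf
        service syslog restart
        # Only emerg/alert/crit (0-2) still reach the console; put the same
        # line in /etc/rc.local to keep it across reboots.
        echo "3 4 1 7" > /proc/sys/kernel/printk
        ;;
esac
```

Run it with no argument to print and lint the generated files; `apply` loads them. The lint is the piece worth keeping around: a LOG rule added later without `-m limit` or the debug level silently reverts the firewall to the behaviour Nickj started the thread with.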
 
  

