[SOLVED] Strange IPTables logs
Hi,
Since recently, I noticed that strange logs are produced by iptables. This happens on my workstation and laptop; both run Arch Linux with kernel 2.6.30.5 and iptables 1.4.4. The logs look like:

Sep 5 19:36:21 svibor >OFGN_TAC: sdpeae n ilb eoe on laeue<>fcntakac= enlprmtrct1n_onrc oueoto r<>yclntntitrn_onrc_ct1t nbei.<4>firewall: IN=eth0 OUT= MAC=00:0f:1f:d4:6e:93:00:d0:05:56:a8:00:08:00 SRC=213.175.204.14 DST=129.79.159.99 LEN=44 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=TCP SPT=80 DPT=27237 WINDOW=5840 RES=0x00 ACK SYN URGP=0

or

Aug 1 16:10:49 bluemoon 6>firewall: IN=wlan0 OUT= MAC=00:14:a5:75:28:a6:00:1f:90:56:dd:52:08:00 SRC=129.79.1.88 DST=192.168.1.9 LEN=40 TOS=0x00 PREC=0x00 TTL=5 0 ID=64972 PROTO=TCP SPT=993 DPT=33671 WINDOW=1095 RES=0x00 RST URGP=0

(svibor/bluemoon = hostname; notice the strange symbols after the hostname.) The normal one is:

Sep 5 19:48:38 svibor kernel: firewall: IN=eth0 OUT= MAC=00:0f:1f:d4:6e:93:00:d0:05:56:a8:00:08:00 SRC=219.150.172.245 DST=129.79.159.99 LEN=40 TOS=0x00 PREC=0x00 TTL=107 ID=256 PROTO=TCP SPT=6000 DPT=90 WINDOW=16384 RES=0x00 SYN URGP=0

Otherwise, the firewall works. Has anyone seen something like that? I wonder whether it is a bug in iptables, or I did something wrong...

edit: there are matching entries (same date/time) in /var/log/user.log, which look exactly the same.

Thanks.
Here are the iptables.log and user.log (I actually renamed them as .txt). Please notice lines 1 and 14 in iptables.log and lines 10 and 11 in user.log. It seems strange to me that kernel-related logs got mixed up with the userland...

BTW, forgot to mention: I am using syslog-ng 3.0.4-1, and iptables logs with level info (6).

L.
Thanks for the logs. I've encountered the same using "standard" syslog on a "true" SMP box under considerable load. It would be interesting to see if this happens again. Running any SAR (dstat, collectl, atop) might help determine if it's load related or not.
Linux svibor 2.6.30-ARCH #1 SMP PREEMPT Mon Aug 17 18:04:53 CEST 2009 i686 Intel(R) Pentium(R) 4 CPU 3.20GHz GenuineIntel GNU/Linux

But it's a workstation, so the load is not that high... I have also seen this on my laptop, with the same distro.

Actually, you are right, it did happen again, this time with the usb device, so I guess it is an issue of syslog-ng:

messages.log:
Sep 8 09:47:51 svibor i: f
Sep 8 09:47:51 svibor 7s: ::::[d]Md es:0 00 0<>d5000 sb suigdiecce rt hog

user.log:
Sep 8 09:47:51 svibor i: f
Sep 8 09:47:51 svibor 7s: ::::[d]Md es:0 00 0<>d5000 sb suigdiecce rt hog

kernel.log:
Sep 8 09:47:51 svibor kernel: sd 5:0:0:0: Attached scsi generic sg2 type 0
Sep 8 09:47:51 svibor kernel: usb-storage: device scan complete

This behavior (when messages.log is corrupt, but kernel.log isn't) is similar to the one described in http://serverfault.com/questions/561...yslog-messages, but with syslogd/klogd. On the other hand, I have been running syslog on a RHEL 5 system for over 2 years and never saw these things. One of the comments on the above website suggested that installing rsyslog can help. I know it is shipped with Fedora, but do people actually have experience with it?

L.
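The corrupted records in the first post and in the post above share two tell-tale features: the program tag after the hostname is not a plausible program name (">OFGN_TAC", "6>firewall", a lone "i"), and a raw kernel priority prefix such as "<4>" or a mangled "<>" appears inside the stored message, where a working klogd would have stripped it. The following script is an added example and not code from the thread or from syslog-ng; it applies those two heuristics over the sample lines quoted in this thread so that spliced records in messages.log or user.log can be flagged for review instead of being silently mistaken for firewall events. The tag rule and the length threshold are my own heuristics, not a syslog specification.

```python
import re

# BSD-style syslog line as written by syslog-ng/syslogd:
#   "Sep  5 19:48:38 svibor kernel: firewall: IN=eth0 ..."
SYSLOG_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^:]*?)(?:\[(?P<pid>\d+)\])?: ?"
    r"(?P<msg>.*)$"
)

# Heuristic: a sane program tag looks like "kernel", "sshd", "cron", "usb-storage".
VALID_TAG = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_./-]*$")

# Raw kernel priority prefix "<4>" (or a mangled empty "<>"). klogd strips this
# before handing the line to the logger, so seeing it inside a stored message
# means a raw kernel-buffer fragment was spliced into another record.
PRIORITY_MARK = re.compile(r"<\d*>")


def classify(line):
    """Return the list of reasons a stored syslog line looks corrupt ([] = clean)."""
    m = SYSLOG_LINE.match(line.rstrip("\n"))
    if not m:
        return ["does not parse as a syslog line"]
    tag, msg = m.group("tag"), m.group("msg")
    reasons = []
    if not VALID_TAG.match(tag):
        reasons.append("malformed tag %r" % tag)
    elif len(tag) < 2:
        # Heuristic threshold: real daemons do not log under a one-letter name.
        reasons.append("implausibly short tag %r" % tag)
    if PRIORITY_MARK.search(msg):
        reasons.append("raw kernel priority mark inside message")
    return reasons


def scan(lines):
    """Return [(line_number, reasons)] for every suspicious line in an iterable."""
    hits = []
    for number, line in enumerate(lines, 1):
        reasons = classify(line)
        if reasons:
            hits.append((number, reasons))
    return hits


# Sample input: the records quoted in this thread (long firewall fields abridged).
NORMAL_LINE = ("Sep 5 19:48:38 svibor kernel: firewall: IN=eth0 OUT= "
               "SRC=219.150.172.245 DST=129.79.159.99 LEN=40 PROTO=TCP SYN URGP=0")
GARBLED_TAG_LINE = ("Sep 5 19:36:21 svibor >OFGN_TAC: sdpeae n ilb eoe on laeue<>fcntakac= "
                    "enlprmtrct1n_onrc oueoto r<>yclntntitrn_onrc_ct1t nbei.<4>firewall: "
                    "IN=eth0 OUT= SRC=213.175.204.14 DST=129.79.159.99 LEN=44 PROTO=TCP ACK SYN URGP=0")
PRIO_IN_TAG_LINE = ("Aug 1 16:10:49 bluemoon 6>firewall: IN=wlan0 OUT= "
                    "SRC=129.79.1.88 DST=192.168.1.9 LEN=40 PROTO=TCP RST URGP=0")
SHORT_TAG_LINE = "Sep 8 09:47:51 svibor i: f"
SPLICED_LINE = "Sep 8 09:47:51 svibor 7s: ::::[d]Md es:0 00 0<>d5000 sb suigdiecce rt hog"
USB_LINE = "Sep 8 09:47:51 svibor kernel: usb-storage: device scan complete"

SAMPLES = [NORMAL_LINE, GARBLED_TAG_LINE, PRIO_IN_TAG_LINE, SHORT_TAG_LINE, SPLICED_LINE, USB_LINE]

if __name__ == "__main__":
    for number, reasons in scan(SAMPLES):
        print("line %d: %s" % (number, "; ".join(reasons)))
```

Run it against a real file with `scan(open("/var/log/messages.log"))`; every hit is a record whose origin cannot be trusted, which matters when the same log feeds an intrusion-detection rule or a connection count. Note that the clean firewall line and the genuine kernel.log line pass both checks, so the heuristics only fire on the spliced output and not on ordinary iptables LOG entries.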
It seems that this issue was related to a conflict between syslog-ng and klogd. Indeed, since removing the latter, I am not seeing these messages anymore.
I'm closing the thread.
Thanks for posting your feedback.