LinuxQuestions.org
Old 12-01-2015, 05:28 AM   #1
grallagh
LQ Newbie
 
Registered: Dec 2015
Posts: 2

Rep: Reputation: Disabled
Firewall Log Files


Hi all,

I have a log file here from my router. I believe it's like iptables or some form of stateful firewall. Would love some help in breaking down the data below. What does it all mean?


Dec 01 17:36:06
Allowed CONN=lan SRC=192.168.1.107 DST=52.69.98.219 LEN=48 TOS=0x00 PREC=0x00 TTL=63 ID=55600 PROTO=TCP SPT=56223 DPT=8080 WINDOW=2048 RES=0x00 SYN URGP=0 MARK=0x4
Dec 01 17:35:56
Allowed CONN=lan SRC=192.168.1.107 DST=52.69.98.219 LEN=48 TOS=0x00 PREC=0x00 TTL=63 ID=55589 PROTO=TCP SPT=56222 DPT=8080 WINDOW=2048 RES=0x00 SYN URGP=0 MARK=0x4
Dec 01 17:35:46
Allowed CONN=lan SRC=192.168.1.107 DST=52.69.98.219 LEN=48 TOS=0x00 PREC=0x00 TTL=63 ID=55578 PROTO=TCP SPT=56221 DPT=8080 WINDOW=2048 RES=0x00 SYN URGP=0 MARK=0x4
Dec 01 17:35:36
Allowed CONN=lan SRC=192.168.1.107 DST=52.69.98.219 LEN=48 TOS=0x00 PREC=0x00 TTL=63 ID=55566 PROTO=TCP SPT=60797 DPT=8080 WINDOW=2048 RES=0x00 SYN URGP=0 MARK=0x4
Dec 01 17:35:26
Allowed CONN=lan SRC=192.168.1.107 DST=52.69.98.219 LEN=48 TOS=0x00 PREC=0x00 TTL=63 ID=55555 PROTO=TCP SPT=60796 DPT=8080 WINDOW=2048 RES=0x00 SYN URGP=0 MARK=0x4
Dec 01 17:35:16
Allowed CONN=lan SRC=192.168.1.107 DST=52.69.98.219 LEN=48 TOS=0x00 PREC=0x00 TTL=63 ID=55544 PROTO=TCP SPT=60795 DPT=8080 WINDOW=2048 RES=0x00 SYN URGP=0 MARK=0x4
Dec 01 17:35:06
Allowed CONN=lan SRC=192.168.1.107 DST=52.69.98.219 LEN=48 TOS=0x00 PREC=0x00 TTL=63 ID=55533 PROTO=TCP SPT=60794 DPT=8080 WINDOW=2048 RES=0x00 SYN URGP=0 MARK=0x4
Dec 01 17:34:56
Allowed CONN=lan SRC=192.168.1.107 DST=52.69.98.219 LEN=48 TOS=0x00 PREC=0x00 TTL=63 ID=55522 PROTO=TCP SPT=60793 DPT=8080 WINDOW=2048 RES=0x00 SYN URGP=0 MARK=0x4
 
Old 12-01-2015, 01:01 PM   #2
designator
Member
 
Registered: Jun 2003
Location: California, USA
Distribution: OpenSUSE Tumbleweed
Posts: 214

Rep: Reputation: 37
Last line:
Allowed - Pretty obvious. Connection was allowed.
CONN=lan - Name of the network where connection was recorded.
SRC=192.168.1.107 - Source IP address.
DST=52.69.98.219 - Destination IP address.
LEN=48 - Amount of data transferred in this packet.
TOS=0x00 - Type of service.
PREC=0x00
TTL=63 - Time to live. Max amount of time this connection would be attempted before timeout.
ID=55522 - Internal ID for the firewall.
PROTO=TCP - Protocol. (TCP/UDP/ICMP etc.)
SPT=60793 - Source port. (Usually random port used to establish connection.)
DPT=8080 - Destination port (Usually defined by protocol)
WINDOW=2048 - TCP window size.
RES=0x00
SYN - Existing connection.
URGP=0
MARK=0x4 - Marked by a firewall rule.

This looks like an outgoing connection to a web server (aka you opening a web page.)
I missed a few that I don't remember off the top of my head :-)
 
Old 12-01-2015, 05:05 PM   #3
berndbausch
Senior Member
 
Registered: Nov 2013
Location: Tokyo
Distribution: Redhat/Centos, Ubuntu, Raspbian, Fedora, Alpine, Cirros, OpenSuse/SLES
Posts: 3,444

Rep: Reputation: 902
This looks very much like the output of the -j LOG target in iptables. Each line is the description of a packet. You would get similar information from the tcpdump command.
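As an added example (not code from any poster in this thread), here is a small Python parser for the iptables LOG-style records quoted above: it splits each line into its KEY=VALUE fields and bare flag tokens, as designator's field list does, and then groups the packets the way a defender reviewing this log would, so that a run of SYN-only packets from one host to the same destination port, each from a fresh source port and evenly spaced, stands out. The sample records are constructed by joining the thread's timestamp lines onto the packet lines; the field meanings assumed in the comments are the standard ones for the iptables LOG target.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: three records copied from the thread, timestamp and
# packet description joined onto one line each (the router prints them split).
SAMPLE_LOG = """\
Dec 01 17:36:06 Allowed CONN=lan SRC=192.168.1.107 DST=52.69.98.219 LEN=48 TOS=0x00 PREC=0x00 TTL=63 ID=55600 PROTO=TCP SPT=56223 DPT=8080 WINDOW=2048 RES=0x00 SYN URGP=0 MARK=0x4
Dec 01 17:35:56 Allowed CONN=lan SRC=192.168.1.107 DST=52.69.98.219 LEN=48 TOS=0x00 PREC=0x00 TTL=63 ID=55589 PROTO=TCP SPT=56222 DPT=8080 WINDOW=2048 RES=0x00 SYN URGP=0 MARK=0x4
Dec 01 17:35:46 Allowed CONN=lan SRC=192.168.1.107 DST=52.69.98.219 LEN=48 TOS=0x00 PREC=0x00 TTL=63 ID=55578 PROTO=TCP SPT=56221 DPT=8080 WINDOW=2048 RES=0x00 SYN URGP=0 MARK=0x4
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<action>\w+) (?P<rest>.*)$")

def parse_line(line):
    """Split one LOG-style record into timestamp, verdict, KEY=VALUE fields and bare flags."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"),
           "action": m.group("action"), "flags": set()}
    for tok in m.group("rest").split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            rec[key] = val          # SRC/DST, SPT/DPT, TTL (IP hop limit), ID (IP identification)...
        else:
            rec["flags"].add(tok)   # bare tokens: TCP flags (SYN, ACK, FIN, RST, ...) or DF
    return rec

def is_handshake_start(rec):
    """SYN set with ACK clear is the first packet of a TCP handshake: a new
    connection attempt, not traffic on an existing connection."""
    return rec.get("PROTO") == "TCP" and "SYN" in rec["flags"] and "ACK" not in rec["flags"]

def summarize(text):
    """Group handshake starts by (SRC, DST, DPT): how many, how many distinct
    source ports, and the spacing in seconds. Evenly spaced SYNs from fresh
    ports mean repeated new attempts (a retrying client or a scheduled poller);
    the LOG rule alone cannot show whether any of them completed."""
    groups = defaultdict(list)
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and is_handshake_start(rec):
            groups[(rec["SRC"], rec["DST"], rec["DPT"])].append(rec)
    out = {}
    for key, recs in groups.items():
        recs.sort(key=lambda r: r["ts"])
        gaps = [int((b["ts"] - a["ts"]).total_seconds()) for a, b in zip(recs, recs[1:])]
        out[key] = {"attempts": len(recs),
                    "distinct_sports": len({r["SPT"] for r in recs}),
                    "gap_seconds": gaps}
    return out
```

Running `summarize(SAMPLE_LOG)` on the thread's records reports three attempts to 52.69.98.219:8080 from three different source ports, ten seconds apart.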
 
Old 12-01-2015, 05:31 PM   #4
chrism01
LQ Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 6.10, Centos 7.5
Posts: 17,670

Rep: Reputation: 2487
If you want to know the TCP header fields, see https://en.wikipedia.org/wiki/Transm...ment_structure
 
Old 12-02-2015, 01:02 AM   #5
grallagh
LQ Newbie
 
Registered: Dec 2015
Posts: 2

Original Poster
Rep: Reputation: Disabled
Outstanding guys. Thanks for the quick comeback, especially the link https://en.wikipedia.org/wiki/Transm...ment_structure

Good stuff, some reading to do, have a great day.
 