Guarddog Iptables help reading logs please

Chris1989 · 08-15-2010, 04:55 PM

Hey guys, please can you tell me what the following means?

Code:

ABORTED IN=eth0 OUT= MAC=00:1b:24:af:dc:a4:00:30:bd:6d:58:aa:08:00 SRC=91.198.174.234 DST=myip LEN=40 TOS=0x00 PREC=0x00 TTL=55 ID=0 DF PROTO=TCP SPT=80 DPT=1094 SEQ=3428159326 ACK=0 WINDOW=0 RES=0x00$
Aug 15 22:18:59 ppp-laptop kernel: [ 5571.426293] ABORTED IN=eth0 OUT= MAC=00:1b:24:af:dc:a4:00:30:bd:6d:58:aa:08:00 SRC=91.198.174.234 DST=myip LEN=40 TOS=0x00 PREC=0x00 TTL=55 ID=0 DF PROTO=TCP SPT=80 DPT=1093 SEQ=2180674655 ACK=0 WINDOW=0 RES=0x00$
Aug 15 22:18:59 ppp-laptop kernel: [ 5571.427177] ABORTED IN=eth0 OUT= MAC=00:1b:24:af:dc:a4:00:30:bd:6d:58:aa:08:00 SRC=91.198.174.232 DST=myip LEN=40 TOS=0x00 PREC=0x00 TTL=55 ID=0 DF PROTO=TCP SPT=80 DPT=3960 SEQ=784388191 ACK=0 WINDOW=0 RES=0x00 $
Aug 15 22:20:44 ppp-laptop kernel: [ 5676.598012] ABORTED IN=eth0 OUT= MAC=00:1b:24:af:dc:a4:00:30:bd:6d:58:aa:08:00 SRC=72.51.46.230 DST=myip LEN=40 TOS=0x00 PREC=0x00 TTL=46 ID=0 DF PROTO=TCP SPT=80 DPT=2187 SEQ=1019080214 ACK=0 WINDOW=0 RES=0x00 R$
Aug 15 22:21:17 ppp-laptop kernel: [ 5709.587830] ABORTED IN=eth0 OUT= MAC=00:1b:24:af:dc:a4:00:30:bd:6d:58:aa:08:00 SRC=64.4.22.46 DST=myip LEN=40 TOS=0x00 PREC=0x00 TTL=241 ID=23319 DF PROTO=TCP SPT=80 DPT=1709 SEQ=2155892735 ACK=2273092797 WINDOW=$
Aug 15 22:21:17 ppp-laptop kernel: [ 5710.072010] ABORTED IN=eth0 OUT= MAC=00:1b:24:af:dc:a4:00:30:bd:6d:58:aa:08:00 SRC=64.4.22.46 DST=myip LEN=40 TOS=0x00 PREC=0x00 TTL=241 ID=42758 DF PROTO=TCP SPT=80 DPT=1707 SEQ=3338803707 ACK=2273279073 WINDOW=$
Aug 15 22:21:18 ppp-laptop kernel: [ 5710.943115] ABORTED IN=eth0 OUT= MAC=00:1b:24:af:dc:a4:00:30:bd:6d:58:aa:08:00 SRC=64.4.22.46 DST=myip LEN=40 TOS=0x00 PREC=0x00 TTL=241 ID=13364 DF PROTO=TCP SPT=80 DPT=1708 SEQ=3344265012 ACK=2270214697 WINDOW=$

Does this mean that connections from those IP's have been blocked or what?

Thanks.

unSpawn · 08-16-2010, 06:07 PM

As root review your firewall configuration for any lines containing "LOG.*ABORTED" and note that chains name. See in which chain the logging chain is referenced and with what arguments as filter.

Chris1989 · 08-17-2010, 10:32 AM

Quote:

Originally Posted by unSpawn

As root review your firewall configuration for any lines containing "LOG.*ABORTED" and not that chains name. See in which chain the logging chain is referenced and with what arguments as filter.

Sorry thats confused me. I am a bit of a noob sorry. I am using Guarddog to configure iptables through its GUI.

That log i posted is from /var/log/syslog.

What do I have to look out for then? And is that what I posted normal or does it look like someone keeps trying to gain access to my computer?

Thanks.

unSpawn · 08-17-2010, 07:05 PM

I don't use Guarddog (so maybe check the documentation?) but it may use /etc/sysconfig/iptables to save firewall rules. If it does not then you can, as root, execute '/sbin/iptables-save > /tmp/iptables.txt' to have a text file with rules anyway. Now you can 'grep ABORTED /etc/sysconfig/iptables' or 'grep ABORTED /tmp/iptables.txt'. Else just attach your "/tmp/iptables.txt" plain text file to your reply.