LinuxQuestions.org

LinuxQuestions.org (http://www.linuxquestions.org/questions/index.php)
-   Linux - Security (http://www.linuxquestions.org/questions/forumdisplay.php?f=4)
-   -   Strange IPTables logs (http://www.linuxquestions.org/questions/showthread.php?t=753377)

Leonid.I 09-07-2009 01:49 PM

[SOLVED] Strange IPTables logs
 
Hi,

Since recently, I noticed that strange logs are produced by iptables. This happens on my workstation and laptop; both run Arch Linux with kernel 2.6.30.5 and iptables 1.4.4. The logs look like:

Sep 5 19:36:21 svibor >OFGN_TAC: sdpeae n ilb eoe on laeue<>fcntakac= enlprmtrct1n_onrc oueoto r<>yclntntitrn_onrc_ct1t nbei.<4>firewall: IN=eth0 OUT= MAC=00:0f:1f:d4:6e:93:00:d0:05:56:a8:00:08:00 SRC=213.175.204.14 DST=129.79.159.99 LEN=44 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=TCP SPT=80 DPT=27237 WINDOW=5840 RES=0x00 ACK SYN URGP=0

or

Aug 1 16:10:49 bluemoon 6>firewall: IN=wlan0 OUT= MAC=00:14:a5:75:28:a6:00:1f:90:56:dd:52:08:00 SRC=129.79.1.88 DST=192.168.1.9 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=64972 PROTO=TCP SPT=993 DPT=33671 WINDOW=1095 RES=0x00 RST URGP=0

(svibor/bluemoon=hostname, notice strange symbols after hostname) while the normal one is:

Sep 5 19:48:38 svibor kernel: firewall: IN=eth0 OUT= MAC=00:0f:1f:d4:6e:93:00:d0:05:56:a8:00:08:00 SRC=219.150.172.245 DST=129.79.159.99 LEN=40 TOS=0x00 PREC=0x00 TTL=107 ID=256 PROTO=TCP SPT=6000 DPT=90 WINDOW=16384 RES=0x00 SYN URGP=0

Otherwise, the firewall works. Has anyone seen something like that? I wonder whether it is a bug in iptables, or whether I did something wrong...

edit: there are matching entries (same date/time) in /var/log/user.log, which look exactly the same.

Thanks.

unSpawn 09-07-2009 08:16 PM

Quote:

Originally Posted by Leonid.I (Post 3673354)
Has anyone seen something like that? I wonder is it a bug in iptables, or I did something wrong...

I've seen log corruption before when Syslog is under considerable strain to write everything to file. Could you attach lines from logfiles with corruption for review (just in case)?

Leonid.I 09-08-2009 08:21 AM

2 Attachment(s)
Quote:

Originally Posted by unSpawn (Post 3673681)
I've seen log corruption before when Syslog is under considerable strain to write everything to file. Could you attach lines from logfiles with corruption for review (just in case)?

@unSpawn, thanks for a quick reply.

Here are the iptables.log and user.log (I actually renamed them as .txt). Please notice lines 1 and 14 in iptables.log and lines 10 and 11 in user.log. It seems strange to me that kernel-related logs got mixed up with the userland...

BTW, forgot to mention: I am using syslog-ng 3.0.4-1 and iptables logs with level info (6).

L.

unSpawn 09-08-2009 05:56 PM

Thanks for the logs. I've encountered the same using "standard" syslog on a "true" SMP box under considerable load. It would be interesting to see if this happens again. Running any SAR (dstat, collectl, atop) might help determine if it's load related or not.

Leonid.I 09-09-2009 08:41 AM

Quote:

Originally Posted by unSpawn (Post 3674975)
Thanks for the logs. I've encountered the same using "standard" syslog on a "true" SMP box under considerable load. It would be interesting to see if this happens again. Running any SAR (dstat, collectl, atop) might help determine if it's load related or not.

Well, my system is SMP:

Linux svibor 2.6.30-ARCH #1 SMP PREEMPT Mon Aug 17 18:04:53 CEST 2009 i686 Intel(R) Pentium(R) 4 CPU 3.20GHz GenuineIntel GNU/Linux

But it's a workstation, so the load is not that high... I have also seen this on my laptop, with the same distro.

Actually, you are right, it did happen again, this time with the usb device, so I guess it is an issue with syslog-ng:

messages.log:

Sep 8 09:47:51 svibor i: f
Sep 8 09:47:51 svibor 7s: ::::[d]Md es:0 00 0<>d5000 sb suigdiecce rt hog

user.log:

Sep 8 09:47:51 svibor i: f
Sep 8 09:47:51 svibor 7s: ::::[d]Md es:0 00 0<>d5000 sb suigdiecce rt hog

kernel.log:

Sep 8 09:47:51 svibor kernel: sd 5:0:0:0: Attached scsi generic sg2 type 0
Sep 8 09:47:51 svibor kernel: usb-storage: device scan complete

This behavior (when messages.log is corrupt, but kernel.log isn't) is similar to the one described in http://serverfault.com/questions/561...yslog-messages, but with syslogd/klogd. On the other hand, I have been running syslog on a RHEL 5 system for over 2 years and never saw these things.

One of the comments on the above website suggested that installing rsyslog can help. I know it is shipped with Fedora, but do people actually have experience with it?

L.

Leonid.I 09-22-2009 04:55 PM

It seems that this issue was related to a conflict between syslog-ng and klogd. Indeed, since removing the latter, I am not seeing these messages anymore.

I'm closing the thread.
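A small checker for the symptom described in this thread, added here as an example (it was not posted in the thread): it scans syslog-style lines for the two signatures visible in the quoted output, a tag that is not a program name (">OFGN_TAC", "6>firewall") and a stray "<N>" kernel priority prefix inside the message, which is what two readers consuming the same kernel log stream leave behind. The sample lines are constructed by abridging the thread's own log output.

```python
import re

# Constructed sample, abridged from the log lines quoted in this thread:
# two interleaved/corrupted entries, two clean ones, and one short fragment.
SAMPLE_LOG = """\
Sep 5 19:36:21 svibor >OFGN_TAC: sdpeae n ilb eoe on laeue<>fcntakac= enlprmtrct1n_onrc oueoto r<>yclntntitrn_onrc_ct1t nbei.<4>firewall: IN=eth0 OUT= SRC=213.175.204.14 DST=129.79.159.99 PROTO=TCP SPT=80 DPT=27237 ACK SYN
Aug 1 16:10:49 bluemoon 6>firewall: IN=wlan0 OUT= SRC=129.79.1.88 DST=192.168.1.9 PROTO=TCP SPT=993 DPT=33671 RST
Sep 5 19:48:38 svibor kernel: firewall: IN=eth0 OUT= SRC=219.150.172.245 DST=129.79.159.99 PROTO=TCP SPT=6000 DPT=90 SYN
Sep 8 09:47:51 svibor i: f
Sep 8 09:47:51 svibor kernel: sd 5:0:0:0: Attached scsi generic sg2 type 0
"""

# BSD syslog line: "<Mon> <day> <HH:MM:SS> <host> <tag>: <message>"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<tag>\S+?): (?P<msg>.*)$"
)
# A sane tag is a program name, optionally followed by "[pid]".
TAG_RE = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.\-/]*(\[\d+\])?$")
# "<N>" is the priority prefix the kernel puts in front of each printk line.
# The kernel-log reader strips it; it should never reach a log file. A bare
# "<>" is the same prefix with its digit eaten by a competing reader.
KMSG_PRIO_RE = re.compile(r"<\d{1,2}>|<>")

def check_line(line):
    """Return the list of reasons a line looks corrupted (empty = clean)."""
    reasons = []
    m = SYSLOG_RE.match(line)
    if not m:
        return ["does not parse as a syslog line"]
    if not TAG_RE.match(m.group("tag")):
        reasons.append("malformed tag %r" % m.group("tag"))
    if KMSG_PRIO_RE.search(m.group("msg")):
        reasons.append("kernel priority prefix inside message")
    return reasons

def scan_log(text):
    """Return [(line_number, line, reasons)] for every suspicious line."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        reasons = check_line(line)
        if reasons:
            hits.append((n, line, reasons))
    return hits

if __name__ == "__main__":
    for n, line, reasons in scan_log(SAMPLE_LOG):
        print("line %d: %s\n    %s" % (n, "; ".join(reasons), line[:70]))
```

Short remnants such as "svibor i: f" still parse as a well-formed line and are not caught by these two rules; as the thread does, confirm them by comparing timestamps against kernel.log, which only one reader writes.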

unSpawn 09-22-2009 05:50 PM

Thanks for posting your feedback.
