Firewall Wizards mailing list archives
Re: IPTables logging target: show pid/program name?
From: William Stearns <wstearns () pobox com>
Date: Sat, 15 Nov 2003 15:01:26 -0500 (EST)
Good afternoon, Chris,
On Fri, 14 Nov 2003, Chris de Vidal wrote:
> I have several rules like this:
> /sbin/iptables --append OUTPUT --jump LOG --log-level DEBUG --log-prefix "OUTPUT packet died: "
> at the bottom of my OUTPUT chain to debug which outgoing packets get dropped so I can adjust the rules as necessary. It's been working well for months. Trouble is I don't always know which program is producing these packets. It would be handy to also see the pid and/or program name responsible for these packets. Any idea how?
The "owner" match module could be used to check what
application/uid created the packet. This can only be used in the OUTPUT
and POSTROUTING chains, but that's perfect for what you need.
To use it, get a list of all applications - clients or servers -
that might be running at a given time. Then put in these rules instead of
the one you listed above:
# One LOG rule per application, so the prefix tells you which command
# produced the dropped packet.  Note that --log-prefix is limited to
# 29 characters, so a long application name must be shortened to fit.
for App in sshd gabber httpd netscape-communicator named ; do
    /sbin/iptables --append OUTPUT -m owner --cmd-owner "$App" --jump LOG \
        --log-level DEBUG --log-prefix "OUTPUT $App packet died: "
done
# Catch-all, with no owner match, so packets from anything not listed
# above are still logged.
/sbin/iptables --append OUTPUT --jump LOG \
    --log-level DEBUG --log-prefix "OUTPUT packet died: "
To get a quick list of candidate Apps, try:
ls -al /proc/[0-9]*/exe 2>/dev/null | sed -e 's@.*/@@' | sort | uniq | grep -v 'exe'
For reference, here's the syntax for the module:
OWNER match v1.2.8-20030601 options:
[!] --uid-owner userid Match local uid
[!] --gid-owner groupid Match local gid
[!] --pid-owner processid Match local pid
[!] --sid-owner sessionid Match local sid
[!] --cmd-owner name Match local command name
Cheers,
- Bill
---------------------------------------------------------------------------
"Where do you think you're going today?"
(Courtesy of Matthias Andree <ma () dt e-technik uni-dortmund de>)
--------------------------------------------------------------------------
William Stearns (wstearns () pobox com). Mason, Buildkernel, freedups, p0f,
rsync-backup, ssh-keyinstall, dns-check, more at: http://www.stearns.org
Linux articles at: http://www.opensourcedigest.com
--------------------------------------------------------------------------
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
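Added example, not part of Bill's post or of the iptables project: a POSIX shell script that builds the per-command LOG rules above in a dry-run mode (it prints the iptables commands for review instead of running them) and pulls the command name back out of a logged line. It bakes in two limits a practitioner hits with this approach: the LOG target rejects a --log-prefix longer than 29 characters, so "OUTPUT netscape-communicator packet died: " will not load, and --cmd-owner is compared against the kernel's 15-character comm field (the executable's basename, cut to 15), so a longer name can never match and has to be given truncated. The IPTABLES variable, the "OUT <comm> died: " prefix layout and the syslog line are assumptions of this example; listing other users' processes through /proc needs root. Caveat for current systems: --pid-owner, --sid-owner and --cmd-owner were removed from later 2.6 kernels as unreliable, and only --uid-owner and --gid-owner remain, so the modern equivalent is to run each service under its own uid and match on that.

```shell
#!/bin/sh
# Added example (not from the original post): build per-command LOG rules
# for the end of the OUTPUT chain and map a logged line back to a command.
# Dry run by default: IPTABLES is "echo /sbin/iptables" (an assumption), so
# the rules are printed for review; set IPTABLES=/sbin/iptables to install.
IPTABLES=${IPTABLES:-"echo /sbin/iptables"}
MAX_PREFIX=29   # the LOG target rejects a --log-prefix longer than 29 chars
MAX_COMM=15     # --cmd-owner is compared against the 15-char kernel comm field

# The name the kernel actually holds for a process: the executable's
# basename cut to 15 characters.  A longer --cmd-owner can never match.
comm_name() {
    printf "%.${MAX_COMM}s\n" "$1"
}

# Prefix layout assumed here: "OUT <comm> died: " is 11 chars plus the comm,
# so a 15-char comm gives 26, always inside the 29-char limit.
log_prefix() {
    printf 'OUT %s died: \n' "$1"
}

# Returns 0 if a prefix is acceptable to the LOG target, 1 otherwise.
check_prefix() {
    [ "${#1}" -le "$MAX_PREFIX" ]
}

# Candidate names from running processes, basename only, as the kernel
# sees them in comm.  Links you may not read (other users' processes,
# kernel threads) are skipped.
candidate_apps() {
    for exe in /proc/[0-9]*/exe; do
        readlink "$exe" 2>/dev/null || true
    done | sed -e 's@ (deleted)$@@' -e 's@.*/@@' | sort -u
}

# One LOG rule per listed application, then a catch-all without an owner
# match so packets from anything unlisted are still logged.
owner_log_rules() {
    for app in "$@"; do
        comm=$(comm_name "$app")
        prefix=$(log_prefix "$comm")
        check_prefix "$prefix" || { echo "prefix too long: $prefix" >&2; return 1; }
        $IPTABLES --append OUTPUT -m owner --cmd-owner "$comm" \
            --jump LOG --log-level DEBUG --log-prefix "$prefix"
    done
    $IPTABLES --append OUTPUT --jump LOG --log-level DEBUG \
        --log-prefix "OUT other died: "
}

# Pull the command name back out of a kernel LOG line read on stdin.
app_from_log() {
    sed -n 's/.*OUT \([^ ]*\) died: .*/\1/p'
}

# Constructed sample syslog line, in the shape the rules above produce.
SAMPLE_LOG='Nov 15 15:01:26 host kernel: OUT sshd died: IN= OUT=eth0 SRC=192.0.2.10 DST=192.0.2.1 PROTO=TCP SPT=22 DPT=51234'

owner_log_rules sshd gabber httpd netscape-communicator named
printf '%s\n' "$SAMPLE_LOG" | app_from_log
```

Run it as is to see the rule set it would install (netscape-communicator comes out as "netscape-commun" in both the match and the prefix); once the output looks right, run it again with IPTABLES=/sbin/iptables as root. Pipe candidate_apps into it to seed the list from what is currently running.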
Current thread:
- IPTables logging target: show pid/program name? Chris de Vidal (Nov 14)
- Re: IPTables logging target: show pid/program name? William Stearns (Nov 16)
- Re: IPTables logging target: show pid/program name? Chris de Vidal (Nov 16)
- Re: IPTables logging target: show pid/program name? William Stearns (Nov 16)
