Firewall Wizards mailing list archives
Re: IPTables logging target: show pid/program name?
From: William Stearns <wstearns () pobox com>
Date: Sat, 15 Nov 2003 15:01:26 -0500 (EST)
Good afternoon, Chris,

On Fri, 14 Nov 2003, Chris de Vidal wrote:

> I have several rules like this:
>
>     /sbin/iptables --append OUTPUT --jump LOG --log-level DEBUG --log-prefix "OUTPUT packet died: "
>
> at the bottom of my OUTPUT chain to debug which outgoing packets get dropped so I can adjust the rules as necessary. It's been working well for months. Trouble is I don't always know which program is producing these packets. It would be handy to also see the pid and/or program name responsible for these packets. Any idea how?

The "owner" match module could be used to check what application/uid created the packet. This can only be used in the OUTPUT and POSTROUTING chains, but that's perfect for what you need. To use it, get a list of all applications - clients or servers - that might be running at a given time. Then put in these rules instead of the one you listed above:

    for App in sshd gabber httpd netscape-communicator named ; do
        /sbin/iptables --append OUTPUT -m owner --cmd-owner "$App" --jump LOG \
            --log-level DEBUG --log-prefix "OUTPUT $App packet died: "
    done
    # Catch-all for packets from any command not listed above (no owner match here).
    /sbin/iptables --append OUTPUT --jump LOG \
        --log-level DEBUG --log-prefix "OUTPUT packet died: "

To get a quick list of candidate Apps, try:

    ls -al /proc/[0-9]*/exe 2>/dev/null | sed -e 's@.*/@@' | sort | uniq | grep -v 'exe'

For reference, here's the syntax for the module:

    OWNER match v1.2.8-20030601 options:
    [!] --uid-owner userid     Match local uid
    [!] --gid-owner groupid    Match local gid
    [!] --pid-owner processid  Match local pid
    [!] --sid-owner sessionid  Match local sid
    [!] --cmd-owner name       Match local command name

Cheers,
- Bill

---------------------------------------------------------------------------
"Where do you think you're going today?"
(Courtesy of Matthias Andree <ma () dt e-technik uni-dortmund de>)
--------------------------------------------------------------------------
William Stearns (wstearns () pobox com).  Mason, Buildkernel, freedups, p0f,
rsync-backup, ssh-keyinstall, dns-check, more at:   http://www.stearns.org
Linux articles at:                         http://www.opensourcedigest.com
--------------------------------------------------------------------------
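An added example, not part of the original thread: a small Python script that reads the kernel LOG lines the per-application rules above would produce (the sample lines are constructed here, following the "OUTPUT <app> packet died: " prefix convention) and tallies drops per program, protocol and destination, so entries that hit only the catch-all rule stand out as "unmatched".

```python
import re
from collections import Counter

# Constructed sample syslog lines in the shape the LOG target writes when the
# per-application rules from the message above are loaded. Not real traffic.
SAMPLE_LOG = """\
Nov 15 14:58:01 fw kernel: OUTPUT sshd packet died: IN= OUT=eth0 SRC=192.0.2.10 DST=192.0.2.1 LEN=60 PROTO=TCP SPT=22 DPT=4711 SYN
Nov 15 14:58:02 fw kernel: OUTPUT named packet died: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.53 LEN=69 PROTO=UDP SPT=53 DPT=53 LEN=49
Nov 15 14:58:03 fw kernel: OUTPUT named packet died: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.53 LEN=69 PROTO=UDP SPT=53 DPT=53 LEN=49
Nov 15 14:58:04 fw kernel: OUTPUT packet died: IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.7 LEN=84 PROTO=ICMP TYPE=8 CODE=0
Nov 15 14:58:05 fw kernel: some unrelated kernel message
"""

# The app name is optional: the catch-all rule logs with no app in its prefix.
LINE_RE = re.compile(r"kernel: OUTPUT (?:(?P<app>\S+) )?packet died: (?P<fields>.*)$")


def parse_line(line):
    """Return (app, fields) for a line written by the owner-match LOG rules,
    or None for unrelated lines. app is None when only the catch-all matched.
    fields maps KEY -> value; bare flags such as SYN or DF map to True."""
    m = LINE_RE.search(line)
    if not m:
        return None
    fields = {}
    for tok in m.group("fields").split():
        key, sep, val = tok.partition("=")
        fields[key] = val if sep else True
    return m.group("app"), fields


def summarize(log_text):
    """Count dropped OUTPUT packets per (app, protocol, destination, dport).
    Packets that matched no --cmd-owner rule are grouped under '<unmatched>'."""
    counts = Counter()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        app, f = parsed
        counts[(app or "<unmatched>", f.get("PROTO"), f.get("DST"), f.get("DPT"))] += 1
    return counts


if __name__ == "__main__":
    for (app, proto, dst, dpt), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{n:4d}  {app:<12} {proto:<5} -> {dst}:{dpt}")
```

Note that --cmd-owner, --pid-owner and --sid-owner were dropped from the kernel's owner match in 2.6.14, so on current kernels only the uid/gid variants of this approach still work.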
Current thread:
- IPTables logging target: show pid/program name? Chris de Vidal (Nov 14)
- Re: IPTables logging target: show pid/program name? William Stearns (Nov 16)
- Re: IPTables logging target: show pid/program name? Chris de Vidal (Nov 16)
- Re: IPTables logging target: show pid/program name? William Stearns (Nov 16)