Iptables – How to block packets after capturing

iptablespacket-capturetcpdump

I use tcpdump to capture output packets for one server, but I also need to block these packets.

If I use iptables to block them, then I also can not capture anything.

Can I block packets with iptables and still capture the packets before they are dropped?

Best Answer

I'd use a passive (un-addressed) interface to capture, and a second interface (addressed) to block.

To setup an interface for capture, without an address, you do: ifconfig eth0 up

You may need to hack on your switch to make this all fly, but the essence is: mirror all traffic to both interfaces (i.e. switch ports), and then capture on the one, and filter on the other.

Related Solutions

Security – Incoming packets to server

Those are packets that come in as a response to TCP connections initiated by your host - the TCP source port is 80, so they are probably HTTP connections.

The reason being why you don't see them in your tcpdump output is because tcpdump takes the first available interface as the default and would capture packets on eth0, while the packets you see logged by iptables come in at eth1.

TCPDUMP – Capturing Packets on Multiple IP Address (FIlter)

the basic syntax in your case would be

tcpdump -i <interface to capture on> <filters>

The <filters> would expand to something like

'(host 192.168.1.2 or host 192.168.1.3 or host 192.168.1.4) and (port 80 or port 443)'

if your eCommerce application would use ports 80 and 443 for communications. The single quotes are important, otherwise your shell might see the brackets () which are important for grouping parameters as special characters.

adding -v and -n parameters at the beginning (tcpdump -v -n -i ...)would add verbosity to the output and disable name resolution (speeds up output)

Best Answer

Related Solutions

Security – Incoming packets to server

TCPDUMP – Capturing Packets on Multiple IP Address (FIlter)

Related Topic