Linux – How to make netstat on Linux only show OUTBOUND tcp connections

linuxnetstatUbuntuufw

My ubuntu server is infected and there is a process making a bunch of HTTP requests to a bunch of websites (sucks!). I have added the following to my firewall (UFW):

sudo ufw deny out proto tcp to any port 1:65535

To                         Action      From
--                         ------      ----
1:65535/tcp                DENY OUT    Anywhere

Now I would like to use netstat to list only OUTBOUND tcp connections, not inbound. How can I do that?

Best Answer

If you only want outbound tcp connections, I think you can use

netstat -atn | tr -s ' '| cut -f5 -d ' ' | grep -v '127.0.0.1'

That will show all connections whose destination is not your localhost. You can add your internal ip, say

netstat -atn | tr -s ' '| cut -f5 -d ' ' | grep -v '127.0.0.1\|192.168.0.15'

Related Solutions

Linux – Unable to make outbound SNMP connections when IPTables is enabled

You must put

ACCEPT     udp  --  anywhere             anywhere            udp spts:snmp:snmptrap dpts:1024:65535 state ESTABLISHED

before RH-Firewall-1-INPUT because of on RH-Firewall-1-INPUT rules there is REJECT on the end of line, the iptables read from top to down.

 Chain INPUT (policy ACCEPT)
 target     prot opt source               destination
 1 RH-Firewall-1-INPUT  all  --  anywhere             anywhere
 2 ACCEPT     udp  --  anywhere             anywhere            udp spts:snmp:snmptrap dpts:1024:65535 state ESTABLISHED

If you want to add using command line, you can use:

 iptables -I OUTPUT 1 -p udp -s 0/0 --sport 1024:65535 -d 0/0 --dport 161:162 -m state --state NEW,ESTABLISHED -j ACCEPT
 iptables -I INPUT 1 -p udp -s 0/0 --sport 161:162 -d 0/0 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT

It should be like:

 Chain INPUT (policy ACCEPT)
 target     prot opt source               destination
 1 ACCEPT     udp  --  anywhere             anywhere            udp spts:snmp:snmptrap dpts:1024:65535 state ESTABLISHED
 2 RH-Firewall-1-INPUT  all  --  anywhere             anywhere

UFW Logging – Why Are Blocked Requests Logged on Open Port?

Notice that your packet has both the FIN and ACK bits set. This is the last packet that the remote host sends in the TCP tear down (end of connection) procedure.

What happens is, when your host has finished sending it sets the FIN and ACK flags on the last packet. The remote hosts sends a packet with ACK set followed by a packet with FIN and ACK set.

Local          remote
FIN ACK ---->
        <----  ACK
        <----  FIN ACK (?optional?)
ACK     ----->

In practice, the remotes FIN ACK is considered optional so the netfilter firewall will flush it's connection table when it sees the ACK so when the FIN ACK packet arrives it has no associated connection and is dropped.

Best Answer

Related Solutions

Linux – Unable to make outbound SNMP connections when IPTables is enabled

UFW Logging – Why Are Blocked Requests Logged on Open Port?

Related Topic