Linux – Any logs in Linux which tell if some port has been denied

Tags: centos, firewall, linux, logging

Suppose I have the firewall active, or any other security like SELinux etc.

Now suppose a user wants to connect to port 21 and iptables does not allow it.

Now, when the user gets denied, is that message logged anywhere so that I can see that the particular user is blocked, or why a particular port is blocked?

Rather than digging through every setting to find out why I am not getting through.

I have changed the default SSH port to 8022 but I am getting connection refused.

I have checked with telnet and it is listening on that port. I have empty iptables.

Is there any log where I can check who is refusing the connection?

Best Answer

First answer

No. There is no log by default showing this, but:

Showing current firewall configuration

Look how your firewall is configured:

iptables -L

Look at the Chain [INPUT|OUTPUT] policy first. If it is anything other than ACCEPT, the port in use may have to be explicitly ACCEPTed later...

iptables -nL INPUT | grep 'dpt:2[01]'

to show explicit rules about port 20 and port 21 (-n keeps iptables from printing them as service names like ftp/ftp-data), but take care: you may have to read the entire firewall configuration to check for multiport, user-defined chains, etc. This may become hard if you don't know iptables at all.

An empty, open firewall config could look like:

iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

see:

man iptables

Knowing what could block something in your rules

I use this trick:

touch /tmp/tmp_iptable_stat.txt
getChanges() {
    pushd /tmp >/dev/null
    # dump every loaded table with packet/byte counters and rule numbers;
    # the $RANDOM marker makes each table header differ from the last dump
    for table in $(</proc/self/net/ip_tables_names); do
        echo $RANDOM: - $table
        iptables -t $table -nvxL --line-numbers
    done |
        # compare with the previous dump, store the new one through patch...
        diff -u tmp_iptable_stat.txt - |
        tee >(patch -p0) |
        # ...and print only the added lines: table markers and rules whose counters moved
        sed '
            /^+++ /d;
            s/^+[0-9]*: - /TABLE /p;
            s/^+//p;
            d'
    popd >/dev/null
}

Then a first call to getChanges will dump all tables and counters. Subsequent calls to the same function will print only the rules whose counters were modified. This could help to find which rule is blocking something.

Showing current network stacks state:

The kernel network stack state could be dumped by

netstat -tan
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN
tcp        0   2364 192.168.1.1:21          192.168.1.35:49179      ESTABLISHED

for TCP sockets or

netstat -uan
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      

for UDP sockets.

As my FTP server uses TCP sockets, I can see that one exchange is currently established between my server and host ...35 (the server currently has 2364 packets to send to the client; maybe a file, maybe a list...).

Tracking for traffic on specific interface

Instead of using a log, you could watch what happens on your interface:

tcpdump -i ethX

This will dump useful information about traffic on ethX, but by default, to be more human readable, this tool will try to resolve each IP's name. So there may be some delay between the event itself and the dump on the terminal. So:

tcpdump -ani ethX

won't try to resolve (option -n) IP and service names and will show ALL (-a) packets traversing the interface.

More finely:

tcpdump -ani ethX port 21 or port 20
09:17:58.264453 IP 192.168.1.1.21 > 192.168.24.91.45951: Flags [S.], seq 3593971599, ack 1942867644, win 5792, options [mss 1460,sackOK,TS val 1168768120 ecr 62841986,nop,wscale 7], length 0
09:17:58.299693 IP 192.168.1.35.56485 > 192.168.1.1.21: Flags [S], seq 3334605998, win 5840, options [mss 1368,sackOK,TS val 1936641509 ecr 0,nop,wscale 7], length 0
09:17:58.299728 IP 192.168.1.1.21 > 192.168.1.35.56485: Flags [S.], seq 980554936, ack 3334605999, win 5792, options [mss 1460,sackOK,TS val 1168768129 ecr 1936641509,nop,wscale 7], length 0
...

More detailed: use -v or -vv for full protocol decode

tcpdump -anvvi ethX port 21 or port 20
tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
09:22:40.047486 IP (tos 0x0, ttl 62, id 31488, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.24.91.46011 > 192.168.1.1.21: Flags [S], cksum 0x5985 (correct), seq 3989081263, win 14600, options [mss 1368,sackOK,TS val 62912431 ecr 0,nop,wscale 6], length 0
09:22:40.047525 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.1.1.21 > 192.168.24.91.46011: Flags [S.], cksum 0x926d (correct), seq 2283473829, ack 3989081264, win 5792, options [mss 1460,sackOK,TS val 1168838566 ecr 62912431,nop,wscale 7], length 0
09:22:40.817248 IP (tos 0x0, ttl 62, id 31489, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.24.91.46011 > 192.168.1.1.21: Flags [.], cksum 0xd6e9 (correct), seq 1, ack 1, win 229, options [nop,nop,TS val 62912442 ecr 1168838566], length 0
09:22:40.817567 IP (tos 0x0, ttl 62, id 31490, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.24.91.46011 > 192.168.1.1.21: Flags [F.], cksum 0xd6e3 (correct), seq 1, ack 1, win 229, options [nop,nop,TS val 62912447 ecr 1168838566], length 0
...

Where you could follow each operation.
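The counter-diff trick in the answer above is the practical way to find a silently DROPping rule. The following script is an added example, not code from the answer or from the iptables project: it compares two snapshots of `iptables -t <table> -nvxL --line-numbers` (take one, make the failing connection attempt, take another) and prints only the rules and built-in chain policies whose packet counters moved. The two snapshots embedded in `demo` are constructed sample text in the format iptables prints for the filter table, not real captures; the ruleset, ports and counter values in them are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original answer): compare two snapshots of
# "iptables -t <table> -nvxL --line-numbers" and print only the rules and
# built-in chain policies whose packet counters moved. Snapshot, make the
# failing connection attempt, snapshot again: the rule that ate the packet
# shows up here. Rule numbers are the key, so don't edit the ruleset between
# the two snapshots.
set -u

# Usage: counter_deltas BEFORE_FILE AFTER_FILE
# Output: "<chain> <rule#|policy> <target> <matches|prot> +<n> packets", sorted
counter_deltas() {
    awk '
        /^Chain / {
            chain = $2
            # built-in chains carry policy counters:
            #   Chain INPUT (policy DROP 12 packets, 720 bytes)
            if (match($0, /\(policy [A-Z]+ [0-9]+ packets/)) {
                split(substr($0, RSTART + 1, RLENGTH - 1), p, " ")
                store(chain " policy " p[2], p[3])
            }
            next
        }
        /^num / || /^[[:space:]]*$/ { next }   # column header / blank separator
        {
            # rule line: num pkts bytes target prot opt in out source destination [match ...]
            key = chain " " $1 " " $4
            if (NF >= 11) { for (i = 11; i <= NF; i++) key = key " " $i } else { key = key " " $5 }
            store(key, $2)
        }
        function store(k, pkts) {
            if (FILENAME == ARGV[1]) before[k] = pkts; else after[k] = pkts
        }
        END {
            for (k in after) {
                delta = after[k] - ((k in before) ? before[k] : 0)
                if (delta != 0) printf "%s %s%d packets\n", k, (delta > 0 ? "+" : ""), delta
            }
        }
    ' "$1" "$2" | sort
}

# Constructed sample (not a real capture), in the format iptables prints for
# the filter table. The "after" copy is the same ruleset after three retried
# SYNs to port 21 hit rule 4, some established traffic passed rule 2, and one
# packet fell through to the INPUT policy.
SNAP_BEFORE='Chain INPUT (policy DROP 12 packets, 720 bytes)
num      pkts      bytes target     prot opt in     out     source               destination
1        1000     80000 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
2        5000    400000 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
3          40      2400 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
4           7       420 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:21

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num      pkts      bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
num      pkts      bytes target     prot opt in     out     source               destination'

demo() {
    tmp=$(mktemp -d)
    printf '%s\n' "$SNAP_BEFORE" > "$tmp/before"
    printf '%s\n' "$SNAP_BEFORE" \
        | sed -e 's/policy DROP 12 packets, 720 bytes/policy DROP 13 packets, 780 bytes/' \
              -e 's/^2 *5000 *400000 /2 5020 401600 /' \
              -e 's/^4 *7 *420 /4 10 600 /' > "$tmp/after"
    counter_deltas "$tmp/before" "$tmp/after"
    rm -rf "$tmp"
}

demo
```

On a live box: `iptables -t filter -nvxL --line-numbers > /tmp/before`, reproduce the failure, dump again to `/tmp/after`, then `counter_deltas /tmp/before /tmp/after`. Run it for each table listed in /proc/net/ip_tables_names if the filter table shows nothing; a growing policy counter with no rule growing means the packet matched nothing and hit the chain default.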
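What the tcpdump output above actually tells you about a blocked port is in the handshake: a SYN answered with SYN-ACK means open, a SYN answered with RST means the host's TCP stack (or an iptables REJECT --reject-with tcp-reset) refused it, and a SYN that is only ever retransmitted means something dropped it silently, which is the signature of a DROP rule. The script below is an added example, not code from the answer or from tcpdump; it reads the one-line-per-packet format `tcpdump -n` prints without -v and classifies each client -> server:port attempt. The sample lines are constructed, not a real capture; the addresses and the relocated SSH port 8022 are taken from the thread as illustration.

```shell
#!/bin/sh
# Added example (not from the original answer): read "tcpdump -n" lines and
# tell, per client -> server:port attempt, whether the port was open (SYN-ACK
# came back), refused (RST came back: nothing listening on that address/port,
# or an iptables REJECT with tcp-reset) or unanswered (the SYN was never
# answered: typically DROPped by a firewall on the path or on the host).
set -u

# Usage: classify_flows < tcpdump-lines
# Expects the default one-line-per-packet format (no -v); IPv6 ("IP6") lines are ignored.
classify_flows() {
    awk '
        # e.g. "09:17:58.299693 IP 192.168.1.35.56485 > 192.168.1.1.21: Flags [S], seq 3334605998, ..."
        $2 == "IP" && $4 == ">" && $6 == "Flags" {
            src = $3; dst = $5; sub(/:$/, "", dst)
            flags = $7; sub(/,$/, "", flags)
            key = src " > " dst
            if (flags ~ /^\[S[EW]*\]$/) {      # client SYN (ECN bits allowed): remember the attempt
                if (!(key in state)) { state[key] = "unanswered"; order[++n] = key }
                next
            }
            rev = dst " > " src                # a reply is addressed back to the client
            if (!(rev in state)) next
            if (flags ~ /^\[S\./)      state[rev] = "open"
            else if (flags ~ /^\[R/)   state[rev] = "refused"
        }
        END { for (i = 1; i <= n; i++) print order[i] ": " state[order[i]] }
    '
}

# Constructed sample (not a real capture): an FTP handshake that completes,
# an attempt on the relocated SSH port 8022 that gets a reset, and a telnet
# SYN that is retransmitted and never answered.
SAMPLE='09:17:58.299693 IP 192.168.1.35.56485 > 192.168.1.1.21: Flags [S], seq 3334605998, win 5840, length 0
09:17:58.299728 IP 192.168.1.1.21 > 192.168.1.35.56485: Flags [S.], seq 980554936, ack 3334605999, win 5792, length 0
09:18:01.100000 IP 192.168.1.35.56490 > 192.168.1.1.8022: Flags [S], seq 111, win 5840, length 0
09:18:01.100050 IP 192.168.1.1.8022 > 192.168.1.35.56490: Flags [R.], seq 0, ack 112, win 0, length 0
09:18:05.200000 IP 192.168.1.35.56491 > 192.168.1.1.23: Flags [S], seq 222, win 5840, length 0
09:18:06.200000 IP 192.168.1.35.56491 > 192.168.1.1.23: Flags [S], seq 222, win 5840, length 0'

demo() { printf '%s\n' "$SAMPLE" | classify_flows; }

demo
```

Live use: `tcpdump -ni ethX 'tcp port 8022' | classify_flows` while you retry the connection from the client. If the capture on the server shows an RST leaving it, the packet reached the TCP stack and the problem is the listener (bind address, wrong port, service not running), not a packet filter; if the SYN arrives and nothing leaves, look at the firewall on the host; if the SYN never arrives, the drop is upstream.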