Logging the TCP Header

The TCP header is defined in RFC 793, and the length of the header for any particular TCP segment2 varies depending on the number of options that are included. The length of the header, excluding the options (which is the only variable-length field), is always 20 bytes. In an iptables log message, each field in the TCP header is prefixed with an identifying string, as shown in Figure 3-1.

[Figure 3-1 (TCP header layout; image not reproduced). Fields and their iptables log tags, in header order: Source Port (SPT=); Destination Port (DPT=); Sequence Number (SEQ=, requires --log-tcp-sequence); Acknowledgment Number (ACK=, requires --log-tcp-sequence); Data Offset (no log tag); Reserved (RES=); Flags (CWR, ..., SYN, ...); Window (WINDOW=); Checksum (no log tag); Urgent Pointer (URGP=); Options (OPT=, not decoded, requires --log-tcp-options).]

Figure 3-1: The TCP header and iptables log message fields


All dark gray boxes in Figure 3-1 are always included within an iptables log message of a TCP packet; the fields shaded in lighter gray are included only if the specified command-line argument is given to iptables. The white boxes are never logged by iptables.

The LOG rules in the INPUT, OUTPUT, and FORWARD chains included in the default iptables policy in Chapter 1 are all built with the --log-tcp-options argument, so each log message contains a blob of hexadecimal codes whenever a TCP segment contains options. This chapter assumes that the default iptables policy implemented by the iptables.sh script from Chapter 1 is running on the iptablesfw system depicted in Figure 3-2. (This diagram is identical to Figure 1-2 and is duplicated here for convenience.)

2 Although the technical term for a unit of TCP information is a TCP segment, many people informally refer to TCP packets instead (packets is technically a term reserved for the network layer), and I use this colloquialism also. The same logic applies to UDP datagrams—it is more convenient to refer to UDP packets.

Figure 3-2: Default network diagram

To illustrate TCP options included within an iptables log message, we attempt to initiate a TCP connection to port 15104 from the ext_scanner system to the iptablesfw system.

Because the default policy does not allow communications with port 15104, the initial SYN packet is intercepted by the default iptables LOG and DROP rules. The tags iptables associates with each field of the TCP header are shown in bold below, starting with the source port (SPT) and ending with the options portion of the header (OPT):

[ext_scanner]$ nc -v 71.157.X.X 15104
[iptablesfw]# tail /var/log/messages | grep 15104
Jul 12 15:10:22 iptablesfw kernel: DROP IN=eth0 OUT= MAC=00:13:d3:38:b6:e4:00:30:48:80:4e:37:08:00 SRC=144.202.X.X DST=71.157.X.X LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=18723 DF PROTO=TCP SPT=47454 DPT=15104 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A3082048C0000000001030306)

To have iptables include TCP sequence and acknowledgment values, use the --log-tcp-sequence argument (see the sections in bold below):

[iptablesfw]# iptables -I INPUT 1 -p tcp --dport 15104 -j LOG --log-tcp-options --log-tcp-sequence

[ext_scanner]$ nc -v 71.157.X.X 15104
[iptablesfw]# tail /var/log/messages | grep 15104
Jul 12 15:33:53 iptablesfw kernel: IN=eth0 OUT= MAC=00:13:d3:38:b6:e4:00:30:48:80:4e:37:08:00 SRC=144.202.X.X DST=71.157.X.X LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=62378 DF PROTO=TCP SPT=54133 DPT=15104 SEQ=3180893451 ACK=0 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A308766A10000000001030306)
