How to track a connection?

In the IPFire log I see e.g.:

How I can determine where and why this packet is allowed or dropped? I am pretty sure that this port on the IPFire is not open:
# ss -tul | grep 192.168.251.2
udp UNCONN 0 0 192.168.251.2:123 0.0.0.0:*

There are no open TCP ports on the RED interface. So I assume that this packet is not harmful.

In the log I see the chain that logged this entry is DNAT. But I did not find a chain with this name in “Firewall/iptables”. In none of them.

I would prefer to have a trace with a filter where I see all incoming packets. How can I achieve this? In the log I only see the packets from the target LOG, isn’t it?

AFAIK tcpdump shows the incoming and outgoing packets of an interface. But I want to see the flow through ipfilter.

I guess this connection is an answer in a stateful connection with a dynamically opened port.

Do you see the connection in the connection tracking?

Look in the section with the heading IPTable Network Address Translation:

In the drop down box are the chains
NAT_DESTINATION
NAT_SOURCE.

A DNAT entry is usually associated with a port forward rule where you are allowing access from outside into a specific server etc on your lan.

Look at the entry in the log immediately before that DNAT one.

Here are the two log entries from a Port Forward rule that I have on my system.

Also if the rule has been used recently then you will also find a connection in the connection tracking table under the WUI menu Status - Connections.

Yes, this is the correct direction. Source is a high port, Dest. is 443 at a web server.
But if you take a closer look at my screenshot, the connection is TO a high port at the FW. (Source is 443; Dest. was 53458)

I would check my firewall rule if i saw that.

DNAT means that the port translation is being done by IPFire based on some rule.

Good idea … this was why I opened this thread … :wink:

But … maybe … 192.168.251.2 is the IP of the RED interface of the IPFire. And there are no listening high ports. I did not see any FORWARD around this entry in the log.
And there were only 12 attempts during a 3-second phase … maybe I should lie down and watch whether these occur again …

As 192.168.251.2 is your red connection, which is a private address, I am presuming that you have an ISP modem/router that is also doing NAT and that any port forwards you have in IPFire are also in that router.

Look in the logs of that router to see what was received and what was passed on or not.


To identify DNAT rules that port forward from the RED interface to an internal LAN IP, use the following command:

iptables -t nat -L -n -v | grep "DNAT.*to:"

Command breakdown:

  • iptables: The command-line utility for configuring the Linux kernel firewall.

    • -t nat: Specifies the table to use. In this case, the “nat” (Network Address Translation) table is selected.

    • -L: Lists the rules in the selected chain (or all chains if none is specified).

    • -n: Numeric output. Shows IP addresses and port numbers in numeric format rather than resolving hostnames.

    • -v: Verbose output. Provides additional details.

  • |: Pipe operator. Takes the output from the first command (iptables) and uses it as input for the second command (grep).

  • grep: Command-line utility for searching plain-text data.

    • "DNAT.*to:": The pattern to search for. Finds lines that contain “DNAT” followed by “to:”. The .* means any characters can be between “DNAT” and “to:”.

To list DNAT rules originating from the LAN (also known as “redirect” rules), use:

iptables -t nat -L -n -v | grep "REDIRECT.*"

This command isolates rules that redirect LAN traffic, such as redirecting UDP port 53 traffic to Unbound.
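The grep above drops the "Chain ..." header lines, so it cannot tell you which chain (NAT_DESTINATION or NAT_SOURCE) a DNAT or REDIRECT rule lives in, which was the original question. The following is an added example, not cfusco's command or IPFire's own code: an awk wrapper over the same `iptables -t nat -L -n -v` output that keeps the chain name for every DNAT/REDIRECT rule. The sample output is constructed; the interface names (red0, green0) and the internal addresses are placeholders.

```shell
#!/bin/sh
# Constructed sample of `iptables -t nat -L -n -v` output (not captured from a
# real system). Chain names follow the NAT_DESTINATION / NAT_SOURCE naming from
# the thread; interface names and internal addresses are placeholders.
SAMPLE='Chain PREROUTING (policy ACCEPT 100 packets, 8000 bytes)
 pkts bytes target     prot opt in     out     source               destination
  100  8000 NAT_DESTINATION  all  --  *      *       0.0.0.0/0            0.0.0.0/0

Chain NAT_DESTINATION (1 references)
 pkts bytes target     prot opt in     out     source               destination
   12   720 DNAT       tcp  --  red0   *       0.0.0.0/0            192.168.251.2        tcp dpt:443 to:10.0.0.5:443
    0     0 REDIRECT   udp  --  green0 *       0.0.0.0/0            !10.0.0.1             udp dpt:53 redir ports 53

Chain NAT_SOURCE (1 references)
 pkts bytes target     prot opt in     out     source               destination
  500 40000 SNAT       all  --  *      red0    10.0.0.0/24          0.0.0.0/0            to:192.168.251.2'

# Read `iptables -t nat -L -n -v` output on stdin and print one line per
# DNAT/REDIRECT rule: "<chain> <target> proto=.. in=.. dst=.. <match/target details>".
# Column layout of -v output: pkts bytes target prot opt in out source destination [extra...]
nat_rules_with_chain() {
    awk '
        /^Chain / { chain = $2; next }          # remember which chain we are in
        $3 == "DNAT" || $3 == "REDIRECT" {      # target is the 3rd column
            printf "%s %s proto=%s in=%s dst=%s", chain, $3, $4, $6, $9
            for (i = 10; i <= NF; i++) printf " %s", $i
            printf "\n"
        }'
}

# Number of DNAT (port-forward) rules found on stdin; a quick sanity check
# against what the WUI shows under Firewall Rules.
count_dnat() {
    nat_rules_with_chain | awk '$2 == "DNAT"' | wc -l | tr -d ' '
}

# On a live IPFire box replace the printf with: iptables -t nat -L -n -v | nat_rules_with_chain
printf '%s\n' "$SAMPLE" | nat_rules_with_chain
```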

Hi cfusco,

thank you very much! Very helpful, once I learn to read this :wink: