How to get metrics about dropped traffic via iptables

firewalliptablesnetworkingpacket

We are using iptables firewall. It is logging and dropping various packages depending on its defined rules.
Iptables log file entries look like:

2017-08-08T19:42:38.237311-07:00 compute-nodeXXXXX kernel: [1291564.163235] drop-message : IN=vlanXXXX OUT=cali95ada065ccc MAC=24:6e:96:37:b9:f0:44:4c:XX:XX:XX:XX:XX:XX SRC=10.50.188.98 DST=10.49.165.68 LEN=60 TOS=0x00 PREC=0x00 TTL=57 ID=14005 DF PROTO=TCP SPT=52862 DPT=50000 WINDOW=29200 RES=0x00 SYN URGP=0

Is there any way to get the count of the dropped packets ?
I want to calculate metrics like the number of dropped packets in the last minute, hour…. so on.

The main purpose is monitoring for configuration mistakes and security breaches. If the firewall rules have a mistake, abruptly bunch of packets start to get dropped. Similarly if an attack is happening we expect variation in the number of denied packets.

Best Answer

There are counters for each rule in iptables which can be shown with the -v option. Add -x to avoid the counters being abbreviated when they are very large (eg 1104K). For example,

$ sudo iptables -L -n -v -x
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in out source    destination 
   39 22221 ACCEPT udp  --  *  *   0.0.0.0/0  0.0.0.0/0 udp spts:67:68 dpts:67:68
 ...
  182 43862 LOG    all  --  *  *   0.0.0.0/0  0.0.0.0/0 LOG flags 0 level 4 prefix "input_drop: "
  182 43862 REJECT all  --  *  *   0.0.0.0/0  0.0.0.0/0 reject-with icmp-host-prohibited

shows no dropped packets on my local network but 182 rejected with icmp and a log message such as the one you listed. The last two rules in the configuration with a policy of DROP were

  -A INPUT -j LOG --log-prefix "input_drop: "
  -A INPUT -j REJECT --reject-with icmp-host-prohibited

You can zero the counters for all chains with iptables -Z.

These counts are for the packets that iptables itself dropped. However, there may be other filtering software that is also dropping packets due to congestion, for example. You need to look at each one for whatever statistics they provide. The (obsolete) netstat program can easily show the counts of packets that were dropped at the ethernet interface due to congestion before they are even delivered to iptables:

$ netstat -i 
Iface      MTU    RX-OK RX-ERR RX-DRP RX-OVR    TX-OK TX-ERR TX-DRP TX-OVR 
enp5s0    1500  1097107      0     38 0       2049166      0      0      0

and you can also get some statistics on packets dropped elsewhere by the kernel for various reasons:

$ netstat -s | grep -i drop
27 outgoing packets dropped
16 dropped because of missing route
2 ICMP packets dropped because socket was locked

Related Solutions

Iptables: Matching Outgoing Traffic with Conntrack and Owner – Troubleshooting Drops

To cut a long story short, that ACK was sent when the socket didn't belong to anybody. Instead of allowing packets that pertain to a socket that belongs to user x, allow packets that pertain to a connection that was initiated by a socket from user x.

The longer story.

To understand the issue, it helps to understand how wget and HTTP requests work in general.

wget http://cachefly.cachefly.net/10mb.test

wget establishes a TCP connection to cachefly.cachefly.net, and once established sends a request in the HTTP protocol that says: "Please send me the content of /10mb.test (GET /10mb.test HTTP/1.1) and by the way, could you please not close the connection after you're done (Connection: Keep-alive). The reason it does that is because in case the server replies with a redirection for a URL on the same IP address, it can reuse the connection.

Now the server can reply with either, "here comes the data you requested, beware it's 10MB large (Content-Length: 10485760), and yes OK, I'll leave the connection open". Or if it doesn't know the size of the data, "Here's the data, sorry I can't leave the connection open but I'll tell when you can stop downloading the data by closing my end of the connection".

In the URL above, we're in the first case.

So, as soon as wget has obtained the headers for the response, it knows its job is done once it has downloaded 10MB of data.

Basically, what wget does is read the data until 10MB have been received and exit. But at that point, there's more to be done. What about the server? It's been told to leave the connection open.

Before exiting, wget closes (close system call) the file descriptor for the socket. Upon, the close, the system finishes acknowledging the data sent by the server and sends a FIN to say: "I won't be sending any more data". At that point close returns and wget exits. There is no socket associated to the TCP connection anymore (at least not one owned by any user). However it's not finished yet. Upon receiving that FIN, the HTTP server sees end-of-file when reading the next request from the client. In HTTP, that means "no more request, I'll close my end". So it sends its FIN as well, to say, "I won't be sending anything either, that connection is going away".

Upon receiving that FIN, the client sends a "ACK". But, at that point, wget is long gone, so that ACK is not from any user. Which is why it is blocked by your firewall. Because the server doesn't receive the ACK, it's going to send the FIN over and over until it gives up and you'll see more dropped ACKs. That also means that by dropping those ACKs, you're needlessly using resources of the server (which needs to maintain a socket in the LAST-ACK state) for quite some time.

The behavior would have been different if the client had not requested "Keep-alive" or the server had not replied with "Keep-alive".

As already mentioned, if you're using the connection tracker, what you want to do is let every packet in the ESTABLISHED and RELATED states through and only worry about NEW packets.

If you allow NEW packets from user x but not packets from user y, then other packets for established connections by user x will go through, and because there can't be established connections by user y (since we're blocking the NEW packets that would establish the connection), there will not be any packet for user y connections going through.

Why is the computer trying to send ICMP type 3 to OpenDNS

You running Chrome by any chance on the computer with the IP 192.168.1.105? It would appear that Chrome attempts to do a prefetch using ICMP to OpenDNS.

http://productforums.google.com/forum/#!topic/chrome/spzCFoXR7m4

Please see the help reference. It seems turning off DNS pre-fetching is possible.

You can turn it off by following the directions here:

http://www.google.com/support/forum/p/Chrome/thread?tid=7e45d89c67905b20&hl=en

EDIT #1: Follow-up Question

@ProxyNinja asked the following in the comments below:

But ICMP type 3 sounds like a response to a query. How would it be used in a prefetch?

To which I replied:

Doing the ping like this forces the local resolver to do the DNS query, there-by causing it to be resolved ahead of time, would be my guess. The ping is immaterial, it's the DNS resolution that it causes is what they're after.

Best Answer

Related Solutions

Iptables: Matching Outgoing Traffic with Conntrack and Owner – Troubleshooting Drops

Why is the computer trying to send ICMP type 3 to OpenDNS

EDIT #1: Follow-up Question

Related Question