Watching IP Addresses

The CLI option csf -w [ip] and the configuration option WATCH_MODE log TCP connection initiation (SYN) packets from a specified source as they traverse the iptables chains. This can be extremely useful in tracking where that IP address is being dropped or accepted by iptables.

WATCH_MODE should be enabled when watching IP addresses. The csf -w [ip] option will still work without it, but it won't necessarily provide conclusive information on the final destination of the packet.

WATCH_MODE is disabled by default and should be left as such unless you are actively watching an IP address, as it adds overhead to all accepted iptables traffic and increases overall iptables kernel logging through syslog.

  1. WATCH_MODE disables: DROP_NOLOG, PS_INTERVAL, DROP_ONLYRES
  2. WATCH_MODE enables: DROP_LOGGING, DROP_IP_LOGGING, DROP_PF_LOGGING
  3. WATCH_MODE also logs iptables ACCEPT for watched IP addresses

• You should only watch a very small number of IP addresses at a time and for a very short period of time, otherwise the kernel log will become flooded with entries.
• Any IP address rules added during the time of the watch will not necessarily be included in the logging rules for the watched IP addresses.
• IP address watches do not survive a CSF restart.
• You can use either an IP address or a CIDR address for csf -w [ip].

To Enable Watch Mode

  1. Enable WATCH_MODE in /etc/csf/csf.conf
  2. Restart CSF
  3. Restart LFD
  4. Use the following to watch an IP: csf -w 11.22.33.44
  5. Watch the kernel iptables log (usually /var/log/messages) for hits from the watched IP address.
  6. Once you have finished watching an IP address, disable watch mode.

To Disable Watch Mode

  1. Disable WATCH_MODE in /etc/csf/csf.conf
  2. Restart CSF (which will also remove the watched IP rules)
  3. Restart LFD

The kernel iptables log lines for a watched IP are usually in /var/log/messages and contain the direction of the packet relative to a chain together with the chain name, e.g. I:INPUT means the packet is Incoming to (entering) the chain INPUT, and O:LOCALINPUT means it is Outgoing from (leaving) the chain LOCALINPUT without having matched a terminal rule there.

The following is a short example log watch of 203.0.113.1 connecting to port 22:

Firewall: I:INPUT SRC=203.0.113.1 DST=203.0.113.5 PROTO=TCP DPT=22
Firewall: I:LOCALINPUT SRC=203.0.113.1 DST=203.0.113.5 PROTO=TCP DPT=22
Firewall: I:GDENYIN SRC=203.0.113.1 DST=203.0.113.5 PROTO=TCP DPT=22
Firewall: O:GDENYIN SRC=203.0.113.1 DST=203.0.113.5 PROTO=TCP DPT=22
Firewall: I:DSHIELD SRC=203.0.113.1 DST=203.0.113.5 PROTO=TCP DPT=22
Firewall: O:DSHIELD SRC=203.0.113.1 DST=203.0.113.5 PROTO=TCP DPT=22
Firewall: I:SPAMHAUS SRC=203.0.113.1 DST=203.0.113.5 PROTO=TCP DPT=22
Firewall: O:SPAMHAUS SRC=203.0.113.1 DST=203.0.113.5 PROTO=TCP DPT=22
Firewall: O:LOCALINPUT SRC=203.0.113.1 DST=203.0.113.5 PROTO=TCP DPT=22
Firewall: I:INVALID SRC=203.0.113.1 DST=203.0.113.5 PROTO=TCP DPT=22
Firewall: O:INVALID SRC=203.0.113.1 DST=203.0.113.5 PROTO=TCP DPT=22
Firewall: I:LOGACCEPT SRC=203.0.113.1 DST=203.0.113.5 PROTO=TCP DPT=22
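Reading a watch log by hand gets tedious once several packets or several watched addresses are interleaved in /var/log/messages. The following is an added example (it is not part of CSF and not from the page's author) that parses lines in the layout shown above, groups them per flow, and replays the I:/O: events with a stack: a chain that is entered and then left again is one the packet fell through, and the chain still on the stack at the end is the one in which the packet was last seen, i.e. where a terminal verdict was reached. The sample log is constructed: it repeats the page's 203.0.113.1 watch with a syslog prefix added, plus a second constructed flow from 198.51.100.9 that never leaves GDENYIN, and one unrelated non-watch line to show that it is ignored. The source-only filter follows the page's statement that WATCH_MODE logs packets from a specified source; the prefix and extra key=value tolerance are assumptions about real syslog lines.

```python
"""Reconstruct the iptables chain path of a watched IP from CSF WATCH_MODE log lines.

Added example, not CSF's own code. Assumes lines of the form
'Firewall: <I|O>:<CHAIN> SRC=... DST=... PROTO=... DPT=...', possibly preceded by a
syslog timestamp/host/'kernel:' prefix and possibly carrying further key=value fields.
"""
import ipaddress
import re
from collections import OrderedDict

# Constructed sample log (syslog prefix is an assumption; the 198.51.100.9 flow and the
# "*TCP_IN Blocked*" line are constructed to show filtering, they are not from the page).
SAMPLE_LOG = """\
Jan  1 00:00:01 host kernel: Firewall: I:INPUT SRC=203.0.113.1 DST=203.0.113.5 PROTO=TCP DPT=22
Jan  1 00:00:01 host kernel: Firewall: I:LOCALINPUT SRC=203.0.113.1 DST=203.0.113.5 PROTO=TCP DPT=22
Jan  1 00:00:01 host kernel: Firewall: I:INPUT SRC=198.51.100.9 DST=203.0.113.5 PROTO=TCP DPT=80
Jan  1 00:00:01 host kernel: Firewall: I:GDENYIN SRC=203.0.113.1 DST=203.0.113.5 PROTO=TCP DPT=22
Jan  1 00:00:01 host kernel: Firewall: O:GDENYIN SRC=203.0.113.1 DST=203.0.113.5 PROTO=TCP DPT=22
Jan  1 00:00:01 host kernel: Firewall: I:LOCALINPUT SRC=198.51.100.9 DST=203.0.113.5 PROTO=TCP DPT=80
Jan  1 00:00:01 host kernel: Firewall: I:DSHIELD SRC=203.0.113.1 DST=203.0.113.5 PROTO=TCP DPT=22
Jan  1 00:00:01 host kernel: Firewall: O:DSHIELD SRC=203.0.113.1 DST=203.0.113.5 PROTO=TCP DPT=22
Jan  1 00:00:01 host kernel: Firewall: *TCP_IN Blocked* IN=eth0 OUT= SRC=192.0.2.7 DST=203.0.113.5 PROTO=TCP DPT=23
Jan  1 00:00:01 host kernel: Firewall: I:SPAMHAUS SRC=203.0.113.1 DST=203.0.113.5 PROTO=TCP DPT=22
Jan  1 00:00:01 host kernel: Firewall: O:SPAMHAUS SRC=203.0.113.1 DST=203.0.113.5 PROTO=TCP DPT=22
Jan  1 00:00:01 host kernel: Firewall: I:GDENYIN SRC=198.51.100.9 DST=203.0.113.5 PROTO=TCP DPT=80
Jan  1 00:00:01 host kernel: Firewall: O:LOCALINPUT SRC=203.0.113.1 DST=203.0.113.5 PROTO=TCP DPT=22
Jan  1 00:00:01 host kernel: Firewall: I:INVALID SRC=203.0.113.1 DST=203.0.113.5 PROTO=TCP DPT=22
Jan  1 00:00:01 host kernel: Firewall: O:INVALID SRC=203.0.113.1 DST=203.0.113.5 PROTO=TCP DPT=22
Jan  1 00:00:01 host kernel: Firewall: I:LOGACCEPT SRC=203.0.113.1 DST=203.0.113.5 PROTO=TCP DPT=22
"""

# Direction and chain come right after "Firewall:"; everything after is key=value fields.
HEAD_RE = re.compile(r"Firewall:\s+(?P<dir>[IO]):(?P<chain>\S+)\s+(?P<fields>.*)$")
KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_watch_line(line):
    """Return a dict for a WATCH_MODE line, or None for any other log line."""
    m = HEAD_RE.search(line)
    if not m:
        return None
    fields = dict(KV_RE.findall(m.group("fields")))
    if "SRC" not in fields or "DST" not in fields:
        return None
    return {"dir": m.group("dir"), "chain": m.group("chain"),
            "src": fields["SRC"], "dst": fields["DST"],
            "proto": fields.get("PROTO", "?"), "dpt": fields.get("DPT", "-")}


def _src_in(addr, net):
    try:
        return ipaddress.ip_address(addr) in net
    except ValueError:
        return False


def trace_flows(lines, watched):
    """Group (direction, chain) events per flow whose source lies in the watched IP/CIDR."""
    net = ipaddress.ip_network(watched, strict=False)  # accepts a single IP or a CIDR
    flows = OrderedDict()
    for line in lines:
        ev = parse_watch_line(line)
        if ev is None or not _src_in(ev["src"], net):
            continue
        key = (ev["src"], ev["dst"], ev["proto"], ev["dpt"])
        flows.setdefault(key, []).append((ev["dir"], ev["chain"]))
    return flows


def walk_chains(events):
    """Replay I:/O: events with a stack. An O: matching the most recently entered chain
    means the packet fell through that chain; whatever is still on the stack at the end
    is where the packet was last seen (a terminal verdict such as ACCEPT or DROP)."""
    stack, fell_through = [], []
    for direction, chain in events:
        if direction == "I":
            stack.append(chain)
        elif stack and stack[-1] == chain:
            fell_through.append(stack.pop())
        # An O: that does not match the stack top means lines were lost; it is ignored.
    return {"path": [f"{d}:{c}" for d, c in events],
            "fell_through": fell_through,
            "final_chain": stack[-1] if stack else None}


def report(log_text, watched):
    """One summary line per watched flow."""
    out = []
    for (src, dst, proto, dpt), events in trace_flows(log_text.splitlines(), watched).items():
        r = walk_chains(events)
        out.append(f"{src} -> {dst} {proto}/{dpt}: fell through "
                   f"{', '.join(r['fell_through']) or 'nothing'}; last seen in {r['final_chain']}")
    return out


if __name__ == "__main__":
    for summary in report(SAMPLE_LOG, "203.0.113.1") + report(SAMPLE_LOG, "198.51.100.0/24"):
        print(summary)
```

Run against the page's example, the 203.0.113.1 flow falls through GDENYIN, DSHIELD, SPAMHAUS, LOCALINPUT and INVALID and is last seen in LOGACCEPT, which matches the page's note that WATCH_MODE logs ACCEPT for watched addresses; the constructed 198.51.100.9 flow is last seen in GDENYIN and never leaves it. On a real host, feed the script the relevant portion of /var/log/messages and pass the same IP or CIDR you gave to csf -w.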