[nylug-talk] Help: Under Attack! (SYN flood)

Peter C. Norton spacey-nylug at lenin.net
Mon Nov 5 17:13:56 EST 2007


On Mon, Nov 05, 2007 at 04:56:23PM -0500, Chris Knadle wrote:
> On Monday 05 November 2007, Peter C. Norton wrote:
> > On Sun, Nov 04, 2007 at 01:19:02AM -0400, Chris Knadle wrote:
> > > On Saturday 03 November 2007, Joachim Stahl wrote:
> > > > I'm just confused as to why tcpdump still shows it.
> > >
> > >    You need to run tcpdump with the -p option, otherwise it will put the
> > > ethernet device into promiscuous mode and thus you'll see everything
> > > rather than only what makes it through iptables.
> >
> > To clarify this, tcpdump is trying to show you what the bits on the
> > wire are, and not what your kernel has filtered out vs. what passes
> > through.
> 
>    I've been running some tests and I think you're right.  But if that's 
> indeed the case, then how can one watch iptables block packets?  Is setting 
> iptables to log the only choice?

If you don't want to log, just watch the counters in iptables
(e.g. with -v -L).

-Peter

-- 
The 5 year plan:
In five years we'll make up another plan.
Or just re-use this one.
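As an added illustration of Peter's suggestion (not part of the original thread), the snippet below parses two snapshots of `iptables -v -x -n -L INPUT` output and reports how many packets the DROP rules have absorbed between them. The snapshots are constructed sample text, not real captures; the function names `drop_pkts` and `counter_delta` are my own. The `-x` flag is assumed so counters print as exact numbers rather than `340K`, which keeps the arithmetic honest.

```shell
#!/bin/sh
# Constructed sample of `iptables -v -x -n -L INPUT` taken at two moments.
# Counters are invented to show a DROP rule that keeps matching while a
# SYN flood is under way; they are not from a real system.
SNAP1='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
    1200      96000 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
     340      20400 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x17/0x02
      15       1200 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22'

SNAP2='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
    1260     100800 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    2890     173400 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x17/0x02
      17       1360 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22'

# Sum the pkts column (field 1) of every rule whose target (field 3) is DROP.
# The chain header and column header lines never have DROP in field 3, so
# they are ignored without special-casing. Prints 0 if no DROP rule exists.
drop_pkts() {
  printf '%s\n' "$1" | awk '$3 == "DROP" { sum += $1 } END { print sum + 0 }'
}

# Difference in dropped packets between an earlier and a later snapshot.
# A steadily growing number is the evidence that the rules are catching
# traffic, which tcpdump on the same interface will not show you.
counter_delta() {
  echo $(( $(drop_pkts "$2") - $(drop_pkts "$1") ))
}

# Live variant (needs root and a real iptables); not run by the test below.
# Take a snapshot, wait, take another, and print the drop count per interval.
live_drop_rate() {
  interval="${1:-1}"
  before=$(iptables -v -x -n -L INPUT)
  sleep "$interval"
  after=$(iptables -v -x -n -L INPUT)
  echo "dropped in last ${interval}s: $(counter_delta "$before" "$after")"
}

echo "DROP packets in snapshot 1: $(drop_pkts "$SNAP1")"
echo "DROP packets in snapshot 2: $(drop_pkts "$SNAP2")"
echo "dropped between snapshots:  $(counter_delta "$SNAP1" "$SNAP2")"
```

For a quick look without scripting, `watch -d iptables -v -x -n -L INPUT` highlights the counters that changed since the last refresh, which is usually enough to confirm a rule is doing its job during an attack. Note that `iptables -Z` resets the counters, so take the "before" snapshot without zeroing if you want a running total.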



More information about the nylug-talk mailing list