Consulter les log iptables drop-c- :
Pour consulter les logs : journalctl -k | grep drop-c-
Voici ce que cela donne (j'ai juste remplacé le dernier octet du réseau IPv6 par x) :
$ journalctl -k | grep drop-c-
mai 23 07:17:05 lafibre kernel: drop-c-IN=em1.74 OUT= MAC=d4:ae:52:ce:c5:c7:74:8e:f8:63:5f:81:86:dd SRC=2a02:8428:0523:9xx1:0926:cb2a:55eb:aa00 DST=2a01:6e00:0010:0410:0000:0000:0000:0002 LEN=72 TC=0 HOPLIMIT=56 FLOWLBL=38539 PROTO=TCP SPT=57937 DPT=443 WINDOW=64800 RES=0x00 SYN URGP=0
mai 23 16:38:19 lafibre kernel: drop-c-IN=em1.74 OUT= MAC=d4:ae:52:ce:c5:c7:74:8e:f8:63:5f:81:86:dd SRC=2a01:cb10:02a3:fxx0:2c5d:5b4b:0793:e986 DST=2a01:6e00:0010:0410:0000:0000:0000:0002 LEN=72 TC=0 HOPLIMIT=54 FLOWLBL=495480 PROTO=TCP SPT=62926 DPT=443 WINDOW=64800 RES=0x00 SYN URGP=0
Consultation des stats (nombre de paquets) :
Consulter les stats IPv4 : iptables -n -v -L INPUT
# iptables -n -v -L INPUT
Chain INPUT (policy ACCEPT 1685M packets, 3081G bytes)
pkts bytes target prot opt in out source destination
105 5672 LOG tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x02 #conn src/32 > 50 limit: avg 30/hour burst 1 LOG flags 0 level 4 prefix "drop-c-"
68052 3825K REJECT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x02 #conn src/32 > 50 reject-with icmp-port-unreachable
16 512 DROP udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:5200:5209
Consulter les stats IPv6 : ip6tables -n -v -L INPUT
# ip6tables -n -v -L INPUT
Chain INPUT (policy ACCEPT 162M packets, 2140G bytes)
pkts bytes target prot opt in out source destination
1 80 LOG tcp * * ::/0 ::/0 tcp flags:0x17/0x02 #conn src/64 > 50 limit: avg 30/hour burst 1 LOG flags 0 level 4 prefix "drop-c-"
7 560 REJECT tcp * * ::/0 ::/0 tcp flags:0x17/0x02 #conn src/64 > 50 reject-with icmp6-port-unreachable
0 0 DROP udp * * ::/0 ::/0 udp dpts:5200:5209