
I am doing egress logging on my server using IPTABLES with the following line which is supposed to provide UID information on all traffic that is logged:

-A OUTPUT -j LOG --log-prefix "IPTABLES(O): " --log-level info --log-uid

However, once in a while, I would get logs without UID like this:

IPTABLES(O): IN= OUT=eth0 SRC=1.2.3.4 DST=5.6.7.8 LEN=83 TOS=0x00 PREC=0x00 TTL=64 ID=54321 DF PROTO=TCP SPT=50505 DPT=443 WINDOW=342 RES=0x00 ACK PSH FIN URGP=0

What are the reasons for outgoing traffic to not contain any UID information?

Question Overflow

1 Answer


One of the usual reasons is the terminating FIN ACK sequence. Once a client application calls close() on the TCP socket, an ACK + FIN packet is sent to the server and the client program exits. At this point, there is no process associated with the TCP connection but it is not finished yet.

When applying an owner filter, it is customary to also add a rule to ACCEPT packets with state ESTABLISHED to cover these "residual packets".

iptables -A OUTPUT -p tcp --dport 443 -m owner --uid-owner foo -j ACCEPT
iptables -A OUTPUT -p tcp --dport 443 -m state --state ESTABLISHED -j ACCEPT
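The answer above explains that a UID-less OUTPUT log entry is usually just the FIN/ACK teardown sent after close(). When reviewing egress logs, the useful check is to separate those expected cases from UID-less data packets that still deserve a look. The following is an added example (not code from the question or the answerer) that parses `--log-uid` style LOG lines over constructed sample data; the prefix `IPTABLES(O): ` and the `UID=`/`GID=` trailing fields match what the page shows, everything else is assumed.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample log lines (not from a real host). Line 1 is a FIN/ACK
# teardown packet with no owning process, line 2 is a data packet with no UID
# (the interesting case), line 3 is a normal packet that carries UID/GID.
SAMPLE_LOG = """\
IPTABLES(O): IN= OUT=eth0 SRC=1.2.3.4 DST=5.6.7.8 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=54321 DF PROTO=TCP SPT=50505 DPT=443 WINDOW=342 RES=0x00 ACK FIN URGP=0
IPTABLES(O): IN= OUT=eth0 SRC=1.2.3.4 DST=5.6.7.8 LEN=1500 TOS=0x00 PREC=0x00 TTL=64 ID=54322 DF PROTO=TCP SPT=50506 DPT=8443 WINDOW=342 RES=0x00 ACK PSH URGP=0
IPTABLES(O): IN= OUT=eth0 SRC=1.2.3.4 DST=5.6.7.8 LEN=83 TOS=0x00 PREC=0x00 TTL=64 ID=54323 DF PROTO=TCP SPT=50507 DPT=443 WINDOW=342 RES=0x00 ACK PSH URGP=0 UID=1000 GID=1000
"""

TCP_FLAGS = {"URG", "ACK", "PSH", "RST", "SYN", "FIN"}


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Turn one LOG-target line into a dict of KEY=VALUE fields plus a FLAGS set."""
    m = re.search(r"IPTABLES\(O\): (.*)$", line)
    if not m:
        return None
    fields: Dict[str, object] = {}
    flags: Set[str] = set()
    for tok in m.group(1).split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            fields[key] = val
        elif tok in TCP_FLAGS:
            flags.add(tok)
        else:
            fields[tok] = True  # bare markers such as DF
    fields["FLAGS"] = flags
    return fields


def classify(fields: Dict[str, object]) -> str:
    """'owned' if a UID was logged, 'teardown' if it is a FIN/RST with no owner,
    otherwise 'orphan' (a UID-less packet the answer's explanation does not cover)."""
    if "UID" in fields:
        return "owned"
    flags = fields["FLAGS"]
    if fields.get("PROTO") == "TCP" and ({"FIN", "RST"} & flags):
        return "teardown"
    return "orphan"


def find_orphans(log_text: str) -> List[Tuple[str, str]]:
    """Return (SPT, DPT) of every UID-less packet that is not connection teardown."""
    orphans: List[Tuple[str, str]] = []
    for line in log_text.splitlines():
        f = parse_line(line)
        if f and classify(f) == "orphan":
            orphans.append((str(f.get("SPT")), str(f.get("DPT"))))
    return orphans
```

Anything `find_orphans` reports is worth correlating with connection tracking or process accounting, since a PSH data packet with no owner is not explained by the close() race.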