Hi,
I have a strange issue with iptables on my server. It was getting loaded automatically even if I stopped it. I set up auditing but couldn't find what REALLY triggers iptables.
Here's a snip from the ausearch output:
----
time->Thu Sep 8 20:12:35 2011
type=PATH msg=audit(1315492955.754:891146): item=1 name=(null) inode=17465407 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1315492955.754:891146): item=0 name="/sbin/iptables" inode=32210958 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=CWD msg=audit(1315492955.754:891146): cwd="/root"
type=EXECVE msg=audit(1315492955.754:891146): argc=2 a0="iptables" a1="-L"
type=SYSCALL msg=audit(1315492955.754:891146): arch=c000003e syscall=59 success=yes exit=0 a0=1c70fbc0 a1=1c6ff6f0 a2=1c6effe0 a3=8 items=2 ppid=11061 pid=11622 auid=11001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=92491 comm="iptables" exe="/sbin/iptables" key="iptable_load_audit"
----
time->Thu Sep 8 20:23:28 2011
type=PATH msg=audit(1315493608.196:891434): item=1 name=(null) inode=17465407 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1315493608.196:891434): item=0 name="/sbin/iptables" inode=32210958 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=CWD msg=audit(1315493608.196:891434): cwd="/"
type=EXECVE msg=audit(1315493608.196:891434): argc=9 a0="/sbin/iptables" a1="--table" a2="nat" a3="--delete" a4="POSTROUTING" a5="--source" a6="192.168.122.0/255.255.255.0" a7="--jump" a8="MASQUERADE"
type=SYSCALL msg=audit(1315493608.196:891434): arch=c000003e syscall=59 success=yes exit=0 a0=5527080 a1=5530840 a2=7fffcda0bf60 a3=3ce1e16220 items=2 ppid=5564 pid=17660 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="iptables" exe="/sbin/iptables" key="iptable_load_audit"
The notable difference between the two entries is the tty. In the second, it says tty=(none). Based on this, it can be concluded that some application is accessing iptables. I believe that if I can get the name of the PPID, it can help me in tracing this further.
Any advice?
Regards,
Nehal Dattani
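An added example, not part of the post above: a small Python parser for ausearch output of the kind quoted, which groups records by audit event id, pulls out the fields that separate a human at a terminal from a daemon (tty, auid, ppid), and tries to resolve the parent two ways. Two facts it relies on: auid=4294967295 is audit's "unset" login uid, so the second event's process never came through a login session, which fits a boot-time daemon or cron rather than a person; and the parent's name can only be recovered from the log itself if execve is audited system-wide (for example with `-a always,exit -F arch=b64 -S execve -k exec_all`, an assumed rule), not just the watch on /sbin/iptables. The first two events in SAMPLE are the post's own records (PATH records dropped from the second for brevity); the third event is a constructed placeholder standing in for the parent's exec record and says nothing about what the real parent was. As a side note for the host check, the rule being deleted (MASQUERADE for 192.168.122.0/24 in POSTROUTING) has the shape libvirt's default NAT network installs, though nothing in the post confirms that.

```python
import re
from collections import defaultdict

# Constructed sample: events 891146 and 891434 are the post's records; event 891000 is a
# made-up placeholder parent exec record (comm "example-daemon"), not real data.
SAMPLE = """\
----
time->Thu Sep 8 20:12:35 2011
type=PATH msg=audit(1315492955.754:891146): item=1 name=(null) inode=17465407 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1315492955.754:891146): item=0 name="/sbin/iptables" inode=32210958 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=CWD msg=audit(1315492955.754:891146): cwd="/root"
type=EXECVE msg=audit(1315492955.754:891146): argc=2 a0="iptables" a1="-L"
type=SYSCALL msg=audit(1315492955.754:891146): arch=c000003e syscall=59 success=yes exit=0 a0=1c70fbc0 a1=1c6ff6f0 a2=1c6effe0 a3=8 items=2 ppid=11061 pid=11622 auid=11001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=92491 comm="iptables" exe="/sbin/iptables" key="iptable_load_audit"
----
time->Thu Sep 8 20:23:28 2011
type=CWD msg=audit(1315493608.196:891434): cwd="/"
type=EXECVE msg=audit(1315493608.196:891434): argc=9 a0="/sbin/iptables" a1="--table" a2="nat" a3="--delete" a4="POSTROUTING" a5="--source" a6="192.168.122.0/255.255.255.0" a7="--jump" a8="MASQUERADE"
type=SYSCALL msg=audit(1315493608.196:891434): arch=c000003e syscall=59 success=yes exit=0 a0=5527080 a1=5530840 a2=7fffcda0bf60 a3=3ce1e16220 items=2 ppid=5564 pid=17660 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="iptables" exe="/sbin/iptables" key="iptable_load_audit"
----
time->Thu Sep 8 20:00:00 2011
type=SYSCALL msg=audit(1315492800.000:891000): arch=c000003e syscall=59 success=yes exit=0 a0=0 a1=0 a2=0 a3=0 items=2 ppid=1 pid=5564 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="example-daemon" exe="/usr/sbin/example-daemon" key="exec_all"
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')      # key=value, value optionally quoted
EVENT_ID_RE = re.compile(r'audit\(([\d.]+):(\d+)\)')  # msg=audit(<time>:<serial>)
AUID_UNSET = "4294967295"  # -1 as unsigned 32-bit: no login session owns the process
SYS_EXECVE_X86_64 = "59"   # syscall number for execve on arch=c000003e

def parse_events(text):
    """Group records by audit event serial -> {record type: {field: value}}."""
    events = defaultdict(dict)
    for line in text.splitlines():
        if not line.startswith("type="):
            continue  # skips the '----' separators and 'time->' lines
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
        serial = int(EVENT_ID_RE.search(fields["msg"]).group(2))
        rtype = fields.pop("type")
        if rtype == "PATH":  # one PATH record per item; keep them keyed by item number
            events[serial].setdefault("PATH", {})[fields["item"]] = fields
        else:
            events[serial][rtype] = fields
    return dict(events)

def argv_of(event):
    ex = event.get("EXECVE", {})
    return [ex[f"a{i}"] for i in range(int(ex.get("argc", 0)))]

def summarize(event):
    """The fields that tell an interactive shell from a daemon- or cron-driven exec."""
    sc = event["SYSCALL"]
    daemon_like = sc["tty"] == "(none)" and sc["auid"] == AUID_UNSET
    return {"pid": int(sc["pid"]), "ppid": int(sc["ppid"]), "tty": sc["tty"],
            "auid": sc["auid"], "cwd": event.get("CWD", {}).get("cwd"),
            "argv": argv_of(event), "daemon_like": daemon_like}

def find_parent_exec(events, ppid):
    """Find the parent's own execve record in the same log. Only works when execve is
    audited system-wide; a watch on /sbin/iptables alone never records the parent."""
    for ev in events.values():
        sc = ev.get("SYSCALL")
        if sc and sc.get("syscall") == SYS_EXECVE_X86_64 and int(sc["pid"]) == ppid:
            return sc["comm"], sc["exe"]
    return None

def live_parent_comm(ppid):
    """On the live host, /proc/<ppid>/comm names the parent while it is still running."""
    try:
        with open(f"/proc/{ppid}/comm") as f:
            return f.read().strip()
    except OSError:
        return None

def analyse(text):
    events = parse_events(text)
    out = {}
    for serial, ev in events.items():
        if "EXECVE" not in ev:
            continue
        s = summarize(ev)
        s["parent_exec"] = find_parent_exec(events, s["ppid"])
        out[serial] = s
    return out

if __name__ == "__main__":
    for serial, s in sorted(analyse(SAMPLE).items()):
        origin = "daemon/cron (no tty, auid unset)" if s["daemon_like"] else "interactive session"
        print(f"event {serial}: pid={s['pid']} ppid={s['ppid']} {origin}")
        print(f"  cmd: {' '.join(s['argv'])}")
        print(f"  parent from log: {s['parent_exec']}  live: {live_parent_comm(s['ppid'])}")
```

Run against real output with `ausearch -k iptable_load_audit --raw | python3 this.py` adapted to read stdin; on the live host, `ps -o comm= -p <ppid>` or `/proc/<ppid>/comm` gives the same answer as `live_parent_comm` as long as the parent has not exited, which is why the log-based lookup is the reliable one once a system-wide execve rule is in place.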