# [solved] who hammers at my ipv6 if ?

## toralf

At my server I do observe peaks like the following:

```
12:00:01 AM     IFACE   rxpck/s   txpck/s    rxkB/s    txkB/s   rxcmp/s   txcmp/s  rxmcst/s   %ifutil
02:03:01 AM    enp3s0   2652.77   1738.83   2804.44   1861.37      0.00      0.00      0.00      2.30
04:07:01 AM    enp3s0   4937.92   1504.53   6254.33   1423.79      0.00      0.00      0.00      5.12
04:08:01 AM    enp3s0  11637.23   2592.90  15777.55   2581.52      0.00      0.00      0.00     12.92
04:09:01 AM    enp3s0   8845.03   2587.22  11699.57   2714.80      0.00      0.00      0.00      9.58
```

which correlates to a high rx input at my ipv6 address (statistics from my provider). That traffic is usually blocked by my firewall (straight ip(6)tables script).

Now I was wondering whether it makes sense at all to try to get the originating ip address(es) and independent from that, how could that be achieved w/ an ip6tables rule set?

Last edited by toralf on Thu Jun 02, 2016 7:02 pm; edited 1 time in total

----------

## dataking

*toralf wrote:*

> Now I was wondering whether it makes sense at all to try to get the originating ip address(es) and independent from that, how could that be achieved w/ an ip6tables rule set ?

 

IMHO, "most people" will gain little value in collecting IPs (v6 OR v4) that are banging at their (firewall) door. I personally find it mildly interesting to capture those IPs, then pull "interesting" metrics about those IPs: what country they're reporting as, what org they might belong to, etc... basically anything DNS, GeoIP, WhoIs or anything else might tell me about them. YMMV.

But, as long as they aren't getting past your firewall/perimeter, it probably doesn't matter a whole lot after that.

It just so happens, the FW product I use silently drops IPv6, so I don't even bother tracking who might happen past.  Again, YMMV.

As far as how that could be achieved, you'd have to create a LOG'ging ip6tables (or nftables(???)) rule to log the traffic.  Then you could whip up some scripts to do "interesting" things with that data.
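An added example, not part of the original post: one way to turn the output of such a LOG rule into per-source packet and byte totals. The `ip6-drop: ` log prefix, the host name and the sample addresses are assumptions made for illustration; sources are grouped by /64 because a single host can send from many addresses inside its prefix.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: kernel log lines in the format written by the ip6tables
# LOG target. The "ip6-drop: " prefix, host name and all addresses are made up
# (2001:db8::/32 is the documentation range).
SAMPLE_LOG = """\
Jun  2 04:08:01 host kernel: ip6-drop: IN=enp3s0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:86:dd SRC=2001:0db8:00aa:0001:0000:0000:0000:0010 DST=2001:0db8:ffff:0000:0000:0000:0000:0001 LEN=1280 TC=0 HOPLIMIT=54 FLOWLBL=0 PROTO=UDP SPT=53 DPT=40000 LEN=1240
Jun  2 04:08:01 host kernel: ip6-drop: IN=enp3s0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:86:dd SRC=2001:0db8:00aa:0001:0000:0000:0000:0011 DST=2001:0db8:ffff:0000:0000:0000:0000:0001 LEN=1280 TC=0 HOPLIMIT=54 FLOWLBL=0 PROTO=UDP SPT=53 DPT=40001 LEN=1240
Jun  2 04:08:02 host kernel: ip6-drop: IN=enp3s0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:86:dd SRC=2001:0db8:00bb:0002:0000:0000:0000:0001 DST=2001:0db8:ffff:0000:0000:0000:0000:0001 LEN=80 TC=0 HOPLIMIT=57 FLOWLBL=0 PROTO=TCP SPT=40123 DPT=22 WINDOW=64800 RES=0x00 SYN URGP=0
Jun  2 04:08:02 host kernel: ip6-drop: IN=enp3s0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:86:dd SRC=2001:0db8:00aa:0001:0000:0000:0000:0012 DST=2001:0db8:ffff:0000:0000:0000:0000:0001 LEN=1280 TC=0 HOPLIMIT=54 FLOWLBL=0 PROTO=UDP SPT=53 DPT=40002 LEN=1240
Jun  2 04:08:02 host sshd[812]: Server listening on :: port 22.
"""

# The first LEN= after DST= is the packet length; UDP lines carry a second
# LEN= (the UDP length) later on, which must not be counted.
LOG_RE = re.compile(r"\bSRC=(\S+) DST=\S+ LEN=(\d+)")


def top_sources(lines, prefix_len=64):
    """Return [(network, packets, bytes)] sorted by bytes, largest first."""
    totals = defaultdict(lambda: [0, 0])
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # not a netfilter LOG line
        try:
            addr = ipaddress.IPv6Address(m.group(1))
        except ValueError:
            continue  # IPv4 entry or damaged line
        # Group by prefix rather than by single address.
        net = ipaddress.IPv6Network((int(addr), prefix_len), strict=False)
        totals[net][0] += 1
        totals[net][1] += int(m.group(2))
    rows = ((str(net), pk, by) for net, (pk, by) in totals.items())
    return sorted(rows, key=lambda row: row[2], reverse=True)


if __name__ == "__main__":
    for net, packets, nbytes in top_sources(SAMPLE_LOG.splitlines()):
        print(f"{net:<24} {packets:>6} pkts {nbytes:>8} bytes")
```

The totals only cover packets that were actually logged, so a rate-limited LOG rule undercounts.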

----------

## toralf

Well, yes, I'd need the LOG target, but I do wonder how to get the traffic amount. Maybe this isn't achievable at all for me?

----------

## szatox

You can check firewall's statistics with

```
iptables -nvL
```

It can be any rule. You can create a rule with the same target as your policy, so it will be matched and counted separately, without doing anything fancy.

----------

## toralf

indeed - thx.

----------

