How do I trace and resolve TCP_OUT Blocked messages?

DigitalEssence

Well-Known Member
May 21, 2014
49
5
8
cPanel Access Level
Root Administrator
Hi,

I'm seeing a lot of TCP_OUT Blocked messages in /var/log/messages to one IP address and want to trace and resolve if possible but I am struggling to find how to do this despite searching on this forum and in Google.

The message I am seeing is:

Jun 11 13:08:10 squirrel kernel: [59327.411526] Firewall: *TCP_OUT Blocked* IN= OUT=eth0 SRC=MY.SERVER.IP.ADDRESS DST=AN.EXTERNAL.IP.ADDRESS LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1837 DF PROTO=TCP SPT=52852 DPT=4506 WINDOW=14600 RES=0x00 SYN URGP=0 UID=0 GID=0
 

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
13,304
1,250
313
Houston
You could use netstat while it's occurring to see if you can see which service is connecting:

For example if I wanted to see what was connected to port 587 I'd run:

Code:
# netstat -plan |grep 587
tcp        0      0 0.0.0.0:587             0.0.0.0:*               LISTEN      11429/exim
tcp6       0      0 :::587                  :::*                    LISTEN      11429/exim
 

DigitalEssence

Thanks Lauren.

I ran

Code:
netstat -plan | grep 178.79.140.52

And that gives me:


Code:
tcp        0      1 MY.SERVER.IP.ADDRESS:47600         178.79.140.52:4506          SYN_SENT    7800/python2.7
 

cPanelLauren

Hi @DigitalEssence

So that tells us that python is the service and the PID is 7800 (or was at the time).

You'd have to look further into the PID if you're not sure what's using python:

lsof will give you files opened by the process:

Code:
lsof -p PID

ps will get you a snapshot of the process:

Code:
ps faux |grep PID
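
An added example, not part of the original posts: the blocked connection only sits in SYN_SENT briefly, so it helps to first summarise the log lines themselves by destination, destination port and owning UID (the UID= field in the quoted message), then run the netstat filter above against the busiest destination. The function names and the sample lines (documentation-range addresses) are constructed for illustration.

```shell
#!/bin/sh
# Summarise "*TCP_OUT Blocked*" kernel log lines, in the format quoted in
# the question, by destination, destination port and owning UID.

summarise_tcp_out() {
    # Reads syslog lines on stdin; prints "count dst dpt uid", busiest first.
    awk '
        /\*TCP_OUT Blocked\*/ {
            dst = dpt = uid = "-"
            for (i = 1; i <= NF; i++) {
                if      ($i ~ /^DST=/) dst = substr($i, 5)
                else if ($i ~ /^DPT=/) dpt = substr($i, 5)
                else if ($i ~ /^UID=/) uid = substr($i, 5)
            }
            seen[dst " " dpt " " uid]++
        }
        END { for (k in seen) print seen[k], k }
    ' | sort -k1,1nr -k2
}

# Constructed sample input: three blocks to one host, one to another,
# and one inbound line that must be ignored.
sample_log() {
    cat <<'EOF'
Jun 11 13:08:10 squirrel kernel: [59327.411526] Firewall: *TCP_OUT Blocked* IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1837 DF PROTO=TCP SPT=52852 DPT=4506 WINDOW=14600 RES=0x00 SYN URGP=0 UID=0 GID=0
Jun 11 13:08:11 squirrel kernel: [59328.411900] Firewall: *TCP_OUT Blocked* IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1838 DF PROTO=TCP SPT=52852 DPT=4506 WINDOW=14600 RES=0x00 SYN URGP=0 UID=0 GID=0
Jun 11 13:08:13 squirrel kernel: [59330.412310] Firewall: *TCP_OUT Blocked* IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1839 DF PROTO=TCP SPT=52852 DPT=4506 WINDOW=14600 RES=0x00 SYN URGP=0 UID=0 GID=0
Jun 11 13:09:02 squirrel kernel: [59379.100042] Firewall: *TCP_OUT Blocked* IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2201 DF PROTO=TCP SPT=40112 DPT=25 WINDOW=14600 RES=0x00 SYN URGP=0 UID=1001 GID=1001
Jun 11 13:09:30 squirrel kernel: [59407.220011] Firewall: *TCP_IN Blocked* IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=54321 PROTO=TCP SPT=44321 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
EOF
}

# Demo on the constructed sample; on a server, feed the real log instead:
#   summarise_tcp_out < /var/log/messages
sample_log | summarise_tcp_out
```

A UID of 0 in the summary means the socket belongs to a root-owned process, which matches the python2.7 process found with netstat in the thread.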