NOTE: Thanks for suggesting answers. I'm having a look at them but the main issue (as stated below) is that outbound iptables hide information from tools like netstat and auditd. I need to look at stap though (and I can't open the firewall to experiment, I'm afraid).
I have an Ubuntu 22.04 server on which an iptables firewall is dropping intermittent outbound connections on port 80 to disallowed IP addresses.
How do I tell what process is attempting the connections? I have read "iptable block outbound traffic for which binary?" and created a script that runs the relevant lookups when blocks occur in the logs.
But as far as I can tell, fuser and netstat aren't showing the connections to the IPs being logged - they only seem to show connections that are not being blocked (I think this may be expected behaviour for outbound iptables rules).
iptables -I OUTPUT -p udp --dport 5555. auditctl -a exit,always -F arch=b64 -F a2=1 -S sendto -k SENDTO to trace any sendto having only 1-byte payload. Run echo '' | socat udp4-sendto:192.0.2.2:5554 - (=> success) and echo '' | socat udp4-sendto:192.0.2.2:5555 - (=> EPERM). Use ausearch -i -ts today -k SENDTO | grep socat and witness both are captured. One with success=yes exit=1 and one with success=no exit=EPERM(Operation not permitted) (if auditd.conf includes log_format = ENRICHED): so auditd does capture both. – A.B Mar 24 '24 at 19:24
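The comment above shows that auditd records the blocked sendto together with the calling process; what is left for the asker is to tie those audit events back to the iptables log lines that report the drops. The script below is an added example, not code from the question's author or from A.B: it parses constructed ausearch -i style records (a SYSCALL record plus its SOCKADDR record, grouped by the event serial), keeps the sendto/connect events that carry a destination, and joins one iptables LOG line to them by DST and DPT so that the pid, comm and exe behind a logged drop are printed. All sample values, the LOG prefix "OUTBLOCK" and the process names are made up; the field layout follows the interpreted audit format but was not taken from the page. For the asker's TCP port 80 case the audit rule from the comment would also need -S connect (and no -F a2=1 filter), since the blocked traffic there is a TCP handshake rather than a one-byte UDP datagram.

```python
import re

# Constructed sample of `ausearch -i` output (interpreted fields, as with
# log_format = ENRICHED). Event 101: a sendto the OUTPUT chain allowed.
# Event 102: a sendto the OUTPUT chain dropped, so sendto() returned EPERM.
# Hypothetical values; only the field names follow the audit record format.
SAMPLE_AUDIT = """\
type=SOCKADDR msg=audit(03/24/2024 19:20:01.100:101) : saddr={ saddr_fam=inet laddr=192.0.2.2 lport=5554 }
type=SYSCALL msg=audit(03/24/2024 19:20:01.100:101) : arch=x86_64 syscall=sendto success=yes exit=1 a0=0x5 a1=0x7ffd0 a2=0x1 a3=0x0 items=0 ppid=1200 pid=1201 auid=alice uid=alice comm=socat exe=/usr/bin/socat key=SENDTO
type=SOCKADDR msg=audit(03/24/2024 19:20:03.200:102) : saddr={ saddr_fam=inet laddr=192.0.2.2 lport=5555 }
type=SYSCALL msg=audit(03/24/2024 19:20:03.200:102) : arch=x86_64 syscall=sendto success=no exit=EPERM(Operation not permitted) a0=0x5 a1=0x7ffd0 a2=0x1 a3=0x0 items=0 ppid=1200 pid=1202 auid=alice uid=alice comm=socat exe=/usr/bin/socat key=SENDTO
"""

# Constructed kernel log line from a hypothetical iptables LOG rule
# (--log-prefix "OUTBLOCK ") on the OUTPUT chain, matching event 102.
SAMPLE_IPTABLES_LOG = ("Mar 24 19:20:03 host kernel: OUTBLOCK IN= OUT=eth0 "
                       "SRC=203.0.113.10 DST=192.0.2.2 LEN=29 PROTO=UDP SPT=41234 DPT=5555")

RECORD_RE = re.compile(r"^type=(\w+) msg=audit\(([^)]*)\) : (.*)$")
# key=value pairs; a value may carry a parenthesised suffix containing spaces,
# e.g. exit=EPERM(Operation not permitted)
FIELD_RE = re.compile(r"(\w+)=([^\s(]+(?:\([^)]*\))?)")


def parse_audit(text):
    """Group SYSCALL and SOCKADDR records by audit event serial.

    Returns a dict serial -> merged fields: the interesting SYSCALL fields
    plus the destination taken from the SOCKADDR record as 'dst'/'dport'.
    """
    events = {}
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue
        rtype, stamp, body = m.groups()
        time, serial = stamp.rsplit(":", 1)
        fields = dict(FIELD_RE.findall(body))
        ev = events.setdefault(serial, {"serial": serial, "time": time})
        if rtype == "SYSCALL":
            for k in ("syscall", "success", "exit", "pid", "ppid", "comm", "exe", "key"):
                ev[k] = fields.get(k)
        elif rtype == "SOCKADDR" and fields.get("saddr_fam") in ("inet", "inet6"):
            ev["dst"] = fields.get("laddr")
            ev["dport"] = fields.get("lport")
    return events


def outbound_attempts(text):
    """List audited sendto/connect events that carry a destination, oldest
    first, so a blocked attempt can be tied to its pid/comm/exe."""
    evs = [e for e in parse_audit(text).values()
           if e.get("syscall") in ("sendto", "connect") and e.get("dst")]
    return sorted(evs, key=lambda e: int(e["serial"]))


def match_iptables_log(logline, attempts):
    """Join one iptables LOG line to audit events by destination IP and port.

    Matches on any success value on purpose: a blocking TCP connect() whose
    SYN is dropped usually times out later instead of failing with EPERM,
    so filtering on success=no would hide exactly the asker's case.
    """
    dst = re.search(r"\bDST=(\S+)", logline)
    dpt = re.search(r"\bDPT=(\d+)", logline)
    if not (dst and dpt):
        return []
    return [e for e in attempts
            if e["dst"] == dst.group(1) and e["dport"] == dpt.group(1)]


if __name__ == "__main__":
    attempts = outbound_attempts(SAMPLE_AUDIT)
    for e in match_iptables_log(SAMPLE_IPTABLES_LOG, attempts):
        print(f"{e['time']} pid={e['pid']} comm={e['comm']} exe={e['exe']} "
              f"{e['syscall']} -> {e['dst']}:{e['dport']} exit={e['exit']}")
```

On a real host, feed the script the output of ausearch -i -k SENDTO narrowed with -ts/-te to the minute of the logged drop; joining on destination alone is enough here because the sample has one event per destination, whereas a busy destination needs the time window as well.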