NOTE: Thanks for suggesting answers. I'd dispute this is actually a duplicate, but hey. The main issue (as stated below) which the suggested answers don't seem to address is that outbound iptables hide information from tools like netstat and auditd. I need to look at stap though (and I can't open the firewall to experiment, I'm afraid).


I have an Ubuntu 22.04 server on which an iptables firewall is dropping intermittent outbound connections on port 80 to disallowed IP addresses.

How do I tell what process is attempting the connections? I have read "iptable block outbound traffic for which binary?" and created a script that runs the relevant lookups when blocks occur in the logs.

But as far as I can tell, fuser and netstat aren't showing the connections to the IPs being logged - they only seem to show connections that are not being blocked (I think this may be expected behaviour for outbound iptables rules).
