  1. #1 (Just Joined! | Join Date: Mar 2004 | Posts: 3)

    Strange packets trying to leave network with ipchains


    Hey everyone, I recently upgraded from a lrp firewall to a real computer running debian-stable (woody). I'm using it to masquerade a few boxes, with cable modem service. I set everything up, it works fine.
    1. I'm getting the following entries in syslog. What's causing it to try to talk to local network IPs on the outside interface (eth1)?

    Mar 3 15:48:01 uknowwhat kernel: Packet log: output REJECT eth1 PROTO=17 68.38.my.ip:64473 192.168.0.112:15755 L=99 S=0x00 I=55901 F=0x0000 T=127 (#2)

    Mar 3 16:04:21 uknowwhat kernel: Packet log: output REJECT eth1 PROTO=17 68.38.my.ip:64526 192.168.0.1:1412 L=133 S=0x00 I=59280 F=0x0000 T=127 (#2)

    Mar 3 17:47:21 uknowwhat kernel: Packet log: output REJECT eth1 PROTO=17 68.38.my.ip:64918 192.168.1.77:25721 L=203 S=0x00 I=30327 F=0x0000 T=127 (#2)

    Mar 3 16:35:13 uknowwhat kernel: Packet log: output REJECT eth1 PROTO=17 68.38.my.ip:64662 192.168.0.2:19055 L=145 S=0x00 I=4531 F=0x0000 T=127 (#2)

    BTW, the destination internal ips don't exist on the internal network, which makes this very strange.

    My forwarding/output firewall rules (ipchains) are below:

    # output rules
    #
    /sbin/ipchains -F output
    /sbin/ipchains -P output REJECT

    # local interface, any source to local net is OK
    /sbin/ipchains -A output -i $intint -s 0.0.0.0/0 -d $intnet -j ACCEPT

    # outgoing to local net on remote interface deny <-- this is catching the packets
    /sbin/ipchains -A output -i $extint -s 0.0.0.0/0 -d $intnet $log -j REJECT

    # outgoing from local net on remote interface, stuffed masquerading, deny
    /sbin/ipchains -A output -i $extint -s $intnet -d 0.0.0.0/0 $log -j REJECT

    # remote interface, any source, going to external IP, valid
    /sbin/ipchains -A output -i $extint -s $extip/32 -d 0.0.0.0/0 -j ACCEPT

    # loopback ... valid
    /sbin/ipchains -A output -i lo -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT

    # catch-all, deny and log
    /sbin/ipchains -A output -s 0.0.0.0/0 -d 0.0.0.0/0 $log -j REJECT

    # forwarding
    #
    /sbin/ipchains -F forward
    /sbin/ipchains -P forward DENY

    # Winblows
    ipchains -A forward -p UDP --dport netbios-ns:netbios-ssn -j DENY

    # masquerade
    #
    /sbin/ipchains -A forward -i $extint -s $intnet -d 0.0.0.0/0 -j MASQ

    # catch-all
    /sbin/ipchains -A forward -s 0.0.0.0/0 -d 0.0.0.0/0 $log -j REJECT


    Any ideas?

  2. #2 (Just Joined! | Join Date: Feb 2004 | Posts: 4)
    let me have a guess. somebody using kazaa?

  3. #3 (Just Joined! | Join Date: Mar 2004 | Posts: 3)
    Nope. There really aren't many things running that use the internet. Except for some casual websurfing, ftp, ssh. Let me know if you have any more ideas. Thanks.

    What fascinates me the most is that the source IPs it's trying to contact don't exist. At this point, I'm not really too worried about this but I'd still like to get to the bottom of it.

  4. #4 (Just Joined! | Join Date: Feb 2004 | Posts: 4)
    alright...

    proto=17 means it's a UDP packet. i have to guess again, might be a worm scanning your net or so.

    if u have the possibility, try switching off your computers one by one and check the log (use "tail -f /var/log/messages" for a continuous view of your log) to see if the traffic stops.

    post your results, i'm getting interested.

  5. #5 (Just Joined! | Join Date: Mar 2004 | Posts: 3)
    Well, I said I wasn't using kazaa, but I was running DC++. I switched it off, and magically the packets disappeared. There were never more than a few packets caught, so I'll keep an eye out.. I also added the following firewalling rule:

    /sbin/ipchains -A forward -s $intnet -d $intnet -j REJECT

    Let me know if that makes sense. Thanks.

  6. #6 (Just Joined! | Join Date: Feb 2004 | Posts: 4)
    yeah, that's what i do as well. denying incoming cons to establish. doing so is important to harden your firewall.

    by the way, i forgot: if u do not define any exceptions, those apps depending on incoming cons won't work. i don't know, but for dc++ it might be useful to upload, or not?
