03-15-2004 #1 (Just Joined!, Join Date: Mar 2004, Posts: 3)
Strange packets trying to leave network with ipchains
Hey everyone, I recently upgraded from a lrp firewall to a real computer running debian-stable (woody). I'm using it to masquerade a few boxes, with cable modem service. I set everything up, it works fine.
1. I'm getting the following entries in syslog. What's causing it to try to talk to local network IPs on the outside interface (eth1)?
Mar 3 15:48:01 uknowwhat kernel: Packet log: output REJECT eth1 PROTO=17 68.38.my.ip:64473 192.168.0.112:15755 L=99 S=0x00 I=55901 F=0x0000 T=127 (#2)
Mar 3 16:04:21 uknowwhat kernel: Packet log: output REJECT eth1 PROTO=17 68.38.my.ip:64526 192.168.0.1:1412 L=133 S=0x00 I=59280 F=0x0000 T=127 (#2)
Mar 3 17:47:21 uknowwhat kernel: Packet log: output REJECT eth1 PROTO=17 68.38.my.ip:64918 192.168.1.77:25721 L=203 S=0x00 I=30327 F=0x0000 T=127 (#2)
Mar 3 16:35:13 uknowwhat kernel: Packet log: output REJECT eth1 PROTO=17 68.38.my.ip:64662 192.168.0.2:19055 L=145 S=0x00 I=4531 F=0x0000 T=127 (#2)
BTW, the destination internal ips don't exist on the internal network, which makes this very strange.
My forwarding/output firewall rules (ipchains) are below:
# output rules
#
/sbin/ipchains -F output
/sbin/ipchains -P output REJECT
# local interface, any source to local net is OK
/sbin/ipchains -A output -i $intint -s 0.0.0.0/0 -d $intnet -j ACCEPT
# outgoing to local net on remote interface deny <-- this is catching the packets
/sbin/ipchains -A output -i $extint -s 0.0.0.0/0 -d $intnet $log -j REJECT
# outgoing from local net on remote interface, stuffed masquerading, deny
/sbin/ipchains -A output -i $extint -s $intnet -d 0.0.0.0/0 $log -j REJECT
# remote interface, any source, going to external IP, valid
/sbin/ipchains -A output -i $extint -s $extip/32 -d 0.0.0.0/0 -j ACCEPT
# loopback ... valid
/sbin/ipchains -A output -i lo -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT
# catch-all, deny and log
/sbin/ipchains -A output -s 0.0.0.0/0 -d 0.0.0.0/0 $log -j REJECT
# forwarding
#
/sbin/ipchains -F forward
/sbin/ipchains -P forward DENY
# Winblows
ipchains -A forward -p UDP --dport netbios-ns:netbios-ssn -j DENY
# masquerade
#
/sbin/ipchains -A forward -i $extint -s $intnet -d 0.0.0.0/0 -j MASQ
# catch-all
/sbin/ipchains -A forward -s 0.0.0.0/0 -d 0.0.0.0/0 $log -j REJECT
Any ideas?
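Added example (not code from the thread): a small Python parser for these ipchains "Packet log:" lines that flags packets leaving the external interface for an RFC 1918 destination and reports which chain rule caught them (the trailing "(#N)" is the rule's position in that chain, here rule 2 of the output chain). The first four sample lines are the ones posted above with the source still redacted; the fifth is constructed to show a packet on the inside interface being ignored.

```python
import ipaddress
import re
from collections import Counter

# ipchains "Packet log:" layout; the trailing (#N) is the matching rule's position in the chain:
#   <chain> <target> <iface> PROTO=<n> <src>:<sport> <dst>:<dport> L=<len> S=<tos> I=<id> F=<frag> T=<ttl> (#<rule>)
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\w+) (?P<target>\w+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>\S+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<len>\d+) S=(?P<tos>\S+) I=(?P<id>\d+) F=(?P<frag>\S+) T=(?P<ttl>\d+) \(#(?P<rule>\d+)\)"
)
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}

# Constructed sample: the four lines from the thread (source redacted as in the post)
# plus one made-up line on the inside interface (eth0), which must not be reported.
SAMPLE_LOG = """\
Mar 3 15:48:01 uknowwhat kernel: Packet log: output REJECT eth1 PROTO=17 68.38.my.ip:64473 192.168.0.112:15755 L=99 S=0x00 I=55901 F=0x0000 T=127 (#2)
Mar 3 16:04:21 uknowwhat kernel: Packet log: output REJECT eth1 PROTO=17 68.38.my.ip:64526 192.168.0.1:1412 L=133 S=0x00 I=59280 F=0x0000 T=127 (#2)
Mar 3 17:47:21 uknowwhat kernel: Packet log: output REJECT eth1 PROTO=17 68.38.my.ip:64918 192.168.1.77:25721 L=203 S=0x00 I=30327 F=0x0000 T=127 (#2)
Mar 3 16:35:13 uknowwhat kernel: Packet log: output REJECT eth1 PROTO=17 68.38.my.ip:64662 192.168.0.2:19055 L=145 S=0x00 I=4531 F=0x0000 T=127 (#2)
Mar 3 16:40:00 uknowwhat kernel: Packet log: output ACCEPT eth0 PROTO=6 192.168.0.5:1025 192.168.0.1:22 L=60 S=0x00 I=100 F=0x4000 T=64 (#1)
"""

def parse_line(line):
    """Return the log fields as a dict, or None if the line is not a packet log entry."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    entry = m.groupdict()
    for key in ("proto", "sport", "dport", "len", "id", "ttl", "rule"):
        entry[key] = int(entry[key])
    entry["proto_name"] = PROTO_NAMES.get(entry["proto"], str(entry["proto"]))
    return entry

def is_private_leak(entry, ext_iface="eth1"):
    """True for a packet leaving on the external interface towards an RFC 1918 address."""
    return entry["iface"] == ext_iface and ipaddress.ip_address(entry["dst"]).is_private

def analyse(log_text, ext_iface="eth1"):
    """Summarise the private-destination egress attempts found in log_text."""
    entries = (parse_line(line) for line in log_text.splitlines())
    leaks = [e for e in entries if e is not None and is_private_leak(e, ext_iface)]
    return {
        "count": len(leaks),
        "rules_hit": sorted({(e["chain"], e["rule"]) for e in leaks}),
        "protocols": sorted({e["proto_name"] for e in leaks}),
        "by_dst": Counter(e["dst"] for e in leaks),
    }
```

Running `analyse(SAMPLE_LOG)` reports four UDP hits, all caught by rule 2 of the output chain, one per destination; pipe `tail -f /var/log/messages` into the same parser to watch live.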
03-23-2004 #2 (Just Joined!, Join Date: Feb 2004, Posts: 4)
Let me have a guess. Somebody using Kazaa?
03-23-2004 #3 (Just Joined!, Join Date: Mar 2004, Posts: 3)
Nope. There really aren't many things running that use the internet. Except for some casual websurfing, ftp, ssh. Let me know if you have any more ideas. Thanks.
What fascinates me the most is that the source IPs it's trying to contact don't exist. At this point, I'm not really too worried about this, but I'd still like to get to the bottom of it.
03-24-2004 #4 (Just Joined!, Join Date: Feb 2004, Posts: 4)
All right...
PROTO=17 means it's a UDP packet. I have to guess again; it might be a worm scanning your net or so.
If you have the possibility, try switching off your computers one by one and check the log (use "tail -f /var/log/messages" for a continuous view of your log) to see if the traffic stops.
Post your results, I'm getting interested.
03-24-2004 #5 (Just Joined!, Join Date: Mar 2004, Posts: 3)
Well, I said I wasn't using Kazaa, but I was running DC++. I switched it off, and magically the packets disappeared. There were never more than a few packets caught, so I'll keep an eye out. I also added the following firewalling rule:
/sbin/ipchains -A forward -s $intnet -d $intnet -j REJECT
Let me know if that makes sense. Thanks.
03-25-2004 #6 (Just Joined!, Join Date: Feb 2004, Posts: 4)
Yeah, that's what I do as well: denying incoming connections from being established. Doing so is important to harden your firewall.
By the way, I forgot: if you do not define any exceptions, those apps depending on incoming connections won't work. I don't know, but for DC++ it might be useful for uploading, or not?