  1. #1
    Just Joined!
    Join Date
    Aug 2011
    Posts
    3

    Help with a logged packet


    Beefing up my firewall after reading some articles, I placed a rule to log and drop any packet coming in on my external interface with my IP as a destination. I did not think anything would show up (at least not from the external world) but I got multiple packets logged from 146.82.202.176 and 68.142.213.143 of the following form:
    Code:
    Firewalled: 192.168.1.7 IN=wlan0 OUT= MAC=a0:88:b4:9e:68:58:00:21:29:a5:86:4d:08:00 SRC=68.142.213.143 DST=192.168.1.7 LEN=40 TOS=0x00 PREC=0x20 TTL=189 ID=65206 DF PROTO=TCP SPT=80 DPT=46521 WINDOW=0 RES=0x00 RST URGP=1
    What I cannot figure out is how these packets were routed. I am behind a NAT and the private IP (my address) that was used as the destination should not be reachable. How would one craft a packet to do this? And should I be concerned?

    Also, the rule that drops packets with my IP as the destination comes after the rule allowing all established packets through.

    Thanks
    Last edited by dpatte; 08-07-2011 at 03:31 PM.

  2. #2
    Linux Guru Lazydog's Avatar
    Join Date
    Jun 2004
    Location
    The Keystone State
    Posts
    2,677
    Do you provide services to the internet? If so then that is how they get to your firewall. As a packet for your public IP reaches the NAT box it is being NATted to your private address space. Thus your firewall is on 192.168.1.7 and traffic that needs to get to your network must be NATted and then passed onto your firewall.

    I would also check your wireless and see who all is connected to it too.

    Regards
    Robert

    Linux
    The adventure of a life time.

    Linux User #296285
    Get Counted

  3. #3
    Just Joined!
    Join Date
    Aug 2011
    Posts
    3
    Thanks for the reply. That makes sense being NATed. I am going to put a hub up in front of my router and see if I can catch a packet coming in before it's NATed. I looked at the time of the packets and it is generally when I am on a webpage, and of course the source port is always 80 or 443. However, as I mentioned above, I allow packets related to already created sessions on my part, so these appear to be packets that originate at the server - I did not think web servers would try to initiate connections. Just got one from 66.220.151.88; whois reports it is owned by Facebook. I tried browsing to the IP and got a 403 Forbidden - but did get that the server is nginx, which I thought was a Russian server. Any ideas?

  4. #4
    Linux Guru Lazydog's Avatar
    Join Date
    Jun 2004
    Location
    The Keystone State
    Posts
    2,677
    If you are not providing any services to the internet then you just need to shut off forwarding on your NAT router. This would stop new connections from the internet.

    Regards
    Robert

    Linux
    The adventure of a life time.

    Linux User #296285
    Get Counted

  5. #5
    Just Joined!
    Join Date
    Aug 2011
    Posts
    3
    Thanks, will do
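
For readers triaging a line like the one logged in the first post, here is an added example (not posted by anyone in the thread) that splits a netfilter LOG line into its fields and TCP flags and separates connection attempts (SYN without ACK) from segments that cannot open a connection, such as the RST shown above. The function names and labels are hypothetical, and the second sample line is constructed.

```python
import re

# Flag words the netfilter LOG target prints between RES= and URGP=.
TCP_FLAGS = {"CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN"}

# The line from the first post, verbatim.
PAGE_LINE = ("Firewalled: 192.168.1.7 IN=wlan0 OUT= "
             "MAC=a0:88:b4:9e:68:58:00:21:29:a5:86:4d:08:00 SRC=68.142.213.143 "
             "DST=192.168.1.7 LEN=40 TOS=0x00 PREC=0x20 TTL=189 ID=65206 DF "
             "PROTO=TCP SPT=80 DPT=46521 WINDOW=0 RES=0x00 RST URGP=1")

# Constructed sample (documentation address), not taken from the thread.
SYN_LINE = ("Firewalled: 192.168.1.7 IN=wlan0 OUT= SRC=203.0.113.5 "
            "DST=192.168.1.7 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4112 DF "
            "PROTO=TCP SPT=51514 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0")


def parse_log_line(line):
    """Return (KEY=value fields, set of TCP flag words) for one LOG line."""
    fields = dict(re.findall(r"\b([A-Z]+)=(\S*)", line))
    # Only scan for flag words after RES= so the log prefix cannot match.
    tail = line.split(" RES=", 1)[1] if " RES=" in line else ""
    flags = {tok for tok in tail.split() if tok in TCP_FLAGS}
    return fields, flags


def classify(line):
    """Label a logged packet by whether its flags can open a TCP connection."""
    fields, flags = parse_log_line(line)
    if fields.get("PROTO") != "TCP":
        return "not-tcp"
    if "SYN" in flags and "ACK" not in flags:
        return "new-connection-attempt"
    if "RST" in flags:
        return "reset-not-a-connection-attempt"
    return "segment-not-a-connection-attempt"


if __name__ == "__main__":
    for line in (PAGE_LINE, SYN_LINE):
        fields, flags = parse_log_line(line)
        print(fields["SRC"], fields["SPT"], "->", fields["DPT"],
              sorted(flags), classify(line))
```
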
