iptables help needed

Simon Slater pyevet at aapt.net.au
Wed Jun 4 23:33:25 UTC 2008


On Wed, 2008-06-04 at 19:31 +0200, François Patte wrote:
> 
> On 04.06.2008 14:05, Simon Slater wrote:
> | On Wed, 2008-06-04 at 10:05 +0200, François Patte wrote:
> |> On 04.06.2008 01:03, Simon Slater wrote:
> |
> | These are the type of logs now.  None of these are appearing in timing
> | with requests to the Internet from the laptop:
> |
> | [root at ipex ~]# tail  /var/log/messages
> | Jun  4 21:41:35 ipex kernel: [IPTABLES DROP] : IN=ppp0 OUT= MAC=
> | SRC=203.185.178.251 DST=59.101.218.205 LEN=48 TOS=0x00 PREC=0x00 TTL=104
> | ID=5893 DF PROTO=TCP SPT=63507 DPT=26958 WINDOW=8192 RES=0x00 SYN URGP=0
> | Jun  4 21:41:38 ipex kernel: [IPTABLES DROP] : IN=ppp0 OUT= MAC=
> | SRC=203.185.178.251 DST=59.101.218.205 LEN=48 TOS=0x00 PREC=0x00 TTL=104
> | ID=5938 DF PROTO=TCP SPT=63507 DPT=26958 WINDOW=8192 RES=0x00 SYN URGP=0
> 
> Someone in Tahiti is scanning your computer.... No danger though!
I need to learn more about regular security checks and firewalling
before we get a DSL line. I spotted that IP, didn't know where it came
from, but at the moment I don't know what is dangerous & what isn't.
Any pointers to good reading?
> 
> | [root at ipex ~]#
> |
> | However, when request to the Internet from the desktop:
> |
> | Jun  4 21:59:31 ipex kernel: [IPTABLES MASQ]IN= OUT=ppp0
> | SRC=59.101.218.205 DST=203.63.53.112 LEN=60 TOS=0x00 PREC=0x00 TTL=64
> | ID=3672 DF PROTO=TCP SPT=48673 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
> 
> no problem here: every packet escaping from your desktop uses the
> "postrouting" chain.... And is logged by the rule.
> 
> What is strange: we never see any request from the laptop: we should see
> some logged packets with SRC=laptop IP (192.168.0.6 as you said). What
> is the IP of eth0 on your desktop? (ifconfig -a)
[root at ipex ~]# ifconfig -a
eth0      Link encap:Ethernet  HWaddr 00:10:5A:62:2A:A5
          inet addr:192.168.0.3  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::210:5aff:fe62:2aa5/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:656494 errors:0 dropped:0 overruns:0 frame:0
          TX packets:643373 errors:0 dropped:0 overruns:0 carrier:0
          collisions:170 txqueuelen:1000
          RX bytes:742986447 (708.5 MiB)  TX bytes:58456211 (55.7 MiB)
          Interrupt:10 Base address:0xa000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:172887 errors:0 dropped:0 overruns:0 frame:0
          TX packets:172887 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:13734343 (13.0 MiB)  TX bytes:13734343 (13.0 MiB)

ppp0      Link encap:Point-to-Point Protocol
          inet addr:59.101.168.194  P-t-P:210.8.1.253  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:2495 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2785 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3
          RX bytes:745377 (727.9 KiB)  TX bytes:231918 (226.4 KiB)

sit0      Link encap:IPv6-in-IPv4
          NOARP  MTU:1480  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

[root at ipex ~]#  

The fact that no http requests appear on the desktop is the funny
thing.  That's why I started looking on the laptop side with Wireshark.
Here's a tcpdump from the desktop side when the laptop makes an
Internet request:

[root at ipex ~]# tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
09:27:07.948798 IP ipex.local.ipp > 192.168.0.255.ipp: UDP, length 180
09:27:10.858982 arp who-has ipex.local tell acer.local
09:27:10.859174 arp reply ipex.local is-at 00:10:5a:62:2a:a5 (oui Unknown)
09:27:10.859317 IP acer.local.47327 > ipex.local.http: S 2804202937:2804202937(0) win 5840 <mss 1460,sackOK,timestamp 281565 0,nop,wscale 5>
09:27:10.859702 IP ipex.local.http > acer.local.47327: R 0:0(0) ack 2804202938 win 0
09:27:15.858221 arp who-has acer.local tell ipex.local
09:27:15.858400 arp reply acer.local is-at 00:16:d3:e3:69:30 (oui Unknown)
09:27:38.949941 IP ipex.local.ipp > 192.168.0.255.ipp: UDP, length 180

8 packets captured
16 packets received by filter
0 packets dropped by kernel
[root at ipex ~]# tail  /var/log/messages
Jun  5 09:16:35 ipex kernel: [IPTABLES DROP] : IN=ppp0 OUT= MAC=
SRC=125.211.218.58 DST=59.101.168.194 LEN=404 TOS=0x00 PREC=0x00 TTL=109
ID=28197 PROTO=UDP SPT=1216 DPT=1434 LEN=384
Jun  5 09:19:04 ipex kernel: [IPTABLES MASQ]IN= OUT=ppp0
SRC=59.101.168.194 DST=203.8.183.1 LEN=62 TOS=0x00 PREC=0x00 TTL=64
ID=45556 DF PROTO=UDP SPT=34144 DPT=53 LEN=42
Jun  5 09:19:05 ipex kernel: [IPTABLES MASQ]IN= OUT=ppp0
SRC=59.101.168.194 DST=210.10.73.252 LEN=60 TOS=0x00 PREC=0x00 TTL=64
ID=13005 DF PROTO=TCP SPT=55113 DPT=110 WINDOW=5840 RES=0x00 SYN URGP=0
Jun  5 09:27:01 ipex kernel: eth0: Setting promiscuous mode.
Jun  5 09:27:01 ipex kernel: device eth0 entered promiscuous mode
Jun  5 09:27:01 ipex kernel: audit(1212622021.463:47): dev=eth0 prom=256
old_prom=0 auid=4294967295
Jun  5 09:27:07 ipex kernel: [IPTABLES MASQ]IN= OUT=ppp0
SRC=59.101.168.194 DST=203.8.183.1 LEN=72 TOS=0x00 PREC=0x00 TTL=64
ID=4560 DF PROTO=UDP SPT=34144 DPT=53 LEN=52
Jun  5 09:27:12 ipex kernel: [IPTABLES DROP] : IN=ppp0 OUT= MAC=
SRC=166.111.86.250 DST=59.101.168.194 LEN=404 TOS=0x00 PREC=0x00 TTL=105
ID=26754 PROTO=UDP SPT=3650 DPT=1434 LEN=384
Jun  5 09:27:41 ipex kernel: device eth0 left promiscuous mode
Jun  5 09:27:41 ipex kernel: audit(1212622061.185:48): dev=eth0 prom=0
old_prom=256 auid=4294967295
[root at ipex ~]#  

I closed down the browsers on the desktop to remove any extra traffic.
This is typical of what happens when requesting the Internet from the
laptop.  Looks like someone else is scanning this box.  Hope this helps.


-- 
Regards,
Simon
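As an added example (not from the thread or from either poster), a small Python parser for the `[IPTABLES DROP]` / `[IPTABLES MASQ]` kernel log lines shown above. It does the two checks François describes: tally what is being dropped on ppp0 per external source and destination port, and list which LAN addresses actually reach the MASQ (POSTROUTING) LOG rule, so a missing 192.168.0.6 stands out. The sample log lines and addresses are constructed (RFC 5737 ranges); only the format follows the thread.

```python
import re
from collections import Counter

# Constructed sample in the "[IPTABLES DROP]" / "[IPTABLES MASQ]" format the
# thread shows. Addresses are documentation ranges (RFC 5737), not real peers;
# 192.168.0.6 stands in for the laptop the thread mentions.
SAMPLE_LOG = """\
Jun  5 09:16:35 ipex kernel: [IPTABLES DROP] : IN=ppp0 OUT= MAC= SRC=203.0.113.7 DST=198.51.100.9 LEN=404 TOS=0x00 PREC=0x00 TTL=109 ID=28197 PROTO=UDP SPT=1216 DPT=1434 LEN=384
Jun  5 09:16:38 ipex kernel: [IPTABLES DROP] : IN=ppp0 OUT= MAC= SRC=203.0.113.7 DST=198.51.100.9 LEN=404 TOS=0x00 PREC=0x00 TTL=109 ID=28212 PROTO=UDP SPT=1216 DPT=1434 LEN=384
Jun  5 09:19:04 ipex kernel: [IPTABLES MASQ]IN= OUT=ppp0 SRC=198.51.100.9 DST=203.0.113.53 LEN=62 TOS=0x00 PREC=0x00 TTL=64 ID=45556 DF PROTO=UDP SPT=34144 DPT=53 LEN=42
Jun  5 09:20:01 ipex kernel: [IPTABLES MASQ]IN= OUT=ppp0 SRC=192.168.0.6 DST=203.0.113.80 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1001 DF PROTO=TCP SPT=40000 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Jun  5 09:27:01 ipex kernel: eth0: Setting promiscuous mode.
"""

TAG_RE = re.compile(r"\[IPTABLES (?P<tag>[A-Z]+)\]\s*:?\s*(?P<fields>.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S*)")   # KEY=value pairs; bare flags (DF, SYN) are skipped

def parse_line(line):
    """Return {'tag': 'DROP'|'MASQ', 'IN': ..., 'SRC': ..., ...} or None."""
    m = TAG_RE.search(line)
    if not m:
        return None                      # not an iptables LOG line (e.g. the promisc notice)
    rec = {"tag": m.group("tag")}
    for key, val in FIELD_RE.findall(m.group("fields")):
        rec.setdefault(key, val)         # LEN appears twice (IP, then UDP); keep the IP one
    return rec

def parse_log(text):
    return [r for r in map(parse_line, text.splitlines()) if r]

def dropped_inbound(recs):
    """Count DROP entries per (SRC, PROTO, DPT): what is knocking from outside."""
    return Counter((r["SRC"], r["PROTO"], r["DPT"]) for r in recs if r["tag"] == "DROP")

def lan_sources_seen(recs, lan_prefix="192.168.0."):
    """LAN hosts whose packets reached the MASQ (POSTROUTING on ppp0) LOG rule.
    A LAN host absent from this list had nothing forwarded out ppp0 in the log window."""
    return sorted({r["SRC"] for r in recs if r["tag"] == "MASQ" and r["SRC"].startswith(lan_prefix)})

def repeat_offenders(recs, min_hits=2):
    """External sources that hit the same closed port more than once."""
    return sorted(src for (src, _, _), n in dropped_inbound(recs).items() if n >= min_hits)

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("inbound drops :", dict(dropped_inbound(recs)))
    print("LAN sources   :", lan_sources_seen(recs))
    print("repeat sources:", repeat_offenders(recs))
```

Run it over a real `/var/log/messages` by replacing `SAMPLE_LOG` with the file contents; the LAN prefix is a parameter because the thread's subnet (192.168.0.0/24) will differ elsewhere.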