
BLU Discuss list archive



192.168 packets from the outside???



I was going through my logwatch reports like a good little sysadmin, and I 
found something very unusual in there.  I saw packets from 192.168.11.85 
coming in on eth0 (my DSL connection to the outside world).  I thought that 
was a nonroutable address, so I was wondering how that was even possible.  
Could it have been source-routed packets?  My ipchains firewall has rules for 
both nonroutable addresses and source-routed packets, so I don't know.

I profess that the majority of the tcpdump-like/syslog-like packet reports 
mystifies me.  I just don't know what all the mnemonics stand for.  I 
understand the whole syn/ack thing, though.

messages:Jun 24 23:38:28 uni kernel: Packet log: input DENY eth0 PROTO=6 
192.168.11.85:80 66.92.68.235:7878 L=52 S=0x00 I=45012 F=0x4000 T=44 (#20)
messages:Jun 24 23:38:28 uni kernel: Packet log: input DENY eth0 PROTO=6 
192.168.11.85:80 66.92.68.235:7878 L=1492 S=0x00 I=45011 F=0x4000 T=44 (#20)
messages:Jun 24 23:38:28 uni kernel: Packet log: input DENY eth0 PROTO=6 
192.168.11.85:80 66.92.68.235:9247 L=52 S=0x00 I=45014 F=0x4000 T=44 (#20)
   <snip>
messages:Jun 24 23:45:38 uni kernel: Packet log: input DENY eth0 PROTO=6 
192.168.11.85:80 66.92.68.235:8382 L=425 S=0x00 I=33866 F=0x4000 T=44 (#20)
messages:Jun 24 23:45:38 uni kernel: Packet log: input DENY eth0 PROTO=6 
192.168.11.85:80 66.92.68.235:7878 L=1492 S=0x00 I=33867 F=0x4000 T=44 (#20)

OK, as I write this email I'm finding out more things because I don't want to 
be called lazy.  And others might find this useful.  I found
http://www.linux.org/docs/ldp/howto/IPCHAINS-HOWTO-4.html
has a guide to the output.  Apparently the (#20) at the end means "ipchains 
rule #20".

[root at uni root]# ipchains -L input -n --line-numbers  | grep '^20'
20   DENY       all  ----l-  192.168.0.0/16       0.0.0.0/0             n/a

(this means list IPCHAINS rule for the chain "input", show IP addresses 
instead of domain names, and show the rule line numbers.)

So now I know that it was blocked because of the nonroutable address, but it 
does not explain how it got to eth0 in the first place.

Thoughts?

As a side thought, it seems that it would be a few hours' work to write a 
"tcpdump-to-English" converter and an "ipchains-syslog-to-English" converter.  
Now that I have found websites to explain it sufficiently, I am tempted to 
write one, but only if nothing like that already exists.  Has anyone heard of 
one?
----------------------------------------------------------------------------
DDDD   David Kramer         david at thekramers.net       http://thekramers.net
DK KD  "Light is meaningful only in relation to darkness, and truth 
DKK D  presupposes error.  It is these mingled opposites which people our 
DK KD  life, which make it pungent, intoxicating.  We only exist in terms
DDDD    of this conflict, in the zone where black and white clash."
                                                  - Louis Aragon (1897-1982)
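The "ipchains-syslog-to-English" converter the post asks about, as an added example that is not part of the original message or the BLU archive: a Python parser for the `Packet log:` lines shown above that decodes each field (chain, verdict, interface, protocol number, addresses and ports, length, TOS, IP id, fragment flags, TTL, rule number), renders it as a sentence, and flags entries whose source address is in an RFC 1918 range but which arrived on the external interface. The sample log lines are constructed for the example: the first three follow the entries quoted in the post (one entry per line, without the mail wrapping), the last two are made up to exercise the interface and address checks. The interface name `eth0` and the RFC 1918 list are assumptions of the example, not something the post specifies beyond its rule #20.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input (see lead-in); not a real capture.
SAMPLE_LOG = """\
messages:Jun 24 23:38:28 uni kernel: Packet log: input DENY eth0 PROTO=6 192.168.11.85:80 66.92.68.235:7878 L=52 S=0x00 I=45012 F=0x4000 T=44 (#20)
messages:Jun 24 23:38:28 uni kernel: Packet log: input DENY eth0 PROTO=6 192.168.11.85:80 66.92.68.235:7878 L=1492 S=0x00 I=45011 F=0x4000 T=44 (#20)
messages:Jun 24 23:45:38 uni kernel: Packet log: input DENY eth0 PROTO=6 192.168.11.85:80 66.92.68.235:8382 L=425 S=0x00 I=33866 F=0x4000 T=44 (#20)
messages:Jun 24 23:50:01 uni kernel: Packet log: input ACCEPT eth1 PROTO=17 10.0.0.5:1024 10.0.0.1:53 L=60 S=0x00 I=7 F=0x0000 T=64 (#3)
messages:Jun 24 23:51:17 uni kernel: Packet log: input DENY eth0 PROTO=6 203.0.113.9:4242 66.92.68.235:23 L=60 S=0x00 I=9981 F=0x4000 T=51 (#31)
"""

# Field layout of an ipchains "Packet log:" line. The trailing "(#N)" is the
# number of the rule that matched; it is optional in the regex because not
# every kernel build prints it.
LOG_RE = re.compile(
    r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) kernel: "
    r"Packet log: (?P<chain>\S+) (?P<verdict>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=(?P<tos>0x[0-9a-fA-F]+) I=(?P<ipid>\d+) "
    r"F=(?P<frag>0x[0-9a-fA-F]+) T=(?P<ttl>\d+)(?: \(#(?P<rule>\d+)\))?"
)

PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}

# Assumption: "nonroutable" here means the RFC 1918 private ranges.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class PacketLogEntry:
    timestamp: str
    host: str
    chain: str
    verdict: str
    iface: str
    proto: int
    src: str
    sport: int
    dst: str
    dport: int
    length: int
    tos: int
    ip_id: int
    frag: int   # raw IP flags + fragment-offset field (F=...)
    ttl: int
    rule: Optional[int]

    @property
    def proto_name(self) -> str:
        return PROTO_NAMES.get(self.proto, f"protocol {self.proto}")

    @property
    def dont_fragment(self) -> bool:
        return bool(self.frag & 0x4000)   # DF bit

    @property
    def more_fragments(self) -> bool:
        return bool(self.frag & 0x2000)   # MF bit

    @property
    def frag_offset(self) -> int:
        return (self.frag & 0x1FFF) * 8   # offset is stored in 8-byte units


def parse_line(line: str) -> Optional[PacketLogEntry]:
    """Return a PacketLogEntry for an ipchains log line, or None if it is not one."""
    m = LOG_RE.search(line)
    if not m:
        return None
    g = m.groupdict()
    return PacketLogEntry(
        timestamp=g["ts"], host=g["host"], chain=g["chain"], verdict=g["verdict"],
        iface=g["iface"], proto=int(g["proto"]), src=g["src"], sport=int(g["sport"]),
        dst=g["dst"], dport=int(g["dport"]), length=int(g["length"]), tos=int(g["tos"], 16),
        ip_id=int(g["ipid"]), frag=int(g["frag"], 16), ttl=int(g["ttl"]),
        rule=int(g["rule"]) if g["rule"] is not None else None,
    )


def explain(e: PacketLogEntry) -> str:
    """Render one entry as an English sentence."""
    if e.dont_fragment:
        frag = "DF set"
    elif e.more_fragments or e.frag_offset:
        frag = f"fragment at offset {e.frag_offset}"
    else:
        frag = "unfragmented"
    rule = f" by rule #{e.rule}" if e.rule is not None else ""
    return (f"{e.timestamp} {e.host}: chain '{e.chain}' verdict {e.verdict}{rule}: "
            f"{e.length}-byte {e.proto_name} packet on {e.iface} from {e.src} port {e.sport} "
            f"to {e.dst} port {e.dport} (TTL {e.ttl}, IP id {e.ip_id}, TOS 0x{e.tos:02x}, {frag})")


def private_sources_on_interface(log_text: str, external_iface: str) -> List[PacketLogEntry]:
    """Entries whose source is an RFC 1918 address yet arrived on the external interface."""
    hits = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None or e.iface != external_iface:
            continue
        if any(ipaddress.ip_address(e.src) in net for net in RFC1918):
            hits.append(e)
    return hits


if __name__ == "__main__":
    for raw in SAMPLE_LOG.splitlines():
        entry = parse_line(raw)
        if entry:
            print(explain(entry))
    print(f"{len(private_sources_on_interface(SAMPLE_LOG, 'eth0'))} private-source packets on eth0")
```

Feeding `grep 'Packet log' /var/log/messages` into `parse_line` gives the same decoding for real entries; the post's own lines would first need their mail wrapping undone, since the parser expects one entry per line. Asking `ipchains -L input -n --line-numbers` for the rule number the entry reports, as the post does, then tells you which rule produced each verdict.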
