
BLU Discuss list archive



192.168 packets from the outside???



Most ISPs use RFC1918 address space on their networks between you and the 
Internet. Part of IP conservation.

It's not that 192.168 is not routable, it's just not routed over the 
public Internet.

-joe

On Wed, 25 Jun 2003, David Kramer wrote:

> I was going through my logwatch reports like a good little sysadmin, and I 
> found something very unusual in there.  I saw packets from 192.168.11.85 
> coming in on eth0 (my DSL connection to the outside world).  I thought that 
> was a nonroutable address, so I was wondering how that was even possible.  
> Could it have been source-routed packets?  My ipchains firewall has rules for 
> both nonroutable addresses and source-routed packets, so I don't know.
> 
> I profess that the majority of the tcpdump-like/syslog-like packet reports 
> mystifies me.  I just don't know what all the mnemonics stand for.  I 
> understand the whole syn/ack thing, though.
> 
> messages:Jun 24 23:38:28 uni kernel: Packet log: input DENY eth0 PROTO=6 
> 192.168.11.85:80 66.92.68.235:7878 L=52 S=0x00 I=45012 F=0x4000 T=44 (#20)
> messages:Jun 24 23:38:28 uni kernel: Packet log: input DENY eth0 PROTO=6 
> 192.168.11.85:80 66.92.68.235:7878 L=1492 S=0x00 I=45011 F=0x4000 T=44 (#20)
> messages:Jun 24 23:38:28 uni kernel: Packet log: input DENY eth0 PROTO=6 
> 192.168.11.85:80 66.92.68.235:9247 L=52 S=0x00 I=45014 F=0x4000 T=44 (#20)
>    <snip>
> messages:Jun 24 23:45:38 uni kernel: Packet log: input DENY eth0 PROTO=6 
> 192.168.11.85:80 66.92.68.235:8382 L=425 S=0x00 I=33866 F=0x4000 T=44 (#20)
> messages:Jun 24 23:45:38 uni kernel: Packet log: input DENY eth0 PROTO=6 
> 192.168.11.85:80 66.92.68.235:7878 L=1492 S=0x00 I=33867 F=0x4000 T=44 (#20)
> 
> OK, as I write this email I'm finding out more things because I don't want to 
> be called lazy.  And others might find this useful.  I found
> http://www.linux.org/docs/ldp/howto/IPCHAINS-HOWTO-4.html
> has a guide to the output.  Apparently the (#20) at the end means "ipchains 
> rule #20".
> 
> [root at uni root]# ipchains -L input -n --line-numbers  | grep '^20'
> 20   DENY       all  ----l-  192.168.0.0/16       0.0.0.0/0             n/a
> 
> (this means list IPCHAINS rule for the chain "input", show IP addresses 
> instead of domain names, and show the rule line numbers.)
> 
> So now I know that it was blocked because of the nonroutable address, but it 
> does not explain how it got to eth0 in the first place.
> 
> Thoughts?
> 
> As a side thought, it seems that it would be a few hours work to write a 
> "tcpdump-to-English" converter and an "ipchains-syslog-to-English" converter.  
> Now that I have found websites to explain it sufficiently, I am tempted to 
> write one, but only if nothing like that already exists.  Has anyone heard of 
> one?
> ----------------------------------------------------------------------------
> DDDD   David Kramer         david at thekramers.net       http://thekramers.net
> DK KD  "Light is meaningful only in relation to darkness, and truth 
> DKK D  presupposes error.  It is these mingled opposites which people our 
> DK KD  life, which make it pungent, intoxicating.  We only exist in terms
> DDDD    of this conflict, in the zone where black and white clash."
>                                                   - Louis Aragon (1897-1982)
> _______________________________________________
> Discuss mailing list
> Discuss at blu.org
> http://www.blu.org/mailman/listinfo/discuss
> 
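The quoted post decodes the ipchains "Packet log" fields by hand (L, S, I, F, T and the trailing "(#20)" rule number) and wonders whether an "ipchains-syslog-to-English" converter exists. The following is an added example written for this archive page, not code from either poster: a small Python decoder for those log lines that also flags RFC1918 sources arriving on an interface you consider external. The first two sample lines are copied from the post; the remaining three are constructed to exercise UDP, a public source, and a private source on an internal interface. The field meanings (F is the 16-bit fragment offset plus flags, so 0x4000 is the Don't Fragment bit) follow the IPCHAINS-HOWTO the post links to; the interface list and protocol table are assumptions for the example.

```python
"""Decode ipchains "Packet log" syslog lines and flag RFC1918 sources on an
external interface. Added example for the archive page; not the posters' code."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample log. Lines 1-2 are from the post; 3-5 are made up to show
# a UDP entry, a public source, and a private source on an internal interface.
SAMPLE_LOG = """\
Jun 24 23:38:28 uni kernel: Packet log: input DENY eth0 PROTO=6 192.168.11.85:80 66.92.68.235:7878 L=52 S=0x00 I=45012 F=0x4000 T=44 (#20)
Jun 24 23:38:28 uni kernel: Packet log: input DENY eth0 PROTO=6 192.168.11.85:80 66.92.68.235:7878 L=1492 S=0x00 I=45011 F=0x4000 T=44 (#20)
Jun 24 23:50:01 uni kernel: Packet log: input DENY eth0 PROTO=17 10.0.0.5:53 66.92.68.235:1025 L=100 S=0x00 I=7 F=0x0000 T=60 (#20)
Jun 24 23:50:02 uni kernel: Packet log: input DENY eth0 PROTO=6 198.51.100.9:4444 66.92.68.235:22 L=60 S=0x10 I=9 F=0x4000 T=50 (#31)
Jun 24 23:50:03 uni kernel: Packet log: input ACCEPT eth1 PROTO=6 192.168.1.2:3456 66.92.68.235:80 L=60 S=0x00 I=11 F=0x4000 T=64 (#3)
"""

# Field meanings per the IPCHAINS-HOWTO: L=packet length, S=type of service,
# I=IP ID, F=16-bit fragment offset plus flags, T=TTL, (#n)=matching rule.
LINE_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) (?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+) "
    r"L=(?P<length>\d+) S=0x(?P<tos>[0-9A-Fa-f]+) I=(?P<ipid>\d+) "
    r"F=0x(?P<frag>[0-9A-Fa-f]+) T=(?P<ttl>\d+)(?: \(#(?P<rule>\d+)\))?"
)

PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}  # assumption: only the common ones
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class PacketLogEntry:
    chain: str
    action: str
    iface: str
    proto: int
    src: str
    sport: int
    dst: str
    dport: int
    length: int
    tos: int
    ipid: int
    frag: int
    ttl: int
    rule: Optional[int]

    @property
    def dont_fragment(self) -> bool:
        return bool(self.frag & 0x4000)  # DF bit

    @property
    def more_fragments(self) -> bool:
        return bool(self.frag & 0x2000)  # MF bit

    @property
    def frag_offset(self) -> int:
        return (self.frag & 0x1FFF) * 8  # low 13 bits, in 8-byte units


def parse_line(line: str) -> Optional[PacketLogEntry]:
    """Return a PacketLogEntry for an ipchains log line, or None if it is not one."""
    m = LINE_RE.search(line)
    if not m:
        return None
    g = m.groupdict()
    return PacketLogEntry(
        chain=g["chain"], action=g["action"], iface=g["iface"], proto=int(g["proto"]),
        src=g["src"], sport=int(g["sport"]), dst=g["dst"], dport=int(g["dport"]),
        length=int(g["length"]), tos=int(g["tos"], 16), ipid=int(g["ipid"]),
        frag=int(g["frag"], 16), ttl=int(g["ttl"]),
        rule=int(g["rule"]) if g["rule"] else None,
    )


def rfc1918_net(addr: str) -> Optional[str]:
    """Return the RFC1918 block containing addr, or None if it is not private."""
    ip = ipaddress.ip_address(addr)
    for net in RFC1918:
        if ip in net:
            return str(net)
    return None


def describe(e: PacketLogEntry) -> str:
    """Render one entry as a plain-English sentence."""
    proto = PROTO_NAMES.get(e.proto, f"protocol {e.proto}")
    flags = []
    if e.dont_fragment:
        flags.append("DF")
    if e.more_fragments:
        flags.append("MF")
    if e.frag_offset:
        flags.append(f"offset {e.frag_offset}")
    frag = ", ".join(flags) if flags else "no fragmentation flags"
    rule = f"rule #{e.rule}" if e.rule is not None else "unknown rule"
    text = (f"{e.chain} chain {e.action} on {e.iface}: {proto} {e.src}:{e.sport} -> "
            f"{e.dst}:{e.dport}, {e.length} bytes, TOS 0x{e.tos:02x}, IP ID {e.ipid}, "
            f"{frag}, TTL {e.ttl}, matched {rule}")
    net = rfc1918_net(e.src)
    if net:
        text += f"; source is RFC1918 ({net})"
    return text


def private_sources(log_text: str, external_ifaces=("eth0",)) -> List[PacketLogEntry]:
    """Entries whose source is RFC1918 and which arrived on an external interface."""
    return [e for e in (parse_line(l) for l in log_text.splitlines())
            if e and e.iface in external_ifaces and rfc1918_net(e.src)]


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        entry = parse_line(line)
        print(describe(entry) if entry else f"unparsed: {line}")
```

Run against a real `messages` file the script reports the same fields the post worked out by hand, and `private_sources` gives a quick list of which denied packets carried a private source on the DSL-facing interface, which is the case the thread is about.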





BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.




Boston Linux & Unix / webmaster@blu.org