192.168 packets from the outside???

josephc at etards.net
Thu Jun 26 09:58:16 EDT 2003


Most ISPs use RFC1918 address space on their networks between you and the 
Internet. Part of IP conservation.

It's not that 192.168 is not routable, it's just not routed over the 
public Internet.

-joe

On Wed, 25 Jun 2003, David Kramer wrote:

> I was going through my logwatch reports like a good little sysadmin, and I 
> found something very unusual in there.  I saw packets from 192.168.11.85 
> coming in on eth0 (my DSL connection to the outside world).  I thought that 
> was a nonroutable address, so I was wondering how that was even possible.  
> Could it have been source-routed packets?  My ipchains firewall has rules for 
> both nonroutable addresses and source-routed packets, so I don't know.
> 
> I profess that the majority of the tcpdump-like/syslog-like packet reports 
> mystifies me.  I just don't know what all the mnemonics stand for.  I 
> understand the whole syn/ack thing, though.
> 
> messages:Jun 24 23:38:28 uni kernel: Packet log: input DENY eth0 PROTO=6 
> 192.168.11.85:80 66.92.68.235:7878 L=52 S=0x00 I=45012 F=0x4000 T=44 (#20)
> messages:Jun 24 23:38:28 uni kernel: Packet log: input DENY eth0 PROTO=6 
> 192.168.11.85:80 66.92.68.235:7878 L=1492 S=0x00 I=45011 F=0x4000 T=44 (#20)
> messages:Jun 24 23:38:28 uni kernel: Packet log: input DENY eth0 PROTO=6 
> 192.168.11.85:80 66.92.68.235:9247 L=52 S=0x00 I=45014 F=0x4000 T=44 (#20)
>    <snip>
> messages:Jun 24 23:45:38 uni kernel: Packet log: input DENY eth0 PROTO=6 
> 192.168.11.85:80 66.92.68.235:8382 L=425 S=0x00 I=33866 F=0x4000 T=44 (#20)
> messages:Jun 24 23:45:38 uni kernel: Packet log: input DENY eth0 PROTO=6 
> 192.168.11.85:80 66.92.68.235:7878 L=1492 S=0x00 I=33867 F=0x4000 T=44 (#20)
> 
> OK, as I write this email I'm finding out more things because I don't want to 
> be called lazy.  And others might find this useful.  I found
> http://www.linux.org/docs/ldp/howto/IPCHAINS-HOWTO-4.html
> has a guide to the output.  Apparently the (#20) at the end means "ipchains 
> rule #20".
> 
> [root at uni root]# ipchains -L input -n --line-numbers  | grep '^20'
> 20   DENY       all  ----l-  192.168.0.0/16       0.0.0.0/0             n/a
> 
> (this means list IPCHAINS rule for the chain "input", show IP addresses 
> instead of domain names, and show the rule line numbers.)
> 
> So now I know that it was blocked because of the nonroutable address, but it 
> does not explain how it got to eth0 in the first place.
> 
> Thoughts?
> 
> As a side thought, it seems that it would be a few hours work to write a 
> "tcpdump-to-English" converter and a "ipchains-syslog-to-English" converter.  
> Now that I have found websites to explain it sufficiently, I am tempted to 
> write one, but only if nothing like that already exists.  Has anyone heard of 
> one?
> ----------------------------------------------------------------------------
> DDDD   David Kramer         david at thekramers.net       http://thekramers.net
> DK KD  "Light is meaningful only in relation to darkness, and truth 
> DKK D  presupposes error.  It is these mingled opposites which people our 
> DK KD  life, which make it pungent, intoxicating.  We only exist in terms
> DDDD    of this conflict, in the zone where black and white clash."
>                                                   - Louis Aragon (1897-1982)
> _______________________________________________
> Discuss mailing list
> Discuss at blu.org
> http://www.blu.org/mailman/listinfo/discuss
> 
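The "ipchains-syslog-to-English converter" David asks about, written here as an added example (it is not code from either poster). It parses the "Packet log:" lines quoted above using the field meanings from the IPCHAINS-HOWTO linked in the post (L = total length, S = TOS, I = IP ID, F = fragment flags and offset, T = TTL, (#N) = rule number), flags sources that fall in RFC1918 space, and counts how many such packets each interface saw. The sample lines are the ones from the post, rejoined onto single lines; the PROTO numbers and the DF/MF bit positions are standard IP header values, and the function and class names are this example's own.

```python
"""Translate ipchains "Packet log:" syslog lines into English and flag
RFC1918 sources.  Added example, not part of the original thread."""
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}

# The three RFC1918 blocks, checked explicitly rather than via is_private(),
# which also matches loopback, link-local and other non-RFC1918 ranges.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Field layout as documented in the IPCHAINS-HOWTO; the optional "messages:"
# prefix is what grep leaves on the line when searching /var/log/messages.
LOG_RE = re.compile(
    r"(?:\S+?:)?"
    r"(?P<ts>[A-Z][a-z]{2}\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+kernel:\s+"
    r"Packet log:\s+(?P<chain>\S+)\s+(?P<action>\S+)\s+(?P<iface>\S+)\s+"
    r"PROTO=(?P<proto>\d+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+L=(?P<length>\d+)\s+S=(?P<tos>0x[0-9A-Fa-f]+)\s+"
    r"I=(?P<ipid>\d+)\s+F=(?P<frag>0x[0-9A-Fa-f]+)\s+T=(?P<ttl>\d+)"
    r"(?P<syn>\s+SYN)?\s+\(#(?P<rule>\d+)\)"
)


@dataclass
class PacketLog:
    timestamp: str
    host: str
    chain: str
    action: str
    iface: str
    proto: int
    src: str
    sport: int
    dst: str
    dport: int
    length: int   # L= total IP length in bytes
    tos: int      # S= type-of-service byte
    ipid: int     # I= IP identification
    frag: int     # F= raw 16-bit flags + fragment offset field
    ttl: int      # T= time to live
    syn: bool     # trailing "SYN" token, logged for TCP connection requests
    rule: int     # (#N) number of the rule that matched

    @property
    def dont_fragment(self) -> bool:
        return bool(self.frag & 0x4000)

    @property
    def more_fragments(self) -> bool:
        return bool(self.frag & 0x2000)

    @property
    def frag_offset(self) -> int:
        # Low 13 bits are the offset in 8-byte units; report bytes.
        return (self.frag & 0x1FFF) * 8


def parse_ipchains_log(line: str) -> Optional[PacketLog]:
    """Return a PacketLog for a "Packet log:" line, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    g = m.groupdict()
    return PacketLog(
        timestamp=g["ts"], host=g["host"], chain=g["chain"], action=g["action"],
        iface=g["iface"], proto=int(g["proto"]), src=g["src"], sport=int(g["sport"]),
        dst=g["dst"], dport=int(g["dport"]), length=int(g["length"]),
        tos=int(g["tos"], 16), ipid=int(g["ipid"]), frag=int(g["frag"], 16),
        ttl=int(g["ttl"]), syn=g["syn"] is not None, rule=int(g["rule"]),
    )


def is_rfc1918(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def describe(p: PacketLog) -> str:
    """One English sentence per logged packet."""
    proto = PROTO_NAMES.get(p.proto, f"protocol {p.proto}")
    extras = []
    if p.dont_fragment:
        extras.append("DF set")
    if p.more_fragments:
        extras.append("MF set")
    if p.frag_offset:
        extras.append(f"fragment offset {p.frag_offset}")
    if p.proto == 6:
        extras.append("SYN (new connection)" if p.syn else "no SYN (not a connection request)")
    if is_rfc1918(p.src):
        extras.append("source is RFC1918 private space")
    return (f"{p.timestamp} {p.host}: {p.action} by rule #{p.rule} of the '{p.chain}' "
            f"chain on {p.iface}: {proto} from {p.src} port {p.sport} to {p.dst} "
            f"port {p.dport}, {p.length} bytes, TTL {p.ttl}, IP ID {p.ipid}, "
            f"TOS 0x{p.tos:02x}; " + ", ".join(extras))


def private_source_summary(lines) -> Counter:
    """Count packets per (interface, source) whose source is RFC1918 space."""
    counts = Counter()
    for line in lines:
        p = parse_ipchains_log(line)
        if p and is_rfc1918(p.src):
            counts[(p.iface, p.src)] += 1
    return counts


# Sample input: the lines quoted in the post, rejoined onto single lines.
SAMPLE_LINES = [
    "messages:Jun 24 23:38:28 uni kernel: Packet log: input DENY eth0 PROTO=6 192.168.11.85:80 66.92.68.235:7878 L=52 S=0x00 I=45012 F=0x4000 T=44 (#20)",
    "messages:Jun 24 23:38:28 uni kernel: Packet log: input DENY eth0 PROTO=6 192.168.11.85:80 66.92.68.235:7878 L=1492 S=0x00 I=45011 F=0x4000 T=44 (#20)",
    "messages:Jun 24 23:38:28 uni kernel: Packet log: input DENY eth0 PROTO=6 192.168.11.85:80 66.92.68.235:9247 L=52 S=0x00 I=45014 F=0x4000 T=44 (#20)",
    "   <snip>",
    "messages:Jun 24 23:45:38 uni kernel: Packet log: input DENY eth0 PROTO=6 192.168.11.85:80 66.92.68.235:8382 L=425 S=0x00 I=33866 F=0x4000 T=44 (#20)",
    "messages:Jun 24 23:45:38 uni kernel: Packet log: input DENY eth0 PROTO=6 192.168.11.85:80 66.92.68.235:7878 L=1492 S=0x00 I=33867 F=0x4000 T=44 (#20)",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        p = parse_ipchains_log(line)
        if p:
            print(describe(p))
    for (iface, src), n in private_source_summary(SAMPLE_LINES).items():
        print(f"{n} packet(s) from private source {src} arrived on {iface}")
```

On the quoted lines the output makes the point of the thread visible without decoding mnemonics by hand: every packet comes from port 80 of an RFC1918 address, carries no SYN, and has DF set, which is what replies from a web server look like; whether such traffic should ever reach the external interface is then a question about the ISP's addressing, as the reply above says, rather than about source routing.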