Re: Weird!

From: Charles Heselton (charles.heselton_at_gmail.com)
Date: 07/06/04

    Date: Tue, 6 Jul 2004 12:13:27 -0700
    To: Kostas K <acezerocool@yahoo.com>
    
    

    On 5 Jul 2004 22:22:22 -0000, Kostas K <acezerocool@yahoo.com> wrote:
    >
    >
    > IN=ppp0 OUT= MAC= SRC=xxx.xx.xxx.xxx DST=aa.aaa.aaa.aaa LEN=76 TOS=0x18 PREC=0x20 TTL=45 ID=56552 PROTO=ICMP TYPE=3 CODE=1 [SRC=aa.aaa.aaa.aaa DST=192.168.1.100 LEN=48 TOS=0x00 PREC=0x00 TTL=109 ID=16249 DF PROTO=TCP SPT=1730 DPT=4662 WINDOW=16384 RES=0x00 SYN URGP=0 ]
    >
    > I get some weird logs from iptables. Someone is trying to ping (using a C class IP) me with no result, since it gets the msg. of host unreachable.
    > The weird thing, or perhaps the thing that I can't understand, is why the destination address in the first row is the same as the src in the second row, which seems to scan a C class IP which happens to be private, while I am using a 10.0.0.0/24 network.
    >
    > Any ideas?
    >
    > Cheers.
    >

    This looks like a combination of a couple log entries. I've never
    seen duplicated fields (DST=, SRC=, etc.) in IPTables logging data.
    But, assuming that it is one log entry, depending on your network
    config, it looks like your IPTables is picking up both sides (pre-NAT
    & post-NAT) of something that is being NAT'd. Possibly bounced....

    -- 
    Charlie Heselton
    Network Security Engineer
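
Added example, not part of the original thread: the netfilter LOG target prints the header of the packet quoted inside an ICMP error in square brackets, so the line in the question can be split into the received ICMP message and the packet it reports on. The function names are hypothetical, and the sample is the log line from the question with the poster's own address masking.

```python
import re

# Log line copied from the quoted message (addresses already masked by the poster).
SAMPLE = ("IN=ppp0 OUT= MAC= SRC=xxx.xx.xxx.xxx DST=aa.aaa.aaa.aaa LEN=76 TOS=0x18 "
          "PREC=0x20 TTL=45 ID=56552 PROTO=ICMP TYPE=3 CODE=1 "
          "[SRC=aa.aaa.aaa.aaa DST=192.168.1.100 LEN=48 TOS=0x00 PREC=0x00 TTL=109 "
          "ID=16249 DF PROTO=TCP SPT=1730 DPT=4662 WINDOW=16384 RES=0x00 SYN URGP=0 ]")

# ICMP error types whose payload carries the offending packet's header.
ICMP_ERROR_TYPES = {3, 4, 5, 11, 12}
UNREACH_CODES = {0: "network unreachable", 1: "host unreachable",
                 2: "protocol unreachable", 3: "port unreachable"}

def parse_fields(text):
    """Split KEY=value tokens into a dict; bare tokens (SYN, DF) go under 'flags'."""
    fields, flags = {}, []
    for tok in text.split():
        if "=" in tok:
            key, _, val = tok.partition("=")
            fields[key] = val
        else:
            flags.append(tok)
    fields["flags"] = flags
    return fields

def parse_log_line(line):
    """Return (outer, quoted): the logged packet and the bracketed header, or None."""
    # Anchor on "[SRC=" so a "[12345.678]" kernel timestamp prefix is not mistaken for it.
    m = re.search(r"\[(SRC=[^\]]*)\]", line)
    quoted = parse_fields(m.group(1)) if m else None
    outer = parse_fields(line[:m.start()] if m else line)
    return outer, quoted

def summarize(line):
    """Describe an ICMP error entry; None if the line is not one."""
    outer, quoted = parse_log_line(line)
    if quoted is None or int(outer.get("TYPE", -1)) not in ICMP_ERROR_TYPES:
        return None
    code = int(outer.get("CODE", -1))
    return {
        "reporter": outer.get("SRC"),
        "reason": UNREACH_CODES.get(code, "other") if outer["TYPE"] == "3" else "other",
        "original_src": quoted.get("SRC"),
        "original_dst": quoted.get("DST"),
        "original_dport": quoted.get("DPT"),
        # An ICMP error is addressed to the source of the packet it quotes.
        "sent_to_original_source": outer.get("DST") == quoted.get("SRC"),
    }
```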
    
