From: Charles Heselton (charles.heselton_at_gmail.com)
Date: Tue, 6 Jul 2004 12:13:27 -0700
To: Kostas K <firstname.lastname@example.org>
On 5 Jul 2004 22:22:22 -0000, Kostas K <email@example.com> wrote:
> IN=ppp0 OUT= MAC= SRC=xxx.xx.xxx.xxx DST=aa.aaa.aaa.aaa LEN=76 TOS=0x18 PREC=0x20 TTL=45 ID=56552 PROTO=ICMP TYPE=3 CODE=1 [SRC=aa.aaa.aaa.aaa DST=192.168.1.100 LEN=48 TOS=0x00 PREC=0x00 TTL=109 ID=16249 DF PROTO=TCP SPT=1730 DPT=4662 WINDOW=16384 RES=0x00 SYN URGP=0 ]
> I get some weird logs from iptables. Someone is trying to ping me (using a C class IP) with no result, since it gets the msg. of host unreachable.
> The weird thing, or perhaps the thing that I can't understand, is why the destination address in the first row is the same as the src in the second row, which seems to scan a C class IP which happens to be private, while I am using a 10.0.0.0/24 network.
> Any ideas?
This looks like a combination of a couple log entries. I've never
seen duplicated fields (DST=, SRC=, etc.) in IPTables logging data.
But, assuming that it is one log entry, depending on your network
config, it looks like your IPTables is picking up both sides (pre-NAT
& post-NAT) of something that is being NAT'd. Possibly bounced....
-- Charlie Heselton Network Security Engineer
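
Added example, not part of the original thread: the Linux LOG target prints the header of the packet quoted inside an ICMP error message in square brackets, so an entry of this shape can be split into the outer ICMP packet and the embedded original packet. The sample line is constructed with documentation-range addresses, and the function names are hypothetical.

```python
import re

# Constructed sample in the shape of the quoted entry (documentation-range addresses).
SAMPLE = (
    "IN=ppp0 OUT= MAC= SRC=198.51.100.7 DST=203.0.113.9 LEN=76 TOS=0x18 PREC=0x20 "
    "TTL=45 ID=56552 PROTO=ICMP TYPE=3 CODE=1 [SRC=203.0.113.9 DST=192.168.1.100 "
    "LEN=48 TOS=0x00 PREC=0x00 TTL=109 ID=16249 DF PROTO=TCP SPT=1730 DPT=4662 "
    "WINDOW=16384 RES=0x00 SYN URGP=0 ]"
)

# The embedded header starts with SRC=, which keeps a "[  12.345]" kernel
# timestamp earlier in the line from being mistaken for it.
EMBEDDED = re.compile(r"\[(SRC=[^\]]*)\]")
UNREACH = {"0": "net", "1": "host", "2": "protocol", "3": "port"}

def parse_fields(text):
    """Map KEY=value tokens to a dict; bare tokens (DF, SYN) go under FLAGS."""
    fields, flags = {}, []
    for tok in text.split():
        key, sep, value = tok.partition("=")
        if sep:
            fields[key] = value
        else:
            flags.append(tok)
    fields["FLAGS"] = flags
    return fields

def parse_entry(line):
    """Return (outer, inner); inner is None when no embedded header is present."""
    m = EMBEDDED.search(line)
    if m is None:
        return parse_fields(line), None
    return parse_fields(line[:m.start()] + line[m.end():]), parse_fields(m.group(1))

def summarize(line):
    """Describe an ICMP destination-unreachable entry via its quoted packet."""
    outer, inner = parse_entry(line)
    if inner is None or outer.get("PROTO") != "ICMP" or outer.get("TYPE") != "3":
        return None
    return {
        "reported_by": outer.get("SRC"),
        "unreachable": UNREACH.get(outer.get("CODE"), "other"),
        "original_flow": (inner.get("SRC"), inner.get("SPT"), inner.get("DST"), inner.get("DPT")),
        "sent_from_logged_dst": inner.get("SRC") == outer.get("DST"),
        "syn": "SYN" in inner["FLAGS"],
    }

if __name__ == "__main__":
    print(summarize(SAMPLE))
```
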