From: Stephen Samuel (samuel_at_bcgreen.com)
Date: Wed, 07 Jul 2004 14:40:37 -0700
To: Kostas K <firstname.lastname@example.org>
Kostas K wrote:
> IN=ppp0 OUT= MAC= SRC=xxx.xx.xxx.xxx DST=aa.aaa.aaa.aaa LEN=76 TOS=0x18 PREC=0x20 TTL=45 ID=56552 PROTO=ICMP TYPE=3 CODE=1 [SRC=aa.aaa.aaa.aaa DST=192.168.1.100 LEN=48 TOS=0x00 PREC=0x00 TTL=109 ID=16249 DF PROTO=TCP SPT=1730 DPT=4662 WINDOW=16384 RES=0x00 SYN URGP=0 ]
> I get some weird logs from iptables. Someone is trying to ping (using a C class IP) me with no result since it gets the msg. of host unreachable.
> The weird thing, or perhaps the thing that I can't understand, is why the destination address in the first row is the same as the src in the second row, which seems to scan a C class IP which happens to be private, while I am using a 10.0.0.0/24 network.
My reading is that aa.aaa.aaa is probably attempting to send packets
to address 192.168.1.100 OVER THE PPP LINK (i.e. out into the
wider internet). [[ You should be egress filtering against such things ]]
after a couple of hops, the packet hits a (border?) router that filters
against such evils and it sends back the ICMP reject.
# interface names are case-sensitive (the log shows ppp0) and the jump flag is lowercase -j
-A FORWARD -o ppp0 -d 192.168.0.0/16 -j REJECT
-A OUTPUT -o ppp0 -d 192.168.0.0/16 -j REJECT
(similarly for other non-routable networks).
That should get rid of your weird messages.
(( The other possibility is that someone else is faking your
source address, but that's rarely of any use with TCP unless they're
in a position to capture any response en-route. ))
--
Stephen Samuel +1(604)876-0426 email@example.com
http://www.bcgreen.com/~samuel/
Powerful committed communication. Transformation touching
the jewel within each person and bringing it to light.
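As an added illustration of the reading Stephen gives above (not code from either poster): the following script parses an iptables LOG line of the kind Kostas quoted, pulls the bracketed copy of the original header out of the ICMP destination-unreachable message, checks that the embedded SRC is the same host as the outer DST (which is what makes the two addresses "the same"), and flags that the rejected packet was addressed to RFC 1918 space on the external link. It also generates the egress rules Stephen suggests for every non-routable range. The sample log line is constructed from the quoted one with the masked addresses replaced by RFC 5737 documentation addresses; the function names and the address list are my own assumptions.

```python
"""Explain an iptables LOG entry that carries an ICMP error with the quoted
original header.  Added example for this thread; not from the original post."""
import ipaddress
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample: same fields as the quoted log line, with the masked
# addresses replaced by RFC 5737 documentation addresses.
SAMPLE = ("IN=ppp0 OUT= MAC= SRC=198.51.100.7 DST=203.0.113.25 LEN=76 TOS=0x18 "
          "PREC=0x20 TTL=45 ID=56552 PROTO=ICMP TYPE=3 CODE=1 "
          "[SRC=203.0.113.25 DST=192.168.1.100 LEN=48 TOS=0x00 PREC=0x00 TTL=109 "
          "ID=16249 DF PROTO=TCP SPT=1730 DPT=4662 WINDOW=16384 RES=0x00 SYN URGP=0 ]")

# ICMP type 3 (destination unreachable) codes, RFC 792 / RFC 1122.
ICMP_UNREACH_CODES = {
    0: "net unreachable", 1: "host unreachable", 2: "protocol unreachable",
    3: "port unreachable", 4: "fragmentation needed", 5: "source route failed",
    9: "network administratively prohibited", 10: "host administratively prohibited",
    13: "communication administratively prohibited",
}

# Ranges that must never be a destination on an internet-facing link
# (RFC 1918 private space plus loopback and link-local); assumed list.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]


def parse_fields(text: str) -> Tuple[Dict[str, str], Set[str]]:
    """Turn 'KEY=value ... FLAG' into a dict plus a set of bare flags (DF, SYN)."""
    fields: Dict[str, str] = {}
    flags: Set[str] = set()
    for tok in text.split():
        if "=" in tok:
            key, val = tok.split("=", 1)   # 'OUT=' yields an empty value
            fields[key] = val
        else:
            flags.add(tok)
    return fields, flags


def split_embedded(line: str) -> Tuple[str, Optional[str]]:
    """Separate the outer header from the [...] copy of the offending packet."""
    m = re.search(r"\[(.*?)\]", line)
    if not m:
        return line, None
    return line[:m.start()], m.group(1)


def is_non_routable(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in NON_ROUTABLE)


def analyze(line: str) -> dict:
    """Classify one LOG line; 'verdict' says what the ICMP error tells us."""
    outer_txt, inner_txt = split_embedded(line)
    outer, _ = parse_fields(outer_txt)
    result = {"icmp": None, "inner": None, "inner_flags": set(),
              "consistent": None, "inner_dst_non_routable": None, "verdict": ""}
    if outer.get("PROTO") != "ICMP" or outer.get("TYPE") != "3":
        result["verdict"] = "not an ICMP destination-unreachable message"
        return result
    code = int(outer.get("CODE", "-1"))
    result["icmp"] = ICMP_UNREACH_CODES.get(code, f"unknown code {code}")
    if inner_txt is None:
        result["verdict"] = "ICMP unreachable without an embedded header"
        return result
    inner, inner_flags = parse_fields(inner_txt)
    result["inner"], result["inner_flags"] = inner, inner_flags
    # The router quotes the header of the packet it dropped, so the packet's
    # sender (inner SRC) must be the host the error is addressed to (outer DST).
    result["consistent"] = inner.get("SRC") == outer.get("DST")
    result["inner_dst_non_routable"] = (
        is_non_routable(inner["DST"]) if "DST" in inner else None)
    if result["consistent"] and result["inner_dst_non_routable"]:
        result["verdict"] = ("our side sent a packet for a non-routable address out "
                             "the external link and an upstream router rejected it; "
                             "add an egress filter")
    elif not result["consistent"]:
        result["verdict"] = ("embedded header does not name our address; "
                             "unrelated traffic or a spoofed source")
    else:
        result["verdict"] = "ordinary unreachable for a routable destination"
    return result


def egress_rules(iface: str) -> List[str]:
    """iptables-save style REJECT rules for every non-routable range on iface."""
    rules = []
    for net in NON_ROUTABLE:
        for chain in ("FORWARD", "OUTPUT"):
            rules.append(f"-A {chain} -o {iface} -d {net} -j REJECT")
    return rules


if __name__ == "__main__":
    r = analyze(SAMPLE)
    print(f"ICMP: {r['icmp']}; consistent={r['consistent']}; "
          f"private destination={r['inner_dst_non_routable']}")
    print(r["verdict"])
    print("\n".join(egress_rules("ppp0")))
```

The "consistent" check is the answer to Kostas's question: the second row is not a second scan but the first 28 bytes of his own outbound SYN to 192.168.1.100:4662, echoed back inside the ICMP error, so its SRC is necessarily his own DST.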