Re[2]: Weird!

From: Marius Huse Jacobsen (mahuja_at_c2i.net)
Date: 07/09/04

  • Next message: Jeff Davis: "Re: Weird!"
    Date: Fri, 9 Jul 2004 02:25:10 +0200
    To: Charles Heselton <charles.heselton@gmail.com>
    
    

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    Hello Charles,

    >> IN=ppp0 OUT= MAC= SRC=xxx.xx.xxx.xxx DST=aa.aaa.aaa.aaa LEN=76 TOS=0x18 PREC=0x20 TTL=45 ID=56552 PROTO=ICMP TYPE=3 CODE=1 [SRC=aa.aaa.aaa.aaa DST=192.168.1.100 LEN=48 TOS=0x00 PREC=0x00 TTL=109
    >> ID=16249 DF PROTO=TCP SPT=1730 DPT=4662 WINDOW=16384 RES=0x00 SYN URGP=0 ]

    CH> This looks like a combination of a couple log entries. I've never
    CH> seen duplicated fields (DST=, SRC=, etc.) in IPTables logging data.
    CH> But, assuming that it is one log entry, depending on your network
    CH> config, it looks like your IPTables is picking up both sides (pre-NAT
    CH> & post-NAT) of something that is being NAT'd. Possibly bounced....

    Note the [ and the ] surrounding what would have been a log entry of
    its own, and combine this with the fact that ICMP error messages often
    bring along the headers of the packet that failed.

    Other than that, I believe the theory of a donkey sending to the
    address 192.168.1.100 is quite likely. If you're using eMule, you
    should use its internal ip filters to deny those addresses.

    - --
    Best regards,
     Marius mailto:mahuja@c2i.net

    -----BEGIN PGP SIGNATURE-----

    iQA/AwUBQO3X15fZ2CSWpu1rEQKYtwCg6c1kZ89M40+OcnHQRG65+ivQimgAoJX8
    ST1WdyHZ7D4j/WZLPC6RlFsz
    =DN6A
    -----END PGP SIGNATURE-----
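The bracketed header that the message above points out is how the iptables LOG target prints the original packet quoted inside an ICMP error. The following parser is an added example written for this page, not code posted by anyone in the thread: it splits such a line into the outer ICMP packet and the embedded header, names the ICMP error, checks that the error is addressed to the source of the quoted packet (outer DST == inner SRC), and flags an embedded destination in RFC 1918 space, which is what the eMule IP-filter advice above would block. The two sample lines are constructed: the first is the quoted entry with its x/a placeholder addresses replaced by RFC 5737 documentation addresses, the second an ordinary TCP entry for contrast.

```python
import ipaddress
import re

# Constructed sample input: the ICMP line quoted in the thread, with the
# x/a placeholder addresses replaced by RFC 5737 documentation addresses
# so it parses. The field layout is exactly as iptables logged it.
ICMP_ERROR_LINE = (
    "IN=ppp0 OUT= MAC= SRC=198.51.100.7 DST=203.0.113.9 LEN=76 TOS=0x18 "
    "PREC=0x20 TTL=45 ID=56552 PROTO=ICMP TYPE=3 CODE=1 "
    "[SRC=203.0.113.9 DST=192.168.1.100 LEN=48 TOS=0x00 PREC=0x00 TTL=109 "
    "ID=16249 DF PROTO=TCP SPT=1730 DPT=4662 WINDOW=16384 RES=0x00 SYN URGP=0 ]"
)

# Constructed ordinary TCP line, to show that not every line is an ICMP error.
PLAIN_TCP_LINE = (
    "IN=ppp0 OUT= MAC= SRC=198.51.100.7 DST=203.0.113.9 LEN=48 TOS=0x00 "
    "PREC=0x00 TTL=109 ID=16250 DF PROTO=TCP SPT=1731 DPT=4662 WINDOW=16384 "
    "RES=0x00 SYN URGP=0"
)

# ICMP error types whose payload quotes the offending packet's headers; the
# iptables LOG target prints that quoted header inside [ ... ].
ICMP_ERROR_TYPES = {3: "destination unreachable", 4: "source quench",
                    5: "redirect", 11: "time exceeded", 12: "parameter problem"}
# Codes for type 3 (RFC 792 / RFC 1122).
ICMP_UNREACH_CODES = {0: "net unreachable", 1: "host unreachable",
                      2: "protocol unreachable", 3: "port unreachable",
                      4: "fragmentation needed", 13: "administratively prohibited"}
# RFC 1918 ranges: a peer advertising one of these is what a client-side
# IP filter would drop.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_fields(text):
    """'KEY=VALUE KEY= FLAG' -> dict; bare flags (DF, SYN) map to True."""
    fields = {}
    for tok in text.split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            fields[key] = val
        else:
            fields[tok] = True
    return fields


def parse_log_line(line):
    """Return (outer, inner): the logged packet and, when the line carries an
    ICMP error with a quoted header in [ ... ], the embedded original header."""
    inner = None
    m = re.search(r"\[(.*?)\]", line)
    if m:
        inner = parse_fields(m.group(1))
        line = line[:m.start()] + line[m.end():]
    return parse_fields(line), inner


def analyze(line):
    """Classify an iptables LOG line and sanity-check an embedded ICMP error."""
    outer, inner = parse_log_line(line)
    report = {"is_icmp_error": False, "icmp_error": None, "consistent": None,
              "inner_dst_rfc1918": None, "inner_flow": None}
    if outer.get("PROTO") != "ICMP" or inner is None:
        return report
    itype, code = int(outer.get("TYPE", -1)), int(outer.get("CODE", -1))
    if itype not in ICMP_ERROR_TYPES:
        return report
    report["is_icmp_error"] = True
    report["icmp_error"] = (ICMP_UNREACH_CODES.get(code, f"unreachable, code {code}")
                            if itype == 3 else ICMP_ERROR_TYPES[itype])
    # An ICMP error goes back to the source of the packet that failed, so the
    # outer DST must equal the embedded SRC; otherwise the line is not one
    # coherent error report and deserves a closer look.
    report["consistent"] = outer.get("DST") == inner.get("SRC")
    dst = ipaddress.ip_address(inner["DST"])
    report["inner_dst_rfc1918"] = any(dst in net for net in RFC1918)
    report["inner_flow"] = (f"{inner.get('PROTO')} {inner.get('SRC')}:{inner.get('SPT')}"
                            f" -> {inner.get('DST')}:{inner.get('DPT')}")
    return report


if __name__ == "__main__":
    for sample in (ICMP_ERROR_LINE, PLAIN_TCP_LINE):
        print(analyze(sample))
```

Run against the first sample, analyze() reports a "host unreachable" error whose embedded SYN went from the logging host's own address to 192.168.1.100:4662, with the outer DST and inner SRC agreeing; the plain TCP sample yields no inner header at all.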
