Re: Weird!

From: Kostas K (acezerocool_at_yahoo.com)
Date: 07/13/04

  • Next message: Louie Miranda: "Re: Visited by a cracker"
    Date: 13 Jul 2004 13:40:12 -0000
    To: focus-linux@securityfocus.com
    
    
    In-Reply-To: <40EC6DD5.9090407@bcgreen.com>

    Stephen,

    I am using the following rules:

    -iptables -t nat -A PREROUTING -i ppp0 -s 192.168.0.0/16 -j DROP
    -iptables -t nat -A POSTROUTING -o ppp0 -d 192.168.0.0/16 -j DROP

    Do you think that these rules meet the requirements? In case they do not, I will apply yours.
    I have also disabled RIP in my router since it's not the gateway to Internet.

    Regards,
    Kostas

    >My reading is that aa.aaa.aaa is probably attempting to send packets
    >to address 192.168.1.100 OVER THE PPP LINK (i.e. out into the
    >wider internet). [[ You should be egress filtering against such things ]]
    >After a couple of hops, the packet hits a (border?) router that filters
    >against such evils and it sends back the ICMP reject.
    >
    >Suggested rule:
    >
    >-A FORWARD -o ppp0 -d 192.168.0.0/16 -j REJECT
    >-A OUTPUT -o ppp0 -d 192.168.0.0/16 -j REJECT
    >
    >(similarly for other non-routable networks).
    >
    >That should get rid of your weird messages.
    >
    >(( The other possibility is that someone else is faking your
    >source address, but that's rarely of any use with TCP unless they're
    >in a position to capture any response en-route. ))
    >
    >--
    >Stephen Samuel +1(604)876-0426 samuel@bcgreen.com
    > http://www.bcgreen.com/~samuel/
    > Powerful committed communication. Transformation touching
    > the jewel within each person and bringing it to light.
    >
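
The "similarly for other non-routable networks" suggestion in the quoted reply, written out as an added example (not code from either poster), together with a check that reports which chain/network pairs a saved ruleset leaves unfiltered. It assumes the uplink is ppp0 and that the non-routable networks are the three RFC 1918 ranges; `egress_rules`, `missing_egress` and the sample ruleset are hypothetical names and constructed input.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: the uplink is ppp0 and
# "non-routable networks" means the three RFC 1918 private ranges.
PRIVATE_NETS="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"

# Print filter-table egress rules (iptables-restore format) for interface $1.
# FORWARD covers routed LAN traffic, OUTPUT covers the firewall's own traffic.
egress_rules() {
    echo "*filter"
    for net in $PRIVATE_NETS; do
        for chain in FORWARD OUTPUT; do
            echo "-A $chain -o $1 -d $net -j REJECT"
        done
    done
    echo "COMMIT"
}

# Read iptables-save style text on stdin; print each "CHAIN NETWORK" pair that
# has no filter-table DROP/REJECT rule (exact -d match) on interface $1.
missing_egress() {
    awk -v iface="$1" -v nets="$PRIVATE_NETS" '
        /^\*/ { table = substr($1, 2); next }
        table == "filter" && $1 == "-A" {
            out = ""; dst = ""; tgt = ""
            for (i = 3; i < NF; i++) {
                if ($i == "-o") out = $(i + 1)
                if ($i == "-d") dst = $(i + 1)
                if ($i == "-j") tgt = $(i + 1)
            }
            if (out == iface && (tgt == "DROP" || tgt == "REJECT"))
                covered[$2 " " dst] = 1
        }
        END {
            n = split(nets, net, " ")
            for (k = 1; k <= n; k++) {
                fwd = "FORWARD " net[k]; loc = "OUTPUT " net[k]
                if (!(fwd in covered)) print fwd
                if (!(loc in covered)) print loc
            }
        }'
}

# Constructed sample: a ruleset that filters 192.168.0.0/16 only in the nat table.
NAT_ONLY='*nat
-A PREROUTING -s 192.168.0.0/16 -i ppp0 -j DROP
-A POSTROUTING -d 192.168.0.0/16 -o ppp0 -j DROP
COMMIT'
printf '%s\n' "$NAT_ONLY" | missing_egress ppp0    # lists all six gaps
egress_rules ppp0 | missing_egress ppp0            # prints nothing
```

The check counts only filter-table rules because the nat table is consulted only for the first packet of each connection, so it is not a reliable place to filter.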

