Re: Re: debian repository on hit list
The attachment has the iptables output.
Brent
On Thu, 2004-03-04 at 23:49, Mike Mestnik wrote:
> Heh, what we have here is logging of http or ftp data packets. What does
> the low level (iptables) firewall show, i.e. "iptables -t
> {nat,filter,mangle} -L".
>
> Port matches.
> ny.com.www > l3.net.35109
> in:ppp0 out: port:35109 source:rama.progeny.com
>
> Size also matches.
> 17:25:33.064532 rama.progeny.com.www >
> dialup-171.75.199.82.Dial1.SaintLouis1.Level3.net.35109: P
> 59861:59998(137) ack 180 win 65535 (DF) (ttl 54, id 13486, len 177)
> time:Mar 4 17:25:33 in:ppp0 out: port:35109 source:rama.progeny.com
> dest:171.75.199.82 len:177
> tos:0x00 protocol:tcp service:unknown
>
> And
>
> 17:25:35.734325 rama.progeny.com.www >
> dialup-171.75.199.82.Dial1.SaintLouis1.Level3.net.35109: P
> 69787:70218(431) ack 180 win 65535 (DF) (ttl 54, id 25790, len 471)
> time:Mar 4 17:25:35 in:ppp0 out: port:35109 source:rama.progeny.com
> dest:171.75.199.82 len:471
> tos:0x00 protocol:tcp service:unknown
>
>
> --- Brent Elmer <webe3@myrealbox.com> wrote:
> > I used tcpdump in the following way:
> > $tcpdump -a -vvv -i ppp0 host rama.progeny.com -w tcpdump.out
> >
> > then I did this:
> > tcpdump -vvv -r tcpdump.out > tcpdump.readable
> >
> > I saved the firestarter hits to a file. The hits did contain
> > rama.progeny.com hits. I don't know much about interpreting what is
> > going on but here are the two files. Does this show anything or do I
> > need to do something else?
> >
> > Thanks,
> >
> > Brent
> >
> >
> > On Thu, 2004-03-04 at 16:55, Mike Mestnik wrote:
> > > Use tcpdump to find out more info about what is going on.
> > >
> > > --- Brent Elmer <webe3@myrealbox.com> wrote:
> > > > I changed my repository from ftp://archive.progeny.com to
> > > > http://archive.progeny.com in Synaptic. I still get a lot of hits
> > > > for rama.progeny.com in firestarter during Synaptic downloading. The
> > > > downloads stall a lot about the same time that firestarter reports
> > > > the blocked hits from rama.progeny.com. Is there something else I can
> > > > do?
> > > >
> > > > --
> > > > Brent Elmer <webe3@myrealbox.com>
> > > >
> > >
>
>
/home/brent# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
root@elmer:/home/brent# iptables -t filter -L
Chain INPUT (policy DROP)
target prot opt source destination
UNCLEAN all -- anywhere anywhere unclean
ACCEPT tcp -- resolver1.level3.net anywhere tcp flags:!SYN,RST,ACK/SYN
ACCEPT udp -- resolver1.level3.net anywhere
ACCEPT tcp -- resolver2.level3.net anywhere tcp flags:!SYN,RST,ACK/SYN
ACCEPT udp -- resolver2.level3.net anywhere
ACCEPT all -- rama.progeny.com anywhere
DROP all -- 66.250.55.119 anywhere
ACCEPT tcp -- anywhere dialup-171.75.244.123.Dial1.SaintLouis1.Level3.net tcp dpt:ntp
ACCEPT udp -- anywhere dialup-171.75.244.123.Dial1.SaintLouis1.Level3.net udp dpt:ntp
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere dialup-171.75.244.123.Dial1.SaintLouis1.Level3.net limit: avg 10/sec burst 5
LD all -- 0.0.0.0/8 dialup-171.75.244.123.Dial1.SaintLouis1.Level3.net
LD all -- 1.0.0.0/8 dialup-171.75.244.123.Dial1.SaintLouis1.Level3.net
LD all -- 2.0.0.0/8 dialup-171.75.244.123.Dial1.SaintLouis1.Level3.net
LD all -- 5.0.0.0/8 dialup-171.75.244.123.Dial1.SaintLouis1.Level3.net
LD all -- 7.0.0.0/8 dialup-171.75.244.123.Dial1.SaintLouis1.Level3.net
LD all -- 10.0.0.0/8 dialup-171.75.244.123.Dial1.SaintLouis1.Level3.net
LD all -- 23.0.0.0/8 dialup-171.75.244.123.Dial1.SaintLouis1.Level3.net
LD all -- 27.0.0.0/8 dialup-171.75.244.123.Dial1.SaintLouis1.Level3.net
LD all -- 31.0.0.0/8 dialup-171.75.244.123.Dial1.SaintLouis1.Level3.net
LD all -- 36.0.0.0/8 dialup-171.75.244.123.Dial1.SaintLouis1.Level3.net
LD all -- 37.0.0.0/8 dialup-171.75.244.123.Dial1.SaintLouis1.Level3.net
LD all -- 39.0.0.0/8 dialup-171.75.244.123.Dial1.SaintLouis1.Level3.net
LD all -- 41.0.0.0/8 dialup-171.75.244.123.Dial1.SaintLouis1.Level3.net
LD all -- 42.0.0.0/8 dialup-171.75.244.123.Dial1.SaintLouis1.Level3.net
LD all -- 49.0.0.0/8 dialup-171.75.244.123.Dial1.SaintLouis1.Level3.net
LD all -- 50.0.0.0/8 dialup-171.75.244.123.Dial1.SaintLouis1.Level3.net
LD all -- 58.0.0.0/8 dialup-171.75.244.123.Dial1.SaintLouis1.Level3.net
LD all -- 59.0.0.0/8 dialup-171.75.244.123.Dial1.SaintLouis1.Level3.net
LD all -- 70.0.0.0/8 dialup-171.75.244.123.Dial1.SaintLouis1.Level3.net
LD all -- 71.0.0.0/8 dialup-171.75.244.123.Dial1.SaintLouis1.Level3.net
LD all -- 72.0.0.0/8 dialup-171.75.244.123.Dial1.SaintLouis1.Level3.net
LD all -- 73.0.0.0/8 dialup-171.75.244.123.Dial1.SaintLouis1.Level3.net
LD all -- 74.0.0.0/8 dialup-171.75.244.123.Dial1.SaintLouis1.Level3.net
LD all -- 75.0.0.0/8 dialup-171.75.244.123.Dial1.SaintLouis1.Level3.net
LD all -- 76.0.0.0/8 dialup-171.75.244.123.Dial1.SaintLouis1.Level3.net
LD all -- 77.0.0.0/8 dialup-171.75.244.123.Dial1.SaintLouis1.Level3.net
LD all -- 78.0.0.0/8 dialup-171.75.244.123.Dial1.SaintLouis1.Level3.net
LD all -- 79.0.0.0/8 dialup-171.75.244.123.Dial1.SaintLouis1.Level3.net
LD all -- 83.0.0.0/8 dialup-171.75.244.123.Dial1.SaintLouis1.Level3.net
LD all -- 84.0.0.0/8 dialup-171.75.244.123.Dial1.SaintLouis1.Level3.net
LD all -- 85.0.0.0/8 dialup-171.75.244.123.Dial1.SaintLouis1.Level3.net
LD all -- 86.0.0.0/8 dialup-171.75.244.123.Dial1.SaintLouis1.Level3.net
LD all -- 87.0.0.0/8 dialup-171.75.244.123.Dial1.SaintLouis1.Level3.net
LD all -- 88.0.0.0/8 dialup-171.75.244.123.Dial1.SaintLouis1.Level3.net
LD all -- 89.0.0.0/8 dialup-171.75.244.123.Dial1.SaintLouis1.Level3.net
LD all -- 90.0.0.0/8 dialup-171.75.244.123.Dial1.SaintLouis1.Level3.net
LD all -- 91.0.0.0/8 dialup-171.75.244.123.Dial1.SaintLouis1.Level3.net
LD all -- 92.0.0.0/8 dialup-171.75.244.123.Dial1.SaintLouis1.Level3.net
LD all -- 93.0.0.0/8 dialup-171.75.244.123.Dial1.SaintLouis1.Level3.net
LD all -- 94.0.0.0/8 dialup-171.75.244.123.Dial1.SaintLouis1.Level3.net
LD all -- 95.0.0.0/8 dialup-171.75.244.123.Dial1.SaintLouis1.Level3.net
LD all -- 96.0.0.0/8 dialup-171.75.244.123.Dial1.SaintLouis1.Level3.net
LD all -- 97.0.0.0/8 dialup-171.75.244.123.Dial1.SaintLouis1.Level3.net
LD all -- 98.0.0.0/8 dialup-171.75.244.123.Dial1.SaintLouis1.Level3.net
LD all -- 99.0.0.0/8 dialup-171.75.244.123.Dial1.SaintLouis1.Level3.net
LD all -- 100.0.0.0/8 dialup-171.75.244.123.Dial1.SaintLouis1.Level3.net
LD all -- 101.0.0.0/8 dialup-171.75.244.123.Dial1.SaintLouis1.Level3.net
LD all -- 102.0.0.0/8 dialup-171.75.244.123.Dial1.SaintLouis1.Level3.net
LD all -- 103.0.0.0/8 dialup-171.75.244.123.Dial1.SaintLouis1.Level3.net
LD all -- 104.0.0.0/8 dialup-171.75.244.123.Dial1.SaintLouis1.Level3.net
LD all -- 105.0.0.0/8 dialup-171.75.244.123.Dial1.SaintLouis1.Level3.net
LD all -- 106.0.0.0/8 dialup-171.75.244.123.Dial1.SaintLouis1.Level3.net
LD all -- 107.0.0.0/8 dialup-171.75.244.123.Dial1.SaintLouis1.Level3.net
LD all -- 108.0.0.0/8 dialup-171.75.244.123.Dial1.SaintLouis1.Level3.net
LD all -- 109.0.0.0/8 dialup-171.75.244.123.Dial1.SaintLouis1.Level3.net
LD all -- 110.0.0.0/8 dialup-171.75.244.123.Dial1.SaintLouis1.Level3.net
LD all -- 111.0.0.0/8 dialup-171.75.244.123.Dial1.SaintLouis1.Level3.net
LD all -- 112.0.0.0/8 dialup-171.75.244.123.Dial1.SaintLouis1.Level3.net
LD all -- 113.0.0.0/8 dialup-171.75.244.123.Dial1.SaintLouis1.Level3.net
LD all -- 114.0.0.0/8 dialup-171.75.244.123.Dial1.SaintLouis1.Level3.net
LD all -- 115.0.0.0/8 dialup-171.75.244.123.Dial1.SaintLouis1.Level3.net
LD all -- 116.0.0.0/8 dialup-171.75.244.123.Dial1.SaintLouis1.Level3.net
LD all -- 117.0.0.0/8 dialup-171.75.244.123.Dial1.SaintLouis1.Level3.net
LD all -- 118.0.0.0/8 dialup-171.75.244.123.Dial1.SaintLouis1.Level3.net
LD all -- 119.0.0.0/8 dialup-171.75.244.123.Dial1.SaintLouis1.Level3.net
LD all -- 120.0.0.0/8 dialup-171.75.244.123.Dial1.SaintLouis1.Level3.net
LD all -- 121.0.0.0/8 dialup-171.75.244.123.Dial1.SaintLouis1.Level3.net
LD all -- 122.0.0.0/8 dialup-171.75.244.123.Dial1.SaintLouis1.Level3.net
LD all -- 123.0.0.0/8 dialup-171.75.244.123.Dial1.SaintLouis1.Level3.net
LD all -- 124.0.0.0/8 dialup-171.75.244.123.Dial1.SaintLouis1.Level3.net
LD all -- 125.0.0.0/8 dialup-171.75.244.123.Dial1.SaintLouis1.Level3.net
LD all -- 126.0.0.0/8 dialup-171.75.244.123.Dial1.SaintLouis1.Level3.net
LD all -- 127.0.0.0/8 dialup-171.75.244.123.Dial1.SaintLouis1.Level3.net
LD all -- 169.254.0.0/16 dialup-171.75.244.123.Dial1.SaintLouis1.Level3.net
LD all -- 172.16.0.0/12 dialup-171.75.244.123.Dial1.SaintLouis1.Level3.net
LD all -- 173.0.0.0/8 dialup-171.75.244.123.Dial1.SaintLouis1.Level3.net
LD all -- 174.0.0.0/8 dialup-171.75.244.123.Dial1.SaintLouis1.Level3.net
LD all -- 175.0.0.0/8 dialup-171.75.244.123.Dial1.SaintLouis1.Level3.net
LD all -- 176.0.0.0/8 dialup-171.75.244.123.Dial1.SaintLouis1.Level3.net
LD all -- 177.0.0.0/8 dialup-171.75.244.123.Dial1.SaintLouis1.Level3.net
LD all -- 178.0.0.0/8 dialup-171.75.244.123.Dial1.SaintLouis1.Level3.net
LD all -- 179.0.0.0/8 dialup-171.75.244.123.Dial1.SaintLouis1.Level3.net
LD all -- 180.0.0.0/8 dialup-171.75.244.123.Dial1.SaintLouis1.Level3.net
LD all -- 181.0.0.0/8 dialup-171.75.244.123.Dial1.SaintLouis1.Level3.net
LD all -- 182.0.0.0/8 dialup-171.75.244.123.Dial1.SaintLouis1.Level3.net
LD all -- 183.0.0.0/8 dialup-171.75.244.123.Dial1.SaintLouis1.Level3.net
LD all -- 184.0.0.0/8 dialup-171.75.244.123.Dial1.SaintLouis1.Level3.net
LD all -- 185.0.0.0/8 dialup-171.75.244.123.Dial1.SaintLouis1.Level3.net
LD all -- 186.0.0.0/8 dialup-171.75.244.123.Dial1.SaintLouis1.Level3.net
LD all -- 187.0.0.0/8 dialup-171.75.244.123.Dial1.SaintLouis1.Level3.net
LD all -- 189.0.0.0/8 dialup-171.75.244.123.Dial1.SaintLouis1.Level3.net
LD all -- 190.0.0.0/8 dialup-171.75.244.123.Dial1.SaintLouis1.Level3.net
LD all -- 192.0.2.0/24 dialup-171.75.244.123.Dial1.SaintLouis1.Level3.net
LD all -- 192.168.0.0/16 dialup-171.75.244.123.Dial1.SaintLouis1.Level3.net
LD all -- 197.0.0.0/8 dialup-171.75.244.123.Dial1.SaintLouis1.Level3.net
LD all -- 198.18.0.0/15 dialup-171.75.244.123.Dial1.SaintLouis1.Level3.net
LD all -- 223.0.0.0/8 dialup-171.75.244.123.Dial1.SaintLouis1.Level3.net
LD all -- BASE-ADDRESS.MCAST.NET/3 dialup-171.75.244.123.Dial1.SaintLouis1.Level3.net
LD tcp -- anywhere dialup-171.75.244.123.Dial1.SaintLouis1.Level3.net tcp dpt:31337 limit: avg 2/min burst 5
LD udp -- anywhere dialup-171.75.244.123.Dial1.SaintLouis1.Level3.net udp dpt:31337 limit: avg 2/min burst 5
LD tcp -- anywhere dialup-171.75.244.123.Dial1.SaintLouis1.Level3.net tcp dpt:33270 limit: avg 2/min burst 5
LD udp -- anywhere dialup-171.75.244.123.Dial1.SaintLouis1.Level3.net udp dpt:33270 limit: avg 2/min burst 5
LD tcp -- anywhere dialup-171.75.244.123.Dial1.SaintLouis1.Level3.net tcp dpt:1234 limit: avg 2/min burst 5
LD tcp -- anywhere dialup-171.75.244.123.Dial1.SaintLouis1.Level3.net tcp dpt:6711 limit: avg 2/min burst 5
LD tcp -- anywhere dialup-171.75.244.123.Dial1.SaintLouis1.Level3.net tcp dpt:16660 flags:SYN,RST,ACK/SYN limit: avg 2/min burst 5
LD tcp -- anywhere dialup-171.75.244.123.Dial1.SaintLouis1.Level3.net tcp dpt:60001 flags:SYN,RST,ACK/SYN limit: avg 2/min burst 5
LD tcp -- anywhere dialup-171.75.244.123.Dial1.SaintLouis1.Level3.net tcp dpts:12345:12346 limit: avg 2/min burst 5
LD udp -- anywhere dialup-171.75.244.123.Dial1.SaintLouis1.Level3.net udp dpts:12345:12346 limit: avg 2/min burst 5
LD tcp -- anywhere dialup-171.75.244.123.Dial1.SaintLouis1.Level3.net tcp dpt:loc-srv limit: avg 2/min burst 5
LD udp -- anywhere dialup-171.75.244.123.Dial1.SaintLouis1.Level3.net udp dpt:loc-srv limit: avg 2/min burst 5
LD tcp -- anywhere dialup-171.75.244.123.Dial1.SaintLouis1.Level3.net tcp dpt:ingreslock limit: avg 2/min burst 5
LD tcp -- anywhere dialup-171.75.244.123.Dial1.SaintLouis1.Level3.net tcp dpt:27665 limit: avg 2/min burst 5
LD udp -- anywhere dialup-171.75.244.123.Dial1.SaintLouis1.Level3.net udp dpt:27444 limit: avg 2/min burst 5
LD udp -- anywhere dialup-171.75.244.123.Dial1.SaintLouis1.Level3.net udp dpt:31335 limit: avg 2/min burst 5
LD all -- BASE-ADDRESS.MCAST.NET/8 anywhere
LD all -- anywhere BASE-ADDRESS.MCAST.NET/8
LD all -- 255.255.255.255 anywhere
LD all -- anywhere 0.0.0.0
DROP all -- 10.0.0.255 anywhere
DROP all -- 0.0.0.0 anywhere
DROP all -- anywhere 255.255.255.255
DROP all -- anywhere 0.0.0.0
LD all -- anywhere anywhere state INVALID
LD all -f anywhere anywhere limit: avg 10/min burst 5
LD tcp -- anywhere anywhere tcp flags:!SYN,RST,ACK/SYN state NEW
STATE tcp -- anywhere dialup-171.75.244.123.Dial1.SaintLouis1.Level3.net tcp dpts:1024:65535
ACCEPT udp -- anywhere dialup-171.75.244.123.Dial1.SaintLouis1.Level3.net udp dpts:1023:65535
LD all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy DROP)
target prot opt source destination
UNCLEAN all -- anywhere anywhere unclean
ACCEPT all -- anywhere anywhere
LD tcp -- dialup-171.75.244.123.Dial1.SaintLouis1.Level3.net anywhere tcp dpt:31337 limit: avg 2/min burst 5
LD udp -- dialup-171.75.244.123.Dial1.SaintLouis1.Level3.net anywhere udp dpt:31337 limit: avg 2/min burst 5
LD tcp -- dialup-171.75.244.123.Dial1.SaintLouis1.Level3.net anywhere tcp dpt:33270 limit: avg 2/min burst 5
LD udp -- dialup-171.75.244.123.Dial1.SaintLouis1.Level3.net anywhere udp dpt:33270 limit: avg 2/min burst 5
LD tcp -- dialup-171.75.244.123.Dial1.SaintLouis1.Level3.net anywhere tcp dpt:1234 limit: avg 2/min burst 5
LD tcp -- dialup-171.75.244.123.Dial1.SaintLouis1.Level3.net anywhere tcp dpt:6711 limit: avg 2/min burst 5
LD tcp -- dialup-171.75.244.123.Dial1.SaintLouis1.Level3.net anywhere tcp dpt:16660 flags:SYN,RST,ACK/SYN limit: avg 2/min burst 5
LD tcp -- dialup-171.75.244.123.Dial1.SaintLouis1.Level3.net anywhere tcp dpt:60001 flags:SYN,RST,ACK/SYN limit: avg 2/min burst 5
LD tcp -- dialup-171.75.244.123.Dial1.SaintLouis1.Level3.net anywhere tcp dpts:12345:12346 limit: avg 2/min burst 5
LD udp -- dialup-171.75.244.123.Dial1.SaintLouis1.Level3.net anywhere udp dpts:12345:12346 limit: avg 2/min burst 5
LD tcp -- dialup-171.75.244.123.Dial1.SaintLouis1.Level3.net anywhere tcp dpt:loc-srv limit: avg 2/min burst 5
LD udp -- dialup-171.75.244.123.Dial1.SaintLouis1.Level3.net anywhere udp dpt:loc-srv limit: avg 2/min burst 5
LD tcp -- dialup-171.75.244.123.Dial1.SaintLouis1.Level3.net anywhere tcp dpt:ingreslock limit: avg 2/min burst 5
LD tcp -- dialup-171.75.244.123.Dial1.SaintLouis1.Level3.net anywhere tcp dpt:27665 limit: avg 2/min burst 5
LD udp -- dialup-171.75.244.123.Dial1.SaintLouis1.Level3.net anywhere udp dpt:27444 limit: avg 2/min burst 5
LD udp -- dialup-171.75.244.123.Dial1.SaintLouis1.Level3.net anywhere udp dpt:31335 limit: avg 2/min burst 5
LD all -- BASE-ADDRESS.MCAST.NET/8 anywhere
LD all -- anywhere BASE-ADDRESS.MCAST.NET/8
LD all -- 255.255.255.255 anywhere
LD all -- anywhere 0.0.0.0
DROP tcp -- anywhere anywhere tcp flags:!SYN,RST,ACK/SYN state NEW
all -- anywhere anywhere TTL match TTL == 64
ACCEPT icmp -- dialup-171.75.244.123.Dial1.SaintLouis1.Level3.net anywhere
ACCEPT all -- anywhere anywhere
Chain LD (146 references)
target prot opt source destination
LOG all -- anywhere anywhere LOG level warning
DROP all -- anywhere anywhere
Chain SANITY (0 references)
target prot opt source destination
LD all -- anywhere anywhere
Chain STATE (1 references)
target prot opt source destination
LD all -- anywhere anywhere state NEW
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
LD all -- anywhere anywhere
Chain UNCLEAN (2 references)
target prot opt source destination
LD all -- anywhere anywhere
root@elmer:/home/brent# iptables -t mangle -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
root@elmer:/home/brent#
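As an added example (not code from this thread, from Firestarter or from tcpdump), the script below does mechanically what the quoted reply does by eye: it parses the tcpdump -vvv lines and the Firestarter hit records, pairs them on timestamp, sending host, destination port and IP total length, and reports which captured packets the firewall logged as blocked. The sample records are the two pairs quoted above, re-joined onto single lines where the mail wrapped them, plus one constructed packet with no matching hit; all function and class names are my own.

```python
"""Pair Firestarter 'blocked hit' records with tcpdump packets (example code)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# tcpdump 3.x text line, as quoted in the thread:
#   HH:MM:SS.usec src.port > dst.port: FLAGS seq:seq(payload) ack N ... (ttl T, id I, len L)
TCPDUMP_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d)\.\d+\s+(?P<src>\S+)\s+>\s+(?P<dst>\S+):\s+"
    r"(?P<flags>[A-Z.]+)\s+(?:(?P<seq>\d+:\d+)\((?P<payload>\d+)\)\s+)?"
    r"(?:ack\s+(?P<ack>\d+)\s+)?.*?\blen\s+(?P<len>\d+)\)"
)
# Firestarter hit record: "time:Mar 4 17:25:33 in:ppp0 out: port:35109 source:... len:177 ..."
FIRESTARTER_TIME_RE = re.compile(
    r"^time:(?P<mon>\w{3})\s+(?P<day>\d+)\s+(?P<ts>\d\d:\d\d:\d\d)\s+(?P<rest>.*)$"
)
FIELD_RE = re.compile(r"(\w+):(\S*)")  # key:value pairs; "out:" may be empty


@dataclass(frozen=True)
class Packet:
    ts: str
    src_host: str
    src_port: str
    dst_host: str
    dst_port: str
    flags: str
    payload: int          # TCP payload bytes, the "(137)" in tcpdump
    ack: Optional[int]
    ip_len: int           # IP total length, the "len 177" in tcpdump


@dataclass(frozen=True)
class Hit:
    ts: str
    iface_in: str
    port: str
    source: str
    dest: str
    ip_len: int           # Firestarter's len: is the IP total length too
    protocol: str


def split_host_port(endpoint: str) -> Tuple[str, str]:
    """tcpdump prints 'host.port'; the port may be a service name such as 'www'."""
    host, _, port = endpoint.rpartition(".")
    return host, port


def parse_tcpdump(line: str) -> Optional[Packet]:
    m = TCPDUMP_RE.match(line.strip())
    if not m:
        return None
    src_host, src_port = split_host_port(m["src"])
    dst_host, dst_port = split_host_port(m["dst"])
    return Packet(ts=m["ts"], src_host=src_host, src_port=src_port,
                  dst_host=dst_host, dst_port=dst_port, flags=m["flags"],
                  payload=int(m["payload"] or 0),
                  ack=int(m["ack"]) if m["ack"] else None, ip_len=int(m["len"]))


def parse_firestarter(line: str) -> Optional[Hit]:
    m = FIRESTARTER_TIME_RE.match(line.strip())
    if not m:
        return None
    fields: Dict[str, str] = dict(FIELD_RE.findall(m["rest"]))
    try:
        return Hit(ts=m["ts"], iface_in=fields.get("in", ""), port=fields["port"],
                   source=fields["source"], dest=fields["dest"],
                   ip_len=int(fields["len"]), protocol=fields.get("protocol", ""))
    except (KeyError, ValueError):
        return None


def correlate(hits: List[Hit], packets: List[Packet]) -> Tuple[List[Tuple[Hit, Packet]], List[Packet]]:
    """Match each hit to the first unused packet with the same second, sender,
    destination port and IP length; return the pairs and the packets that
    were captured but never logged as blocked."""
    pairs: List[Tuple[Hit, Packet]] = []
    remaining = list(packets)
    for hit in hits:
        for pkt in remaining:
            if (pkt.ts == hit.ts and pkt.src_host == hit.source
                    and pkt.dst_port == hit.port and pkt.ip_len == hit.ip_len):
                pairs.append((hit, pkt))
                remaining.remove(pkt)
                break
    return pairs, remaining


def describe(pkt: Packet) -> str:
    """Say what kind of TCP segment was dropped; a data segment carrying an ack
    belongs to a connection that was already established."""
    if "S" in pkt.flags:
        return "connection setup (SYN)"
    if pkt.ack is not None and pkt.payload > 0:
        return "mid-connection data segment"
    return "other"


# Sample input: the two pairs quoted in the thread (tcpdump records re-joined onto
# one line) plus one constructed packet that the firewall did not log.
SAMPLE_TCPDUMP = [
    "17:25:33.064532 rama.progeny.com.www > dialup-171.75.199.82.Dial1.SaintLouis1.Level3.net.35109: P 59861:59998(137) ack 180 win 65535 (DF) (ttl 54, id 13486, len 177)",
    "17:25:35.734325 rama.progeny.com.www > dialup-171.75.199.82.Dial1.SaintLouis1.Level3.net.35109: P 69787:70218(431) ack 180 win 65535 (DF) (ttl 54, id 25790, len 471)",
    "17:25:34.100000 rama.progeny.com.www > dialup-171.75.199.82.Dial1.SaintLouis1.Level3.net.35109: . 59998:61458(1460) ack 180 win 65535 (DF) (ttl 54, id 13500, len 1500)",
]
SAMPLE_FIRESTARTER = [
    "time:Mar 4 17:25:33 in:ppp0 out: port:35109 source:rama.progeny.com dest:171.75.199.82 len:177 tos:0x00 protocol:tcp service:unknown",
    "time:Mar 4 17:25:35 in:ppp0 out: port:35109 source:rama.progeny.com dest:171.75.199.82 len:471 tos:0x00 protocol:tcp service:unknown",
]

if __name__ == "__main__":
    pairs, passed = correlate([h for h in map(parse_firestarter, SAMPLE_FIRESTARTER) if h],
                              [p for p in map(parse_tcpdump, SAMPLE_TCPDUMP) if p])
    for hit, pkt in pairs:
        print(f"{hit.ts} blocked {pkt.src_host}:{pkt.src_port} -> :{pkt.dst_port} "
              f"len {pkt.ip_len} ({pkt.payload} payload + {pkt.ip_len - pkt.payload} headers): {describe(pkt)}")
    print(f"{len(passed)} captured packet(s) were not logged as blocked")
```

The length difference between the two formats is the point to keep in mind when reading them side by side: tcpdump's parenthesised number is TCP payload bytes while both its `len` and Firestarter's `len:` are the IP total length, so the 40-byte gap is just the IPv4 and TCP headers. One caveat when reading the attached ruleset: `iptables -L` without `-v` omits the in/out interface columns, so a rule listed as `ACCEPT all -- anywhere anywhere` may be bound to a single interface; `iptables -L -v -n` shows that.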