How are these packets getting created?
Hi,
I have a router / switch that sits between my Debian machine and
the cable modem. It does NAT. I also have iptables running on my Debian
system, and I noticed that the following packets were being dropped by the
Debian firewall:
Debugging sambaIN= OUT=eth0 SRC=192.168.1.103 DST=65.75.178.249 LEN=60
TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=33063 DPT=12345
WINDOW=5808 RES=0x00 SYN URGP=0
Debugging sambaIN= OUT=eth0 SRC=192.168.1.103 DST=65.75.178.249 LEN=60
TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=33067 DPT=12345
WINDOW=5808 RES=0x00 SYN URGP=0
Debugging sambaIN= OUT=eth0 SRC=192.168.1.103 DST=65.75.178.249 LEN=60
TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=33067 DPT=12345
WINDOW=5808 RES=0x00 SYN URGP=0
Debugging sambaIN= OUT=eth0 SRC=192.168.1.103 DST=65.75.178.249 LEN=60
TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=33067 DPT=12345
WINDOW=5808 RES=0x00 SYN URGP=0
Debugging sambaIN= OUT=eth0 SRC=192.168.1.103 DST=69.61.33.146 LEN=60
TOS=0x00 PREC=0x00 TTL=64 ID=54529 DF PROTO=TCP SPT=33123 DPT=7777
WINDOW=5808 RES=0x00 SYN URGP=0
Given that I wasn't doing anything to connect to these machines,
the question then is: are these packets really coming from my Debian
machine (IP = 192.168.1.103), or are these forged packets? And if they are
forged, how are they getting across the NAT router?
I do have other machines on my internal network that I don't trust
at all. How would I go about finding where these packets are coming from?
MAC addresses?
Thanks,
Jor-el
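An added example (not part of the original thread) for reading these iptables LOG lines mechanically: it parses the KEY=VALUE fields and uses the IN=/OUT= pair to tell whether a logged packet was generated by the logging host itself (IN= empty, OUT= set, i.e. the OUTPUT chain) or was another machine's packet being routed through it (both set, the FORWARD chain). It assumes the standard iptables LOG field layout; the sample lines are the ones quoted in the post above.

```python
import re
from collections import Counter

# The five log entries quoted in the post, one entry per line. The "Debugging samba"
# prefix runs straight into IN= because the --log-prefix had no trailing space.
SAMPLE_LOG = """\
Debugging sambaIN= OUT=eth0 SRC=192.168.1.103 DST=65.75.178.249 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=33063 DPT=12345 WINDOW=5808 RES=0x00 SYN URGP=0
Debugging sambaIN= OUT=eth0 SRC=192.168.1.103 DST=65.75.178.249 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=33067 DPT=12345 WINDOW=5808 RES=0x00 SYN URGP=0
Debugging sambaIN= OUT=eth0 SRC=192.168.1.103 DST=65.75.178.249 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=33067 DPT=12345 WINDOW=5808 RES=0x00 SYN URGP=0
Debugging sambaIN= OUT=eth0 SRC=192.168.1.103 DST=65.75.178.249 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=33067 DPT=12345 WINDOW=5808 RES=0x00 SYN URGP=0
Debugging sambaIN= OUT=eth0 SRC=192.168.1.103 DST=69.61.33.146 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=54529 DF PROTO=TCP SPT=33123 DPT=7777 WINDOW=5808 RES=0x00 SYN URGP=0
"""

# KEY=VALUE pairs; no leading \b so "sambaIN=" still yields ("IN", "").
FIELD_RE = re.compile(r"([A-Z]+)=(\S*)")
# Bare tokens the LOG target emits without an '=' (IP and TCP flags).
BARE_FLAGS = {"DF", "MF", "CE", "SYN", "ACK", "FIN", "RST", "PSH", "URG"}


def parse_line(line):
    """Return the KEY=VALUE fields of one LOG line plus a 'flags' set."""
    fields = dict(FIELD_RE.findall(line))
    fields["flags"] = {tok for tok in line.split() if tok in BARE_FLAGS}
    return fields


def classify_origin(fields):
    """Infer the netfilter hook (and so the packet's origin) from IN=/OUT=.
    OUTPUT chain: IN empty, OUT set -> the logging host's own stack built it.
    FORWARD chain: both set -> routed on behalf of some other host.
    INPUT chain: IN set, OUT empty -> addressed to the logging host."""
    in_if, out_if = fields.get("IN", ""), fields.get("OUT", "")
    if not in_if and out_if:
        return "local"
    if in_if and out_if:
        return "forwarded"
    if in_if and not out_if:
        return "inbound"
    return "unknown"


def summarize(log_text):
    """Count logged packets by origin, source, destination, protocol and port."""
    counts = Counter()
    for line in log_text.splitlines():
        if "PROTO=" not in line:
            continue  # skip anything that is not an iptables LOG line
        f = parse_line(line)
        key = (classify_origin(f), f["SRC"], f["DST"], f["PROTO"], f.get("DPT"))
        counts[key] += 1
    return counts
```

For the lines in the post every entry classifies as "local", which is what you would expect from packets the Debian host's own stack emitted; a packet spoofed by another LAN host and routed would have shown up with IN= set as well.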