Re: How are these packets getting created?
On 5 Jul 2004, Jor-el wrote:
> I have a router / switch that sits between my Debian machine at the
> cable modem. It does NAT. I also have iptables running on my Debian
> system, and I noticed that the following packets were being dropped by
> the Debian firewall :
Just to be clear, the firewall you refer to here is running on
192.168.1.103, right? That is my reading of that statement, but not a
very certain one...
> Debugging sambaIN= OUT=eth0 SRC=192.168.1.103 DST=65.75.178.249 LEN=60
> TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=33063 DPT=12345
> WINDOW=5808 RES=0x00 SYN URGP=0
> Debugging sambaIN= OUT=eth0 SRC=192.168.1.103 DST=65.75.178.249 LEN=60
> TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=33067 DPT=12345
> WINDOW=5808 RES=0x00 SYN URGP=0
> Debugging sambaIN= OUT=eth0 SRC=192.168.1.103 DST=65.75.178.249 LEN=60
> TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=33067 DPT=12345
> WINDOW=5808 RES=0x00 SYN URGP=0
> Debugging sambaIN= OUT=eth0 SRC=192.168.1.103 DST=65.75.178.249 LEN=60
> TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=33067 DPT=12345
> WINDOW=5808 RES=0x00 SYN URGP=0
> Debugging sambaIN= OUT=eth0 SRC=192.168.1.103 DST=69.61.33.146 LEN=60
> TOS=0x00 PREC=0x00 TTL=64 ID=54529 DF PROTO=TCP SPT=33123 DPT=7777
> WINDOW=5808 RES=0x00 SYN URGP=0
>
> Given that I wasnt doing anything to connect to these machines, the
> question then is : are these packets really coming from my Debian
> machine (ip = 192.168.1.103), or are these forged packets?
Well, they are originating on the machine 192.168.1.103, and heading out
via the first Ethernet card, so they look likely to have originated on
that machine, yes. :)
It looks to me like some process running on your Debian system is trying
to connect to an Internet site, and that your firewall rules block that
access.
Regards,
Daniel
--
There is no female mind. The brain is not an organ of sex.
As well to speak of a female liver.
-- Charlette Perkins
Reply to: