No, it's not at all uncommon to see incoming traffic from well-known ports. It's an easy way to bypass weakly configured firewalls.
Can this weakness be fixed by having these lines in the iptables rules?
----
EXTERNAL_IF="eth0"

# Log and drop incoming TCP connection establishment packets.
iptables -A INPUT -i "$EXTERNAL_IF" -p tcp --syn -j LOG --log-prefix "TCP-SYN: "
iptables -A INPUT -i "$EXTERNAL_IF" -p tcp --syn -j DROP

# Allow packets from already established connections (redundant?)
iptables -A INPUT -i "$EXTERNAL_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
----
jmb
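
The weak configuration discussed above is a rule that accepts inbound packets because of their source port alone. The following is an added example, not part of the original thread: a small audit that reads `iptables-save` output and lists INPUT rules that ACCEPT on `--sport`/`--sports` without restricting the match to established state. The function names and the sample ruleset are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit iptables-save output for INPUT rules that trust a
# source port without tying the match to connection state.

# Constructed sample ruleset (not taken from the thread).
sample_rules() {
cat <<'EOF'
*filter
:INPUT DROP [0:0]
-A INPUT -i eth0 -p udp -m udp --sport 53 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --sport 80 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
}

# Read a ruleset on stdin; print each INPUT ACCEPT rule that matches on a
# source port and either has no state match or still admits NEW packets.
find_sport_trust() {
    awk '
        /^-A INPUT / && /-j ACCEPT/ && /--sports? / {
            has_state  = ($0 ~ /--(ct)?state [A-Z,]+/)
            allows_new = ($0 ~ /--(ct)?state [A-Z,]*NEW/)
            if (!has_state || allows_new) print
        }'
}

# Number of offending rules in the ruleset on stdin.
count_sport_trust() {
    find_sport_trust | wc -l | tr -d ' '
}

# Stand-alone run: show the findings for the constructed sample.
sample_rules | find_sport_trust
```

On a live host the same functions can be fed real rules with `iptables-save | find_sport_trust` (requires root).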