Re: newbie iptables question
What those lines are saying is that on your ppp0 interface (your dialup)
you got a SYN packet from 188.8.131.52 (SRC) to 184.108.40.206 (DST) sent
from port 4346 (SPT) to port 445 (DPT).
SYN packets are sent to establish a connection.
Port 445 is listed as microsoft-ds (Microsoft Naked CIFS) so I would
guess it was some search for windows machines for some exploit ...
But what you need to know to learn how to read the logs is:
SRC = reported sending IP for the package.
DST = reported target IP for the package.
SPT = reported sending port for the package.
DPT = reported target port for the package.
For the target port you can often find it in /etc/services if it's a standard
port for a known service.
Hope this cleared this up a little, I'm not that much of a teacher ... :)
13 Aug 2004, Wanda Round wrote:
> After reading that I should look through /var/log/messages, I did
> and found many lines like these:
> Aug 12 04:36:53 towern kernel: |iptables -- IN=ppp0 OUT= MAC=
> SRC=220.127.116.11 DST=18.104.22.168 LEN=48 TOS=0x00 PREC=0x00 TTL=115
> ID=40023 DF PROTO=TCP SPT=4346 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0
> Aug 12 04:40:59 towern kernel: |iptables -- IN=ppp0 OUT= MAC=
> SRC=22.214.171.124 DST=126.96.36.199 LEN=52 TOS=0x00 PREC=0x00 TTL=46
> ID=19155 DF PROTO=TCP SPT=4845 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0
> The 188.8.131.52 was my dialup connection. The 201.129.etc and 83.36.etc
> were from Mexico and Spain.
> MAN iptables didn't help me at all!
> What are these lines telling me? Where can I find a simpler explanation
> of iptables logs?
Network and System Admin
Trema Laboratories SARL
Email : Martin.Grape@trema.com
Phone : +33-4-92384149
GSM : +33-6-30655938
1300 route des Cretes, Parc de Sophia-Antipolis, F-06560 Valbonne, France
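An added example (not from either poster) that reads netfilter LOG lines like the two quoted above, pulls out the SRC/DST/SPT/DPT fields and bare flags (DF, SYN), resolves the target port via /etc/services as the reply suggests, and counts hits per destination port so repeated probes of one port stand out. The FALLBACK_SERVICES table is an assumed minimal subset used only when /etc/services is unreadable.

```python
from collections import Counter
from pathlib import Path

# Sample input: the two log lines quoted in the thread, each rejoined onto one line.
SAMPLE_LOG = """\
Aug 12 04:36:53 towern kernel: |iptables -- IN=ppp0 OUT= MAC= SRC=220.127.116.11 DST=18.104.22.168 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=40023 DF PROTO=TCP SPT=4346 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0
Aug 12 04:40:59 towern kernel: |iptables -- IN=ppp0 OUT= MAC= SRC=22.214.171.124 DST=126.96.36.199 LEN=52 TOS=0x00 PREC=0x00 TTL=46 ID=19155 DF PROTO=TCP SPT=4845 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0
"""

# Assumed fallback when /etc/services cannot be read (constructed, not exhaustive).
FALLBACK_SERVICES = {("tcp", 445): "microsoft-ds", ("tcp", 22): "ssh", ("tcp", 80): "http"}


def parse_iptables_log(line):
    """Split a LOG-target line into KEY=VALUE fields plus a set of bare flags.

    Empty values (OUT=, MAC=) are kept as "", bare tokens such as DF and SYN
    go into the "flags" set. Returns None for lines that are not netfilter logs."""
    _prefix, sep, body = line.partition(" IN=")
    if not sep:
        return None
    fields, flags = {}, set()
    for tok in ("IN=" + body).split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value
        else:
            flags.add(tok)
    fields["flags"] = flags
    return fields


def service_name(proto, port, services_path="/etc/services"):
    """Look up port/proto in /etc/services (e.g. 'microsoft-ds 445/tcp'), else fallback."""
    try:
        for raw in Path(services_path).read_text().splitlines():
            cols = raw.split("#", 1)[0].split()
            if len(cols) >= 2 and cols[1] == f"{port}/{proto}":
                return cols[0]
    except OSError:
        pass
    return FALLBACK_SERVICES.get((proto, port), "unknown")


def describe(rec):
    """One-line human reading of a parsed record: who, to where, which service, what kind."""
    proto, dpt = rec.get("PROTO", "?").lower(), int(rec["DPT"])
    kind = "new connection attempt (SYN)" if "SYN" in rec["flags"] and "ACK" not in rec["flags"] else "other"
    return f"{rec['IN']}: {rec['SRC']}:{rec['SPT']} -> {rec['DST']}:{dpt} ({service_name(proto, dpt)}) {kind}"


def count_target_ports(log_text):
    """Count (PROTO, DPT) pairs; the same port hit from several sources suggests a scan."""
    recs = filter(None, (parse_iptables_log(l) for l in log_text.splitlines()))
    return Counter((r.get("PROTO"), r.get("DPT")) for r in recs)
```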