Re: newbie iptables question
Hi
What those lines is saying is that on your ppp0 interface (your dialup)
you got a SYN packet from 201.129.122.85 (SRC) to 12.65.24.43 (DST) sent
from port 4346 (SPT) to port 445 (DPT).
SYN packages is sent to establish a connection.
Port 445 is listed as microsoft-ds (Microsoft Naked CIFS) so I would
guess it was some search for windows machines for some exploit ...
But what you need to know to learn how to read the logs is:
SRC = reported sending IP for the package.
DST = reported target IP for the package.
SPT = reported sending port for the package.
DPT = reported target port for the package.
For the target port you can often find it in /etc/services if its a standard
port for a known service.
Hope this cleared this up a little, I'm not that much of a teacher ... :)
/Martin
13 Aug 2004, Wanda Round wrote:
> After reading that I should look through /var/log/messages, I did
> and found many lines like these:
>
> Aug 12 04:36:53 towern kernel: |iptables -- IN=ppp0 OUT= MAC=
> SRC=201.129.122.85 DST=12.65.24.43 LEN=48 TOS=0x00 PREC=0x00 TTL=115
> ID=40023 DF PROTO=TCP SPT=4346 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0
>
> Aug 12 04:40:59 towern kernel: |iptables -- IN=ppp0 OUT= MAC=
> SRC=83.36.139.197 DST=12.65.24.43 LEN=52 TOS=0x00 PREC=0x00 TTL=46
> ID=19155 DF PROTO=TCP SPT=4845 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0
>
> The 12.65.24.43 was my dialup connection. The 201.129.etc and 83.36.etc
> were from Mexico and Spain.
>
> MAN iptables didn't help me at all!
>
> What are these lines telling me? Where can I find a simpler explanation
> of iptables logs?
>
> --
> Wanda
>
>
> --
> To UNSUBSCRIBE, email to debian-security-REQUEST@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
--
/Martin Grape
Network and System Admin
Trema Laboratories SARL
Email : Martin.Grape@trema.com | 1300 route des Cretes
Phone : +33-4-92384149 | Parc de Sophia-Antipolis
GSM : +33-6-30655938 | F-06560 Valbonne, France
Reply to: