Re: outgoing 10.x.x.x packets being logged

From: H. S. (g_reate_xcalibur_at_yahoo.com)
Date: 05/19/04


Date: Tue, 18 May 2004 22:01:06 GMT

jack wrote:

> First of all, how do You connect to Your ADSL? - If it's via pppoe, the
> IP settings for Your eth0 will never be used (and, as I was told only
> recently, You needn't have them at all. - Before that, I thought that
> You'd need to have such parameters defined in order to get that NIC set
> up, at least. But, please, read on.).

I am using pppoe. My IP is a new one each time I connect. And just like
you, I also recently learned that I need not have any IP assigned to
eth0 at all. I just haven't changed my settings yet.

> It would be helpful to either tell us about the rules You have, or,
> even better, give a brief summary of what You think they are.

I will post a summary when I go home tonight.

> First question: In my iptables logs there's a MAC field, which does
> not show here (but would be very helpful in finding where those packets
> come from).

I noticed that too. I looked for the MAC address to see which computer
in my internal LAN was initiating these packets. But since SRC=10.0.0.1,
I was thinking maybe it was being generated by eth0.

>
> You say that all Your LAN clients are on 192.168/16, so we may assume
> that all this is locally generated traffic.
>
> TCP port 2500 is also known as "rtsserv", Resource Tracking System
> server. - Try to find what is creating this, and how come that this
> process in question wants to reach destinations inside the 10/8
> subnet (randomly, as it seems).

BTW, one of the rules in my firewall says that if anything targeted to
192.168.x.x is being sent towards ppp0, it should be dropped and logged.
Since I started using the 10.0.0.1 as the IP of eth0, I haven't yet
inserted a rule that says to do the same for 10.x.x.x destination packets.

>
> Again, perhaps You want to try what will happen if You assign no IP
> address to eth0 at all, or one of 192.168/16 that will not collide
> with Your LAN(s). - You could also try to find the owners of those
> TCP dport 2500 packets to find what's going on.

Yup, changing the IP of eth0 is one option that I was already thinking
about. I am not sure though how to find the owner of the packets. When I
go home, I will try to google and perhaps I will see how to do that.

> col.security is, IMHO, frequent enough, but what You write here is
> not yet specific enough to treat it as a security issue. You will have
> to find the basic context for this first, and then decide where to go.

Fair enough.

> col.networking is exactly the place to do that, good. - Although I am
> sorry not to be able to give a "Hey, that's this and that"-answer,
> I "HTH", a bit, at least.

Yes, of course that helps. At least I am getting started on how to get
to the bottom of this if possible.

Many thanks,
->HS

-- 
(Remove all underscores, if any, from my email address to get the correct 
one. Apologies for the inconvenience but this is to reduce spam.)
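
Added example, not part of the original post: a small Python parser for iptables LOG lines that picks out packets leaving ppp0 for an RFC 1918 destination and uses the empty IN= field to tell traffic generated on the firewall host from traffic forwarded for a LAN client. The sample lines, the "DROP-PRIV" log prefix and the host name "gw" are constructed, and the code assumes the LOG rules sit in the OUTPUT and FORWARD chains.

```python
import ipaddress
import re

# RFC 1918 ranges that should never leave through the ISP-facing interface.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")

def parse_fields(line):
    """Return the KEY=value fields of an iptables LOG line (first occurrence wins)."""
    fields = {}
    for key, value in FIELD_RE.findall(line):
        fields.setdefault(key, value)
    return fields

def classify(line, wan_if="ppp0"):
    """Describe a private-destination packet leaving wan_if, or return None."""
    f = parse_fields(line)
    if f.get("OUT") != wan_if:
        return None
    try:
        dst = ipaddress.ip_address(f.get("DST", ""))
    except ValueError:
        return None  # not a LOG line, or the DST field is damaged
    if not any(dst in net for net in PRIVATE_NETS):
        return None
    # An empty IN= means there was no input interface: the firewall host
    # itself generated the packet (OUTPUT chain) rather than forwarding it.
    origin = "local" if not f.get("IN") else "forwarded"
    return {"origin": origin, "src": f.get("SRC"),
            "dst": str(dst), "dpt": f.get("DPT")}

# Constructed sample lines in the kernel's LOG target format.
SAMPLE_LOG = [
    "May 18 21:40:01 gw kernel: DROP-PRIV IN= OUT=ppp0 SRC=10.0.0.1 "
    "DST=10.23.4.17 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4121 DF PROTO=TCP "
    "SPT=33012 DPT=2500 WINDOW=5840 RES=0x00 SYN URGP=0",
    "May 18 21:40:09 gw kernel: DROP-PRIV IN=eth0 OUT=ppp0 SRC=192.168.1.5 "
    "DST=192.168.7.9 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=811 DF PROTO=TCP "
    "SPT=40110 DPT=445 WINDOW=5840 RES=0x00 SYN URGP=0",
    "May 18 21:40:12 gw kernel: OUT-OK IN= OUT=ppp0 SRC=10.0.0.1 "
    "DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4122 DF PROTO=TCP "
    "SPT=33013 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0",
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(classify(entry))
```

For packets classified as "local", the LOG target's --log-uid option (usable in the OUTPUT chain) adds the sending user's UID to each line, which narrows down the owning process.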

