On Tuesday 04 February 2003 04:38 am, SB CH wrote:
> Hello, all.
>
> When I see my iptables log, I found a curious log like this.
> What's the meaning and how can I understand it?
>
> Thanks in advance.
>
> Feb 4 18:20:22 server kernel: [DROP] : IN=eth0 OUT=
> MAC=00:07:e8:03:a2:19:01:00:fd:08:c4:a0:08:00 SRC=144.59.12.19
> DST=192.168.0.3 LEN=56 TOS=0x00 PREC=0x00 TTL=126 ID=61588 PROTO=ICMP
> TYPE=3 CODE=13 [SRC=192.168.0.3 DST=144.59.26.61 LEN=48 TOS=0x00
> PREC=0x00 TTL=61 ID=12004 PROTO=TCP INCOMPLETE [8 bytes] ]
>
> ps: TYPE=3 CODE=13 means "Communication Administratively Prohibited"

The source of this ICMP message is 144.59.12.19, in reference to a TCP packet it apparently received from 192.168.0.3. Since the source of the original TCP packet, and the destination of the ICMP msg, are a private IP, I have to assume that the scenario is this: 192.168.0.3 tried to communicate with 144.59.12.19, and that dest received an incomplete TCP packet, only 40 bits long.

If netfilter performed a reverseSNAT on the communication to send it to 192.168.0.3 then there must have been an established connection in place. (Unless you DNAT to 192.168.0.3? Even then I don't think it would NAT the source IP referenced in the message.)

If you have a lot of these, see if the source IP (144.59.12.19) of the messages is the same. If so, and this is ongoing, try logging connections _TO_ that IP in postrouting.

If your box is performing SNAT (and not DNATting to 192.168.0.3), see if they all reference 192.168.0.3. If so, try logging connections _FROM_ that IP in prerouting, and check the box itself. (Maybe look for a worm...)

j
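An added example, not part of the thread, of the check the reply suggests: parse the netfilter LOG format, pull the embedded original packet out of an ICMP type 3 error, and count how many errors come from each sender and how many reference each inner source. The log lines below are constructed, modelled on the one quoted above; the field names follow the LOG target's own output.

```python
import re
from collections import Counter

# Constructed sample in netfilter LOG format (addresses and IDs are made up).
SAMPLE_LOG = """\
Feb  4 18:20:22 server kernel: [DROP] : IN=eth0 OUT= MAC=00:07:e8:03:a2:19:01:00:fd:08:c4:a0:08:00 SRC=144.59.12.19 DST=192.168.0.3 LEN=56 TOS=0x00 PREC=0x00 TTL=126 ID=61588 PROTO=ICMP TYPE=3 CODE=13 [SRC=192.168.0.3 DST=144.59.26.61 LEN=48 TOS=0x00 PREC=0x00 TTL=61 ID=12004 PROTO=TCP INCOMPLETE [8 bytes] ]
Feb  4 18:21:05 server kernel: [DROP] : IN=eth0 OUT= MAC=00:07:e8:03:a2:19:01:00:fd:08:c4:a0:08:00 SRC=144.59.12.19 DST=192.168.0.3 LEN=56 TOS=0x00 PREC=0x00 TTL=126 ID=61601 PROTO=ICMP TYPE=3 CODE=13 [SRC=192.168.0.3 DST=144.59.26.70 LEN=48 TOS=0x00 PREC=0x00 TTL=61 ID=12031 PROTO=TCP INCOMPLETE [8 bytes] ]
Feb  4 18:22:40 server kernel: [DROP] : IN=eth0 OUT= MAC=00:07:e8:03:a2:19:01:00:fd:08:c4:a0:08:00 SRC=203.0.113.7 DST=192.168.0.3 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=4242 PROTO=TCP SPT=4444 DPT=80 WINDOW=8192 SYN
"""

# ICMP errors carry the header of the packet that triggered them in [ ... ].
ICMP_ERR_RE = re.compile(r"PROTO=ICMP TYPE=(\d+) CODE=(\d+) \[(?P<inner>.*)\]\s*$")
KV_RE = re.compile(r"([A-Z]+)=(\S*)")          # KEY=value tokens; OUT= gives ""
INCOMPLETE_RE = re.compile(r"INCOMPLETE \[(\d+) bytes\]")

def parse_line(line):
    """Return (outer_fields, inner_fields); inner is empty unless the line
    is an ICMP error that embeds the original packet's header."""
    m = ICMP_ERR_RE.search(line)
    if m:
        outer_text = line[: m.start("inner") - 1]   # everything before '['
        inner_text = m.group("inner")
    else:
        outer_text, inner_text = line, ""
    outer = dict(KV_RE.findall(outer_text))
    inner = dict(KV_RE.findall(inner_text))
    inc = INCOMPLETE_RE.search(inner_text)
    if inc:  # the kernel logged only this many bytes of the inner header
        inner["INCOMPLETE_BYTES"] = int(inc.group(1))
    return outer, inner

def unreachable_report(log_text):
    """Count ICMP type 3 errors by the host that sent them and by the inner
    source they reference, the two groupings the reply says to look at."""
    by_sender, by_inner_src, inner_dsts = Counter(), Counter(), set()
    for line in log_text.splitlines():
        outer, inner = parse_line(line)
        if outer.get("PROTO") != "ICMP" or outer.get("TYPE") != "3":
            continue
        by_sender[outer["SRC"]] += 1
        if inner:
            by_inner_src[inner["SRC"]] += 1
            inner_dsts.add(inner["DST"])
    return {"by_sender": dict(by_sender), "by_inner_src": dict(by_inner_src),
            "inner_dsts": sorted(inner_dsts)}

if __name__ == "__main__":
    print(unreachable_report(SAMPLE_LOG))
```

A sender count far above one, or every inner SRC being the same internal host, is the signal to start the postrouting/prerouting logging the reply describes.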