Re: Packets that should have been DNATted appearing in INPUT table

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 


it's also quite possible these connetions his counter catches are not
related to the NAT c0onnections at all, but, are the result of other
systems scanning his or trying to find a way through his FW rulebase. My
cash is on these counters incrementing due to kiddies and others merely
scanning the ethers with new toys and trinkets they have found at various
links and sec websites on the net.  But,this can be confirmed with
comparing these INPUT hits with his FORWARDED NAT hits in the logs, yes?

thanks,

Ron DuFresne

On Tue, 11 Jan 2005, Jason Opperisano wrote:

> On Tue, Jan 11, 2005 at 04:03:11PM +0100, Marius Mertens wrote:
> > Hi again,
> > 
> > I just subscribed to this list in order to save the moderator some work and 
> > minimize the delays in our discussion ;-)
> > So no need to cc anymore.
> 
> we greatly appreciate that.
> 
> > On Tuesday, January 11, 2005 1:27 AM,
> > R. DuFresne wrote:
> > 
> > >[...]
> > >validate your conclusions, adding a LOG rule prior to the drop might
> > >help track down 'why' you are seeing that 'counter' increment.
> > 
> > Below are the packets logged by
> > iptables -A INPUT -i ppp0 -p tcp --dport 4664 -j LOG --log-level 
> > 6 --log-prefix "SUSPICIOUS: "
> > after running some minutes.
> 
> you could easily be creating this situation yourself with your "testing"
> methodology.  if you are:
> 
> 1) starting firewall
> 2) allowing connections to establish
> 3) stopping firewall, which includes removing ip_conntrack
> 4) starting firewall
> 
> all the packets that were part of the established connections in step 2
> will no longer have a conntrack entry that ties them to the DNAT, and
> they will end up in INPUT and get dropped.
> 
> i'm not saying this is what you are doing--but it's an explanation for
> what you're seeing--the DNAT functionality in netfilter works properly
> in my experience.
> 
> -j
> 
> --
> "To alcohol: the cause of, and solution to, all of life's problems."
>         --The Simpsons
> 

-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        admin & senior security consultant:  sysinfo.com
                        http://sysinfo.com

...Love is the ultimate outlaw.  It just won't adhere to rules.
The most any of us can do is sign on as it's accomplice.  Instead
of vowing to honor and obey, maybe we should swear to aid and abet.
That would mean that security is out of the question.  The words
"make" and "stay" become inappropriate.  My love for you has no
strings attached.  I love you for free...
                        -Tom Robins <Still Life With Woodpecker>
[Index of Archives]     [Linux Netfilter Development]     [Linux Kernel Networking Development]     [Netem]     [Berkeley Packet Filter]     [Linux Kernel Development]     [Advanced Routing & Traffice Control]     [Bugtraq]

  Powered by Linux