On Thu, 20 Jun 2002, Akom wrote:

> Hi all,
> 
> I normally get my share of spoofed ip packets in the logs all the time, which I 
> ignore, however this time they don't look healthy as they are destined for the 
> internal IP of my server and it's been happening for a couple of days about 
> every 3 minutes:
> 
> Jun 20 10:33:31 firewall kernel: Shorewall:rfc1918:DROP:IN=eth0 OUT=eth1 
> SRC=192.168.0.2 DST=192.168.2.1 LEN=48 TOS=0x00 PREC=0x00 TTL=102 ID=11842 DF 
> PROTO=TCP SPT=3093 DPT=8888 WINDOW=65535 RES=0x00 SYN URGP=0  
> 
> Note that the incoming packets, even though they are probably spoofed, are 
> destined for an internal ip of the real server! 
>

One thing that I keep meaning to do but haven't yet is to make it clear 
which 'rfc1918' chain the message is coming from (yes, there are two):

a) One in the mangle table that catches packets whose original destination 
   is reserved by RFC1918.

b) One in the filter table that catches packets whose original source
   is reserved by RFC1918.

DNAT occurs between the time that packets traverse a) and the time that 
they traverse b). So if you are doing NAT or DNAT (for port 8888) then the 
original IP address for the packet could have been your external IP 
address.

The reason that there are two chains is that not all kernels are built 
with mangle support. In that case, only the second chain is available and 
packets whose original IP address are reserved by RFC 1918 can still get 
through.
 
> So I tried changing the internal IP of the server (and the port fwd rules to 
> match)... as soon as I do, I get a dump of DROP net2all logs from seemingly 
> every client connected to opennap... all destined for the old internal IP, not 
> external IP!!!  Here is the scary part though... after a few minutes the logs 
> above changed from old internal IP to the new one, even with opennap shut down!
> 
> Services I'm portforwarding: ssh,http,https,81,8888,smtp 
> 

Ok -- so DNAT is occurring before the second rfc1918 chain is traversed so 
the original destination was NOT 192.168.2.1 but rather your external IP 
address.

-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ [EMAIL PROTECTED]
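To make the ordering Tom describes concrete, here is an added Python model (not Shorewall's code, and not anything from this thread) that walks a packet through the two rfc1918 checks with DNAT in between, and then reads the quoted log line back against that model. The external address 203.0.113.10 and the port-forwarding table are assumed values constructed for the example; the hook order (mangle-table check on the original destination, then DNAT, then filter-table check on the source) is taken from the reply above.

```python
import ipaddress
import re

# RFC 1918 private address space (what both of Shorewall's rfc1918 chains test against).
RFC1918_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed values for the example: the firewall's public address (TEST-NET-3
# documentation range, not a real host) and a port-forwarding table modelled on
# the "port fwd rules" the original poster describes.
EXTERNAL_IP = "203.0.113.10"
DNAT_RULES = {8888: ("192.168.2.1", 8888), 22: ("192.168.2.1", 22)}

# The log line quoted in the thread, re-joined onto one line.
LOG_LINE = ("Jun 20 10:33:31 firewall kernel: Shorewall:rfc1918:DROP:IN=eth0 OUT=eth1 "
            "SRC=192.168.0.2 DST=192.168.2.1 LEN=48 TOS=0x00 PREC=0x00 TTL=102 ID=11842 DF "
            "PROTO=TCP SPT=3093 DPT=8888 WINDOW=65535 RES=0x00 SYN URGP=0")


def is_rfc1918(addr):
    """True if addr lies in one of the three RFC 1918 blocks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918_NETS)


def parse_shorewall_log(line):
    """Split a Shorewall netfilter log entry into its KEY=value fields plus chain and target."""
    fields = dict(re.findall(r"(\w+)=(\S*)", line))
    m = re.search(r"Shorewall:(\w+):(\w+):", line)
    if m:
        fields["chain"], fields["target"] = m.group(1), m.group(2)
    return fields


def traverse(src, dst, dport):
    """Walk a packet arriving on the external interface through the hooks in the
    order described in the thread: mangle-table rfc1918 chain, then DNAT, then
    filter-table rfc1918 chain. Returns a list of (stage, src, dst, verdict)
    tuples so the address seen at each stage can be compared with the log."""
    trace = []
    # a) mangle table: sees the ORIGINAL destination, before any DNAT.
    if is_rfc1918(dst):
        trace.append(("mangle:rfc1918", src, dst, "DROP (reserved destination)"))
        return trace
    trace.append(("mangle:rfc1918", src, dst, "pass"))
    # nat PREROUTING: port forwarding rewrites the destination.
    if dst == EXTERNAL_IP and dport in DNAT_RULES:
        dst, dport = DNAT_RULES[dport]
        trace.append(("nat:DNAT", src, dst, "destination rewritten"))
    # b) filter table: sees the post-DNAT destination, tests the SOURCE.
    if is_rfc1918(src):
        trace.append(("filter:rfc1918", src, dst, "DROP (reserved source)"))
        return trace
    trace.append(("filter:rfc1918", src, dst, "pass"))
    return trace


def which_chain_logged(line):
    """Infer from a log entry which rfc1918 chain produced it: a reserved SRC with a
    DST that is a known DNAT target points at the filter-table chain, so the DST
    shown is post-DNAT rather than the address the sender put on the wire."""
    f = parse_shorewall_log(line)
    dnat_targets = {ip for ip, _ in DNAT_RULES.values()}
    if is_rfc1918(f["SRC"]) and f["DST"] in dnat_targets:
        return "filter (post-DNAT; original DST was the external IP)"
    if is_rfc1918(f["DST"]):
        return "mangle (pre-DNAT; DST is as sent)"
    return "unknown"


if __name__ == "__main__":
    for step in traverse("192.168.0.2", EXTERNAL_IP, 8888):
        print(step)
    print(which_chain_logged(LOG_LINE))
```

Running it shows the packet passing the mangle-table check with DST=203.0.113.10, being rewritten to 192.168.2.1 by the port forward, and only then being dropped by the filter-table chain because SRC=192.168.0.2 is reserved, which is exactly the DST the quoted log line prints. A packet sent directly to 192.168.2.1 from a non-reserved source, by contrast, is stopped in the mangle-table chain before DNAT is ever consulted.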

leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html