From: "christophe barbé" <christophe.barbe.ml@online.fr>
To: netfilter@lists.samba.org
Subject: simple rules and unexpected traffic
Date: Thu, 4 Jul 2002 10:10:48 -0400
Message-ID: <20020704141048.GB19446@localhost>
Hi,
I use a simple set of iptables rules for my laptop to reject everything
from outside using ip_conntrack (from the howto):
# Generated by iptables-save v1.2.6a on Thu Jul 4 09:54:11 2002
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [43965:4118502]
:block - [0:0]
-A INPUT -j block
-A FORWARD -j block
-A block -m state --state RELATED,ESTABLISHED -j ACCEPT
-A block -i ! eth0 -m state --state NEW -j ACCEPT
-A block -i eth0 -m limit --limit 3/hour -j LOG --log-prefix "Bad packet from eth0:"
-A block -i ! eth0 -m limit --limit 3/hour -j LOG --log-prefix "Bad packet not from eth0:"
-A block -j DROP
COMMIT
# Completed on Thu Jul 4 09:54:11 2002
I have an ADSL connection and only a hub between my laptop and the
ADSL modem. Recently something changed, I guess on the router of my
provider, and now I see unexpected traffic.
I see it with the eth0 monitor in gkrellm and with iftop but not with
lsof -i.
I was not expecting this traffic and the pattern seems strange: a
constant 20kB of incoming traffic for a few seconds. So I started
looking closer. With ethereal I saw that it was a kind of flooding,
most of the time a lot of SYN packets but also netbios ...
Each time, neither IP is one of my computers. For example, during
one of these floods I see this with 'tcpdump -c 2 -e':
tcpdump: listening on eth0
10:00:39.946940 0:0:c:c3:a:88 ff:ff:ff:ff:0:30 ip 62: 216-203-233-196.customer.algx.net.3574 > adsl-216-158-52-76.cust.oldcity.dca.net.www: S 2011680397:2011680397(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
10:00:39.949401 0:0:c:c3:a:88 ff:ff:ff:ff:0:30 ip 62: 216-203-233-196.customer.algx.net.3574 > adsl-216-158-52-76.cust.oldcity.dca.net.www: S 2011680397:2011680397(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
I am not sure how to interpret 'ff:ff:ff:ff:0:30'. Is it a kind of
broadcast at the Ethernet level?
Why can I see these packets that are not for me?
Why is this traffic not dropped by netfilter?
It seems to be a misconfiguration of my ISP's router, no? I believe it's
harmless (except for my bandwidth) but I don't understand why I see
(with gkrellm) this traffic, which seems to be rejected before netfilter.
Is gkrellm using packet information from before the iptables processing?
I have tried to set /proc/.../eth0/rp_filter to 0 without any
difference.
Thanks,
Christophe
--
Christophe Barbé <christophe.barbe@ufies.org>
GnuPG FingerPrint: E0F6 FADF 2A5C F072 6AF8 F67A 8F45 2F1E D72C B41E
Dogs come when they're called;
cats take a message and get back to you later. --Mary Bly
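The tcpdump -e lines quoted in the message can be sorted by their destination MAC using the Ethernet addressing rules: all ones is the broadcast address, a set least-significant bit in the first octet marks a group (multicast) address, and anything else is a unicast address that only the owning station hands up to its IP stack. The script below is an added example, not code from the thread; it assumes a placeholder HOST_MAC for the laptop's eth0 address and adds two constructed frames beside the two quoted ones for contrast.

```python
import re
from collections import Counter

# Constructed sample input: the two frames quoted in the message plus two
# invented lines (a real broadcast and a unicast to some other host) for contrast.
SAMPLE_TCPDUMP = """\
10:00:39.946940 0:0:c:c3:a:88 ff:ff:ff:ff:0:30 ip 62: 216-203-233-196.customer.algx.net.3574 > adsl-216-158-52-76.cust.oldcity.dca.net.www: S 2011680397:2011680397(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
10:00:39.949401 0:0:c:c3:a:88 ff:ff:ff:ff:0:30 ip 62: 216-203-233-196.customer.algx.net.3574 > adsl-216-158-52-76.cust.oldcity.dca.net.www: S 2011680397:2011680397(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
10:00:40.100000 0:0:c:c3:a:88 ff:ff:ff:ff:ff:ff arp 60: arp who-has 192.168.1.2 tell 192.168.1.1
10:00:40.200000 0:0:c:c3:a:88 0:50:ba:1:2:3 ip 74: 192.168.1.1.1234 > 192.168.1.5.www: S 1:1(0) win 16384 (DF)
"""

HOST_MAC = "00:50:ba:00:00:01"  # placeholder: the laptop's own eth0 address (not given in the post)

# tcpdump -e line: timestamp, source MAC, destination MAC, link protocol, frame length, then the summary
LINE_RE = re.compile(r"^(\S+)\s+([0-9a-f:]+)\s+([0-9a-f:]+)\s+(\S+)\s+(\d+):\s*(.*)$")

def norm_mac(mac):
    """tcpdump -e drops leading zeros ("0:0:c:c3:a:88"); pad each octet to two hex digits."""
    return ":".join(f"{int(o, 16):02x}" for o in mac.split(":"))

def classify_dst(dst_mac, host_mac=HOST_MAC):
    """Apply the Ethernet addressing rules to a destination MAC."""
    octets = bytes(int(o, 16) for o in dst_mac.split(":"))
    if octets == b"\xff" * 6:
        return "broadcast"          # all ones: every station accepts it
    if octets[0] & 0x01:
        return "multicast"          # I/G bit set: a group address, but not the broadcast address
    if norm_mac(dst_mac) == norm_mac(host_mac):
        return "unicast-to-host"    # addressed to this station; the only kind delivered as PACKET_HOST
    return "unicast-other"          # another station's frame; Linux's ip_rcv discards it before any netfilter hook

def parse_tcpdump_e(text, host_mac=HOST_MAC):
    """Parse tcpdump -e output into one dict per frame, tagged with its destination class."""
    frames = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # e.g. the "tcpdump: listening on eth0" banner
        ts, src, dst, proto, length, rest = m.groups()
        frames.append({"time": ts, "src_mac": norm_mac(src), "dst_mac": norm_mac(dst),
                       "proto": proto, "len": int(length), "summary": rest,
                       "kind": classify_dst(dst, host_mac)})
    return frames

def count_kinds(text, host_mac=HOST_MAC):
    """Tally how many captured frames fall in each destination class."""
    return Counter(f["kind"] for f in parse_tcpdump_e(text, host_mac))
```

Run on a real capture with HOST_MAC set to the interface's address, the tally shows how much of what the hub delivers is addressed to other stations and therefore never reaches the INPUT or FORWARD chain at all.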