From: christophe barbé
Subject: simple rules and unexpected traffic
Date: Thu, 4 Jul 2002 10:10:48 -0400
Message-ID: <20020704141048.GB19446@localhost>
To: netfilter@lists.samba.org

Hi,

I use a simple set of iptables rules for my laptop to reject everything from outside using ip_conntrack (from the howto):

# Generated by iptables-save v1.2.6a on Thu Jul 4 09:54:11 2002
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [43965:4118502]
:block - [0:0]
-A INPUT -j block
-A FORWARD -j block
-A block -m state --state RELATED,ESTABLISHED -j ACCEPT
-A block -i ! eth0 -m state --state NEW -j ACCEPT
-A block -i eth0 -m limit --limit 3/hour -j LOG --log-prefix "Bad packet from eth0:"
-A block -i ! eth0 -m limit --limit 3/hour -j LOG --log-prefix "Bad packet not from eth0:"
-A block -j DROP
COMMIT
# Completed on Thu Jul 4 09:54:11 2002

I have an ADSL connection and only a hub between my laptop and the ADSL modem. Recently something changed, I guess on my provider's router, and now I see unexpected traffic. I see it with the eth0 monitor in gkrellm and with iftop, but not with lsof -i. I was not expecting this traffic and the pattern seems strange: a constant 20kB of incoming traffic for a few seconds. So I started looking closer. With ethereal I saw that it was a kind of flooding, most of the time a lot of SYN packets but also netbios... Each time, neither IP is one of my computers.

For example, during one of these floodings I see with 'tcpdump -c 2 -e':

tcpdump: listening on eth0
10:00:39.946940 0:0:c:c3:a:88 ff:ff:ff:ff:0:30 ip 62: 216-203-233-196.customer.algx.net.3574 > adsl-216-158-52-76.cust.oldcity.dca.net.www: S 2011680397:2011680397(0) win 16384 (DF)
10:00:39.949401 0:0:c:c3:a:88 ff:ff:ff:ff:0:30 ip 62: 216-203-233-196.customer.algx.net.3574 > adsl-216-158-52-76.cust.oldcity.dca.net.www: S 2011680397:2011680397(0) win 16384 (DF)

I am not sure how to interpret 'ff:ff:ff:ff:0:30'. Is it a kind of broadcasting at the ethernet level? Why can I see these packets that are not for me? Why is this traffic not dropped by netfilter?

It seems to be a misconfiguration of my ISP's router, no? I believe it's harmless (except for my bandwidth) but I don't understand why I see (with gkrellm) this traffic which seems to be rejected before netfilter. Is gkrellm using packet information before the iptables processing? I have tried to set /proc/.../eth0/rp_filter to 0 without any difference.

Thanks,
Christophe

--
Christophe Barbé
GnuPG FingerPrint: E0F6 FADF 2A5C F072 6AF8 F67A 8F45 2F1E D72C B41E

Dogs come when they're called; cats take a message and get back to you later. --Mary Bly
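The following is an added example for readers of the archive, not code from the original post: it parses the `tcpdump -e` lines above and classifies each destination MAC the way the Linux receive path does before netfilter sees anything, which shows that `ff:ff:ff:ff:0:30` is a group address (I/G bit set in the first octet) rather than the all-ones broadcast. `LOCAL_MAC` and the second and third sample lines are constructed; only the first sample line comes from the message.

```python
import re

# Constructed placeholder for the laptop's own eth0 address (not given in the post).
LOCAL_MAC = "00:00:0c:11:22:33"

# `tcpdump -e` output: the first line is from the post, the other two are constructed
# to show a true broadcast frame and a frame addressed to this host.
SAMPLE = """\
10:00:39.946940 0:0:c:c3:a:88 ff:ff:ff:ff:0:30 ip 62: 216-203-233-196.customer.algx.net.3574 > adsl-216-158-52-76.cust.oldcity.dca.net.www: S 2011680397:2011680397(0) win 16384 (DF)
10:00:40.100000 0:0:c:c3:a:88 ff:ff:ff:ff:ff:ff ip 92: 192.0.2.7.netbios-ns > 192.0.2.255.netbios-ns: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
10:00:40.200000 0:0:c:c3:a:88 0:0:c:11:22:33 ip 60: 192.0.2.7.1234 > 192.0.2.9.ssh: S 1:1(0) win 16384 (DF)
"""

# timestamp, source MAC, destination MAC, link type, frame length, then the IP summary
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>[0-9a-f:]+)\s+(?P<dst>[0-9a-f:]+)"
                     r"\s+\S+\s+(?P<length>\d+):\s*(?P<rest>.*)$")

def normalize_mac(mac):
    """Old tcpdump prints octets without zero padding ('0:0:c:c3:a:88'); pad them."""
    octets = mac.split(":")
    if len(octets) != 6:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(f"{int(o, 16):02x}" for o in octets)

def classify_dst(dst, local_mac):
    """Same decision the kernel's eth_type_trans() makes when it sets skb->pkt_type."""
    dst = normalize_mac(dst)
    if dst == "ff:ff:ff:ff:ff:ff":
        return "broadcast"           # PACKET_BROADCAST
    if int(dst[:2], 16) & 1:         # IEEE 802 I/G bit: a group address, not the broadcast
        return "multicast"           # PACKET_MULTICAST
    if dst == normalize_mac(local_mac):
        return "host"                # PACKET_HOST
    # A unicast frame for another station reaches the kernel only while the interface
    # is promiscuous (e.g. tcpdump/ethereal running); ip_rcv() discards PACKET_OTHERHOST
    # before any netfilter hook, so INPUT/FORWARD rules never see it, while the driver
    # byte counters that gkrellm reads still count it.
    return "otherhost"               # PACKET_OTHERHOST

def parse(text, local_mac):
    """Parse tcpdump -e lines into dicts with normalized MACs and the frame class."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:                    # skip 'tcpdump: listening on eth0' and the like
            continue
        rows.append({"ts": m["ts"], "src": normalize_mac(m["src"]),
                     "dst": normalize_mac(m["dst"]), "kind": classify_dst(m["dst"], local_mac),
                     "length": int(m["length"]), "summary": m["rest"]})
    return rows
```

Replace `LOCAL_MAC` with the real eth0 address before running it over a capture; the `kind` field then tells you which frames could ever have reached the `block` chain.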