From: christophe barbé
Subject: Re: simple rules and unexpected traffic
Date: Thu, 4 Jul 2002 17:01:53 -0400
To: netfilter@lists.samba.org
Message-ID: <20020704210152.GD19446@localhost>
In-Reply-To: <20020704141048.GB19446@localhost>

I have found at http://www.cavebear.com/CaveBear/Ethernet/multicast.html
that ff:ff:ff:ff:0:30 could be a multicast ethernet address
(03-00-FF-FF-FF-FF) for 'All Stations Address'. Is it something commonly
used by script kiddies ?

If I understand correctly, nothing has changed at the router, but somebody
connected at the same router is doing bad stuff. Is it right ?

What I still don't understand is why I can see this traffic with my
iptables rules. Is the traffic exposed (to user-space tools) before
entering the iptables processing ?

Christophe

On Thu, Jul 04, 2002 at 10:10:48AM -0400, christophe barbé wrote:
> Hi,
>
> I use a simple set of iptables rules for my laptop to reject everything
> from outside using ip_conntrack (from the howto) :
>
> # Generated by iptables-save v1.2.6a on Thu Jul 4 09:54:11 2002
> *filter
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [43965:4118502]
> :block - [0:0]
> -A INPUT -j block
> -A FORWARD -j block
> -A block -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A block -i ! eth0 -m state --state NEW -j ACCEPT
> -A block -i eth0 -m limit --limit 3/hour -j LOG --log-prefix "Bad packet from eth0:"
> -A block -i ! eth0 -m limit --limit 3/hour -j LOG --log-prefix "Bad packet not from eth0:"
> -A block -j DROP
> COMMIT
> # Completed on Thu Jul 4 09:54:11 2002
>
> I have an ADSL connection and only a hub between my laptop and the
> ADSL-modem. Recently something changed, I guess on the router from my
> provider, and now I see unexpected traffic.
>
> I see it with the eth0 monitor in gkrellm and with iftop but not with
> lsof -i.
> I was not expecting this traffic and the pattern seems strange : a
> constant 20kB incoming traffic during a few seconds. So I started
> looking closer. With ethereal I saw that it was a kind of flooding,
> most of the time a lot of SYN packets but also netbios ....
> Each time both IPs are not one of my computers. For example I see during
> one of these floodings with 'tcpdump -c 2 -e'
>
> tcpdump: listening on eth0
> 10:00:39.946940 0:0:c:c3:a:88 ff:ff:ff:ff:0:30 ip 62: 216-203-233-196.customer.algx.net.3574 > adsl-216-158-52-76.cust.oldcity.dca.net.www: S 2011680397:2011680397(0) win 16384 (DF)
> 10:00:39.949401 0:0:c:c3:a:88 ff:ff:ff:ff:0:30 ip 62: 216-203-233-196.customer.algx.net.3574 > adsl-216-158-52-76.cust.oldcity.dca.net.www: S 2011680397:2011680397(0) win 16384 (DF)
>
> I am not sure how to interpret 'ff:ff:ff:ff:0:30'; is it a kind of
> broadcasting at the ethernet level ?
>
> Why can I see these packets that are not for me ?
>
> Why is this traffic not dropped by netfilter ?
>
> It seems to be a misconfiguration of my ISP router, no ? I believe it's
> harmless (except for my bandwidth) but I don't understand why I see
> (with gkrellm) this traffic which seems to be rejected before netfilter.
> Is gkrellm using packet information from before the iptables processing ?
>
> I have tried to set /proc/.../eth0/rp_filter to 0 without any
> difference.
>
> Thanks,
> Christophe
>
> --
> Christophe Barbé
> GnuPG FingerPrint: E0F6 FADF 2A5C F072 6AF8 F67A 8F45 2F1E D72C B41E
>
> Dogs come when they're called;
> cats take a message and get back to you later. --Mary Bly

--
Christophe Barbé
GnuPG FingerPrint: E0F6 FADF 2A5C F072 6AF8 F67A 8F45 2F1E D72C B41E

Dogs believe they are human. Cats believe they are God.
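Added example, not code from the thread: it parses the 'tcpdump -e' lines quoted above and classifies each frame's destination MAC the way the Linux link layer does (eth_type_trans), then lists which netfilter hooks such a frame can reach. It shows why capture tools (which put eth0 into promiscuous mode) and the interface counters gkrellm reads see frames that the INPUT and FORWARD chains never do: ip_rcv() discards frames addressed to another host before PREROUTING, and a packet whose IP destination is not local never reaches INPUT. The local MAC, the hostname "laptop" and the third sample line are constructed assumptions.

```python
import re

# Constructed sample in the format of the 'tcpdump -e' lines quoted in the thread
# (first two are the quoted lines; the third is made up to show a unicast frame to us).
SAMPLE = """\
10:00:39.946940 0:0:c:c3:a:88 ff:ff:ff:ff:0:30 ip 62: 216-203-233-196.customer.algx.net.3574 > adsl-216-158-52-76.cust.oldcity.dca.net.www: S 2011680397:2011680397(0) win 16384 (DF)
10:00:39.949401 0:0:c:c3:a:88 ff:ff:ff:ff:0:30 ip 62: 216-203-233-196.customer.algx.net.3574 > adsl-216-158-52-76.cust.oldcity.dca.net.www: S 2011680397:2011680397(0) win 16384 (DF)
10:00:40.100000 0:0:c:c3:a:88 0:50:ba:aa:bb:cc ip 62: 216-203-233-196.customer.algx.net.3575 > laptop.www: S 7:7(0) win 16384 (DF)
"""
MY_MAC = "00:50:ba:aa:bb:cc"          # assumed address of our eth0 (placeholder)
MY_HOSTS = {"laptop"}                  # names tcpdump would print for our own IPs

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) ip \d+: (\S+)\.\S+ > (\S+)\.\S+:")

def norm_mac(mac):
    """tcpdump prints octets without zero padding (0:0:c:...); normalise to 00:00:0c:..."""
    return ":".join(f"{int(octet, 16):02x}" for octet in mac.split(":"))

def pkt_type(dst_mac, my_mac):
    """Mimic eth_type_trans(): classify the frame by its destination MAC."""
    dst = norm_mac(dst_mac)
    if dst == "ff:ff:ff:ff:ff:ff":
        return "PACKET_BROADCAST"
    if int(dst[:2], 16) & 1:           # I/G bit set: group address (ff:ff:ff:ff:00:30 is one)
        return "PACKET_MULTICAST"
    return "PACKET_HOST" if dst == norm_mac(my_mac) else "PACKET_OTHERHOST"

def netfilter_hooks(ptype, ip_dst_is_local):
    """Hooks the packet can reach: ip_rcv() drops OTHERHOST before PREROUTING, INPUT needs
    a local IP destination, and ip_forward() (if forwarding is on) drops anything but HOST."""
    if ptype == "PACKET_OTHERHOST":
        return []
    if ip_dst_is_local:
        return ["PREROUTING", "INPUT"]
    return ["PREROUTING", "FORWARD"] if ptype == "PACKET_HOST" else ["PREROUTING"]

def triage(capture, my_mac=MY_MAC, my_hosts=MY_HOSTS):
    rows = []
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, src, dst, ip_src, ip_dst = m.groups()
        ptype = pkt_type(dst, my_mac)
        rows.append({"time": ts, "src_mac": norm_mac(src), "dst_mac": norm_mac(dst),
                     "ip_src": ip_src, "ip_dst": ip_dst, "pkt_type": ptype,
                     "hooks": netfilter_hooks(ptype, ip_dst in my_hosts)})
    return rows

if __name__ == "__main__":
    for r in triage(SAMPLE):
        print(r["time"], r["dst_mac"], r["pkt_type"], "->", ",".join(r["hooks"]) or "dropped before netfilter")
```

The two quoted frames come out as PACKET_MULTICAST with a non-local IP destination, so they reach PREROUTING only and never the filter INPUT or FORWARD chains where the 'block' rules sit.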