Linux Netfilter discussions
* Strange outgoing packet ...
@ 2004-01-16  9:15 Rakotomandimby Mihamina
  2004-01-16 15:09 ` Unknown, Alistair Tonner
                   ` (2 more replies)
  0 siblings, 3 replies; 5+ messages in thread
From: Rakotomandimby Mihamina @ 2004-01-16  9:15 UTC (permalink / raw)
  To: netfilter

Hi all,
I'm running 2.4.24 and iptables 1.2.9 on Slackware.

I made these rules on my single box connected to the internet via the ppp0
interface (I only show OUTPUT-related entries):

iptables -P OUTPUT DROP
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
#To allow me surfing :
iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
# My ISP DNS :
iptables -A OUTPUT -d 193.252.19.4 -p ALL -j ACCEPT ;
iptables -A OUTPUT -d 193.252.19.3 -p ALL -j ACCEPT ;
iptables -A OUTPUT -d 80.10.246.1 -p ALL -j ACCEPT
iptables -A OUTPUT -d 80.10.246.132 -p ALL -j ACCEPT
#Logging everything else :
iptables -A OUTPUT -j LOG --log-level info --log-prefix "dropped_output_: "

and I get many lines like this in my log file:

Jan 16 06:54:40 milina kernel: dropped_output_: IN= OUT=ppp0 SRC=81.248.95.208 
DST=81.56.193.129 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP 
SPT=39332 DPT=113 WINDOW=18276 RES=0x00 SYN URGP=0

What would this stuff on port 113 be?

Though when I sleep (I kill X by switching to runlevel 3, so there is
neither "messenger" nor any stuff that should be connected but my web server
and FTP server...), it logs that.

Would you help me?
-- 
Rakotomandimby Mihamina Andrianifaharana
Tel : +33 2 38 76 43 65
http://stko.dyndns.info/site_principal/Members/mihamina




* Re: Strange outgoing packet ...
  2004-01-16  9:15 Strange outgoing packet Rakotomandimby Mihamina
@ 2004-01-16 15:09 ` Unknown, Alistair Tonner
  2004-01-16 15:35 ` Bob Weber
       [not found] ` <200401161009.03957.Alistair Tonner <>
  2 siblings, 0 replies; 5+ messages in thread
From: Unknown, Alistair Tonner @ 2004-01-16 15:09 UTC (permalink / raw)
  To: Rakotomandimby Mihamina, netfilter

On January 16, 2004 04:15 am, Rakotomandimby Mihamina wrote:
> Hi all,
> I'm running 2.4.24 and iptables 1.2.9 on Slackware.
>
> I made these rules on my single box connected to internet via the ppp0
> interface ( i only show OUTPUT related entries )
>
> iptables -P OUTPUT DROP
> iptables -A OUTPUT -o lo -j ACCEPT
> iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> #To allow me surfing :
> iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
> # My ISP DNS :
> iptables -A OUTPUT -d 193.252.19.4 -p ALL -j ACCEPT ;
> iptables -A OUTPUT -d 193.252.19.3 -p ALL -j ACCEPT ;
> iptables -A OUTPUT -d 80.10.246.1 -p ALL -j ACCEPT
> iptables -A OUTPUT -d 80.10.246.132 -p ALL -j ACCEPT
> #Logging everything else :
> iptables -A OUTPUT -j LOG --log-level info --log-prefix "dropped_output_: "
>
> and i get many lines like this in my log file :
>
> Jan 16 06:54:40 milina kernel: dropped_output_: IN= OUT=ppp0
> SRC=81.248.95.208 DST=81.56.193.129 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0
> DF PROTO=TCP SPT=39332 DPT=113 WINDOW=18276 RES=0x00 SYN URGP=0
>
> What would be this stuff on 113 port ??
>

	That would be Identd -- it's your FTP server trying to get ident
	info from connecting clients.   You can turn this off in *some* ftp
	configs.

	Alistair

> Though when i sleep ( i kill X by switching to runlevel 3 , so there is
> neither "messenger" nor any stuff that should be connected but my web
> server and FTP server ... ) , it logs that .
>
> Would you help me?



* Re: Strange outgoing packet ...
  2004-01-16  9:15 Strange outgoing packet Rakotomandimby Mihamina
  2004-01-16 15:09 ` Unknown, Alistair Tonner
@ 2004-01-16 15:35 ` Bob Weber
  2004-01-16 15:58   ` Rakotomandimby Mihamina
       [not found] ` <200401161009.03957.Alistair Tonner <>
  2 siblings, 1 reply; 5+ messages in thread
From: Bob Weber @ 2004-01-16 15:35 UTC (permalink / raw)
  To: netfilter

On 01/16/04, Rakotomandimby Mihamina wrote:
> Hi all,
> I'm running 2.4.24 and iptables 1.2.9 on Slackware.

> and i get many lines like this in my log file :
> 
> Jan 16 06:54:40 milina kernel: dropped_output_: IN= OUT=ppp0 SRC=81.248.95.208 
> DST=81.56.193.129 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP 
> SPT=39332 DPT=113 WINDOW=18276 RES=0x00 SYN URGP=0
> 
> What would be this stuff on 113 port ??

Port 113 is the auth port.  Mail servers will attempt to connect to this
port to determine if you are at the IP address your name resolves to.  If
your mail server has to wait for this connection to time out, POP3 and SMTP
connections will be slow.

Bob
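
Added example, not part of the original thread: a small Python triage script for entries written by the LOG rule in the first message, grouping dropped outbound packets by protocol and destination port so that repeated ident lookups (port 113, as the replies identify it) stand out. It assumes the `dropped_output_: ` prefix from that rule; the second and third sample lines are constructed, and the names `parse_log_line` and `summarize` are illustrative.

```python
from collections import Counter

# Constructed sample: line 1 is the entry quoted in the thread, unwrapped to the
# single line syslog writes; lines 2 and 3 are made up for contrast.
SAMPLE_LOG = """\
Jan 16 06:54:40 milina kernel: dropped_output_: IN= OUT=ppp0 SRC=81.248.95.208 DST=81.56.193.129 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=39332 DPT=113 WINDOW=18276 RES=0x00 SYN URGP=0
Jan 16 06:55:02 milina kernel: dropped_output_: IN= OUT=ppp0 SRC=81.248.95.208 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=39340 DPT=113 WINDOW=18276 RES=0x00 SYN URGP=0
Jan 16 06:55:09 milina kernel: dropped_output_: IN= OUT=ppp0 SRC=81.248.95.208 DST=192.0.2.55 LEN=76 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=123 DPT=123 LEN=56
"""

PREFIX = "dropped_output_: "       # the --log-prefix used in the thread
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}
PORT_NAMES = {113: "auth/ident"}   # port 113 as named in the replies

def parse_log_line(line):
    """Split one LOG entry into key=value fields and bare flag tokens."""
    _, sep, body = line.partition(PREFIX)
    if not sep:
        return None                # not written by this LOG rule
    fields, flags = {}, set()
    for tok in body.split():
        key, eq, val = tok.partition("=")
        if eq:
            fields.setdefault(key, val)  # UDP entries repeat LEN=; keep the IP one
        else:
            flags.add(tok)               # DF, SYN, ACK, ...
    return fields, flags

def summarize(log_text):
    """Count locally generated dropped packets per (proto, dport, name, kind)."""
    counts = Counter()
    for line in log_text.splitlines():
        parsed = parse_log_line(line)
        if parsed is None:
            continue
        fields, flags = parsed
        if fields.get("IN") or not fields.get("OUT"):
            continue               # OUTPUT-chain entries have IN= empty, OUT= set
        # A lone SYN is a connection this host is opening (state NEW)
        kind = "syn" if flags & TCP_FLAGS == {"SYN"} else "other"
        dport = int(fields.get("DPT", 0))
        key = (fields.get("PROTO", "?"), dport, PORT_NAMES.get(dport, "?"), kind)
        counts[key] += 1
    return counts

if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LOG).most_common():
        print(n, *key)
```

A lone SYN with `IN=` empty is a connection the box itself is opening, which is why the RELATED,ESTABLISHED rule does not accept it and it falls through to the LOG rule.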



* Re: Strange outgoing packet ...
  2004-01-16 15:35 ` Bob Weber
@ 2004-01-16 15:58   ` Rakotomandimby Mihamina
  0 siblings, 0 replies; 5+ messages in thread
From: Rakotomandimby Mihamina @ 2004-01-16 15:58 UTC (permalink / raw)
  To: netfilter

On Friday 16 January 2004 16:35, Bob Weber wrote:

> Port 113 is the auth port.  Mail servers will attempt to connect to this
> port to determine if you are at the ip address your name resolves to.  If
> your mail server has to wait for this connection to timeout pop3 and smtp
> connections will be slow

OK.
Thanks.
Nothing to worry about.
-- 
Rakotomandimby Mihamina Andrianifaharana
Tel : +33 2 38 76 43 65
http://stko.dyndns.info/site_principal/Members/mihamina




* Re: Strange outgoing packet ...
       [not found] ` <200401161009.03957.Alistair Tonner <>
@ 2004-01-16 15:59   ` Rakotomandimby Mihamina
  0 siblings, 0 replies; 5+ messages in thread
From: Rakotomandimby Mihamina @ 2004-01-16 15:59 UTC (permalink / raw)
  To: netfilter

On Friday 16 January 2004 16:09, you wrote:
> 	That would be Identd -- it's your FTP server trying to get ident
> 	info from connecting clients.   You can turn this off in *some* ftp
> 	configs.

OK.
Thanks.
Nothing to worry about.
-- 
Rakotomandimby Mihamina Andrianifaharana
Tel : +33 2 38 76 43 65
http://stko.dyndns.info/site_principal/Members/mihamina



