[ale] iptables problems

Joe Steele joe at madewell.com
Fri Dec 28 16:53:02 EST 2001


Rick Huebner said:
>
> In Messages, I had this error once:
> Dec 27 22:29:09 linuxserver modprobe: modprobe: Can't locate module
> iptable_FORWARD

?? I don't know.

>
> Also, the common error that I get in my log file is like this, where
> 1.2.3.78 is my external IP:
> Dec 27 22:30:09 linuxserver kernel: IN=eth0 OUT= MAC= SRC=1.2.3.4
> DST=1.2.4.255 LEN=241 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=138
> DPT=138 LEN=221
> Dec 27 22:30:09 linuxserver kernel: IN=eth0 OUT= MAC= SRC=1.2.3.78
> DST=1.2.4.255 LEN=240 TOS=0x00 PREC=x00 TTL=64 ID=0 DF PROTO=UDP SPT=138
> DPT=138 LEN=220
>
> The DST address seems to have a problem.  Why is it being sent to the
> broadcast address of 1.2.4.255 instead of 1.2.3.255?
>

You refer to these log messages as 'errors', but they aren't errors.
They're just packets that were dropped and logged by your firewall
setup.  In the case above, the UDP packets have their source and
dest. port = 138, which is netbios-dgm.  Likely just some
misconfigured Windows box saying 'hack me' to the users on your cable
network.

> This is another error that I get in messages where the MAC and DST
> correspond to eth0:
> Dec 27 23:08:47 linuxserver kernel: IN=eth0 OUT= MAC=THE_MAC_ADDR_OF_ETH0
> SRC=24.181.208.4 DST=IPADDR_OF_eth0 LEN=
> 48 TOS=0x00 PREC=0x00 TTL=113 ID=40796 DF PROTO=TCP SPT=3749 DPT=27374
> WINDOW=16384 RES=0x00 SYN URGP=0
>

Here again, your firewall is just logging the fact that it dropped
the packet.  In this case, the dest. port is 27374 and the SYN flag
is set, meaning someone is attempting to connect to your computer on
that port.  This port is a commonly probed port because the SubSeven
back-door trojan uses it.  For more info, see:

http://advice.networkice.com/advice/Exploits/Ports/27374/default.htm

--Joe
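
Added example (not part of the original message): a small Python parser that reads kernel LOG lines of the kind quoted above and summarizes each dropped packet the way the reply reads them by hand. The sample lines, addresses, and the function names `parse_line`, `describe`, and `triage` are constructed for illustration; the port notes come from the message.

```python
import re

# Constructed sample lines in the format of the kernel LOG entries quoted above
# (addresses and MAC are documentation placeholders, not from the original message).
SAMPLE_LOG = """\
Dec 27 22:30:09 linuxserver kernel: IN=eth0 OUT= MAC= SRC=192.0.2.4 DST=192.0.2.255 LEN=241 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=138 DPT=138 LEN=221
Dec 27 23:08:47 linuxserver kernel: IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=198.51.100.7 DST=192.0.2.78 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=40796 DF PROTO=TCP SPT=3749 DPT=27374 WINDOW=16384 RES=0x00 SYN URGP=0
Dec 27 23:09:02 linuxserver modprobe: modprobe: Can't locate module iptable_FORWARD
"""

# Ports discussed in the message; extend this table for your own triage.
KNOWN_PORTS = {138: "netbios-dgm", 27374: "SubSeven back-door port"}
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}

def parse_line(line):
    """Return a dict of fields for a netfilter LOG line, or None for other lines."""
    m = re.search(r"kernel: (IN=\S* OUT=.*)$", line)
    if not m:
        return None
    fields, flags = {}, set()
    for token in m.group(1).split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields.setdefault(key, value)  # keep the first LEN (IP length); UDP LEN repeats later
        else:
            flags.add(token)  # bare tokens such as DF, SYN, ACK
    fields["FLAGS"] = flags
    return fields

def describe(fields):
    """One-line triage summary of a logged packet."""
    dpt = int(fields.get("DPT", 0))
    proto = fields.get("PROTO", "?")
    note = KNOWN_PORTS.get(dpt, "unlisted port")
    tcp = fields["FLAGS"] & TCP_FLAGS
    # A lone SYN is the first packet of a TCP handshake: an inbound connection attempt.
    kind = "connection attempt" if proto == "TCP" and tcp == {"SYN"} else "datagram/other"
    return f"{fields['SRC']} -> {fields['DST']} {proto}/{dpt} ({note}): {kind}"

def triage(log_text):
    """Summarize every netfilter LOG line in the text, skipping unrelated syslog lines."""
    return [describe(f) for f in map(parse_line, log_text.splitlines()) if f]

if __name__ == "__main__":
    print("\n".join(triage(SAMPLE_LOG)))
```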
