[ale] iptables log entries

Mike Millson mgm at atsga.com
Mon Jan 21 07:46:15 EST 2002


The following rule is generating a lot of entries in my messages log file:
$IPTABLES -A FORWARD -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "New not syn:"
$IPTABLES -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP

What I think this rule is doing is "Drop any packet that is a new connection
that does not have the SYN flag set."

Here is an example of an entry I find in my log file from INCOMING
traffic (with info Xed out to protect the innocent):

Jan 21 06:18:50 XXXXXX kernel: New not syn:IN=eth0 OUT= MAC=00:20:78:d2:2f:84:00:02:3b:01:44:f8:08:00 SRC=207.25.71.223 DST=216.77.224.94 LEN=41 TOS=0x00 PREC=0x00 TTL=110 ID=20979 PROTO=TCP SPT=80 DPT=1386 WINDOW=16364 RES=0x00 ACK URGP=0
Jan 21 06:18:51 XXXXXX kernel: New not syn:IN=eth0 OUT= MAC=00:20:78:d2:2f:84:00:02:3b:01:44:f8:08:00 SRC=207.25.71.223 DST=216.77.224.94 LEN=41 TOS=0x00 PREC=0x00 TTL=110 ID=10510 PROTO=TCP SPT=80 DPT=1393 WINDOW=11984 RES=0x00 ACK URGP=0
Jan 21 06:19:39 XXXXXX kernel: New not syn:IN=eth0 OUT= MAC=00:20:78:d2:2f:84:00:02:3b:01:44:f8:08:00 SRC=207.25.71.223 DST=216.77.224.94 LEN=40 TOS=0x00 PREC=0x00 TTL=110 ID=53366 PROTO=TCP SPT=80 DPT=1379 WINDOW=0 RES=0x00 ACK RST URGP=0
Jan 21 06:19:53 XXXXXX kernel: New not syn:IN=eth0 OUT= MAC=00:20:78:d2:2f:84:00:02:3b:01:44:f8:08:00 SRC=207.25.71.223 DST=216.77.224.94 LEN=40 TOS=0x00 PREC=0x00 TTL=110 ID=55006 PROTO=TCP SPT=80 DPT=1384 WINDOW=0 RES=0x00 ACK RST URGP=0

The 207.25.71.223 IP address is owned by Turner Broadcasting. It looks like
someone is scanning my ports. Why is the scanning taking place with a bogus
packet, one where the SYN flag isn't set on a new connection? Is this just
the standard port scanning technique? If so, w/o the SYN flag, how do they
know the port is open if they don't get an ACK?


Here is an example of an entry I find in my log file from OUTGOING
traffic (with info Xed out to protect the innocent):

Jan 21 06:14:08 XXXXXX kernel: New not syn:IN=eth1 OUT=eth0 SRC=192.168.1.11 DST=64.12.180.21 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=36396 DF PROTO=TCP SPT=1551 DPT=80 WINDOW=7438 RES=0x00 ACK FIN URGP=0
Jan 21 06:14:10 XXXXXX kernel: New not syn:IN=eth1 OUT=eth0 SRC=192.168.1.11 DST=64.12.180.21 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=55596 DF PROTO=TCP SPT=1553 DPT=80 WINDOW=7537 RES=0x00 ACK FIN URGP=0
Jan 21 06:14:11 XXXXXX kernel: New not syn:IN=eth1 OUT=eth0 SRC=192.168.1.11 DST=64.12.180.21 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=55852 DF PROTO=TCP SPT=1551 DPT=80 WINDOW=7438 RES=0x00 ACK FIN URGP=0
Jan 21 06:14:15 XXXXXX kernel: New not syn:IN=eth1 OUT=eth0 SRC=192.168.1.11 DST=64.12.180.21 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=4141 DF PROTO=TCP SPT=1553 DPT=80 WINDOW=7537 RES=0x00 ACK FIN URGP=0

It looks like the W98 machine I have hooked up to my network is sending out
the same sort of packets. Is this a worm on my W98 machine? What sort of
program would be sending out these kinds of packets? I looked up
64.12.180.21 but couldn't find who owns it. Is this one of those reserved
internal routing addresses like 192.168.x.x? If so, what possible use could
a program have for trying to port scan internal machines?

Thank you,
Mike Millson
----------------------------------------
AableTech Solutions, Inc.
770.414.8834
770.414.8206 fax
http://www.atsga.com
----------------------------------------



---
This message has been sent through the ALE general discussion list.
See http://www.ale.org/mailing-lists.shtml for more info. Problems should be 
sent to listmaster at ale dot org.
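As an added example (not part of the post or of the ALE archive), the script below triages "New not syn" entries like the ones above. The netfilter connection tracker classifies any TCP packet it holds no state for as NEW, whether or not SYN is set, so the FORWARD rule in the post also logs packets that belong to connections whose conntrack entry has already timed out or been torn down: a web server (SPT=80) sending ACK or ACK/RST back to an ephemeral client port, or an internal client sending ACK/FIN to port 80. Those look exactly like the entries quoted in the post. Stateless scan probes (no flags, FIN only, FIN/PSH/URG) carry neither SYN nor ACK and hit many ports from one source, which is what the script looks for. The SERVICE_PORTS set and the three-port threshold are assumptions chosen for illustration, and the three lines from 192.0.2.77 are constructed to show a NULL scan; the other sample lines are the ones from the post.

```python
"""Triage 'New not syn' iptables LOG entries (added example, not from the post).

Conntrack treats a TCP packet with no matching state as NEW even when SYN is
clear, so the rule logs leftovers of forgotten connections alongside genuine
stateless probes. The labels below are triage indicators, not proof.
"""
import re
from collections import defaultdict

_KV = re.compile(r"(\w+)=(\S*)")
_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}
# Assumption: ports internal clients are expected to reach; adjust per site.
SERVICE_PORTS = {21, 22, 23, 25, 53, 80, 110, 143, 443}


def parse_log_line(line):
    """Parse one kernel LOG line into a dict of KEY=VALUE fields plus 'flags'.

    Returns None for lines that are not TCP LOG output.
    """
    start = line.find("IN=")
    if start < 0 or "PROTO=TCP" not in line:
        return None
    body = line[start:]
    rec = dict(_KV.findall(body))
    # TCP flag names appear as bare words after RES=...; collect them.
    rec["flags"] = frozenset(tok for tok in body.split() if tok in _FLAGS)
    return rec


def classify(rec):
    """Label a record logged by the '! --syn -m state --state NEW' rule."""
    flags = rec["flags"]
    spt, dpt = int(rec["SPT"]), int(rec["DPT"])
    # NULL, FIN-only and FIN/PSH/URG ("Xmas") probes carry neither ACK nor SYN.
    if not flags or flags == {"FIN"} or flags == {"FIN", "PSH", "URG"}:
        return "stealth_probe"
    if "ACK" in flags and "SYN" not in flags:
        # A service port answering or resetting towards an ephemeral client
        # port: the tail of a connection whose conntrack entry expired.
        if spt in SERVICE_PORTS and dpt >= 1024:
            return "stale_server_reply"
        # A client closing a connection conntrack has already dropped.
        if dpt in SERVICE_PORTS and spt >= 1024 and "FIN" in flags:
            return "stale_client_close"
    return "unknown"


def summarize(lines, probe_threshold=3):
    """Count labels and list sources whose stealth probes reached at least
    probe_threshold distinct destination ports (the one-host-many-ports
    pattern that distinguishes a scan from a single stray packet)."""
    counts = defaultdict(int)
    probed_ports = defaultdict(set)
    for line in lines:
        rec = parse_log_line(line)
        if rec is None:
            continue
        label = classify(rec)
        counts[label] += 1
        if label == "stealth_probe":
            probed_ports[rec["SRC"]].add(int(rec["DPT"]))
    scanners = sorted(src for src, ports in probed_ports.items()
                      if len(ports) >= probe_threshold)
    return dict(counts), scanners


# Sample input: the eight entries quoted in the post, followed by three
# constructed NULL-scan lines (no flag words at all) from 192.0.2.77.
SAMPLE_LOG = [
    "Jan 21 06:18:50 XXXXXX kernel: New not syn:IN=eth0 OUT= MAC=00:20:78:d2:2f:84:00:02:3b:01:44:f8:08:00 SRC=207.25.71.223 DST=216.77.224.94 LEN=41 TOS=0x00 PREC=0x00 TTL=110 ID=20979 PROTO=TCP SPT=80 DPT=1386 WINDOW=16364 RES=0x00 ACK URGP=0",
    "Jan 21 06:18:51 XXXXXX kernel: New not syn:IN=eth0 OUT= MAC=00:20:78:d2:2f:84:00:02:3b:01:44:f8:08:00 SRC=207.25.71.223 DST=216.77.224.94 LEN=41 TOS=0x00 PREC=0x00 TTL=110 ID=10510 PROTO=TCP SPT=80 DPT=1393 WINDOW=11984 RES=0x00 ACK URGP=0",
    "Jan 21 06:19:39 XXXXXX kernel: New not syn:IN=eth0 OUT= MAC=00:20:78:d2:2f:84:00:02:3b:01:44:f8:08:00 SRC=207.25.71.223 DST=216.77.224.94 LEN=40 TOS=0x00 PREC=0x00 TTL=110 ID=53366 PROTO=TCP SPT=80 DPT=1379 WINDOW=0 RES=0x00 ACK RST URGP=0",
    "Jan 21 06:19:53 XXXXXX kernel: New not syn:IN=eth0 OUT= MAC=00:20:78:d2:2f:84:00:02:3b:01:44:f8:08:00 SRC=207.25.71.223 DST=216.77.224.94 LEN=40 TOS=0x00 PREC=0x00 TTL=110 ID=55006 PROTO=TCP SPT=80 DPT=1384 WINDOW=0 RES=0x00 ACK RST URGP=0",
    "Jan 21 06:14:08 XXXXXX kernel: New not syn:IN=eth1 OUT=eth0 SRC=192.168.1.11 DST=64.12.180.21 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=36396 DF PROTO=TCP SPT=1551 DPT=80 WINDOW=7438 RES=0x00 ACK FIN URGP=0",
    "Jan 21 06:14:10 XXXXXX kernel: New not syn:IN=eth1 OUT=eth0 SRC=192.168.1.11 DST=64.12.180.21 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=55596 DF PROTO=TCP SPT=1553 DPT=80 WINDOW=7537 RES=0x00 ACK FIN URGP=0",
    "Jan 21 06:14:11 XXXXXX kernel: New not syn:IN=eth1 OUT=eth0 SRC=192.168.1.11 DST=64.12.180.21 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=55852 DF PROTO=TCP SPT=1551 DPT=80 WINDOW=7438 RES=0x00 ACK FIN URGP=0",
    "Jan 21 06:14:15 XXXXXX kernel: New not syn:IN=eth1 OUT=eth0 SRC=192.168.1.11 DST=64.12.180.21 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=4141 DF PROTO=TCP SPT=1553 DPT=80 WINDOW=7537 RES=0x00 ACK FIN URGP=0",
    # constructed: NULL probes, one source, three ports
    "Jan 21 06:30:01 XXXXXX kernel: New not syn:IN=eth0 OUT= MAC=00:20:78:d2:2f:84:00:02:3b:01:44:f8:08:00 SRC=192.0.2.77 DST=216.77.224.94 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=1 PROTO=TCP SPT=44321 DPT=22 WINDOW=1024 RES=0x00 URGP=0",
    "Jan 21 06:30:01 XXXXXX kernel: New not syn:IN=eth0 OUT= MAC=00:20:78:d2:2f:84:00:02:3b:01:44:f8:08:00 SRC=192.0.2.77 DST=216.77.224.94 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=2 PROTO=TCP SPT=44321 DPT=23 WINDOW=1024 RES=0x00 URGP=0",
    "Jan 21 06:30:02 XXXXXX kernel: New not syn:IN=eth0 OUT= MAC=00:20:78:d2:2f:84:00:02:3b:01:44:f8:08:00 SRC=192.0.2.77 DST=216.77.224.94 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=3 PROTO=TCP SPT=44321 DPT=25 WINDOW=1024 RES=0x00 URGP=0",
]

if __name__ == "__main__":
    counts, scanners = summarize(SAMPLE_LOG)
    print(counts)
    print("probable scanners:", scanners)
```

Run against the post's own entries the script labels all eight as stale traffic from connections conntrack no longer tracked, and only the constructed 192.0.2.77 lines come out as a probe. Whatever the verdict, the DROP rule is still worth keeping; if the volume of LOG lines is the problem, rate-limiting the LOG rule with `-m limit --limit 5/min` (a standard iptables match) keeps the sample without flooding the messages file.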