iptables firewall Dropped 843 packets on interface eth0


6 replies to this topic

#1 jamby (Members, 24 posts)

Posted 27 September 2010 - 10:58 AM

Hi

I have a home network on a Qwest DSL network with a Linux firewall/NAT router. Each day iptables reports on the dropped packets received in the last 24 hours. There are 840+ each day, but the port addresses are confined to a small group.

These are on the incoming interface:

Dropped 843 packets on interface eth0
From 8.26.143.26 - 1 packet to udp(63284)
From 14.195.0.86 - 1 packet to udp(63284)
From 24.6.210.149 - 1 packet to udp(12328)
From 24.83.165.221 - 1 packet to udp(63284)
From 24.87.4.142 - 1 packet to udp(12328)
From 41.92.31.108 - 1 packet to udp(12328)
From 41.133.46.44 - 1 packet to udp(12328)
snip ------

This sample contains 2 addresses that reappear throughout the list. Does anyone know what uses these ports?

These are on the outgoing interface:

Rejected 200 packets on interface eth1
From 192.168.1.2 - 6 packets to udp(53)
From 192.168.1.7 - 24 packets to udp(53)
From 192.168.1.10 - 59 packets to udp(5351)
From 192.168.1.12 - 1 packet to udp(53)
From 192.168.1.14 - 110 packets to udp(5351,47758)

The (53,5351) ports are for DNS, but I don't know what the 47758 is. Any ideas?

Thanks
Jim


#2 cryptodan (Bleepin Madman; Members, 21,868 posts; Catonsville, Md)

Posted 27 September 2010 - 12:34 PM

DNS is TCP/UDP port 53 and no other number.

I do not know what the other ports are for. Can you show us your iptables -L output?

#3 jamby (Topic Starter; Members, 24 posts)

Posted 27 September 2010 - 02:27 PM

Cryptodan

Here's the list. iptables is controlled by Shorewall.

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
Chain INPUT (policy DROP)
target prot opt source destination
dynamic all -- anywhere anywhere state INVALID,NEW
net2fw all -- anywhere anywhere
loc2fw all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
Reject all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level info prefix `Shorewall:INPUT:REJECT:'
reject all -- anywhere anywhere [goto]

Chain FORWARD (policy DROP)
target prot opt source destination
dynamic all -- anywhere anywhere state INVALID,NEW
TCPMSS tcp -- anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
net2loc all -- anywhere anywhere
loc2net all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
Reject all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level info prefix `Shorewall:FORWARD:REJECT:'
reject all -- anywhere anywhere [goto]

Chain OUTPUT (policy DROP)
target prot opt source destination
fw2net all -- anywhere anywhere
fw2loc all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
Reject all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level info prefix `Shorewall:OUTPUT:REJECT:'
reject all -- anywhere anywhere [goto]

Chain Drop (2 references)
target prot opt source destination
all -- anywhere anywhere
reject tcp -- anywhere anywhere tcp dpt:auth /* Auth */
dropBcast all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp fragmentation-needed /* Needed ICMP types */
ACCEPT icmp -- anywhere anywhere icmp time-exceeded /* Needed ICMP types */
dropInvalid all -- anywhere anywhere
DROP udp -- anywhere anywhere multiport dports epmap,microsoft-ds /* SMB */
DROP udp -- anywhere anywhere udp dpts:netbios-ns:netbios-ssn /* SMB */
DROP udp -- anywhere anywhere udp spt:netbios-ns dpts:1024:65535 /* SMB */
DROP tcp -- anywhere anywhere multiport dports epmap,netbios-ssn,microsoft-ds /* SMB */
DROP udp -- anywhere anywhere udp dpt:ssdp /* UPnP */
dropNotSyn tcp -- anywhere anywhere
DROP udp -- anywhere anywhere udp spt:domain /* Late DNS Replies */

Chain Reject (6 references)
target prot opt source destination
all -- anywhere anywhere
reject tcp -- anywhere anywhere tcp dpt:auth /* Auth */
dropBcast all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp fragmentation-needed /* Needed ICMP types */
ACCEPT icmp -- anywhere anywhere icmp time-exceeded /* Needed ICMP types */
dropInvalid all -- anywhere anywhere
reject udp -- anywhere anywhere multiport dports epmap,microsoft-ds /* SMB */
reject udp -- anywhere anywhere udp dpts:netbios-ns:netbios-ssn /* SMB */
reject udp -- anywhere anywhere udp spt:netbios-ns dpts:1024:65535 /* SMB */
reject tcp -- anywhere anywhere multiport dports epmap,netbios-ssn,microsoft-ds /* SMB */
DROP udp -- anywhere anywhere udp dpt:ssdp /* UPnP */
dropNotSyn tcp -- anywhere anywhere
DROP udp -- anywhere anywhere udp spt:domain /* Late DNS Replies */

Chain dropBcast (2 references)
target prot opt source destination
DROP all -- anywhere anywhere ADDRTYPE match dst-type BROADCAST
DROP all -- anywhere BASE-ADDRESS.MCAST.NET/4

Chain dropInvalid (2 references)
target prot opt source destination
DROP all -- anywhere anywhere state INVALID

Chain dropNotSyn (2 references)
target prot opt source destination
DROP tcp -- anywhere anywhere tcp flags:!FIN,SYN,RST,ACK/SYN

Chain dynamic (2 references)
target prot opt source destination

Chain fw2loc (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp dpt:smtp
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT udp -- anywhere anywhere udp dpt:ntp /* NTPbi */
Reject all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level info prefix `Shorewall:fw2loc:REJECT:'
reject all -- anywhere anywhere [goto]

Chain fw2net (1 references)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpts:bootps:bootpc
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT udp -- anywhere anywhere udp dpt:domain /* DNS */
ACCEPT tcp -- anywhere anywhere tcp dpt:domain /* DNS */
ACCEPT icmp -- anywhere anywhere
Reject all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level info prefix `Shorewall:fw2net:REJECT:'
reject all -- anywhere anywhere [goto]

Chain loc2fw (1 references)
target prot opt source destination
smurfs all -- anywhere anywhere state INVALID,NEW
tcpflags tcp -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh /* SSH */
ACCEPT icmp -- anywhere anywhere icmp echo-request /* Ping */
ACCEPT tcp -- anywhere anywhere tcp dpt:smtp
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT udp -- anywhere anywhere udp dpt:ntp /* NTPbi */
Reject all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level info prefix `Shorewall:loc2fw:REJECT:'
reject all -- anywhere anywhere [goto]

Chain loc2net (1 references)
target prot opt source destination
smurfs all -- anywhere anywhere state INVALID,NEW
tcpflags tcp -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere icmp echo-request /* Ping */
ACCEPT all -- anywhere anywhere

Chain logdrop (0 references)
target prot opt source destination
DROP all -- anywhere anywhere

Chain logflags (5 references)
target prot opt source destination
LOG all -- anywhere anywhere LOG level info ip-options prefix `Shorewall:logflags:DROP:'
DROP all -- anywhere anywhere

Chain logreject (0 references)
target prot opt source destination
reject all -- anywhere anywhere

Chain net2fw (1 references)
target prot opt source destination
smurfs all -- anywhere anywhere state INVALID,NEW
ACCEPT udp -- anywhere anywhere udp dpts:bootps:bootpc
tcpflags tcp -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
DROP icmp -- anywhere anywhere icmp echo-request /* Ping */
Drop all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level info prefix `Shorewall:net2fw:DROP:'
DROP all -- anywhere anywhere

Chain net2loc (1 references)
target prot opt source destination
smurfs all -- anywhere anywhere state INVALID,NEW
tcpflags tcp -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
Drop all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level info prefix `Shorewall:net2loc:DROP:'
DROP all -- anywhere anywhere

Chain reject (13 references)
target prot opt source destination
DROP all -- anywhere anywhere ADDRTYPE match src-type BROADCAST
DROP all -- BASE-ADDRESS.MCAST.NET/4 anywhere
DROP igmp -- anywhere anywhere
REJECT tcp -- anywhere anywhere reject-with tcp-reset
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable

Chain shorewall (0 references)
target prot opt source destination

Chain smurfs (4 references)
target prot opt source destination
RETURN all -- 0.0.0.0 anywhere
LOG all -- anywhere anywhere ADDRTYPE match src-type BROADCAST LOG level info prefix `Shorewall:smurfs:DROP:'
DROP all -- anywhere anywhere ADDRTYPE match src-type BROADCAST
LOG all -- BASE-ADDRESS.MCAST.NET/4 anywhere LOG level info prefix `Shorewall:smurfs:DROP:'
DROP all -- BASE-ADDRESS.MCAST.NET/4 anywhere

Chain tcpflags (4 references)
target prot opt source destination
logflags tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG
logflags tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
logflags tcp -- anywhere anywhere tcp flags:SYN,RST/SYN,RST
logflags tcp -- anywhere anywhere tcp flags:FIN,SYN/FIN,SYN
logflags tcp -- anywhere anywhere tcp spt:0 flags:FIN,SYN,RST,ACK/SYN

%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

#4 cryptodan (Bleepin Madman; Members, 21,868 posts; Catonsville, Md)

Posted 27 September 2010 - 02:52 PM

Probably just different network probes. I wouldn't be too concerned about it since the packets are dropped. Googling those port numbers is inconclusive since they are high-range port numbers.

#5 jamby (Topic Starter; Members, 24 posts)

Posted 27 September 2010 - 05:10 PM

That's what I thought. But I hoped someone else might know more about these particular ports being used by a threat.

Thanks for your time.
Jim

#6 jamby (Topic Starter; Members, 24 posts)

Posted 15 January 2011 - 11:54 AM

Hi

I was running tcpdump on my home network this week and saw the port address 63284 show up. I tracked this back to btdna.exe (BitTorrent). So the answer to my question was that unsolicited connections from BitTorrent were being rejected at my firewall. Errrr. Also, the 12328 port was a second BitTorrent running on a second computer. If the user is logged off then BitTorrent stops, but otherwise there is constant traffic (I think too much) from these ports.

Thanks
Jim
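The investigation this thread walks through can be scripted: summarise a day of Shorewall LOG lines per source (the report quoted in the first post), notice that the inbound drops on eth0 cluster on a couple of high UDP ports that many unrelated senders keep hitting, then look at a LAN-side tcpdump to find which internal host is sending from those same ports. The script below is an added example written for this page; it is not from the original posts and is not part of Shorewall. It parses the kernel-log format that Shorewall's LOG rules emit (the `Shorewall:<chain>:<disposition>:` prefix seen in the iptables -L listing above, followed by the usual iptables IN=/OUT=/SRC=/DST=/PROTO=/SPT=/DPT= fields) and the one-line output of `tcpdump -n`. Both inputs are constructed for the example: the external addresses and destination ports are the ones quoted in the first post, but 192.0.2.10 (router WAN address), 192.168.1.1 (router LAN address), the 198.51.100.x hosts, the timestamps and packet lengths, and the choice of 192.168.1.14 and 192.168.1.7 as the two BitTorrent machines are assumptions. The attribution step also assumes the NAT preserved the client's source port, which iptables MASQUERADE does whenever that port is free on the router; the note in the thread that the rejects on eth1 go to the firewall itself (loc2fw, since loc2net accepts everything) is why they show up as REJECT rather than being forwarded.

```python
import re
from collections import defaultdict

# Constructed Shorewall LOG lines as syslog records them. The external sources and
# ports are the ones quoted in the first post; 192.0.2.10 (router WAN side), 192.168.1.1
# (router LAN side), the 198.51.100.x hosts, timestamps and lengths are placeholders.
SHOREWALL_LOG = """\
Sep 27 03:12:44 gw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=8.26.143.26 DST=192.0.2.10 LEN=131 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=UDP SPT=6881 DPT=63284 LEN=111
Sep 27 03:12:51 gw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=14.195.0.86 DST=192.0.2.10 LEN=131 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=UDP SPT=51413 DPT=63284 LEN=111
Sep 27 03:13:02 gw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=24.6.210.149 DST=192.0.2.10 LEN=131 TOS=0x00 PREC=0x00 TTL=55 ID=0 DF PROTO=UDP SPT=6881 DPT=12328 LEN=111
Sep 27 03:13:20 gw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=24.83.165.221 DST=192.0.2.10 LEN=131 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=UDP SPT=6881 DPT=63284 LEN=111
Sep 27 03:13:33 gw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=24.87.4.142 DST=192.0.2.10 LEN=131 TOS=0x00 PREC=0x00 TTL=49 ID=0 DF PROTO=UDP SPT=6881 DPT=12328 LEN=111
Sep 27 03:14:01 gw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=41.92.31.108 DST=192.0.2.10 LEN=131 TOS=0x00 PREC=0x00 TTL=44 ID=0 DF PROTO=UDP SPT=6881 DPT=12328 LEN=111
Sep 27 03:14:09 gw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=41.133.46.44 DST=192.0.2.10 LEN=131 TOS=0x00 PREC=0x00 TTL=47 ID=0 DF PROTO=UDP SPT=6881 DPT=12328 LEN=111
Sep 27 03:14:30 gw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=31337 DF PROTO=TCP SPT=4455 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Sep 27 03:14:45 gw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=84 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Sep 27 03:15:40 gw kernel: Shorewall:loc2fw:REJECT:IN=eth1 OUT= SRC=192.168.1.14 DST=192.168.1.1 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=50123 DPT=5351 LEN=24
Sep 27 03:15:41 gw kernel: Shorewall:loc2fw:REJECT:IN=eth1 OUT= SRC=192.168.1.14 DST=192.168.1.1 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=50123 DPT=5351 LEN=24
Sep 27 03:16:05 gw kernel: Shorewall:loc2fw:REJECT:IN=eth1 OUT= SRC=192.168.1.10 DST=192.168.1.1 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=50124 DPT=5351 LEN=24
Sep 27 03:16:30 gw kernel: Shorewall:loc2fw:REJECT:IN=eth1 OUT= SRC=192.168.1.2 DST=192.168.1.1 LEN=57 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=54321 DPT=53 LEN=37
"""
# Constructed `tcpdump -ni eth1` output from the LAN side. Which host runs which
# BitTorrent client (192.168.1.14 on 63284, 192.168.1.7 on 12328) is an assumption.
TCPDUMP = """\
03:20:11.402113 IP 192.168.1.14.63284 > 198.51.100.23.51413: UDP, length 103
03:20:11.405877 IP 192.168.1.14.63284 > 198.51.100.77.6881: UDP, length 103
03:20:12.100004 IP 192.168.1.7.12328 > 198.51.100.91.6881: UDP, length 103
03:20:12.300000 IP 192.168.1.2.54321 > 192.168.1.1.53: 12345+ A? example.com. (29)
03:20:13.000000 IP 192.168.1.7.49152 > 198.51.100.5.443: Flags [S], seq 1, win 65535, length 0
"""
LOG_RE = re.compile(r"Shorewall:(?P<chain>[^:\s]+):(?P<disp>[^:\s]+):IN=(?P<iface_in>\S*) OUT=\S* .*?"
                    r"SRC=(?P<src>\S+) DST=\S+ .*?PROTO=(?P<proto>\S+)(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?")
TCPDUMP_RE = re.compile(r"IP (?P<src>\d+(?:\.\d+){3})\.(?P<spt>\d+) > \d+(?:\.\d+){3}\.(?P<dpt>\d+): (?P<rest>.*)")


def parse_shorewall(text):
    """One dict per LOG line. ICMP lines carry no ports, so spt/dpt are None there."""
    recs = []
    for m in filter(None, map(LOG_RE.search, text.splitlines())):
        d = m.groupdict()
        d["proto"] = d["proto"].lower()
        d["spt"], d["dpt"] = (int(d[k]) if d[k] else None for k in ("spt", "dpt"))
        recs.append(d)
    return recs


def parse_tcpdump(text):
    """Endpoints from `tcpdump -n` one-liners; TCP lines are the ones that print 'Flags'."""
    return [{"src": m["src"], "spt": int(m["spt"]), "dpt": int(m["dpt"]),
             "proto": "tcp" if m["rest"].startswith("Flags") else "udp"}
            for m in filter(None, map(TCPDUMP_RE.search, text.splitlines()))]


def summarize(recs, iface):
    """Per source: packet count and {proto: set(dst ports)}, for packets that came in on iface."""
    out = defaultdict(lambda: {"count": 0, "ports": {}})
    for r in (r for r in recs if r["iface_in"] == iface):
        e = out[r["src"]]
        e["count"] += 1
        ports = e["ports"].setdefault(r["proto"], set())
        if r["dpt"] is not None:
            ports.add(r["dpt"])
    return dict(out)


def format_summary(recs, iface):
    """Render the report in the shape the daily mail uses."""
    summary = summarize(recs, iface)
    disps = sorted({r["disp"] for r in recs if r["iface_in"] == iface})
    label = "/".join({"DROP": "Dropped", "REJECT": "Rejected"}.get(d, d) for d in disps) or "Dropped"
    lines = [f"{label} {sum(e['count'] for e in summary.values())} packets on interface {iface}"]
    for src in sorted(summary, key=lambda ip: tuple(map(int, ip.split(".")))):
        n, ports = summary[src]["count"], summary[src]["ports"]
        targets = [f"{p}({','.join(map(str, sorted(ps)))})" if ps else p for p, ps in sorted(ports.items())]
        lines.append(f"From {src} - {n} packet{'s' if n != 1 else ''} to {','.join(targets)}")
    return lines


def hot_ports(recs, iface, min_sources=3):
    """(proto, dport) pairs hit by at least min_sources distinct senders. Many unrelated senders
    converging on the same high, unassigned port usually means something behind the NAT advertised
    it (a P2P client, possibly one that has since closed); worms go for well-known service ports."""
    senders = defaultdict(set)
    for r in (r for r in recs if r["iface_in"] == iface and r["dpt"] is not None):
        senders[(r["proto"], r["dpt"])].add(r["src"])
    return {k: len(v) for k, v in senders.items() if len(v) >= min_sources}


def attribute(hot, lan_recs, lan_prefix="192.168.1."):
    """LAN hosts seen sending *from* a hot port. Assumes MASQUERADE kept the client's
    source port, which iptables does whenever that port is free on the router."""
    owners = defaultdict(set)
    for r in (r for r in lan_recs if (r["proto"], r["spt"]) in hot and r["src"].startswith(lan_prefix)):
        owners[(r["proto"], r["spt"])].add(r["src"])
    return {k: sorted(v) for k, v in owners.items()}


if __name__ == "__main__":
    recs = parse_shorewall(SHOREWALL_LOG)
    print("\n".join(format_summary(recs, "eth0") + [""] + format_summary(recs, "eth1")))
    hot = hot_ports(recs, "eth0")
    for (proto, port), hosts in attribute(hot, parse_tcpdump(TCPDUMP)).items():
        print(f"{proto}/{port}: {hot[(proto, port)]} sources, owned on the LAN by {', '.join(hosts)}")
```

On real data, feed it the kernel log (`/var/log/kern.log`, or `journalctl -k` on a systemd host) for the Shorewall side and a LAN-side capture (`tcpdump -ni eth1 udp`) for the attribution side. The distinct-sender count is the useful signal here: one scanner hitting many ports looks completely different from dozens of unrelated peers all aiming at the same high UDP port, and the latter is exactly what the thread eventually traced to BitTorrent clients on the LAN.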

#7 cryptodan (Bleepin Madman; Members, 21,868 posts; Catonsville, Md)

Posted 15 January 2011 - 02:25 PM

Well, if a user logs off of Windows, btdna could still produce traffic. btdna.exe runs as a service.



