Strange LOG message from iptables. Any ideas?

LinuxGeek · 02-02-2007, 03:06 PM

Hi,
I've set up iptables including some logging. I found logs similar to the one below.

Feb 2 22:59:32 deb kernel: IPT_IN_DROP_ICMP_WLAN0 IN=wlan0 OUT= MAC=00:14:a5:e8:56:a0:00:14:7f:1f:1c:b4:08:00 SRC=87.131.231.80 DST=192.168.165.77 LEN=98 TOS=0x00 PREC=0x00 TTL=244 ID=51624 PROTO=ICMP TYPE=3 CODE=1 [SRC=192.168.165.77 DST=87.131.231.80 LEN=70 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=UDP SPT=17236 DPT=16809 LEN=50 ]

As you can see, the IP 87.X.X.X is sending me an ICMP type 3 packet. It then gives me a [] with PROTO=UDP. Is this ICMP tunneling or what? I should note that I am running some P2P applications. Thanks for your help.

gilead · 02-02-2007, 03:24 PM

ICMP type 3 is a destination unreachable message. It looks more like you tried to connect to UDP port 16809 on 87.131.231.80 and weren't allowed.

LinuxGeek · 02-02-2007, 09:09 PM

Thanks. So the content between the [] is the connection tracking information. So it's their machine that's behind a firewall (for example) and is unreachable. Thanks for your help.

gilead · 02-02-2007, 09:24 PM

That's right - it's an ICMP response saying that the UDP connection could not be made. As you say, it may be behind a firewall, or there may be nothing listening on that port. IIRC you can also get that message when a stateful connection times out and the firewall doesn't allow further traffic because it no longer regards it as relating to an existing connection.

LinuxGeek · 02-03-2007, 12:06 AM

Thanks a lot for your help