LinuxQuestions.org
Welcome to the most active Linux Forum on the web.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 04-21-2011, 08:02 AM   #16
TonyAR
LQ Newbie
 
Registered: Apr 2010
Posts: 15

Original Poster
Rep: Reputation: 0

Quote:
Originally Posted by unixfool View Post
If you're seeing public IPs on the internal segment, that should prove that no translation is happening...which would mean the activity is benign. Forwarded traffic would be translated, right? Check the logs on the destination system and see if you're seeing any traffic on either port. This is also another reason why I recommended using a packet sniffer.
Yesterday, I setup a filter on iptraf to capture the IP addresses of interest.

I've managed to lose the screen capture that I had however the capture indicating that 192.168.0.168 initiated a connection to 212.x.x.x.

So this suggests to me, that the logs I'm seeing are benign.

Unixfool, you say you don't have a FORWARD rule - I thought a this rule was needed when using NAT?

Thanks.


EDIT: I got a fresh screen capture from iptraf:

Code:
 IPTraf
┌ TCP Connections (Source Host:Port) ────────── Packets ─── Bytes Flags  Iface ┐
│┌192.168.0.168:2877                          =       0         0 ----   eth0  │
│└212.118.226.91:80                           =       1        46 RESET  eth0

Last edited by TonyAR; 04-21-2011 at 10:31 AM.
 
Old 04-21-2011, 08:04 AM   #17
TonyAR
LQ Newbie
 
Registered: Apr 2010
Posts: 15

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by Noway2 View Post
Looking part of the entry:
OUTPUT tells me that this is passing through your filter.
SRC=212.118.226.91, says that this did not originate on your network. The IP in question belongs to: js-pd05-eu.revsci.net.
PROTO=TCP SPT=80 DPT=2011 - says that port 80 of that system is connecting to port 2011 of your system.

Assuming you have this port blocked from inbound connections, my interpretation of this is that your machine at 192.168.0.168 made a connection to 212.118.226.91's port 80 (web site) and this was the return traffic to your machine which would be passed by the established, related packet criteria. In your initial post, you stated that you are seeing a lot of packets to inbound high number ports on your system. To me, again these look like possible responses to web browsing. Inbound connections to other ports, like 23, 53, 80, 143 suggest an attempt to access a service, which suggests your NAT setup may be port forwarding them.
Yes, that's what I seem to have learned from sniffing with iptraf.
 
Old 04-21-2011, 08:56 AM   #18
unixfool
Member
 
Registered: May 2005
Location: Northern VA
Distribution: Slackware, Ubuntu, FreeBSD, OpenBSD, OS X
Posts: 781
Blog Entries: 8

Rep: Reputation: 157Reputation: 157
Three thoughts:

1. You're maybe looking at return traffic. You need to verify that that is indeed the case.
2. Your NAT setup might be busted, misconfigured, or maybe you didn't take bidirectional logging into account (for web traffic, at least). IMO, you want to see both inbound and outbound web traffic. You need to check your NAT setup to ensure it is properly configured.
3. Something is NOT right with that web traffic. If IP 212.118.226.91 is a web server and your 192.168.0.168 is a client, the client's port will be ephemeral. Based on the logs you provided, the client port isn't changing, which is weird. That's why I think this isn't normal web traffic. I think it might be something other that web traffic that just happens to be using port 80 as a conduit simply because port 80 is almost always allowed by a network firewall.

Last edited by unixfool; 04-21-2011 at 10:40 AM.
 
Old 04-21-2011, 09:18 AM   #19
unixfool
Member
 
Registered: May 2005
Location: Northern VA
Distribution: Slackware, Ubuntu, FreeBSD, OpenBSD, OS X
Posts: 781
Blog Entries: 8

Rep: Reputation: 157Reputation: 157
Quote:
Originally Posted by TonyAR View Post
Yes, that's what I seem to have learned from sniffing with iptraf.
If that's the case, disregard my last post.

So, this means the issue can be tagged as solved?
 
Old 04-21-2011, 10:05 AM   #20
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Ubuntu 10.10, Slackware 64-current
Posts: 2,124

Rep: Reputation: 776Reputation: 776Reputation: 776Reputation: 776Reputation: 776Reputation: 776Reputation: 776
Unixfool raise an excellent point about masquerading on port 80 because it normally passes through firewalls. Before we can rule this one out, we need to be sure that you can tie the traffic back to a process and that the known process is valid and proper. It looks like the destination, 212.118.226.91, DOES NOT have a functional web PAGE, but it does have a web SERVER, Apache Tomcat to be precise. If I recall, attempting to connect to it on port 80 returns a 404 error. Unless this IP is known to you and this makes sense, as in it is some sort of development site for your applications, I would be suspicious of the traffic.
 
  


Reply

Tags
iptables


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
How to Bind External IP address to Internal IP address tdog89 Linux - Networking 2 06-28-2009 06:21 AM
which interface to graph (internal or external) ? hattori.hanzo Linux - Networking 2 04-03-2008 10:48 PM
Internal network connecting to external IP address kamafeu Linux - Networking 2 01-21-2007 01:23 PM
web hosting with an internal and external ip address mindhacker Linux - Newbie 7 11-28-2006 09:38 PM
Detecting the external IP address of an internal network: JohnLocke Linux - Newbie 17 07-22-2004 04:08 PM


All times are GMT -5. The time now is 01:08 PM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration