LinuxQuestions.org
Old 09-15-2006, 05:45 AM   #1
gabsik
Member
Registered: Dec 2005
Location: This planet
Distribution: Debian,Xubuntu
Posts: 567

source port 80 hits my iptables and fills my log dir


Code:
Sep 15 09:43:56 argo NO_PASSARAN:  IN=eth0 OUT= MAC=00:40:f4:7a:58:25:00:09:5b:b0:3c:a2:08:00  SRC=64.179.93.196 DST=192.168.0.2 LEN=44 TOS=00 PREC=0x00 TTL=107 ID=13348 DF PROTO=TCP SPT=80 DPT=12971 SEQ=2765356488 ACK=1949227637 WINDOW=16560 ACK SYN URGP=0
Sep 15 09:43:56 argo NO_PASSARAN:  IN=eth0 OUT= MAC=00:40:f4:7a:58:25:00:09:5b:b0:3c:a2:08:00  SRC=64.179.93.196 DST=192.168.0.2 LEN=44 TOS=00 PREC=0x00 TTL=107 ID=13347 DF PROTO=TCP SPT=80 DPT=12982 SEQ=117068163 ACK=1002994963 WINDOW=16560 ACK SYN URGP=0
Sep 15 09:43:56 argo NO_PASSARAN:  IN=eth0 OUT= MAC=00:40:f4:7a:58:25:00:09:5b:b0:3c:a2:08:00  SRC=64.179.93.196 DST=192.168.0.2 LEN=44 TOS=00 PREC=0x00 TTL=107 ID=13346 DF PROTO=TCP SPT=80 DPT=12970 SEQ=3425689590 ACK=925052953 WINDOW=16560 ACK SYN URGP=0
Sep 15 09:43:56 argo NO_PASSARAN:  IN=eth0 OUT= MAC=00:40:f4:7a:58:25:00:09:5b:b0:3c:a2:08:00  SRC=64.179.93.196 DST=192.168.0.2 LEN=44 TOS=00 PREC=0x00 TTL=107 ID=13345 DF PROTO=TCP SPT=80 DPT=12985 SEQ=1614575110 ACK=1593592475 WINDOW=16560 ACK SYN URGP=0
Sep 15 09:43:56 argo NO_PASSARAN:  IN=eth0 OUT= MAC=00:40:f4:7a:58:25:00:09:5b:b0:3c:a2:08:00  SRC=64.179.93.196 DST=192.168.0.2 LEN=44 TOS=00 PREC=0x00 TTL=107 ID=13343 DF PROTO=TCP SPT=80 DPT=12972 SEQ=2515422567 ACK=1242495854 WINDOW=16560 ACK SYN URGP=0
Sep 15 09:43:56 argo NO_PASSARAN:  IN=eth0 OUT= MAC=00:40:f4:7a:58:25:00:09:5b:b0:3c:a2:08:00  SRC=64.179.93.196 DST=192.168.0.2 LEN=44 TOS=00 PREC=0x00 TTL=107 ID=13342 DF PROTO=TCP SPT=80 DPT=12990 SEQ=1783217778 ACK=768027605 WINDOW=16560 ACK SYN URGP=0
Sep 15 09:43:56 argo NO_PASSARAN:  IN=eth0 OUT= MAC=00:40:f4:7a:58:25:00:09:5b:b0:3c:a2:08:00  SRC=64.179.93.196 DST=192.168.0.2 LEN=44 TOS=00 PREC=0x00 TTL=107 ID=13341 DF PROTO=TCP SPT=80 DPT=12984 SEQ=2330446581 ACK=60706365 WINDOW=16560 ACK SYN URGP=0
Sep 15 09:43:56 argo NO_PASSARAN:  IN=eth0 OUT= MAC=00:40:f4:7a:58:25:00:09:5b:b0:3c:a2:08:00  SRC=64.179.93.196 DST=192.168.0.2 LEN=44 TOS=00 PREC=0x00 TTL=107 ID=13340 DF PROTO=TCP SPT=80 DPT=12986 SEQ=2466621319 ACK=92341939 WINDOW=16560 ACK SYN URGP=0
Sep 15 09:43:56 argo NO_PASSARAN:  IN=eth0 OUT= MAC=00:40:f4:7a:58:25:00:09:5b:b0:3c:a2:08:00  SRC=64.179.93.196 DST=192.168.0.2 LEN=44 TOS=00 PREC=0x00 TTL=107 ID=13339 DF PROTO=TCP SPT=80 DPT=12974 SEQ=214979759 ACK=246135416 WINDOW=16560 ACK SYN URGP=0
Sep 15 09:43:56 argo NO_PASSARAN:  IN=eth0 OUT= MAC=00:40:f4:7a:58:25:00:09:5b:b0:3c:a2:08:00  SRC=64.179.93.196 DST=192.168.0.2 LEN=44 TOS=00 PREC=0x00 TTL=107 ID=13338 DF PROTO=TCP SPT=80 DPT=12980 SEQ=3094063307 ACK=1733429009 WINDOW=16560 ACK SYN URGP=0
Sep 15 09:43:56 argo NO_PASSARAN:  IN=eth0 OUT= MAC=00:40:f4:7a:58:25:00:09:5b:b0:3c:a2:08:00  SRC=64.179.93.196 DST=192.168.0.2 LEN=44 TOS=00 PREC=0x00 TTL=107 ID=13369 DF PROTO=TCP SPT=80 DPT=12992 SEQ=202180988 ACK=458846818 WINDOW=16560 ACK SYN URGP=0
Sep 15 09:43:56 argo NO_PASSARAN:  IN=eth0 OUT= MAC=00:40:f4:7a:58:25:00:09:5b:b0:3c:a2:08:00  SRC=64.179.93.196 DST=192.168.0.2 LEN=44 TOS=00 PREC=0x00 TTL=107 ID=13371 DF PROTO=TCP SPT=80 DPT=12993 SEQ=2372780055 ACK=1673513368 WINDOW=16560 ACK SYN URGP=0
Sep 15 09:43:56 argo NO_PASSARAN:  IN=eth0 OUT= MAC=00:40:f4:7a:58:25:00:09:5b:b0:3c:a2:08:00  SRC=64.179.93.196 DST=192.168.0.2 LEN=44 TOS=00 PREC=0x00 TTL=107 ID=13372 DF PROTO=TCP SPT=80 DPT=12991 SEQ=1322503841 ACK=824885277 WINDOW=16560 ACK SYN URGP=0
Sep 15 09:43:56 argo NO_PASSARAN:  IN=eth0 OUT= MAC=00:40:f4:7a:58:25:00:09:5b:b0:3c:a2:08:00  SRC=64.179.93.196 DST=192.168.0.2 LEN=44 TOS=00 PREC=0x00 TTL=107 ID=13429 DF PROTO=TCP SPT=80 DPT=13084 SEQ=4069911222 ACK=1349544616 WINDOW=16560 ACK SYN URGP=0
Sep 15 09:43:56 argo NO_PASSARAN:  IN=eth0 OUT= MAC=00:40:f4:7a:58:25:00:09:5b:b0:3c:a2:08:00  SRC=64.179.93.196 DST=192.168.0.2 LEN=44 TOS=00 PREC=0x00 TTL=107 ID=13433 DF PROTO=TCP SPT=80 DPT=16144 SEQ=1658902793 ACK=1197889954 WINDOW=16560 ACK SYN URGP=0
Sep 15 09:43:56 argo NO_PASSARAN:  IN=eth0 OUT= MAC=00:40:f4:7a:58:25:00:09:5b:b0:3c:a2:08:00  SRC=64.179.93.196 DST=192.168.0.2 LEN=44 TOS=00 PREC=0x00 TTL=107 ID=13452 DF PROTO=TCP SPT=80 DPT=17663 SEQ=19722934 ACK=345639476 WINDOW=16560 ACK SYN URGP=0
Sep 15 09:43:56 argo NO_PASSARAN:  IN=eth0 OUT= MAC=00:40:f4:7a:58:25:00:09:5b:b0:3c:a2:08:00  SRC=64.179.93.196 DST=192.168.0.2 LEN=44 TOS=00 PREC=0x00 TTL=107 ID=13461 DF PROTO=TCP SPT=80 DPT=13356 SEQ=2583304338 ACK=303940658 WINDOW=16560 ACK SYN URGP=0
Sep 15 09:43:56 argo NO_PASSARAN:  IN=eth0 OUT= MAC=00:40:f4:7a:58:25:00:09:5b:b0:3c:a2:08:00  SRC=64.179.93.196 DST=192.168.0.2 LEN=44 TOS=00 PREC=0x00 TTL=107 ID=13462 DF PROTO=TCP SPT=80 DPT=13097 SEQ=1919126686 ACK=2020777536 WINDOW=16560 ACK SYN URGP=0
Sep 15 09:43:56 argo NO_PASSARAN:  IN=eth0 OUT= MAC=00:40:f4:7a:58:25:00:09:5b:b0:3c:a2:08:00  SRC=64.179.93.196 DST=192.168.0.2 LEN=44 TOS=00 PREC=0x00 TTL=107 ID=13463 DF PROTO=TCP SPT=80 DPT=13092 SEQ=263521307 ACK=2024921705 WINDOW=16560 ACK SYN URGP=0
Sep 15 09:43:57 argo NO_PASSARAN:  IN=eth0 OUT= MAC=00:40:f4:7a:58:25:00:09:5b:b0:3c:a2:08:00  SRC=64.179.93.196 DST=192.168.0.2 LEN=44 TOS=00 PREC=0x00 TTL=107 ID=13543 DF PROTO=TCP SPT=80 DPT=16363 SEQ=1769710793 ACK=514301826 WINDOW=16560 ACK SYN URGP=0
Sep 15 09:43:58 argo kernel: ip_conntrack: table full, dropping packet.
Sep 15 09:43:58 argo kernel: ip_conntrack: table full, dropping packet.
Sep 15 09:43:58 argo kernel: ip_conntrack: table full, dropping packet.
It really looks to me like a DoS. I have much more than this in my logs: same source IP, same source port, the privileged one, 80 (???).
I have a Tor server running on this host. It does happen that people connect to me from a privileged port like 80 or 443, and in my iptables script I accept connections coming from HTTP ports 80 and 443 to my Tor OR and Dir ports 9090 and 9091, accepting only those two and dropping the rest!
Code:
# accept traffic with source port 80 or 443 going to the Tor OR/Dir ports
$IPT -A INPUT -i eth0 -p tcp -d 192.168.0.2/32 --sport 80 --dport 9090:9091 -j ACCEPT
$IPT -A INPUT -i eth0 -p tcp -d 192.168.0.2/32 --sport 443 --dport 9090:9091 -j ACCEPT
# log everything else that reaches the end of the chain, then drop it
# ($ipt in the original post normalised to $IPT, the same variable as above)
$IPT -A INPUT -i eth0 -j ULOG --ulog-prefix "NO_PASSARAN: "
$IPT -A INPUT -i eth0 -j DROP
What makes me worry is this:
Code:
Sep 15 09:43:58 argo kernel: ip_conntrack: table full, dropping packet.
Sep 15 09:43:58 argo kernel: ip_conntrack: table full, dropping packet.
Sep 15 09:43:58 argo kernel: ip_conntrack: table full, dropping packet.

Last edited by gabsik; 09-15-2006 at 05:53 AM.
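The packets above are SYN/ACKs (the flags column reads "ACK SYN"), not bare SYNs. A SYN/ACK is the second step of the TCP handshake: it is what a web server on port 80 sends back after it has received a SYN carrying your address, and the DPT values here (12970 to 17663) are ephemeral ports, so these are replies to connections that either this host initiated or that somebody else sent with this host's address as the source. Once conntrack's table is full no new ESTABLISHED entry can be created, so such replies fall through every state-based rule and end up at the ULOG/DROP pair. The script below is an added example, not gabsik's code or part of the thread: it parses netfilter ULOG/LOG lines in exactly the format shown above, separates SYN/ACK replies from inbound SYNs, counts the kernel's "table full" messages, and flags a source whose SYN/ACKs hit many different local ports. The sample input reuses three lines from the post plus one constructed bare-SYN line (source 198.51.100.7, a documentation address) and two "table full" lines; the burst threshold is this example's own choice.

```python
"""Classify netfilter ULOG/LOG lines such as the NO_PASSARAN entries above.

Added example, not part of the original post. It separates packets that are
SYN/ACK replies (someone answering a SYN that carried this host's address),
packets that are bare SYNs (an inbound connection attempt), and the kernel's
own "ip_conntrack: table full" messages.
"""
import re
from collections import Counter

# Bare tokens that netfilter prints for set TCP flags ("ACK SYN" in the log).
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}
CONNTRACK_FULL = re.compile(r"ip_conntrack: table full, dropping packet")

# Constructed sample: first three lines copied from the thread, the fourth is a
# made-up inbound SYN to port 22, the last two are the kernel messages.
SAMPLE_LINES = [
    "Sep 15 09:43:56 argo NO_PASSARAN:  IN=eth0 OUT= MAC=00:40:f4:7a:58:25:00:09:5b:b0:3c:a2:08:00  SRC=64.179.93.196 DST=192.168.0.2 LEN=44 TOS=00 PREC=0x00 TTL=107 ID=13348 DF PROTO=TCP SPT=80 DPT=12971 SEQ=2765356488 ACK=1949227637 WINDOW=16560 ACK SYN URGP=0",
    "Sep 15 09:43:56 argo NO_PASSARAN:  IN=eth0 OUT= MAC=00:40:f4:7a:58:25:00:09:5b:b0:3c:a2:08:00  SRC=64.179.93.196 DST=192.168.0.2 LEN=44 TOS=00 PREC=0x00 TTL=107 ID=13347 DF PROTO=TCP SPT=80 DPT=12982 SEQ=117068163 ACK=1002994963 WINDOW=16560 ACK SYN URGP=0",
    "Sep 15 09:43:56 argo NO_PASSARAN:  IN=eth0 OUT= MAC=00:40:f4:7a:58:25:00:09:5b:b0:3c:a2:08:00  SRC=64.179.93.196 DST=192.168.0.2 LEN=44 TOS=00 PREC=0x00 TTL=107 ID=13346 DF PROTO=TCP SPT=80 DPT=12970 SEQ=3425689590 ACK=925052953 WINDOW=16560 ACK SYN URGP=0",
    "Sep 15 09:44:01 argo NO_PASSARAN:  IN=eth0 OUT= MAC=00:40:f4:7a:58:25:00:09:5b:b0:3c:a2:08:00  SRC=198.51.100.7 DST=192.168.0.2 LEN=60 TOS=00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=40111 DPT=22 WINDOW=5840 SYN URGP=0",
    "Sep 15 09:43:58 argo kernel: ip_conntrack: table full, dropping packet.",
    "Sep 15 09:43:58 argo kernel: ip_conntrack: table full, dropping packet.",
]
SAMPLE_LOG = "\n".join(SAMPLE_LINES)


def parse_netfilter_line(line):
    """Return the key=value fields of one packet log line plus a 'flags' set,
    or None if the line is not a packet log line (no SRC=/DST= fields)."""
    if "SRC=" not in line or "DST=" not in line:
        return None
    fields = {"flags": set()}
    for tok in line.split():
        if "=" in tok:                      # KEY=value (value may be empty, e.g. OUT=)
            key, _, value = tok.partition("=")
            fields[key] = value
        elif tok in TCP_FLAGS:              # bare flag token
            fields["flags"].add(tok)
    return fields


def classify(fields):
    """Label one parsed packet by its role in the TCP handshake."""
    if fields.get("PROTO") != "TCP":
        return "other"
    flags = fields["flags"]
    if flags == {"SYN", "ACK"}:
        return "syn_ack"        # reply to a SYN that claimed to come from DST
    if flags == {"SYN"}:
        return "syn"            # somebody opening a connection to DST
    return "other_tcp"


def summarize(log_text):
    """Aggregate syslog text into per-(SRC, SPT) SYN/ACK and SYN counts, the
    number of distinct local ports the SYN/ACKs hit, and the count of
    'table full' kernel messages."""
    syn_ack_by_src, syn_by_src, dpt_by_src = Counter(), Counter(), {}
    conntrack_full = 0
    for line in log_text.splitlines():
        if CONNTRACK_FULL.search(line):
            conntrack_full += 1
            continue
        f = parse_netfilter_line(line)
        if f is None:
            continue
        key = (f["SRC"], f.get("SPT"))
        kind = classify(f)
        if kind == "syn_ack":
            syn_ack_by_src[key] += 1
            dpt_by_src.setdefault(key, set()).add(int(f["DPT"]))
        elif kind == "syn":
            syn_by_src[key] += 1
    return {
        "syn_ack_by_src": dict(syn_ack_by_src),
        "distinct_dpt_by_src": {k: len(v) for k, v in dpt_by_src.items()},
        "syn_by_src": dict(syn_by_src),
        "conntrack_full": conntrack_full,
    }


def synack_bursts(summary, min_distinct_ports=3):
    """(SRC, SPT) pairs whose SYN/ACKs reached at least min_distinct_ports
    different local ports. A SYN/ACK is only legitimate as the answer to a SYN
    this host sent, so a burst across many ephemeral ports means either this
    host opened those connections and conntrack lost track of them, or someone
    else sent SYNs with this host's address (backscatter). Threshold is this
    example's own choice."""
    return sorted(k for k, n in summary["distinct_dpt_by_src"].items()
                  if n >= min_distinct_ports)


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(s)
    print("SYN/ACK bursts:", synack_bursts(s))
```

Run it against the real log with `summarize(open("/var/log/ulog/syslogemu.log").read())` (or wherever ulogd writes); if the only burst sources are hosts your Tor process talks to on 80/443, the fix is on the conntrack side rather than in the packet filter.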
Old 09-15-2006, 06:08 AM   #2
win32sux
LQ Guru
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Quote:
Originally Posted by gabsik
Code:
Sep 15 09:43:58 argo kernel: ip_conntrack: table full, dropping packet.
check the output of:
Code:
cat /proc/sys/net/ipv4/ip_conntrack_max
maybe try increasing the value...

just my ...

Last edited by win32sux; 09-15-2006 at 11:17 AM.
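To turn that check into something you can watch, the script below reads the table's maximum together with its current occupancy and classifies how full it is. It is an added example, not win32sux's code: it looks first at the 2.6-era ip_conntrack files the reply names (`/proc/sys/net/ipv4/ip_conntrack_max` with `/proc/sys/net/ipv4/netfilter/ip_conntrack_count`) and then at the nf_conntrack names current kernels use (`/proc/sys/net/netfilter/nf_conntrack_max` and `nf_conntrack_count`); the 80 % warning threshold and the `proc_root` parameter (which only exists so the reader can point it at a copy of /proc) are this example's own choices.

```python
"""Report how full the connection-tracking table is.

Added example, not part of the thread. Checks the old ip_conntrack counter
files first, then the nf_conntrack ones.
"""
import os

# (max_path, count_path) pairs, oldest naming first.
CONNTRACK_FILES = [
    ("/proc/sys/net/ipv4/ip_conntrack_max",
     "/proc/sys/net/ipv4/netfilter/ip_conntrack_count"),
    ("/proc/sys/net/netfilter/nf_conntrack_max",
     "/proc/sys/net/netfilter/nf_conntrack_count"),
]


def parse_counter(text):
    """Contents of a /proc counter file -> int."""
    return int(text.strip())


def conntrack_status(max_entries, current_entries, warn_fraction=0.8):
    """Classify table occupancy. 'full' is what produces the kernel's
    'table full, dropping packet' message; 'warning' (>= warn_fraction,
    this example's own threshold) is the point to act before that."""
    if max_entries <= 0:
        raise ValueError("conntrack max must be positive")
    fill = current_entries / max_entries
    if current_entries >= max_entries:
        level = "full"
    elif fill >= warn_fraction:
        level = "warning"
    else:
        level = "ok"
    return {"max": max_entries, "count": current_entries,
            "fill": round(fill, 3), "level": level}


def read_conntrack_status(proc_root="/"):
    """Read whichever counter pair exists under proc_root and classify it.
    Returns None when neither pair exists (conntrack module not loaded)."""
    for max_path, count_path in CONNTRACK_FILES:
        mp = os.path.join(proc_root, max_path.lstrip("/"))
        cp = os.path.join(proc_root, count_path.lstrip("/"))
        if os.path.exists(mp) and os.path.exists(cp):
            with open(mp) as f:
                max_entries = parse_counter(f.read())
            with open(cp) as f:
                current = parse_counter(f.read())
            return conntrack_status(max_entries, current)
    return None


if __name__ == "__main__":
    status = read_conntrack_status()
    print(status if status else "no conntrack counters found under /proc")
```

Raising the maximum costs kernel memory for every extra slot and, if the table fills because of a flood of short-lived connections, only buys time; look at the count alongside the established-connection timeout (`ip_conntrack_tcp_timeout_established` next to the count file on the old kernels, `nf_conntrack_tcp_timeout_established` on new ones), since lowering that frees dead entries faster than enlarging the table does. Whatever value you settle on goes in /etc/sysctl.conf so it survives a reboot.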