LinuxQuestions.org


Musikolo 07-17-2004 04:31 PM

Annoying network card piece of data
 
Hi mates, recently I've updated my Linux kernel to the 2.6.7 one and, although I've checked all the kernel options are fine, I get a never-ending piece of my network card data on the console when I start in runlevel 3. After the eth0 is activated at boot time, the following piece of data is repeating with no end the whole time:

Quote:

IN=eth0 OUT= MAC=00:c0:26:a0:83:3e:00:0e:83:ca:c4:e0:08:00 SRC=69.145.42.108 DST=w.x.y.z LEN=48 TOS=0x00 PREC=0x00 TTL=109 ID=26899 DF PROTO=TCP SPT=3387 DPT=445 WINDOW=64240 RES=0x00 SYN URGP=0

Does anyone know how to get rid of it??

Thanks for your help.


PS: DST=w.x.y.z is, in this case, my IP address.

Athlon 1.2 GHz, 768MB RAM.
RH 9.0. Kernel 2.6.7.

RobertP 07-17-2004 07:54 PM

See http://www.webservertalk.com/message294663.html

It looks like a firewall may be dropping packets. The port 3387 is for something called "Back Room Net". If that network traffic is desired, you could modify the firewall. If it is junk, thank your firewall, but change the logging for dropped packets.

chort 07-18-2004 04:34 AM

Port 3387 is the source port, and it's an ephemeral port. The destination is 445, which is a privileged port and it just so happens to run Microsoft Name Service for Win2K and later. The source IP is from a cable broadband network. The program causing those messages to be written to console is the kernel netfilter logging dropped packets.

Now as to why those packets are constantly hitting you, it's fairly easy to guess based on the above information, that it's either a worm trying to propagate, or someone scanning very aggressively for exploitable Windows boxes. The best course of action would be to put a special drop rule in your firewall configuration for all the MS ports and don't use the logging flag. Make sure this rule goes above your default "drop all" rule. That way MS worm related traffic will be blocked, but not logged. All other dropped traffic will continue to be logged so you can examine it.
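
Added example (not from any poster in this thread): a small Python parser for netfilter LOG lines like the one quoted above. It splits the MAC field into destination MAC, source MAC and EtherType, and counts dropped packets per destination port to show which ports a no-log drop rule would quieten. The `MS_PORTS` set and every sample line except the first are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Ports used by Windows networking services (assumption chosen for this example).
MS_PORTS = {135, 137, 138, 139, 445}
KNOWN_FLAGS = {"DF", "MF", "SYN", "ACK", "FIN", "RST", "PSH", "URG", "CWR", "ECE"}

# First line is the one posted in the thread; the other three are constructed samples.
SAMPLE_LOG = """\
IN=eth0 OUT= MAC=00:c0:26:a0:83:3e:00:0e:83:ca:c4:e0:08:00 SRC=69.145.42.108 DST=w.x.y.z LEN=48 TOS=0x00 PREC=0x00 TTL=109 ID=26899 DF PROTO=TCP SPT=3387 DPT=445 WINDOW=64240 RES=0x00 SYN URGP=0
IN=eth0 OUT= MAC=00:c0:26:a0:83:3e:00:0e:83:ca:c4:e0:08:00 SRC=192.0.2.77 DST=w.x.y.z LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=4411 DF PROTO=TCP SPT=4120 DPT=445 WINDOW=64240 RES=0x00 SYN URGP=0
IN=eth0 OUT= MAC=00:c0:26:a0:83:3e:00:0e:83:ca:c4:e0:08:00 SRC=198.51.100.9 DST=w.x.y.z LEN=78 TOS=0x00 PREC=0x00 TTL=110 ID=911 PROTO=UDP SPT=1027 DPT=137 LEN=58
IN=eth0 OUT= MAC=00:c0:26:a0:83:3e:00:0e:83:ca:c4:e0:08:00 SRC=192.0.2.15 DST=w.x.y.z LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=7002 DF PROTO=TCP SPT=51514 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
"""

def parse_line(line):
    """Split one netfilter LOG line into key=value fields plus bare flags."""
    fields, flags = {}, []
    for tok in line.split():
        key, sep, val = tok.partition("=")
        if sep:
            fields.setdefault(key, val)    # UDP lines carry LEN twice; keep the IP one
        elif tok in KNOWN_FLAGS:
            flags.append(tok)              # ignores any syslog prefix words
    octets = fields.get("MAC", "").split(":")
    if len(octets) == 14:                  # Ethernet header: dst(6) + src(6) + type(2)
        fields["MAC_DST"] = ":".join(octets[:6])
        fields["MAC_SRC"] = ":".join(octets[6:12])
        fields["ETHERTYPE"] = "0x" + "".join(octets[12:])
    fields["FLAGS"] = flags
    return fields

def noisy_ms_ports(log_text):
    """Return {(proto, dport): (count, sources)} for logged packets aimed at MS_PORTS."""
    counts, sources = Counter(), {}
    for line in log_text.splitlines():
        f = parse_line(line)
        if not re.fullmatch(r"\d+", f.get("DPT", "")):
            continue                       # ICMP and malformed lines have no port
        key = (f["PROTO"].lower(), int(f["DPT"]))
        counts[key] += 1
        sources.setdefault(key, set()).add(f["SRC"])
    return {k: (n, sorted(sources[k])) for k, n in counts.items() if k[1] in MS_PORTS}

if __name__ == "__main__":
    for (proto, port), (n, srcs) in sorted(noisy_ms_ports(SAMPLE_LOG).items()):
        print(f"{proto}/{port}: {n} logged drops from {', '.join(srcs)}")
```

Entries left out of the result (here the SYN to port 22) are the ones that would still be logged by the default drop rule.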

ppuru 07-18-2004 04:47 AM

If you do not want to see that message any more, use the rule

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 445 -j DROP

Musikolo 07-18-2004 06:14 AM

Hi again!

I've tried the previous suggestions and certainly it didn't work. I must say that I haven't included NAT in my kernel since I think I don't need it. Should I do it for any reason?? So, I've tried the iptables command above, changing

Quote:

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 445 -j DROP

for

Quote:

iptables -t filter -A INPUT -i eth0 -p tcp --dport 445 -j DROP

Additionally, I'm not sure my filter table is properly configured: where is the file where all the rules are saved? I would like to comment out some rules to check whether they are the reason for my problem.

Is the beginning of this command normal? What about the last ACCEPT statement??

Code:

$ /sbin/iptables -t filter -nL
Chain INPUT (policy DROP)
target    prot opt source              destination
ACCEPT    tcp  --  213.37.2.6          0.0.0.0/0          tcp flags:!0x16/0x02
ACCEPT    udp  --  213.37.2.6          0.0.0.0/0
ACCEPT    tcp  --  213.37.2.5          0.0.0.0/0          tcp flags:!0x16/0x02
ACCEPT    udp  --  213.37.2.5          0.0.0.0/0
ACCEPT    all  --  0.0.0.0/0            0.0.0.0/0
... etc.

Thanks

ppuru 07-19-2004 01:14 AM

Use

# iptables -t filter -nvL

This will include the interfaces in the output.

That last line, ACCEPT all -- 0.0.0.0/0 0.0.0.0/0, relates to your local interface (lo).

