Established and unreplied tcp-connections from/to unknown networks
Linux - Networking: This forum is for any issue related to networks or networking. Routing, network cards, OSI, etc. Anything is fair game.
Hi,
When I reviewed the connection tracking list on my Linux-driven router/NAT, an odd thing was revealed. The list contains a large number of entries with both src and dst from networks which I do not know. I am 100% sure that these networks are not routed by my devices. All such entries are ESTABLISHED TCP and UNREPLIED.
How could they appear in the connection tracking list?
You did not post much information about your network. I can only assume they are NAT translations for the websites you are visiting. This would also include all the banner ad sites on those web pages. If you did a Google search and looked at 10 results, you would see over 100 unique connections. And those sites do not always close their connections gracefully, so they may be listed for hours.
Quote:
Originally Posted by Suncoast
I can only assume they are NAT translations for the websites you are visiting.
I do NAT only for private IP addresses.
Quote:
Originally Posted by Suncoast
If you did a Google search and looked at 10 results, you would see over 100 unique connections. And those sites do not always close their connections gracefully, so they may be listed for hours.
but then either the DST or the SRC field would be filled with my IP (or the IP of my NAT gateway, if I am behind NAT).
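The point made above, that on a box which only NATs or routes its own networks one side of every tracked flow must be a local address, can be checked mechanically. The following is an added example, not code from this thread: it parses /proc/net/nf_conntrack (or `conntrack -L`) output and flags entries where neither endpoint of the original-direction tuple is in a list of known local networks, plus TCP entries that are ESTABLISHED yet [UNREPLIED]. The sample lines, the addresses and the LOCAL_NETS list are constructed. One kernel detail worth knowing when reading such entries: with net.netfilter.nf_conntrack_tcp_loose=1 (the default) conntrack will create an ESTABLISHED entry from a single mid-stream TCP packet without ever having seen a handshake, so an ESTABLISHED [UNREPLIED] TCP entry means the router saw one packet of a flow and never saw it answered.

```python
import ipaddress
import re

# One line of /proc/net/nf_conntrack. The l3 prefix ("ipv4 2") is optional so
# that `conntrack -L` output, which omits it, parses too. Layout:
#   [l3proto l3num] l4proto l4num timeout [tcp-state] key=value... [flags] key=value...
_HEADER = re.compile(
    r"^(?:(\S+)\s+\d+\s+)?(\S+)\s+\d+\s+(\d+)\s+(?:([A-Z_]+)\s+)?(.*)$"
)

# Constructed sample (documentation/private ranges), not taken from the thread.
# 1: a normal NATed HTTPS flow (LAN host out through WAN address 198.51.100.7)
# 2: ESTABLISHED [UNREPLIED] between two networks this router does not own
# 3: a fresh outbound SMTP connection that simply has not been answered yet
# 4: a local UDP DNS lookup (stateless protocol, so no state column)
SAMPLE = """\
ipv4     2 tcp      6 431999 ESTABLISHED src=192.168.24.10 dst=203.0.113.5 sport=52344 dport=443 src=203.0.113.5 dst=198.51.100.7 sport=443 dport=52344 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 299 ESTABLISHED src=10.77.3.4 dst=172.31.9.9 sport=44012 dport=25 [UNREPLIED] src=172.31.9.9 dst=10.77.3.4 sport=25 dport=44012 mark=0 zone=0 use=2
ipv4     2 tcp      6 117 SYN_SENT src=192.168.24.10 dst=203.0.113.9 sport=40001 dport=25 [UNREPLIED] src=203.0.113.9 dst=198.51.100.7 sport=25 dport=40001 mark=0 zone=0 use=2
ipv4     2 udp      17 29 src=192.168.24.10 dst=192.168.24.1 sport=5353 dport=53 src=192.168.24.1 dst=192.168.24.10 sport=53 dport=5353 mark=0 zone=0 use=2
"""

# Assumed for the example: the LAN behind the router plus the router's own WAN
# address. On a real box, use every network in `ip route` and every address in `ip addr`.
LOCAL_NETS = ["192.168.24.0/24", "198.51.100.7/32"]


def parse_conntrack(text):
    """Return one dict per entry with original/reply tuples and the bracketed flags."""
    entries = []
    for line in text.splitlines():
        m = _HEADER.match(line)
        if not m:
            continue
        _l3, l4proto, timeout, state, rest = m.groups()
        kv = re.findall(r"(\w+)=(\S+)", rest)
        srcs = [v for k, v in kv if k == "src"]
        dsts = [v for k, v in kv if k == "dst"]
        if len(srcs) < 2 or len(dsts) < 2:
            continue  # not an original/reply tuple pair we understand
        entries.append({
            "proto": l4proto,
            "timeout": int(timeout),
            "state": state,  # None for stateless protocols such as udp
            "orig_src": srcs[0], "orig_dst": dsts[0],
            "reply_src": srcs[1], "reply_dst": dsts[1],
            "unreplied": "[UNREPLIED]" in rest,
            "assured": "[ASSURED]" in rest,
        })
    return entries


def audit(entries, local_nets):
    """Flag entries that should not exist on a router that only NATs/routes local_nets."""
    nets = [ipaddress.ip_network(n, strict=False) for n in local_nets]

    def is_local(addr):
        ip = ipaddress.ip_address(addr)
        return any(ip in n for n in nets)

    findings = []
    for e in entries:
        reasons = []
        # A NATed or routed flow always carries a local address on one side of the
        # original tuple; an entry with neither is traffic this box never originated,
        # forwarded or answered for.
        if not is_local(e["orig_src"]) and not is_local(e["orig_dst"]):
            reasons.append("neither endpoint is in a local network")
        # TCP only reaches ESTABLISHED without a reply via mid-stream pickup
        # (nf_conntrack_tcp_loose): no handshake was observed for this flow.
        if e["proto"] == "tcp" and e["state"] == "ESTABLISHED" and e["unreplied"]:
            reasons.append("ESTABLISHED without any reply packet")
        if reasons:
            findings.append((e, reasons))
    return findings


if __name__ == "__main__":
    for e, reasons in audit(parse_conntrack(SAMPLE), LOCAL_NETS):
        print(f"{e['proto']} {e['orig_src']} -> {e['orig_dst']}: {'; '.join(reasons)}")
```

On a live router, feed it `cat /proc/net/nf_conntrack` (or `conntrack -L 2>/dev/null`) and build LOCAL_NETS from the routing table and interface addresses; a SYN_SENT [UNREPLIED] entry from a local host is a normal half-open connection and is deliberately not flagged.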
Interesting. The sample you posted is port 25, which is email. Do you know subnets? Are either of those IP addresses (SRC/DST) on the same subnet as you are? Is the host portion of either of those IP addresses the same as yours? The only thing I can think of is someone on the same subnet is spoofing addresses.
Do the command "arp -a"
Code:
steve@O:~$ /sbin/arp -a
qbooks.local.loc (192.168.24.126) at 00:04:5a:0f:f4:0a [ether] on eth0
? (192.168.24.65) at 00:11:21:04:4e:e0 [ether] on eth0
? (152.178.14.96) at 00:11:21:04:4e:e0 [ether] on eth0
(IP addresses fictional)
The output shows IP address and MAC address. In this example, notice that the 2nd and 3rd IP addresses have the same MAC address. That means one of two things: the MAC address belongs to a router or gateway, or that person is spoofing another address.
Arp tables do not stay long. You may need to run this command over time to catch a duplicate MAC.
And just to be thorough, do a "route" command. Check to be sure none of those subnets are in your routing table.
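The advice above, to re-run `arp -a` over time and look for duplicate MACs, can be automated. The following is an added example, not code from this thread: it merges several `arp -a` snapshots and reports a MAC that answers for more than one IP (noting whether it is the gateway's MAC, since proxy ARP makes that normal for a gateway), an IP whose MAC changed between snapshots, and any IP outside the local subnet sitting in the ARP cache. The snapshots reuse the fictional addresses from the post with a gateway entry added and a third snapshot in which a host's MAC flips; LOCAL_NET and GATEWAY are assumed.

```python
import ipaddress
import re
from collections import defaultdict

# One `arp -a` line on Linux: "host (ip) at mac [ether] on iface"
_ARP_LINE = re.compile(
    r"^(\S+)\s+\(([\d.]+)\)\s+at\s+([0-9a-fA-F:]{17})\s+\[ether\]\s+on\s+(\S+)"
)

# Constructed snapshots of `arp -a` taken some minutes apart. Addresses are the
# fictional ones from the post plus a gateway entry; in the last snapshot the
# MAC of 192.168.24.126 has changed to the MAC already holding other addresses.
SAMPLES = [
    """\
qbooks.local.loc (192.168.24.126) at 00:04:5a:0f:f4:0a [ether] on eth0
? (192.168.24.65) at 00:11:21:04:4e:e0 [ether] on eth0
? (152.178.14.96) at 00:11:21:04:4e:e0 [ether] on eth0
""",
    """\
qbooks.local.loc (192.168.24.126) at 00:04:5a:0f:f4:0a [ether] on eth0
? (192.168.24.1) at 00:11:21:04:4e:e0 [ether] on eth0
? (192.168.24.65) at 00:11:21:04:4e:e0 [ether] on eth0
""",
    """\
qbooks.local.loc (192.168.24.126) at 00:11:21:04:4e:e0 [ether] on eth0
? (192.168.24.1) at 00:11:21:04:4e:e0 [ether] on eth0
""",
]

# Assumed for the example: our subnet and the address of our default gateway.
LOCAL_NET = "192.168.24.0/24"
GATEWAY = "192.168.24.1"


def parse_arp(text):
    """Return (ip, mac, iface) tuples from arp -a output; MACs lower-cased."""
    out = []
    for line in text.splitlines():
        m = _ARP_LINE.match(line.strip())
        if m:
            _host, ip, mac, iface = m.groups()
            out.append((ip, mac.lower(), iface))
    return out


def analyze(samples, local_net, gateway):
    """Merge several snapshots and report the three things worth a second look."""
    net = ipaddress.ip_network(local_net)
    ips_by_mac = defaultdict(set)
    macs_by_ip = defaultdict(set)
    for text in samples:
        for ip, mac, _iface in parse_arp(text):
            ips_by_mac[mac].add(ip)
            macs_by_ip[ip].add(mac)

    gw_macs = macs_by_ip.get(gateway, set())
    return {
        # One MAC behind several IPs: a router/gateway (proxy ARP) or a host
        # spoofing addresses. is_gateway tells the two apart in the common case.
        "shared_mac": {
            mac: {"ips": sorted(ips), "is_gateway": mac in gw_macs}
            for mac, ips in ips_by_mac.items() if len(ips) > 1
        },
        # An IP whose MAC changed between snapshots: the classic ARP-spoofing sign,
        # which a single `arp -a` can never show.
        "mac_changed": {
            ip: sorted(macs) for ip, macs in macs_by_ip.items() if len(macs) > 1
        },
        # An address outside our subnet in the ARP cache means this host exchanged
        # frames with that IP directly on the link rather than through the router.
        "off_subnet": sorted(
            ip for ip in macs_by_ip if ipaddress.ip_address(ip) not in net
        ),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLES, LOCAL_NET, GATEWAY).items():
        print(key, value)
```

To use it for real, collect `arp -a` (or `ip neigh`, after adjusting the regex) into a file every minute or so with cron and pass the snapshots to analyze(); a MAC that is not the gateway's yet holds several IPs, or an IP whose MAC changed, is the duplicate the post tells you to catch.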
I didn't realize you had access to the public side of your NAT device. So yes, nmap would be about the same. It sounds like you are happy with what you've found.