LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 02-27-2005, 12:26 PM   #1
ming0
Member
 
Registered: Jul 2003
Location: Boston
Distribution: Ubuntu: Warty & Hoary
Posts: 113

firewall blocking node that shouldn't be in my LAN!


I'm using firestarter as my firewall, and have blocked all incoming connections except those from 192.168.0.0/24

My IP in my lan is 192.168.0.100

I have a few other computers that are 192.168.0.101-103

My firewall blocked a strange request from 192.168.1.250 to port 60879. (I tried pinging this node, but no reply)

My server has an NFS share, and so I think all my boxes are running rpc.

Is this a sure sign that someone else is on my LAN?

Thanks,
Ming
 
Old 02-27-2005, 01:21 PM   #2
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Are you sure it originated inside your LAN instead of externally? It's possible to see traffic from IANA reserved addresses if you use some type of shared-subscriber connection like cable, or from a machine that is intentionally spoofing or is misconfigured. Did the firestarter log msg give you a MAC address?
 
Old 02-27-2005, 03:36 PM   #3
Mara
Moderator
 
Registered: Feb 2002
Location: Grenoble
Distribution: Debian
Posts: 9,696

Look into the log. It should tell you if it was from inside or from outside (interface it came from).
 
Old 02-27-2005, 03:40 PM   #4
ming0
Member
 
Registered: Jul 2003
Location: Boston
Distribution: Ubuntu: Warty & Hoary
Posts: 113

Original Poster
I've got a dsl connection with a static IP address.

It appears that it might be my own nic that is doing this:
Code:
sweetbox:/etc/firestarter# cat /var/log/syslog | grep 192.168.1.250
Feb 27 06:43:15 localhost kernel: Inbound IN=eth0 OUT= MAC=00:09:5b:11:aa:88:00:80:c8:01:ea:a8:08:00 SRC=192.168.1.250 DST=192.168.0.100 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=26680 PROTO=TCP SPT=6789 DPT=60879 WINDOW=0 RES=0x00 RST URGP=0
Feb 27 09:28:52 localhost kernel: Inbound IN=eth0 OUT= MAC=00:09:5b:11:aa:88:00:80:c8:01:ea:a8:08:00 SRC=192.168.1.250 DST=192.168.0.100 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=31884 PROTO=TCP SPT=6789 DPT=43741 WINDOW=0 RES=0x00 RST URGP=0
Code:
sweetbox:/etc/firestarter# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:09:5B:11:AA:88
          inet addr:192.168.0.100  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::209:5bff:fe11:aa88/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:7886251 errors:0 dropped:0 overruns:0 frame:0
          TX packets:7722913 errors:1891 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:3514721494 (3.2 GiB)  TX bytes:3789722447 (3.5 GiB)
          Interrupt:10 Base address:0x9000 Memory:ee001000-ee001fff
Thanks for the input. I'm still not sure exactly why my own NIC would be doing this.
 
Old 02-27-2005, 07:53 PM   #5
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

MAC=00:09:5b:11:aa:88:00:80:c8:01:ea:a8:08:00

dst MAC --> 00:09:5b:11:aa:88 --> Netgear NIC
src MAC --> 00:80:c8:01:ea:a8 --> D-Link NIC

ethertype --> 08:00 --> IP (as in TCP/IP)

From the log msgs, these don't look to be originating from your machine. Look for the host with MAC address 00:80:c8:01:ea:a8 (you can take a look at current MAC - hostname mappings using arp command). Keep in mind that MAC addresses are part of the link layer, and therefore the MAC you're seeing could just be your gateway machine or upstream hop rather than the actual originating host.
 
Old 03-02-2005, 01:08 PM   #6
ming0
Member
 
Registered: Jul 2003
Location: Boston
Distribution: Ubuntu: Warty & Hoary
Posts: 113

Original Poster
It appears to be the LAN side of my DSL router (D-Link, of course):

LAN
MAC Address: 00-80-C8-01-EA-A8
IP Address: 192.168.0.1
Subnet Mask: 255.255.255.0
DHCP Server: Enabled

Wonder what the deal would have been?
 
Old 03-02-2005, 03:44 PM   #7
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

If the MAC address is the LAN interface of the router, then it's likely that the packet originated outside of your network. When a packet is forwarded into the LAN by the router, it receives the MAC address of the last hop (your router). Without seeing the packet payload it's hard to speculate what the packet was, but I would suspect it originated from your ISP. Many DSL providers will use private IPs (like 192.168.x.x) on their routers and other infrastructure systems and will occasionally poll client IPs with harmless tcp probes. If your DSL router has any packet filtering or an option like "Block WAN Requests", you should make sure it's enabled.
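Pulling posts #5 and #7 together as an added example (not code from the thread): a small Python parser for the netfilter log line quoted above that splits the MAC= field into destination MAC, source MAC and ethertype, estimates the hop count from the TTL, and labels each frame by whether it carries the router's LAN MAC (forwarded from upstream) or a neighbour's MAC (local, whether or not its IP fits the LAN prefix). The LAN prefix and router MAC come from the thread; the second and third sample lines and all function names are constructed for the example.

```python
import ipaddress

# Constructed sample lines in the netfilter "Inbound" log format quoted in the thread: the first
# mirrors the thread's entry; the other two are made up (a normal NFS request from a LAN host, and a
# neighbour on the same wire using an address outside the LAN prefix).
SAMPLE_LOG = [
    "Feb 27 06:43:15 localhost kernel: Inbound IN=eth0 OUT= MAC=00:09:5b:11:aa:88:00:80:c8:01:ea:a8:08:00 SRC=192.168.1.250 DST=192.168.0.100 LEN=40 TOS=0x00 PREC=0x00 TTL=127 ID=26680 PROTO=TCP SPT=6789 DPT=60879 WINDOW=0 RES=0x00 RST URGP=0",
    "Feb 27 10:02:11 localhost kernel: Inbound IN=eth0 OUT= MAC=00:09:5b:11:aa:88:aa:bb:cc:dd:ee:01:08:00 SRC=192.168.0.101 DST=192.168.0.100 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=44123 DPT=2049 WINDOW=5840 RES=0x00 SYN URGP=0",
    "Feb 27 11:15:40 localhost kernel: Inbound IN=eth0 OUT= MAC=00:09:5b:11:aa:88:aa:bb:cc:dd:ee:02:08:00 SRC=10.0.0.7 DST=192.168.0.100 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=5000 DPT=111 WINDOW=5840 RES=0x00 SYN URGP=0",
]

LAN = ipaddress.ip_network("192.168.0.0/24")   # the poster's LAN prefix
ROUTER_MAC = "00:80:c8:01:ea:a8"               # LAN side of the D-Link router (post #6)
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}

def parse_netfilter_line(line):
    """Split a kernel log line into KEY=VALUE fields, TCP flag words and the three parts of MAC=."""
    fields, flags = {}, set()
    for tok in line.split():
        if "=" in tok:
            key, _, value = tok.partition("=")
            fields[key] = value
        elif tok in TCP_FLAGS:
            flags.add(tok)
    fields["FLAGS"] = flags
    octets = fields.get("MAC", "").split(":")
    if len(octets) == 14:                      # 6 dst + 6 src + 2 ethertype, as decoded in post #5
        fields["DST_MAC"] = ":".join(octets[0:6])
        fields["SRC_MAC"] = ":".join(octets[6:12])
        fields["ETHERTYPE"] = "".join(octets[12:14])   # "0800" is IPv4
    return fields

def hops_from_default(ttl):
    """Guess the sender's initial TTL (64, 128 or 255) and return (initial, hops travelled)."""
    ttl = int(ttl)
    initial = next(d for d in (64, 128, 255) if ttl <= d)
    return initial, initial - ttl

def classify(fields, lan=LAN, router_mac=ROUTER_MAC):
    """Say where the frame entered the wire, as far as one log line can tell."""
    if fields.get("SRC_MAC") == router_mac:
        return "forwarded-by-router"   # the router rewrote the source MAC: upstream/ISP side
    if ipaddress.ip_address(fields["SRC"]) in lan:
        return "lan-local"             # a neighbour with a valid LAN address
    return "local-misaddressed"        # layer-2 neighbour using an IP outside the LAN prefix

def triage(lines):
    """Return (verdict, src_ip, src_mac, hops) for each parsed line."""
    parsed = [parse_netfilter_line(l) for l in lines]
    return [(classify(f), f["SRC"], f.get("SRC_MAC"), hops_from_default(f["TTL"])[1]) for f in parsed]
```

Feed it the output of `grep 'kernel:.*MAC=' /var/log/syslog` to sort a day's drops by origin; the verdict is only as good as the router MAC you configure, so check it against `arp -a` first.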
 
Old 03-02-2005, 04:33 PM   #8
ming0
Member
 
Registered: Jul 2003
Location: Boston
Distribution: Ubuntu: Warty & Hoary
Posts: 113

Original Poster
It supposedly has a firewall, but I think it only filters the lower port numbers or something?

I suppose if I see a pattern, and can guess when to expect this packet (it doesn't happen all that often), I'll see if I can grab it and check it out.

Thanks for your advice
 
Old 03-03-2005, 11:23 AM   #9
Kerberus
LQ Newbie
 
Registered: Mar 2005
Posts: 10

It looks like it's from the same physical LAN.

Why do I think this?
The TTL is 127.
The MAC address doesn't match the router's, so it wasn't routed at layer 3 but at layer 2.

One of the PCs on the LAN has an incorrect IP or virtual IP setup. That's my guess.
Why did it send a RST? Where's the original SYN log?

If your D-Link is NAT, then traffic from the ISP would not get into your LAN but would be logged on the router.

Kerberus
 
Old 03-03-2005, 11:49 AM   #10
ming0
Member
 
Registered: Jul 2003
Location: Boston
Distribution: Ubuntu: Warty & Hoary
Posts: 113

Original Poster
Quote:
Originally posted by Kerberus
The MAC address doesn't match the router's
I thought the MAC addresses were the same:

src MAC --> 00:80:c8:01:ea:a8 --> D-Link NIC

And

It appears to be the LAN side of my DSL router (D-Link, of course):
LAN
MAC Address: 00-80-C8-01-EA-A8
 
Old 03-04-2005, 05:47 AM   #11
Kerberus
LQ Newbie
 
Registered: Mar 2005
Posts: 10

You're right, the MAC does match your router's.
OK, this changes things; also the hop count is 1 from a TTL of 128... doh!

Do you also have the log from the IN chain rather than the OUT reply?
I assume the other interface on the D-Link is an IANA assigned range? (as in not internal)

Thanks,
Kerberus
 
Old 03-04-2005, 09:20 AM   #12
ming0
Member
 
Registered: Jul 2003
Location: Boston
Distribution: Ubuntu: Warty & Hoary
Posts: 113

Original Poster
I don't have the log from the IN chain, and yes, it is an IANA IP on the other side...

It's strange though: I've been checking my logs, and haven't seen any more activity from 192.168.1.250. Which doesn't necessarily seem like a good thing. The only thing that might have been different was my laptop being on? I guess I'll need to leave it on for a while and see if I get any more activity from that address.
 