My firewall script runs as follows:

iptables -F
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p tcp --dport 6881:6999 -j ACCEPT #for bittorrent
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT "

iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

My "/var/log/syslog" is steadily filling up with the log from the inbound traffic. I typed "whois those_ipaddresses" and some are in China, in the Czesh Republic, in Spain... but most of the ip addresses are from my isp. I phoned my isp and they told me the ip addresses belong to other users. Now, is it normal behavior of the internet to have inbound traffic coming from all over the place ?

Thanks in advance for any help,
-Danodare

It's normal. Most of what you get are probably worms scanning IPs to find a machine they can use. You can probably also find scan attempts. If you don't have experience reading the logs, there's software that can produce stats for you. Don't remember names at the moment, sorry.

Thanks

Actually by looking a little more closely, I found that mostly they were sending to port 137 and port 445. Googling told me those ports are netbios ports from windows machines and that a recent worm used them.

Besides the firewall, I removed all services in inetd by editing "/etc/inetd.conf" and "kill -HUP id_of_the_inetd_process". By default, it was running a ftp, time, finger, and in.identd.

"nmap -vv localhost" now gives all ports closed.

I have 32k upload and my machine is online 24/7, so I didn't want to leave it unprotected.

Thanks to everyone who helped

-Danodare