Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Originally posted by qwijibow panic averted... I think.....
could this be Samba looking for hosts ???
it probably is...
I doubt it. Those are ICMP host unreachable messages leaving the loopback adapter and have your box as the source AND destination addresses. Maybe you have some kind of firewall issue where you're mistakenly blocking internal traffic? If this was Samba looking for hosts, you'd expect it to be on the standard SMB ports. Try using tcpdump to capture some packets on various interfaces (especially lo) and make sure to use the -e option to dump the link level info (what you'd like to get is traffic to/from 192.168.1.2):
tcpdump -e -i <interface> src and dst host 192.168.1.2
Then look at the MAC addresses in the link level info to track down where the initial packets that generate the icmp errors are coming from.
Originally posted by qwijibow hmm....
I've been using
iptables -A INPUT -i lo -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
to allow internal traffic...
I assumed that internal traffic addressed to its eth0 address would have been allowed by my
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
rule ???
The tcpdump rule you gave me picks up rejected pings to my own eth0 address.
I am quite satisfied that my machine is not compromised, would you agree ?
I misread the log messages. If you look at each one, what is generating the msgs is an initial ICMP ping to a host on the 192.168.2.X network probably going out the external interface, which is immediately followed by a subsystem ICMP host unreachable through lo. The subsystem ICMP host unreachable (1st part of log msg) is what is getting logged and the initial ping is included in the log message for reference (2nd part of log msg). You can prove this to yourself by having tcpdump listen on lo and then ping a non-existent IP address; you should then see traffic to 192.168.1.2 from 192.168.1.2 over the loopback interface.
So it is LISa incrementally pinging each host on the network and not a compromise or someone trying to spoof IP addresses (as in a smurf attack). For some reason, the router is flagging the internal traffic generated by LISa as smurf; probably the ping to the network broadcast IP is what is getting flagged.
As for your iptables rules, as you can see from this example there are a lot more types of traffic on lo addressed to IPs other than 127.0.0.1. I usually use:
iptables -A INPUT -i lo -j ACCEPT
and then just filter invalid IPs like 127.0.0.1 on the external interfaces.
Last edited by Capt_Caveman; 02-03-2005 at 10:02 AM.
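The triage described in the reply above (the "1st part" of each log message is the locally generated ICMP host-unreachable on lo, the "2nd part" is the original ping carried inside it) can be automated over a log file. This is an added example, not code from the thread; it assumes the netfilter LOG target's format, where an ICMP error's embedded original header is printed in square brackets, and the sample lines are constructed for the demo.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample lines in netfilter LOG-target format (not taken from the thread).
# Lines 1-2: ICMP type 3 (unreachable) on lo, self to self, carrying an echo request
# to the 192.168.2.x network in [...].  Line 3: an unrelated SYN from outside on eth0.
SAMPLE_LOG = """\
Feb  3 09:58:12 box kernel: IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=192.168.1.2 DST=192.168.1.2 LEN=84 TOS=0x00 PREC=0xC0 TTL=64 ID=101 PROTO=ICMP TYPE=3 CODE=1 [SRC=192.168.1.2 DST=192.168.2.7 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=4321 SEQ=1 ]
Feb  3 09:58:13 box kernel: IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=192.168.1.2 DST=192.168.1.2 LEN=84 TOS=0x00 PREC=0xC0 TTL=64 ID=102 PROTO=ICMP TYPE=3 CODE=1 [SRC=192.168.1.2 DST=192.168.2.8 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=4321 SEQ=2 ]
Feb  3 09:59:01 box kernel: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.9.8.7 DST=192.168.1.2 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=777 DF PROTO=TCP SPT=40000 DPT=445 WINDOW=5840 RES=0x00 SYN URGP=0
"""

KV = re.compile(r"(\w+)=(\S*)")  # KEY=value tokens; OUT= has an empty value


def parse_log_line(line):
    """Return (outer, inner): outer is the logged packet's fields, inner is the
    embedded original header from [...] for ICMP errors, or None otherwise."""
    inner = None
    m = re.search(r"\[(.*)\]", line)
    if m:
        inner = dict(KV.findall(m.group(1)))
        line = line[:m.start()]
    outer = dict(KV.findall(line.split("kernel:", 1)[-1]))
    return outer, inner


def classify(line, local_ip, scan_net):
    """Flag the benign pattern from the thread: a self-addressed ICMP unreachable
    on lo whose embedded packet is our own echo request into scan_net."""
    outer, inner = parse_log_line(line)
    if (outer.get("IN") == "lo" and outer.get("PROTO") == "ICMP"
            and outer.get("TYPE") == "3" and inner is not None
            and inner.get("PROTO") == "ICMP" and inner.get("TYPE") == "8"
            and outer.get("SRC") == outer.get("DST") == local_ip
            and ip_address(inner["DST"]) in ip_network(scan_net)):
        return "local-unreachable-for-probe", inner["DST"]
    return "other", outer.get("SRC")


def triage(log_text, local_ip, scan_net):
    """Group log lines: probed targets for the benign pattern, source IPs for the rest."""
    result = {"local-unreachable-for-probe": [], "other": []}
    for line in log_text.splitlines():
        kind, addr = classify(line, local_ip, scan_net)
        result[kind].append(addr)
    return result
```

Only the "other" bucket needs a human look; the first bucket is the host-discovery sweep the reply attributes to LISa.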