[Nottingham] iptables log analysis

Duncan John Fyfe nottingham at mailman.lug.org.uk
Thu Sep 18 15:48:00 2003


Hello folks,

Sorry if this is a bit of a ramble but I'm hoping someone can help me understand what is going on with my ntl cable modem
connection and my iptables logs.

My set up is:
                                eth0                 eth1
    [NTL]-----[Cable modem]-----[Firewall box           ]-----[hub]-----[Everything else]
                                [Debian testing         ]
                                [Homebrew 2.4.19 kernel ]
                                [+ iptables             ]

When the firewall machine is switched off the cable modem U/L and D/L lights indicate no traffic.
When the firewall is switched on my iptables rules fill my logs with traffic
arriving at eth0 and the cable modem lights indicate traffic.

* Q1:
Which side of the cable modem, NTL side or my side, do the flashing lights indicate traffic on?
I had always assumed it was the NTL side.


Of the various behaviours my firewall rules monitor, only two are appearing in the logs
(before being DROP'd).

The first rule:

	$IPTABLES -A INPUT -p udp -j LOG --log-level error --log-prefix " IPT: INP udp "

Catches anything I haven't explicitly dealt with before dropping it and is forever logging:

Sep 18 07:04:12 dragon kernel:  IPT: INP udp IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:05:74:f7:28:54:08:00 SRC=10.145.167.254 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=53124 PROTO=UDP SPT=67 DPT=68 LEN=308
Sep 18 07:04:12 dragon kernel:  IPT: INP udp IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:05:74:f7:28:54:08:00 SRC=10.145.167.254 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=53127 PROTO=UDP SPT=67 DPT=68 LEN=308

These arrive in pairs every 2-3 minutes.  The IP address is always the same (10.145.167.254) and it is always DST=255.255.255.255.
I'm assuming from the ports that this is aimed at the eth0 dhcp client.
The IP address is private and 'similar' to that of my cable modem (10.145.*.*) but not even close to that
of my cable modem (213.*.*.*), the ntl dhcp server (62.243.0.*), or anything else for that matter.

'dig -x 10.145.167.254' (from within NTL) sends me straight to jail (10.in-addr.arpa. blah blah SOA prisoner.iana.org)
so no help there.

* Q2:
I guess I'm trying to understand how and why this is arriving at my door (something must be routing
the private address) and how I can find out more about the sender?
Also, what would people recommend as good tools for capturing packets and analysing them?

The second rule actually logging something is:

	$IPTABLES -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/minute -j LOG --log-level info --log-prefix " IPT: Ping scan "

Which fills my logs with the likes of:

Sep 18 07:11:42 dragon kernel:  IPT: Ping scan IN=eth0 OUT= MAC=<eth0MACaddress> SRC=213.104.96.41 DST=<eth0IPaddress> LEN=92 TOS=0x00 PREC=0x00 TTL=121 ID=22537 PROTO=ICMP TYPE=8 CODE=0 ID=768 SEQ=14668
Sep 18 07:12:17 dragon kernel:  IPT: Ping scan IN=eth0 OUT= MAC=<eth0MACaddress> SRC=213.106.53.70 DST=<eth0IPaddress> LEN=92 TOS=0x00 PREC=0x00 TTL=119 ID=21086 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=12931

These messages average ~3 per minute (2972 over ~16 hours yesterday).

* Q3:
Either I'm being pinged a lot by random people (1763 unique IP addresses in 2972 messages, mostly originating within ntl) or my understanding of the above rule is wrong.
My understanding of the rule is
"If I receive on average more than 5 pings per minute from a source IP address then the source is logged."

Anyone able to comment ?


Have fun,
Duncan

-- 
Duncan John Fyfe          X-ray Astronomy Group,
                          Dept. of Physics & Astronomy,
Phone +44 116 252 3635    University of Leicester,
E-mail djf@star.le.ac.uk  University Road,
                          Leicester, LE1 7RH, U.K.
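
An added example, not part of Duncan's message or anyone else's in this thread, for the log-analysis side of Q2 and Q3: it parses kernel LOG lines of the layout shown above (splitting the MAC field into destination MAC, source MAC and ethertype, and keeping both LEN and both ID values, since the IP header and the UDP/ICMP header each contribute one), summarises echo-requests per source, and runs a simplified token-bucket model of `-m limit --limit 5/minute` with the default `--limit-burst 5`. Assumptions: the year 2003 (syslog timestamps carry none); the two DHCP lines are copied from the post, the ping lines have their elided DST and MAC filled with documentation addresses and a made-up MAC, and the twenty-ping burst fed to the limit model is constructed. What the model shows is that the limit match's bucket belongs to the rule, not to each source, so 5/minute is a ceiling on how many matching packets reach LOG, whatever mix of sources sends them.

```python
"""Parse iptables LOG lines and model `-m limit` (added example, not from the post)."""
import re
from collections import Counter
from datetime import datetime, timedelta

ASSUMED_YEAR = 2003  # syslog lines carry no year; assumed from the message date

# Constructed sample input: DHCP lines as in the post, ping lines with DST and
# MAC filled in (192.0.2.10 is a documentation address, the MAC is made up).
SAMPLE_LOG = """\
Sep 18 07:04:12 dragon kernel:  IPT: INP udp IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:05:74:f7:28:54:08:00 SRC=10.145.167.254 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=53124 PROTO=UDP SPT=67 DPT=68 LEN=308
Sep 18 07:04:12 dragon kernel:  IPT: INP udp IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:05:74:f7:28:54:08:00 SRC=10.145.167.254 DST=255.255.255.255 LEN=328 TOS=0x00 PREC=0x00 TTL=255 ID=53127 PROTO=UDP SPT=67 DPT=68 LEN=308
Sep 18 07:11:42 dragon kernel:  IPT: Ping scan IN=eth0 OUT= MAC=00:05:74:aa:bb:cc:00:05:74:f7:28:54:08:00 SRC=213.104.96.41 DST=192.0.2.10 LEN=92 TOS=0x00 PREC=0x00 TTL=121 ID=22537 PROTO=ICMP TYPE=8 CODE=0 ID=768 SEQ=14668
Sep 18 07:12:17 dragon kernel:  IPT: Ping scan IN=eth0 OUT= MAC=00:05:74:aa:bb:cc:00:05:74:f7:28:54:08:00 SRC=213.106.53.70 DST=192.0.2.10 LEN=92 TOS=0x00 PREC=0x00 TTL=119 ID=21086 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=12931
Sep 18 07:12:40 dragon kernel:  IPT: Ping scan IN=eth0 OUT= MAC=00:05:74:aa:bb:cc:00:05:74:f7:28:54:08:00 SRC=213.104.96.41 DST=192.0.2.10 LEN=92 TOS=0x00 PREC=0x00 TTL=121 ID=22590 PROTO=ICMP TYPE=8 CODE=0 ID=768 SEQ=14669
Sep 18 07:13:05 dragon kernel:  IPT: Ping scan IN=eth0 OUT= MAC=00:05:74:aa:bb:cc:00:05:74:f7:28:54:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=92 TOS=0x00 PREC=0x00 TTL=50 ID=101 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) kernel:\s+"
    r"(?P<prefix>.*?)\s*(?P<fields>IN=.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S*)")  # \S* so that an empty OUT= still parses


def split_mac(mac):
    """LOG prints dst MAC, src MAC and ethertype as one 14-octet colon string."""
    octets = mac.split(":")
    if len(octets) != 14:
        return None
    return {"dst": ":".join(octets[:6]), "src": ":".join(octets[6:12]),
            "ethertype": "0x" + "".join(octets[12:])}


def parse_line(line):
    """One LOG line -> dict, or None if the line is not an iptables LOG line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = {}
    for key, value in FIELD_RE.findall(m.group("fields")):
        # LEN and ID occur twice (IP header, then UDP/ICMP header): keep both in order.
        fields.setdefault(key, []).append(value)
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=ASSUMED_YEAR)
    return {"time": ts, "host": m.group("host"), "prefix": m.group("prefix"),
            "fields": fields, "mac": split_mac(fields.get("MAC", [""])[0])}


def parse_log(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def summarise(records):
    """Counts per log prefix, and per source for echo-requests (PROTO=ICMP TYPE=8)."""
    by_prefix = Counter(r["prefix"] for r in records)
    pings = [r for r in records
             if r["fields"].get("PROTO") == ["ICMP"] and r["fields"].get("TYPE") == ["8"]]
    by_src = Counter(r["fields"]["SRC"][0] for r in pings)
    return {"by_prefix": dict(by_prefix), "pings": len(pings),
            "unique_ping_sources": len(by_src), "top_sources": by_src.most_common(3)}


def simulate_limit(arrivals, rate_per_minute=5.0, burst=5):
    """Simplified model of the limit match: one bucket of `burst` tokens for the
    whole rule, refilled at `rate_per_minute`; a packet that finds a token matches
    (and so reaches LOG). Returns how many of `arrivals` would be logged."""
    tokens, last, logged = float(burst), None, 0
    for ts in sorted(arrivals):
        if last is not None:
            tokens = min(burst, tokens + (ts - last).total_seconds() * rate_per_minute / 60.0)
        last = ts
        if tokens >= 1.0:
            tokens -= 1.0
            logged += 1
    return logged


def constructed_burst(count=20, gap_seconds=3):
    """Constructed arrival times: `count` pings `gap_seconds` apart, as if each
    came from a different host (the shared bucket does not care which)."""
    start = datetime(ASSUMED_YEAR, 9, 18, 7, 0, 0)
    return [start + timedelta(seconds=i * gap_seconds) for i in range(count)]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(summarise(recs))
    print("DHCP frame:", recs[0]["mac"], "IP/UDP LEN:", recs[0]["fields"]["LEN"])
    burst = constructed_burst()
    print(f"{len(burst)} pings in one minute, {simulate_limit(burst)} would reach LOG")
```

Running it prints that only 9 of the 20 constructed pings would be logged: 5 from the initial burst allowance, then roughly one per 12 seconds as the bucket refills. A per-source threshold of the kind described in Q3 would need a per-address bucket, which the plain limit match does not keep.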