Help!

Strange dropped packages - guarddog/iptables

  
  
Post new topic   General Reply to Topic (not reply to a specific post)    Forums Home -> Networking RSS
Next:  suspend a thread with an another thread  
Author Message
Paulo da Silva
External


Since: Sep 18, 2009
Posts: 3
PostPosted: Fri Sep 18, 2009 3:55 am    Post subject: Strange dropped packages - guarddog/iptables
Archived from groups: comp>security>firewalls, others (more info?)
Hi!

I am running Gentoo linux. After installing and setting guarddog, I
found the following "strange", at least for me, situations:

1.
There are lots of dropped packets like this one towards various sites

Ex.:
DROPPED IN= OUT=wlan0 SRC=192.168.1.xx DST=209.85.229.149 LEN=40
TOS=0x00 PREC=0x00 TTL=64 ID=16475 DF PROTO=TCP SPT=4504 DPT=80
SEQ=1247115119 ACK=2605117908 WINDOW=191 RES=0x00 ACK FIN URGP=0

What are these packets and why are they being rejected? I don't notice
any problem in my accesses to my local net nor the "outside world".


2.
On every boot of my laptop, and only then, I got the following 4 packets
(source port changes):

DROPPED IN= OUT=wlan0 SRC=192.168.1.xx DST=192.168.1.99 LEN=52 TOS=0x00
PREC=0x00 TTL=64 ID=19798 DF PROTO=TCP SPT=2334 DPT=80 SEQ=602150045
ACK=0 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40101040201030307)

DROPPED IN= OUT=wlan0 SRC=192.168.1.xx DST=192.168.1.99 LEN=52 TOS=0x00
PREC=0x00 TTL=64 ID=19799 DF PROTO=TCP SPT=2334 DPT=80 SEQ=602150045
ACK=0 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40101040201030307)

DROPPED IN= OUT=wlan0 SRC=192.168.1.xx DST=192.168.1.99 LEN=52 TOS=0x00
PREC=0x00 TTL=64 ID=19800 DF PROTO=TCP SPT=2334 DPT=80 SEQ=602150045
ACK=0 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40101040201030307)

DROPPED IN= OUT=wlan0 SRC=192.168.1.xx DST=192.168.1.99 LEN=52 TOS=0x00
PREC=0x00 TTL=64 ID=3738 DF PROTO=TCP SPT=2342 DPT=80 SEQ=914204314
ACK=0 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40101040201030307)

This is even more strange because 192.168.1.99 is not an address that I
use in my local network and this situation does not occur on, for
example, another PC (desktop) I have and it has the same SW and very
similar configuration!

192.168.1.xx is the IP address of the PC and xx is not 99.

Thanks for any help/comments.
Back to top
Ansgar -59cobalt- Wiecher
External


Since: Sep 18, 2009
Posts: 1
PostPosted: Fri Sep 18, 2009 6:10 am    Post subject: Re: Strange dropped packages - guarddog/iptables [Login to view extended thread Info.]
Archived from groups: per prev. post (more info?)
In comp.security.firewalls Paulo da Silva wrote:
> I am running Gentoo linux. After installing and setting guarddog, I
> found the following "strange", at least for me, situations:
>
> 1.
> There are lots of dropped packets like this one towards various sites
>
> Ex.:
> DROPPED IN= OUT=wlan0 SRC=192.168.1.xx DST=209.85.229.149 LEN=40
> TOS=0x00 PREC=0x00 TTL=64 ID=16475 DF PROTO=TCP SPT=4504 DPT=80
> SEQ=1247115119 ACK=2605117908 WINDOW=191 RES=0x00 ACK FIN URGP=0
>
> What are these packets

Probably your browser closing a connection to Google.

http://www.freesoft.org/CIE/Course/Section4/11.htm

> and why are they being rejected?

We wouldn't know, since you omitted your ruleset.

> I don't notice any problem in my accesses to my local net nor the
> "outside world".

That's because even if the connection isn't terminated correctly, it
will expire after some time.

> 2.
> On every boot of my laptop, and only then, I got the following 4 packets
> (source port changes):
>
> DROPPED IN= OUT=wlan0 SRC=192.168.1.xx DST=192.168.1.99 LEN=52 TOS=0x00
> PREC=0x00 TTL=64 ID=19798 DF PROTO=TCP SPT=2334 DPT=80 SEQ=602150045
> ACK=0 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40101040201030307)
>
> DROPPED IN= OUT=wlan0 SRC=192.168.1.xx DST=192.168.1.99 LEN=52 TOS=0x00
> PREC=0x00 TTL=64 ID=19799 DF PROTO=TCP SPT=2334 DPT=80 SEQ=602150045
> ACK=0 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40101040201030307)
>
> DROPPED IN= OUT=wlan0 SRC=192.168.1.xx DST=192.168.1.99 LEN=52 TOS=0x00
> PREC=0x00 TTL=64 ID=19800 DF PROTO=TCP SPT=2334 DPT=80 SEQ=602150045
> ACK=0 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40101040201030307)
>
> DROPPED IN= OUT=wlan0 SRC=192.168.1.xx DST=192.168.1.99 LEN=52 TOS=0x00
> PREC=0x00 TTL=64 ID=3738 DF PROTO=TCP SPT=2342 DPT=80 SEQ=914204314
> ACK=0 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40101040201030307)
>
> This is even more strange because 192.168.1.99 is not an address that I
> use in my local network and this situation does not occur on, for
> example, another PC (desktop) I have and it has the same SW and very
> similar configuration!

I don't know of a straightforward way to do this with iptables, but you
could use the owner-match module and add logging rules for processes
that you suspect might generate this. See [1].

[1] http://osdir.com/ml/security.firewalls.wizards/2003-11/msg00058.html

F'up2csf

cu
59cobalt
--
"If a software developer ever believes a rootkit is a necessary part of
their architecture they should go back and re-architect their solution."
--Mark Russinovich
Back to top
Paulo da Silva
External


Since: Sep 18, 2009
Posts: 3
PostPosted: Fri Sep 18, 2009 2:10 pm    Post subject: Re: Strange dropped packages - guarddog/iptables [Login to view extended thread Info.]
Archived from groups: per prev. post (more info?)
Ansgar -59cobalt- Wiechers escreveu:
> In comp.security.firewalls Paulo da Silva wrote:
>> I am running Gentoo linux. After installing and setting guarddog, I
>> found the following "strange", at least for me, situations:
>>
>> 1.
>> There are lots of dropped packets like this one towards various sites
>>
>> Ex.:
>> DROPPED IN= OUT=wlan0 SRC=192.168.1.xx DST=209.85.229.149 LEN=40
>> TOS=0x00 PREC=0x00 TTL=64 ID=16475 DF PROTO=TCP SPT=4504 DPT=80
>> SEQ=1247115119 ACK=2605117908 WINDOW=191 RES=0x00 ACK FIN URGP=0
>>
>> What are these packets
>
> Probably your browser closing a connection to Google.
Thanks.
Is there any inconvenience to let this happen? As I said, the ruleset
was written by guarddog. Any rule to allow *only* these packets without
compromising the rest of the ruleset?
Back to top
Paulo da Silva
External


Since: Sep 18, 2009
Posts: 3
PostPosted: Fri Sep 18, 2009 2:10 pm    Post subject: Re: Strange dropped packages - guarddog/iptables [Login to view extended thread Info.]
Archived from groups: comp>os>linux>networking, others (more info?)
Ansgar -59cobalt- Wiechers escreveu:
....

>>
>> DROPPED IN= OUT=wlan0 SRC=192.168.1.xx DST=192.168.1.99 LEN=52 TOS=0x00
>> PREC=0x00 TTL=64 ID=3738 DF PROTO=TCP SPT=2342 DPT=80 SEQ=914204314
>> ACK=0 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40101040201030307)
>>
>> This is even more strange because 192.168.1.99 is not an address that I
>> use in my local network and this situation does not occur on, for
>> example, another PC (desktop) I have and it has the same SW and very
>> similar configuration!
>

I found the reason. A html document I have opened in konqueror has 4
references to 192.168.1.99. Somehow who wrote it forgot those refs
there. In fact the "problem" occurs when I login and not as part of the
boot process as I thought first.

Thank you all for answering.
Back to top
Display posts from previous:   
Post new topic   General Reply to Topic (not reply to a specific post)    Forums Home -> Networking All times are: Eastern Time (US & Canada) (change)
Page 1 of 1

 
 You can post new topics in this forum
You can reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum