outgoing 10.x.x.x packets being logged

#1
05-18-2004
H. S.


I am running Debian Sarge as a router. The box has eth0 connected to an
ADSL modem, and eth1 connected to a switch to which my home computers
are connected.

My internal home network is 192.168.x.x.

Network cards config is:

auto eth0
iface eth0 inet static
address 10.0.0.1
netmask 255.0.0.0
network 10.0.0.0
broadcast 10.0.0.255
#used 10.x.x.x just to have eth0 on different network than eth1


auto eth1
iface eth1 inet static
address 192.168.0.2
netmask 255.255.255.0
network 192.168.0.0
broadcast 192.168.0.255


I have a firewall setup. Among other things, it stops all packets
addressed to 192.168.x.x going to ppp0, my ADSL modem. Now, in the
/var/log/syslog file, I see the lines given below. If somebody could
explain what is going on, it would be great. It seems that packets
addressed to 10.x.x.x destined towards eth0 are being logged. But where
are these packets coming from? How do I find out what application is
trying to send these packets?

Thanks,
->HS
PS: I am no expert in TCP/IP, though I have an overall understanding
what each line of my firewall does.

LOG lines:

May 17 07:15:36 localhost kernel: IN= OUT=eth0 SRC=10.0.0.1
DST=10.0.0.104 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=58271 DF PROTO=TCP
SPT=48000 DPT=2500 WINDOW=5840 RES=0x00 SYN URGP=0
May 17 07:15:39 localhost kernel: IN= OUT=eth0 SRC=10.0.0.1
DST=10.0.0.104 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=58272 DF PROTO=TCP
SPT=48000 DPT=2500 WINDOW=5840 RES=0x00 SYN URGP=0
May 17 07:17:01 localhost /USR/SBIN/CRON[4798]: (root) CMD ( run-parts
--report /etc/cron.hourly)
May 17 07:30:36 localhost kernel: PingOfDeath: IN=ppp0 OUT= MAC=
SRC=218.18.38.233 DST=65.92.22.19 LEN=60 TOS=0x00 PREC=0x00 TTL=31
ID=27559 DF PROTO=TCP SPT=46311 DPT=49318 WINDOW=5808 RES=0x00 RST SYN
URGP=0
May 17 07:36:47 localhost kernel: IN= OUT=eth0 SRC=10.0.0.1
DST=10.174.139.4 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1662 DF PROTO=TCP
SPT=49878 DPT=2500 WINDOW=5840 RES=0x00 SYN URGP=0
May 17 07:36:50 localhost kernel: IN= OUT=eth0 SRC=10.0.0.1
DST=10.174.139.4 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1663 DF PROTO=TCP
SPT=49878 DPT=2500 WINDOW=5840 RES=0x00 SYN URGP=0
May 17 07:54:34 localhost kernel: IN= OUT=eth0 SRC=10.0.0.1
DST=10.135.187.12 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=30331 DF PROTO=TCP
SPT=51463 DPT=2500 WINDOW=5840 RES=0x00 SYN URGP=0
May 17 07:54:37 localhost kernel: IN= OUT=eth0 SRC=10.0.0.1
DST=10.135.187.12 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=30332 DF PROTO=TCP
SPT=51463 DPT=2500 WINDOW=5840 RES=0x00 SYN URGP=0
May 17 08:01:49 localhost kernel: IN= OUT=eth0 SRC=10.0.0.1
DST=10.10.5.109 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=35286 DF PROTO=TCP
SPT=52094 DPT=2500 WINDOW=5840 RES=0x00 SYN URGP=0
May 17 08:01:52 localhost kernel: IN= OUT=eth0 SRC=10.0.0.1
DST=10.10.5.109 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=35287 DF PROTO=TCP
SPT=52094 DPT=2500 WINDOW=5840 RES=0x00 SYN URGP=0


--
(Please remove all underscores from my email address to get the correct
one. Apologies for the inconvenience, but this is to reduce spam.)
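
An added example, not part of the original post: it rejoins the wrapped syslog entries quoted above and groups the locally generated SYNs (an empty `IN=` means the packet was created on the router itself), flagging whether each destination is on-link under the eth0 stanza's 255.0.0.0 netmask. The function names and the trimmed `SAMPLE` are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: entries copied from the post above, still line-wrapped.
SAMPLE = """\
May 17 07:15:36 localhost kernel: IN= OUT=eth0 SRC=10.0.0.1
DST=10.0.0.104 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=58271 DF PROTO=TCP
SPT=48000 DPT=2500 WINDOW=5840 RES=0x00 SYN URGP=0
May 17 07:15:39 localhost kernel: IN= OUT=eth0 SRC=10.0.0.1
DST=10.0.0.104 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=58272 DF PROTO=TCP
SPT=48000 DPT=2500 WINDOW=5840 RES=0x00 SYN URGP=0
May 17 07:30:36 localhost kernel: PingOfDeath: IN=ppp0 OUT= MAC=
SRC=218.18.38.233 DST=65.92.22.19 LEN=60 TOS=0x00 PREC=0x00 TTL=31
ID=27559 DF PROTO=TCP SPT=46311 DPT=49318 WINDOW=5808 RES=0x00 RST SYN
URGP=0
May 17 07:36:47 localhost kernel: IN= OUT=eth0 SRC=10.0.0.1
DST=10.174.139.4 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1662 DF PROTO=TCP
SPT=49878 DPT=2500 WINDOW=5840 RES=0x00 SYN URGP=0
"""

ETH0 = ipaddress.ip_interface("10.0.0.1/255.0.0.0")  # eth0 stanza from the post
STAMP = re.compile(r"^[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d ")
FIELD = re.compile(r"\b([A-Z]+)=(\S*)")

def records(text):
    """Rejoin wrapped syslog lines, then yield one field dict per kernel entry."""
    joined = []
    for line in text.splitlines():
        if STAMP.match(line) or not joined:
            joined.append(line.strip())
        else:
            joined[-1] += " " + line.strip()
    for entry in joined:
        if " kernel: " in entry:
            rec = dict(FIELD.findall(entry))
            rec["FLAGS"] = set(re.findall(r"\b(SYN|ACK|RST|FIN)\b", entry))
            yield rec

def local_syn_attempts(text, iface=ETH0, out="eth0"):
    """Group locally generated SYNs (empty IN=) by connection attempt."""
    attempts = defaultdict(int)
    for r in records(text):
        if r.get("IN") == "" and r.get("OUT") == out and r["FLAGS"] == {"SYN"}:
            dst = ipaddress.ip_address(r["DST"])
            key = (r["DST"], int(r["DPT"]), int(r["SPT"]), dst in iface.network)
            attempts[key] += 1
    return dict(attempts)
```

Each key is (destination, destination port, source port, on-link under eth0's netmask); a count above 1 for the same source port is a retransmitted SYN, meaning the first one went unanswered.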
#2
05-18-2004
H. S.
Re: outgoing 10.x.x.x packets being logged

H. S. wrote:
>
> I am running Debian Sarge as a router. The box has eth0 connected to an
> ADSL modem, and eth1 connected to a switch to which my home computers
> are connected.
>
> My internal home network is 192.168.x.x.
>
> Network cards config is:
>
> auto eth0
> iface eth0 inet static
> address 10.0.0.1
> netmask 255.0.0.0
> network 10.0.0.0
> broadcast 10.0.0.255
> #used 10.x.x.x just to have eth0 on different network than eth1
>
>
> auto eth1
> iface eth1 inet static
> address 192.168.0.2
> netmask 255.255.255.0
> network 192.168.0.0
> broadcast 192.168.0.255
>
>
> I have a firewall setup. Among other things, it stops all packets
> addressed to 192.168.x.x going to ppp0, my ADSL modem. Now, in the
> /var/log/syslog file, I see the lines given below. If somebody could
> explain what is going on, it would be great. It seems that packets
> addressed to 10.x.x.x destined towards eth0 are being logged. But where
> are these packets coming from? How do I find out what application is
> trying to send these packets?
>
> Thanks,
> ->HS
> PS: I am no expert in TCP/IP, though I have an overall understanding
> what each line of my firewall does.
>
> LOG lines:
>
> May 17 07:15:36 localhost kernel: IN= OUT=eth0 SRC=10.0.0.1
> DST=10.0.0.104 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=58271 DF PROTO=TCP
> SPT=48000 DPT=2500 WINDOW=5840 RES=0x00 SYN URGP=0
> May 17 07:15:39 localhost kernel: IN= OUT=eth0 SRC=10.0.0.1
> DST=10.0.0.104 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=58272 DF PROTO=TCP
> SPT=48000 DPT=2500 WINDOW=5840 RES=0x00 SYN URGP=0
> May 17 07:17:01 localhost /USR/SBIN/CRON[4798]: (root) CMD ( run-parts
> --report /etc/cron.hourly)
> May 17 07:30:36 localhost kernel: PingOfDeath: IN=ppp0 OUT= MAC=
> SRC=218.18.38.233 DST=65.92.22.19 LEN=60 TOS=0x00 PREC=0x00 TTL=31
> ID=27559 DF PROTO=TCP SPT=46311 DPT=49318 WINDOW=5808 RES=0x00 RST SYN
> URGP=0
> May 17 07:36:47 localhost kernel: IN= OUT=eth0 SRC=10.0.0.1
> DST=10.174.139.4 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1662 DF PROTO=TCP
> SPT=49878 DPT=2500 WINDOW=5840 RES=0x00 SYN URGP=0
> May 17 07:36:50 localhost kernel: IN= OUT=eth0 SRC=10.0.0.1
> DST=10.174.139.4 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1663 DF PROTO=TCP
> SPT=49878 DPT=2500 WINDOW=5840 RES=0x00 SYN URGP=0
> May 17 07:54:34 localhost kernel: IN= OUT=eth0 SRC=10.0.0.1
> DST=10.135.187.12 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=30331 DF PROTO=TCP
> SPT=51463 DPT=2500 WINDOW=5840 RES=0x00 SYN URGP=0
> May 17 07:54:37 localhost kernel: IN= OUT=eth0 SRC=10.0.0.1
> DST=10.135.187.12 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=30332 DF PROTO=TCP
> SPT=51463 DPT=2500 WINDOW=5840 RES=0x00 SYN URGP=0
> May 17 08:01:49 localhost kernel: IN= OUT=eth0 SRC=10.0.0.1
> DST=10.10.5.109 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=35286 DF PROTO=TCP
> SPT=52094 DPT=2500 WINDOW=5840 RES=0x00 SYN URGP=0
> May 17 08:01:52 localhost kernel: IN= OUT=eth0 SRC=10.0.0.1
> DST=10.10.5.109 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=35287 DF PROTO=TCP
> SPT=52094 DPT=2500 WINDOW=5840 RES=0x00 SYN URGP=0
>
>



I guess comp.os.linux.security is not a high frequency newsgroup,
perhaps comp.os.linux.networking will be helpful. Hence this post to
networking.

Followups are all set to networking.

->HS

--
(Remove all underscores, if any, from my email address to get the correct
one. Apologies for the inconvenience but this is to reduce spam.)
