Hi,

I use a simple set of iptables rules for my laptop to reject everything from outside using ip_conntrack (from the howto):

    # Generated by iptables-save v1.2.6a on Thu Jul 4 09:54:11 2002
    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [43965:4118502]
    :block - [0:0]
    -A INPUT -j block
    -A FORWARD -j block
    -A block -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A block -i ! eth0 -m state --state NEW -j ACCEPT
    -A block -i eth0 -m limit --limit 3/hour -j LOG --log-prefix "Bad packet from eth0:"
    -A block -i ! eth0 -m limit --limit 3/hour -j LOG --log-prefix "Bad packet not from eth0:"
    -A block -j DROP
    COMMIT
    # Completed on Thu Jul 4 09:54:11 2002

I have an ADSL connection and only a hub between my laptop and the ADSL modem. Recently something changed, I guess on the router of my provider, and now I see unexpected traffic. I see it with the eth0 monitor in gkrellm and with iftop, but not with lsof -i. I was not expecting this traffic and the pattern seems strange: a constant 20kB incoming traffic during a few seconds. So I started looking closer. With ethereal I saw that it was a kind of flooding, most of the time a lot of SYN packets but also netbios.... Each time, neither IP is one of my computer's. For example, during one of these floodings I see with 'tcpdump -c 2 -e':

    tcpdump: listening on eth0
    10:00:39.946940 0:0:c:c3:a:88 ff:ff:ff:ff:0:30 ip 62: 216-203-233-196.customer.algx.net.3574 > adsl-216-158-52-76.cust.oldcity.dca.net.www: S 2011680397:2011680397(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)
    10:00:39.949401 0:0:c:c3:a:88 ff:ff:ff:ff:0:30 ip 62: 216-203-233-196.customer.algx.net.3574 > adsl-216-158-52-76.cust.oldcity.dca.net.www: S 2011680397:2011680397(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)

I am not sure how to interpret 'ff:ff:ff:ff:0:30'. Is it a kind of broadcasting at the ethernet level? Why can I see these packets that are not for me? Why is this traffic not dropped by netfilter? It seems to be a misconfiguration of my ISP's router, no?

I believe it's harmless (except for my bandwidth) but I don't understand why I see (with gkrellm) this traffic which seems to be rejected before netfilter. Is gkrellm using packet information before the iptables processing? I have tried to set /proc/.../eth0/rp_filter to 0 without any difference.

Thanks,
Christophe

-- 
Christophe Barbé <[EMAIL PROTECTED]>
GnuPG FingerPrint: E0F6 FADF 2A5C F072 6AF8 F67A 8F45 2F1E D72C B41E
Dogs come when they're called; cats take a message and get back to you later. --Mary Bly
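Added example, not part of the original mail: a small parser for the old-style `tcpdump -e` lines quoted above that normalizes the MAC addresses, classifies the destination MAC by its I/G (group) bit, and separates frames addressed to this host from stray ones picked up on the shared hub, which interface byte counters (what gkrellm and iftop read) include even though they are never locally delivered and so never traverse the filter INPUT chain. The sample lines are the two from the mail plus one constructed unicast frame; the local MAC and hostname are assumed placeholders.

```python
import re
from collections import Counter

# Old-style `tcpdump -e` line: time, src MAC, dst MAC, "ip", length, src > dst, TCP flags ...
TCPDUMP_E = re.compile(
    r"^(?P<ts>\S+) (?P<smac>\S+) (?P<dmac>\S+) ip (?P<len>\d+): "
    r"(?P<src>\S+) > (?P<dst>\S+): (?P<flags>\S+)"
)

# Constructed sample: the two frames quoted in the mail plus one unicast frame to this host.
SAMPLE = [
    "10:00:39.946940 0:0:c:c3:a:88 ff:ff:ff:ff:0:30 ip 62: 216-203-233-196.customer.algx.net.3574 > adsl-216-158-52-76.cust.oldcity.dca.net.www: S 2011680397:2011680397(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)",
    "10:00:39.949401 0:0:c:c3:a:88 ff:ff:ff:ff:0:30 ip 62: 216-203-233-196.customer.algx.net.3574 > adsl-216-158-52-76.cust.oldcity.dca.net.www: S 2011680397:2011680397(0) win 16384 <mss 1460,nop,nop,sackOK> (DF)",
    "10:00:40.100000 0:0:c:c3:a:88 0:11:22:33:44:55 ip 60: adsl-216-158-52-76.cust.oldcity.dca.net.www > laptop.example.3000: . ack 1 win 16384",
]

def norm_mac(mac):
    """'0:0:c:c3:a:88' -> '00:00:0c:c3:0a:88' (old tcpdump omits leading zeros)."""
    return ":".join(f"{int(o, 16):02x}" for o in mac.split(":"))

def mac_kind(mac):
    mac = norm_mac(mac)
    if mac == "ff:ff:ff:ff:ff:ff":
        return "broadcast"
    # I/G bit: least-significant bit of the first octet set => group (multicast) address.
    # ff:ff:ff:ff:00:30 lands here: a group address, but NOT the all-ones broadcast address.
    if int(mac.split(":")[0], 16) & 1:
        return "group"
    return "unicast"

def parse_frame(line):
    m = TCPDUMP_E.match(line.strip())
    if not m:
        return None
    src_host, src_port = m["src"].rsplit(".", 1)
    dst_host, dst_port = m["dst"].rsplit(".", 1)
    return {
        "src_mac": norm_mac(m["smac"]), "dst_mac": norm_mac(m["dmac"]),
        "dst_kind": mac_kind(m["dmac"]),
        "src_host": src_host, "dst_host": dst_host, "dst_port": dst_port,
        "syn": m["flags"] == "S",  # bare SYN, the flooding pattern from the mail
    }

def stray_frames(lines, my_macs, my_hosts):
    """Frames addressed to this host neither at L2 nor at L3: seen by the NIC on a hub
    (and counted in interface statistics) but never a local delivery, so never in INPUT."""
    out = []
    for line in lines:
        f = parse_frame(line)
        if f and f["dst_mac"] not in my_macs and f["dst_host"] not in my_hosts:
            out.append(f)
    return out

def syn_sources(frames):
    """Count SYNs per (src_host, dst_host) pair to make the flood pattern visible."""
    return Counter((f["src_host"], f["dst_host"]) for f in frames if f["syn"])
```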
