Hi,

I originally posted this about 1:40 this afternoon but it seems to have
gone astray.  Apologies if it appears twice.

Can ICMP packets pose a security risk? (See the attached text files for
the context)

TIA

Ken

Prologue
On Tuesday evening I purchased an airline ticket from Virgin Blue over
the internet.  The home page and the screen where you enter your
selection came up fairly quickly but after entering my requirements
there was a _long_ delay before I was presented with a list of available
flights.  After making my selection, entering credit card details etc.,
there was an extremely long delay (over 10 minutes) before the flight
was confirmed.  (The previous screen warns you not to touch any keys for
45 seconds while your booking is being confirmed.)  The confirmation
screen never did get rendered completely, but it contained the lines:

  "While no other documentation is necessary, you are able to print this
  screen as confirmation of your booking with Virgin Blue"

When I printed the screen I saw the following message at the top of the
page, which had not been rendered on screen:

  "This service makes use of Javascript, which appears to be turned off.
  Click here to learn how to operate it"

In fact Javascript was turned on, but I believe it can be a problem with
Netscape 4.7x.

The packet filtering bit
On checking the logs on Wednesday I noticed a flood of denied packets
corresponding to the time that I was buying the ticket.  I was unable to
find out who 202.139.120.234 is using nslookup; traceroute revealed
nothing, and I was unable to ping the machine.  On rechecking the logs I
found entries suggesting that I was filtering my own pings.

Attached is a file containing 1) excerpts from /var/log/messages, 2) the
script used to set up the packet filter and 3) the output from
ipchains -L.

As there is a rule to accept ICMP packets why were these packets denied?

Why would they have been sent in the first place?  I am assuming that
202.139.120.234 has something to do with Virgin Blue but is this so?

Ken

This file contains excerpts from /var/log/messages
The entries from Oct 17 21:45:03 to 22:32:08 correspond to the time that I was trying 
to book a ticket with Virgin Blue.
The entries dated Oct 18 correspond to when I was trying to traceroute 202.139.120.234 
having failed to find it using nslookup and being unable to ping it.

Oct 17 21:45:03 linux kernel: Packet log: input DENY eth0 PROTO=1 202.139.120.234:11 
203.164.9.230:0 L=112 S=0x00 I=55853 F=0x4000 T=248 (#10)
Oct 17 21:45:03 linux kernel: Packet log: input DENY eth0 PROTO=1 202.139.120.234:11 
203.164.9.230:0 L=112 S=0x00 I=55854 F=0x4000 T=248 (#10)
Oct 17 21:45:05 linux kernel: Packet log: input DENY eth0 PROTO=1 202.139.120.234:11 
203.164.9.230:0 L=112 S=0x00 I=55855 F=0x4000 T=248 (#10)
Oct 17 21:45:23 linux kernel: Packet log: input DENY eth0 PROTO=1 202.139.120.234:11 
203.164.9.230:0 L=112 S=0x00 I=55856 F=0x4000 T=248 (#10)
Oct 17 21:45:45 linux kernel: Packet log: input DENY eth0 PROTO=1 202.139.120.234:11 
203.164.9.230:0 L=112 S=0x00 I=55857 F=0x4000 T=248 (#10)
Oct 17 21:46:28 linux kernel: Packet log: input DENY eth0 PROTO=1 202.139.120.234:11 
203.164.9.230:0 L=112 S=0x00 I=55858 F=0x4000 T=248 (#10)
Oct 17 21:47:53 linux kernel: Packet log: input DENY eth0 PROTO=1 202.139.120.234:11 
203.164.9.230:0 L=112 S=0x00 I=30035 F=0x4000 T=248 (#10)
Oct 17 21:49:53 linux kernel: Packet log: input DENY eth0 PROTO=1 202.139.120.234:11 
203.164.9.230:0 L=112 S=0x00 I=18973 F=0x4000 T=248 (#10)
Oct 17 21:51:53 linux kernel: Packet log: input DENY eth0 PROTO=1 202.139.120.234:11 
203.164.9.230:0 L=112 S=0x00 I=7871 F=0x4000 T=248 (#10)
Oct 17 21:53:53 linux kernel: Packet log: input DENY eth0 PROTO=1 202.139.120.234:11 
203.164.9.230:0 L=112 S=0x00 I=62365 F=0x4000 T=248 (#10)
Oct 17 21:55:53 linux kernel: Packet log: input DENY eth0 PROTO=1 202.139.120.234:11 
203.164.9.230:0 L=112 S=0x00 I=51253 F=0x4000 T=248 (#10)
Oct 17 21:57:53 linux kernel: Packet log: input DENY eth0 PROTO=1 202.139.120.234:11 
203.164.9.230:0 L=112 S=0x00 I=40171 F=0x4000 T=248 (#10)
Oct 17 21:59:53 linux kernel: Packet log: input DENY eth0 PROTO=1 202.139.120.234:11 
203.164.9.230:0 L=112 S=0x00 I=29089 F=0x4000 T=248 (#10)
Oct 17 22:01:53 linux kernel: Packet log: input DENY eth0 PROTO=1 202.139.120.234:11 
203.164.9.230:0 L=112 S=0x00 I=18007 F=0x4000 T=248 (#10)
Oct 17 22:03:53 linux kernel: Packet log: input DENY eth0 PROTO=1 202.139.120.234:11 
203.164.9.230:0 L=112 S=0x00 I=6925 F=0x4000 T=248 (#10)
Oct 17 22:03:55 linux kernel: Packet log: input DENY eth0 PROTO=1 202.139.120.234:11 
203.164.9.230:0 L=112 S=0x00 I=6926 F=0x4000 T=248 (#10)
Oct 17 22:03:55 linux kernel: Packet log: input DENY eth0 PROTO=1 202.139.120.234:11 
203.164.9.230:0 L=112 S=0x00 I=6927 F=0x4000 T=248 (#10)
Oct 17 22:03:56 linux kernel: Packet log: input DENY eth0 PROTO=1 202.139.120.234:11 
203.164.9.230:0 L=112 S=0x00 I=6928 F=0x4000 T=248 (#10)
Oct 17 22:03:57 linux kernel: Packet log: input DENY eth0 PROTO=1 202.139.120.234:11 
203.164.9.230:0 L=112 S=0x00 I=6929 F=0x4000 T=248 (#10)
Oct 17 22:03:58 linux kernel: Packet log: input DENY eth0 PROTO=1 202.139.120.234:11 
203.164.9.230:0 L=112 S=0x00 I=6930 F=0x4000 T=248 (#10)
Oct 17 22:03:59 linux kernel: Packet log: input DENY eth0 PROTO=1 202.139.120.234:11 
203.164.9.230:0 L=112 S=0x00 I=6931 F=0x4000 T=248 (#10)
Oct 17 22:04:00 linux kernel: Packet log: input DENY eth0 PROTO=1 202.139.120.234:11 
203.164.9.230:0 L=112 S=0x00 I=6932 F=0x4000 T=248 (#10)
Oct 17 22:04:02 linux kernel: Packet log: input DENY eth0 PROTO=1 202.139.120.234:11 
203.164.9.230:0 L=112 S=0x00 I=6933 F=0x4000 T=248 (#10)
Oct 17 22:04:05 linux kernel: Packet log: input DENY eth0 PROTO=1 202.139.120.234:11 
203.164.9.230:0 L=112 S=0x00 I=6934 F=0x4000 T=248 (#10)
Oct 17 22:04:06 linux kernel: Packet log: input DENY eth0 PROTO=1 202.139.120.234:11 
203.164.9.230:0 L=112 S=0x00 I=6935 F=0x4000 T=248 (#10)
Oct 17 22:04:09 linux kernel: Packet log: input DENY eth0 PROTO=1 202.139.120.234:11 
203.164.9.230:0 L=112 S=0x00 I=6936 F=0x4000 T=248 (#10)
Oct 17 22:04:16 linux kernel: Packet log: input DENY eth0 PROTO=1 202.139.120.234:11 
203.164.9.230:0 L=112 S=0x00 I=6937 F=0x4000 T=248 (#10)
Oct 17 22:04:18 linux kernel: Packet log: input DENY eth0 PROTO=1 202.139.120.234:11 
203.164.9.230:0 L=112 S=0x00 I=6938 F=0x4000 T=248 (#10)
Oct 17 22:04:24 linux kernel: Packet log: input DENY eth0 PROTO=1 202.139.120.234:11 
203.164.9.230:0 L=112 S=0x00 I=6939 F=0x4000 T=248 (#10)
Oct 17 22:04:37 linux kernel: Packet log: input DENY eth0 PROTO=1 202.139.120.234:11 
203.164.9.230:0 L=112 S=0x00 I=6940 F=0x4000 T=248 (#10)
Oct 17 22:04:54 linux kernel: Packet log: input DENY eth0 PROTO=1 202.139.120.234:11 
203.164.9.230:0 L=112 S=0x00 I=6941 F=0x4000 T=248 (#10)
Oct 17 22:05:01 linux /USR/SBIN/CRON[10603]: (root) CMD ( test -x /usr/sbin/texpire && 
/usr/sbin/texpire) 
Oct 17 22:05:20 linux kernel: Packet log: input DENY eth0 PROTO=1 202.139.120.234:11 
203.164.9.230:0 L=112 S=0x00 I=6942 F=0x4000 T=248 (#10)
Oct 17 22:05:31 linux kernel: Packet log: input DENY eth0 PROTO=1 202.139.120.234:11 
203.164.9.230:0 L=112 S=0x00 I=6943 F=0x4000 T=248 (#10)
Oct 17 22:05:55 linux kernel: Packet log: input DENY eth0 PROTO=1 202.139.120.234:11 
203.164.9.230:0 L=112 S=0x00 I=6944 F=0x4000 T=248 (#10)
Oct 17 22:06:46 linux kernel: Packet log: input DENY eth0 PROTO=1 202.139.120.234:11 
203.164.9.230:0 L=112 S=0x00 I=48063 F=0x4000 T=248 (#10)
Oct 17 22:07:09 linux kernel: Packet log: input DENY eth0 PROTO=1 202.139.120.234:11 
203.164.9.230:0 L=112 S=0x00 I=48064 F=0x4000 T=248 (#10)
Oct 17 22:07:55 linux kernel: Packet log: input DENY eth0 PROTO=1 202.139.120.234:11 
203.164.9.230:0 L=112 S=0x00 I=51537 F=0x4000 T=248 (#10)
Oct 17 22:08:46 linux kernel: Packet log: input DENY eth0 PROTO=1 202.139.120.234:11 
203.164.9.230:0 L=112 S=0x00 I=37011 F=0x4000 T=248 (#10)
Oct 17 22:09:06 linux kernel: Packet log: input DENY eth0 PROTO=1 202.139.120.234:11 
203.164.9.230:0 L=91 S=0x00 I=37012 F=0x4000 T=248 (#10)
Oct 17 22:09:09 linux kernel: Packet log: input DENY eth0 PROTO=1 202.139.120.234:11 
203.164.9.230:0 L=112 S=0x00 I=37013 F=0x4000 T=248 (#10)
Oct 17 22:09:33 linux kernel: Packet log: input DENY eth0 PROTO=1 202.139.120.234:11 
203.164.9.230:0 L=91 S=0x00 I=37014 F=0x4000 T=248 (#10)
Oct 17 22:09:35 linux kernel: Packet log: input DENY eth0 PROTO=1 202.139.120.234:11 
203.164.9.230:0 L=91 S=0x00 I=37015 F=0x4000 T=248 (#10)
Oct 17 22:09:36 linux kernel: Packet log: input DENY eth0 PROTO=1 202.139.120.234:11 
203.164.9.230:0 L=91 S=0x00 I=37016 F=0x4000 T=248 (#10)
Oct 17 22:09:38 linux kernel: Packet log: input DENY eth0 PROTO=1 202.139.120.234:11 
203.164.9.230:0 L=91 S=0x00 I=37017 F=0x4000 T=248 (#10)
Oct 17 22:09:39 linux kernel: Packet log: input DENY eth0 PROTO=1 202.139.120.234:11 
203.164.9.230:0 L=91 S=0x00 I=37018 F=0x4000 T=248 (#10)
Oct 17 22:09:43 linux kernel: Packet log: input DENY eth0 PROTO=1 202.139.120.234:11 
203.164.9.230:0 L=91 S=0x00 I=37019 F=0x4000 T=248 (#10)
Oct 17 22:09:47 linux kernel: Packet log: input DENY eth0 PROTO=1 202.139.120.234:11 
203.164.9.230:0 L=91 S=0x00 I=37020 F=0x4000 T=248 (#10)
Oct 17 22:09:54 linux kernel: Packet log: input DENY eth0 PROTO=1 202.139.120.234:11 
203.164.9.230:0 L=91 S=0x00 I=37021 F=0x4000 T=248 (#10)
Oct 17 22:10:01 linux kernel: Packet log: input DENY eth0 PROTO=1 202.139.120.234:11 
203.164.9.230:0 L=91 S=0x00 I=37022 F=0x4000 T=248 (#10)
Oct 17 22:10:16 linux kernel: Packet log: input DENY eth0 PROTO=1 202.139.120.234:11 
203.164.9.230:0 L=91 S=0x00 I=37023 F=0x4000 T=248 (#10)
Oct 17 22:10:30 linux kernel: Packet log: input DENY eth0 PROTO=1 202.139.120.234:11 
203.164.9.230:0 L=91 S=0x00 I=37024 F=0x4000 T=248 (#10)
Oct 17 22:10:46 linux kernel: Packet log: input DENY eth0 PROTO=1 202.139.120.234:11 
203.164.9.230:0 L=112 S=0x00 I=37025 F=0x4000 T=248 (#10)
Oct 17 22:11:00 linux kernel: Packet log: input DENY eth0 PROTO=1 202.139.120.234:11 
203.164.9.230:0 L=91 S=0x00 I=37026 F=0x4000 T=248 (#10)
Oct 17 22:11:09 linux kernel: Packet log: input DENY eth0 PROTO=1 202.139.120.234:11 
203.164.9.230:0 L=112 S=0x00 I=37027 F=0x4000 T=248 (#10)
Oct 17 22:11:28 linux kernel: Packet log: input DENY eth0 PROTO=1 202.139.120.234:11 
203.164.9.230:0 L=91 S=0x00 I=37028 F=0x4000 T=248 (#10)
Oct 17 22:11:55 linux kernel: Packet log: input DENY eth0 PROTO=1 202.139.120.234:11 
203.164.9.230:0 L=112 S=0x00 I=37029 F=0x4000 T=248 (#10)
Oct 17 22:12:22 linux kernel: Packet log: input DENY eth0 PROTO=1 202.139.120.234:11 
203.164.9.230:0 L=91 S=0x00 I=37030 F=0x4000 T=248 (#10)
Oct 17 22:12:24 linux kernel: Packet log: input DENY eth0 PROTO=1 202.139.120.234:11 
203.164.9.230:0 L=91 S=0x00 I=37031 F=0x4000 T=248 (#10)
Oct 17 22:12:27 linux kernel: Packet log: input DENY eth0 PROTO=1 202.139.120.234:11 
203.164.9.230:0 L=91 S=0x00 I=37032 F=0x4000 T=248 (#10)
Oct 17 22:12:27 linux kernel: Packet log: input DENY eth0 PROTO=1 202.139.120.234:11 
203.164.9.230:0 L=91 S=0x00 I=37033 F=0x4000 T=248 (#10)
Oct 17 22:12:34 linux kernel: Packet log: input DENY eth0 PROTO=1 202.139.120.234:11 
203.164.9.230:0 L=91 S=0x00 I=37034 F=0x4000 T=248 (#10)
Oct 17 22:12:46 linux kernel: Packet log: input DENY eth0 PROTO=1 202.139.120.234:11 
203.164.9.230:0 L=112 S=0x00 I=37035 F=0x4000 T=248 (#10)
Oct 17 22:12:49 linux kernel: Packet log: input DENY eth0 PROTO=1 202.139.120.234:11 
203.164.9.230:0 L=91 S=0x00 I=37036 F=0x4000 T=248 (#10)
Oct 17 22:13:09 linux kernel: Packet log: input DENY eth0 PROTO=1 202.139.120.234:11 
203.164.9.230:0 L=112 S=0x00 I=37037 F=0x4000 T=248 (#10)
Oct 17 22:13:17 linux kernel: Packet log: input DENY eth0 PROTO=1 202.139.120.234:11 
203.164.9.230:0 L=91 S=0x00 I=37038 F=0x4000 T=248 (#10)
Oct 17 22:13:23 linux kernel: Packet log: input DENY eth0 PROTO=1 202.139.120.234:11 
203.164.9.230:0 L=91 S=0x00 I=37039 F=0x4000 T=248 (#10)
Oct 17 22:13:55 linux kernel: Packet log: input DENY eth0 PROTO=1 202.139.120.234:11 
203.164.9.230:0 L=112 S=0x00 I=37040 F=0x4000 T=248 (#10)
Oct 17 22:14:14 linux kernel: Packet log: input DENY eth0 PROTO=1 202.139.120.234:11 
203.164.9.230:0 L=91 S=0x00 I=37041 F=0x4000 T=248 (#10)
Oct 17 22:14:27 linux kernel: Packet log: input DENY eth0 PROTO=1 202.139.120.234:11 
203.164.9.230:0 L=91 S=0x00 I=37042 F=0x4000 T=248 (#10)
Oct 17 22:14:46 linux kernel: Packet log: input DENY eth0 PROTO=1 202.139.120.234:11 
203.164.9.230:0 L=112 S=0x00 I=37043 F=0x4000 T=248 (#10)
Oct 17 22:15:09 linux kernel: Packet log: input DENY eth0 PROTO=1 202.139.120.234:11 
203.164.9.230:0 L=112 S=0x00 I=37044 F=0x4000 T=248 (#10)
Oct 17 22:15:23 linux kernel: Packet log: input DENY eth0 PROTO=1 202.139.120.234:11 
203.164.9.230:0 L=91 S=0x00 I=37045 F=0x4000 T=248 (#10)
Oct 17 22:15:55 linux kernel: Packet log: input DENY eth0 PROTO=1 202.139.120.234:11 
203.164.9.230:0 L=112 S=0x00 I=37046 F=0x4000 T=248 (#10)
Oct 17 22:16:08 linux kernel: Packet log: input DENY eth0 PROTO=1 202.139.120.234:11 
203.164.9.230:0 L=91 S=0x00 I=37047 F=0x4000 T=248 (#10)
Oct 17 22:16:27 linux kernel: Packet log: input DENY eth0 PROTO=1 202.139.120.234:11 
203.164.9.230:0 L=91 S=0x00 I=37048 F=0x4000 T=248 (#10)
Oct 17 22:16:46 linux kernel: Packet log: input DENY eth0 PROTO=1 202.139.120.234:11 
203.164.9.230:0 L=112 S=0x00 I=37049 F=0x4000 T=248 (#10)
Oct 17 22:17:09 linux kernel: Packet log: input DENY eth0 PROTO=1 202.139.120.234:11 
203.164.9.230:0 L=112 S=0x00 I=37050 F=0x4000 T=248 (#10)
Oct 17 22:17:23 linux kernel: Packet log: input DENY eth0 PROTO=1 202.139.120.234:11 
203.164.9.230:0 L=91 S=0x00 I=37051 F=0x4000 T=248 (#10)
Oct 17 22:17:55 linux kernel: Packet log: input DENY eth0 PROTO=1 202.139.120.234:11 
203.164.9.230:0 L=112 S=0x00 I=37052 F=0x4000 T=248 (#10)
Oct 17 22:18:08 linux kernel: Packet log: input DENY eth0 PROTO=1 202.139.120.234:11 
203.164.9.230:0 L=91 S=0x00 I=37053 F=0x4000 T=248 (#10)
Oct 17 22:18:27 linux kernel: Packet log: input DENY eth0 PROTO=1 202.139.120.234:11 
203.164.9.230:0 L=91 S=0x00 I=37054 F=0x4000 T=248 (#10)
Oct 17 22:18:46 linux kernel: Packet log: input DENY eth0 PROTO=1 202.139.120.234:11 
203.164.9.230:0 L=112 S=0x00 I=37055 F=0x4000 T=248 (#10)
Oct 17 22:19:09 linux kernel: Packet log: input DENY eth0 PROTO=1 202.139.120.234:11 
203.164.9.230:0 L=112 S=0x00 I=37056 F=0x4000 T=248 (#10)
Oct 17 22:19:23 linux kernel: Packet log: input DENY eth0 PROTO=1 202.139.120.234:11 
203.164.9.230:0 L=91 S=0x00 I=37057 F=0x4000 T=248 (#10)
Oct 17 22:19:55 linux kernel: Packet log: input DENY eth0 PROTO=1 202.139.120.234:11 
203.164.9.230:0 L=112 S=0x00 I=37058 F=0x4000 T=248 (#10)
Oct 17 22:20:08 linux kernel: Packet log: input DENY eth0 PROTO=1 202.139.120.234:11 
203.164.9.230:0 L=91 S=0x00 I=37059 F=0x4000 T=248 (#10)
Oct 17 22:20:27 linux kernel: Packet log: input DENY eth0 PROTO=1 202.139.120.234:11 
203.164.9.230:0 L=91 S=0x00 I=37060 F=0x4000 T=248 (#10)
Oct 17 22:20:46 linux kernel: Packet log: input DENY eth0 PROTO=1 202.139.120.234:11 
203.164.9.230:0 L=112 S=0x00 I=37061 F=0x4000 T=248 (#10)
Oct 17 22:21:09 linux kernel: Packet log: input DENY eth0 PROTO=1 202.139.120.234:11 
203.164.9.230:0 L=112 S=0x00 I=37062 F=0x4000 T=248 (#10)
Oct 17 22:21:23 linux kernel: Packet log: input DENY eth0 PROTO=1 202.139.120.234:11 
203.164.9.230:0 L=91 S=0x00 I=37063 F=0x4000 T=248 (#10)
Oct 17 22:21:55 linux kernel: Packet log: input DENY eth0 PROTO=1 202.139.120.234:11 
203.164.9.230:0 L=112 S=0x00 I=37064 F=0x4000 T=248 (#10)
Oct 17 22:22:08 linux kernel: Packet log: input DENY eth0 PROTO=1 202.139.120.234:11 
203.164.9.230:0 L=91 S=0x00 I=37065 F=0x4000 T=248 (#10)
Oct 17 22:22:27 linux kernel: Packet log: input DENY eth0 PROTO=1 202.139.120.234:11 
203.164.9.230:0 L=91 S=0x00 I=37066 F=0x4000 T=248 (#10)
Oct 17 22:22:46 linux kernel: Packet log: input DENY eth0 PROTO=1 202.139.120.234:11 
203.164.9.230:0 L=112 S=0x00 I=37067 F=0x4000 T=248 (#10)
Oct 17 22:23:09 linux kernel: Packet log: input DENY eth0 PROTO=1 202.139.120.234:11 
203.164.9.230:0 L=112 S=0x00 I=37068 F=0x4000 T=248 (#10)
Oct 17 22:23:23 linux kernel: Packet log: input DENY eth0 PROTO=1 202.139.120.234:11 
203.164.9.230:0 L=91 S=0x00 I=37069 F=0x4000 T=248 (#10)
Oct 17 22:24:08 linux kernel: Packet log: input DENY eth0 PROTO=1 202.139.120.234:11 
203.164.9.230:0 L=91 S=0x00 I=37070 F=0x4000 T=248 (#10)
Oct 17 22:24:27 linux kernel: Packet log: input DENY eth0 PROTO=1 202.139.120.234:11 
203.164.9.230:0 L=91 S=0x00 I=37071 F=0x4000 T=248 (#10)
Oct 17 22:26:08 linux kernel: Packet log: input DENY eth0 PROTO=1 202.139.120.234:11 
203.164.9.230:0 L=91 S=0x00 I=30785 F=0x4000 T=248 (#10)
Oct 17 22:26:27 linux kernel: Packet log: input DENY eth0 PROTO=1 202.139.120.234:11 
203.164.9.230:0 L=91 S=0x00 I=30786 F=0x4000 T=248 (#10)
Oct 17 22:27:23 linux kernel: Packet log: input DENY eth0 PROTO=1 202.139.120.234:11 
203.164.9.230:0 L=91 S=0x00 I=39879 F=0x4000 T=248 (#10)
Oct 17 22:28:08 linux kernel: Packet log: input DENY eth0 PROTO=1 202.139.120.234:11 
203.164.9.230:0 L=91 S=0x00 I=39880 F=0x4000 T=248 (#10)
Oct 17 22:28:27 linux kernel: Packet log: input DENY eth0 PROTO=1 202.139.120.234:11 
203.164.9.230:0 L=91 S=0x00 I=39881 F=0x4000 T=248 (#10)
Oct 17 22:30:08 linux kernel: Packet log: input DENY eth0 PROTO=1 202.139.120.234:11 
203.164.9.230:0 L=91 S=0x00 I=8661 F=0x4000 T=248 (#10)
Oct 17 22:32:08 linux kernel: Packet log: input DENY eth0 PROTO=1 202.139.120.234:11 
203.164.9.230:0 L=91 S=0x00 I=63085 F=0x4000 T=248 (#10)
Oct 17 22:45:35 linux -- MARK --
Oct 18 09:23:52 linux kernel: Packet log: input DENY eth0 PROTO=1 202.139.120.234:0 
203.164.9.230:0 L=84 S=0x00 I=38733 F=0x4000 T=248 (#10)
Oct 18 09:23:53 linux kernel: Packet log: input DENY eth0 PROTO=1 202.139.120.234:0 
203.164.9.230:0 L=84 S=0x00 I=38734 F=0x4000 T=248 (#10)
Oct 18 09:23:54 linux kernel: Packet log: input DENY eth0 PROTO=1 202.139.120.234:0 
203.164.9.230:0 L=84 S=0x00 I=38735 F=0x4000 T=248 (#10)
Oct 18 09:23:55 linux kernel: Packet log: input DENY eth0 PROTO=1 202.139.120.234:0 
203.164.9.230:0 L=84 S=0x00 I=38736 F=0x4000 T=248 (#10)
Oct 18 09:23:56 linux kernel: Packet log: input DENY eth0 PROTO=1 202.139.120.234:0 
203.164.9.230:0 L=84 S=0x00 I=38737 F=0x4000 T=248 (#10)
Oct 18 09:23:57 linux kernel: Packet log: input DENY eth0 PROTO=1 202.139.120.234:0 
203.164.9.230:0 L=84 S=0x00 I=38738 F=0x4000 T=248 (#10)
Oct 18 09:23:58 linux kernel: Packet log: input DENY eth0 PROTO=1 202.139.120.234:0 
203.164.9.230:0 L=84 S=0x00 I=38739 F=0x4000 T=248 (#10)
Oct 18 09:23:59 linux kernel: Packet log: input DENY eth0 PROTO=1 202.139.120.234:0 
203.164.9.230:0 L=84 S=0x00 I=38740 F=0x4000 T=248 (#10)
Oct 18 09:24:00 linux kernel: Packet log: input DENY eth0 PROTO=1 202.139.120.234:0 
203.164.9.230:0 L=84 S=0x00 I=38741 F=0x4000 T=248 (#10)
Oct 18 09:24:01 linux kernel: Packet log: input DENY eth0 PROTO=1 202.139.120.234:0 
203.164.9.230:0 L=84 S=0x00 I=38742 F=0x4000 T=248 (#10)
Oct 18 09:24:02 linux kernel: Packet log: input DENY eth0 PROTO=1 202.139.120.234:0 
203.164.9.230:0 L=84 S=0x00 I=38743 F=0x4000 T=248 (#10)
Oct 18 09:24:03 linux kernel: Packet log: input DENY eth0 PROTO=1 202.139.120.234:0 
203.164.9.230:0 L=84 S=0x00 I=38744 F=0x4000 T=248 (#10)
Oct 18 09:24:04 linux kernel: Packet log: input DENY eth0 PROTO=1 202.139.120.234:0 
203.164.9.230:0 L=84 S=0x00 I=38745 F=0x4000 T=248 (#10)
Oct 18 09:24:05 linux kernel: Packet log: input DENY eth0 PROTO=1 202.139.120.234:0 
203.164.9.230:0 L=84 S=0x00 I=38746 F=0x4000 T=248 (#10)
Oct 18 09:24:06 linux kernel: Packet log: input DENY eth0 PROTO=1 202.139.120.234:0 
203.164.9.230:0 L=84 S=0x00 I=38747 F=0x4000 T=248 (#10)
Oct 18 09:24:07 linux kernel: Packet log: input DENY eth0 PROTO=1 202.139.120.234:0 
203.164.9.230:0 L=84 S=0x00 I=38748 F=0x4000 T=248 (#10)
Oct 18 09:25:22 linux kernel: Packet log: input DENY eth0 PROTO=1 10.201.102.1:11 
203.164.9.230:0 L=56 S=0xC0 I=60737 F=0x0000 T=255 (#10)
Oct 18 09:25:25 linux kernel: Packet log: input DENY eth0 PROTO=1 10.201.102.1:11 
203.164.9.230:0 L=56 S=0xC0 I=60741 F=0x0000 T=255 (#10)
Oct 18 09:25:28 linux kernel: Packet log: input DENY eth0 PROTO=1 10.201.102.1:11 
203.164.9.230:0 L=56 S=0xC0 I=60745 F=0x0000 T=255 (#10)
Oct 18 09:25:31 linux kernel: Packet log: input DENY eth0 PROTO=1 203.164.20.81:11 
203.164.9.230:0 L=56 S=0xC0 I=31551 F=0x0000 T=254 (#10)
Oct 18 09:25:34 linux kernel: Packet log: input DENY eth0 PROTO=1 203.164.20.81:11 
203.164.9.230:0 L=56 S=0xC0 I=31554 F=0x0000 T=254 (#10)
Oct 18 09:25:37 linux kernel: Packet log: input DENY eth0 PROTO=1 203.164.20.81:11 
203.164.9.230:0 L=56 S=0xC0 I=31561 F=0x0000 T=254 (#10)
Oct 18 09:25:40 linux kernel: Packet log: input DENY eth0 PROTO=1 203.164.3.21:11 
203.164.9.230:0 L=56 S=0x00 I=0 F=0x0000 T=253 (#10)
Oct 18 09:25:46 linux last message repeated 2 times
Oct 18 09:25:49 linux kernel: Packet log: input DENY eth0 PROTO=1 203.164.3.161:11 
203.164.9.230:0 L=56 S=0xC0 I=13879 F=0x0000 T=252 (#10)
Oct 18 09:25:52 linux kernel: Packet log: input DENY eth0 PROTO=1 203.164.3.161:11 
203.164.9.230:0 L=56 S=0xC0 I=13887 F=0x0000 T=252 (#10)
Oct 18 09:25:55 linux kernel: Packet log: input DENY eth0 PROTO=1 203.164.3.161:11 
203.164.9.230:0 L=56 S=0xC0 I=13896 F=0x0000 T=252 (#10)
Oct 18 09:25:58 linux kernel: Packet log: input DENY eth0 PROTO=1 202.139.138.25:11 
203.164.9.230:0 L=56 S=0xC0 I=22366 F=0x0000 T=251 (#10)
Oct 18 09:26:01 linux kernel: Packet log: input DENY eth0 PROTO=1 202.139.138.25:11 
203.164.9.230:0 L=56 S=0xC0 I=22370 F=0x0000 T=251 (#10)
Oct 18 09:26:04 linux kernel: Packet log: input DENY eth0 PROTO=1 202.139.138.25:11 
203.164.9.230:0 L=56 S=0xC0 I=22373 F=0x0000 T=251 (#10)
Oct 18 09:26:07 linux kernel: Packet log: input DENY eth0 PROTO=1 202.139.190.11:11 
203.164.9.230:0 L=56 S=0xC0 I=56663 F=0x0000 T=250 (#10)
Oct 18 09:26:10 linux kernel: Packet log: input DENY eth0 PROTO=1 202.139.190.11:11 
203.164.9.230:0 L=56 S=0xC0 I=56774 F=0x0000 T=250 (#10)
Oct 18 09:26:13 linux kernel: Packet log: input DENY eth0 PROTO=1 202.139.190.11:11 
203.164.9.230:0 L=56 S=0xC0 I=56873 F=0x0000 T=250 (#10)
Oct 18 09:45:35 linux -- MARK --


The following script is used to generate my packet filter.

#!/bin/bash
# file: protect.sh
# modified by: ken from a script by John Clark
ANY=0.0.0.0/0

# flush all rules
ipchains -F input
ipchains -F forward
ipchains -F output

# policy deny for all rules
ipchains -P input DENY
ipchains -P forward DENY
ipchains -P output DENY

# accept all packets on the loopback interface
ipchains -A input -p all -i lo -j ACCEPT
ipchains -A output -p all -i lo -j ACCEPT

# If you have an (internal) ethernet, use the next two rules to accept
# any packet on eth1.  Use a similar pair of rules if you have more than
# one internal networks.  You can improve this rule by checking source/
# destination addresses too, but this basic rule is a good starting
# point.
ipchains -A input -p all -i eth1 -j ACCEPT
ipchains -A output -p all -i eth1 -j ACCEPT

# eth0 (connected to the big bad world via Optushome!)
# accept any packet with ACK set and SYN clear
ipchains -A input -p tcp -i eth0 ! -y -j ACCEPT
# accept incoming ftp-data connections (for outgoing active ftp)
ipchains -A input -p tcp -s $ANY ftp-data -d $ANY 1024:65535 -i eth0 -y -j ACCEPT
# allow DHCP to work
ipchains -A input -p udp -s 203.164.2.55 bootps -d 0.0.0.0/0 bootpc -i eth0 -j ACCEPT
# allow udp responses to dns lookups
ipchains -A input -p udp -s $ANY 53 -d $ANY 1024:65535 -i eth0 -j ACCEPT
# allow incoming icmp requests
ipchains -A input -p icmp -d $ANY -i $ANY -j ACCEPT
# immediately reject incoming auth requests
ipchains -A input -p tcp -d $ANY auth -i eth0 -j REJECT
# get rid of broadcast pings
ipchains -A input -p 2 -s 10.201.102.1 -i eth0 -j DENY
# allow all packets out
ipchains -A output -p all -i eth0 -j ACCEPT

# log everything else to syslog and drop the packet
ipchains -A input -l -j DENY
ipchains -A output -s $ANY -d $ANY -l -j DENY


Below is the output from running ipchains -L

Chain input (policy DENY):
target     prot opt     source                destination           ports
ACCEPT     all  ------  anywhere             anywhere              n/a
ACCEPT     all  ------  anywhere             anywhere              n/a
ACCEPT     tcp  !y----  anywhere             anywhere              any ->   any
ACCEPT     tcp  -y----  anywhere             anywhere              ftp-data ->   1024:65535
ACCEPT     udp  ------  lh1.rdc2.nsw.optushome.com.au anywhere              bootps ->   bootpc
ACCEPT     udp  ------  anywhere             anywhere              domain ->   1024:65535
ACCEPT     icmp ------  anywhere             anywhere              any ->   any
REJECT     tcp  ------  anywhere             anywhere              any ->   ident
DENY       igmp ------  10.201.102.1         anywhere              n/a
DENY       all  ----l-  anywhere             anywhere              n/a
Chain forward (policy DENY):
Chain output (policy DENY):
target     prot opt     source                destination           ports
ACCEPT     all  ------  anywhere             anywhere              n/a
ACCEPT     all  ------  anywhere             anywhere              n/a
ACCEPT     all  ------  anywhere             anywhere              n/a
DENY       all  ----l-  anywhere             anywhere              n/a
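Added example (my code, not Ken's) that decodes the ipchains "Packet log:" format and replays each logged packet down the input chain protect.sh builds, which shows why every ICMP entry ends at rule #10: for PROTO=1 the two port fields are the ICMP type and code (so "202.139.120.234:11 203.164.9.230:0" is a type 11 "time exceeded" message, and the Oct 18 ":0" entries are echo replies to Ken's own pings), and rule 7 is written "-i $ANY", which expands to the string "0.0.0.0/0" and is taken by -i as an interface name that no interface has, so the rule never matches and the packet falls through to the final logging DENY. The three sample lines are copied from the excerpt above and rejoined; the rule table is transcribed from protect.sh and models only the protocol and interface tests, since those alone decide the fate of an ICMP packet, and the FIXED_INPUT chain with "-i eth0" is a suggested correction, not anything on the page.

```python
"""Decode ipchains 'Packet log:' lines and replay them down the input chain
that protect.sh builds, to see which rule each packet really hits."""
import re

# Constructed sample: three entries copied from the log excerpt above and
# rejoined onto one line each.  First: the booking session (type 11, time
# exceeded).  Second: the reply to Ken's own ping (type 0).  Third: the first
# traceroute hop answering with time exceeded (T=255; later hops show 254...).
SAMPLE_LOG = [
    "Oct 17 21:45:03 linux kernel: Packet log: input DENY eth0 PROTO=1 "
    "202.139.120.234:11 203.164.9.230:0 L=112 S=0x00 I=55853 F=0x4000 T=248 (#10)",
    "Oct 18 09:23:52 linux kernel: Packet log: input DENY eth0 PROTO=1 "
    "202.139.120.234:0 203.164.9.230:0 L=84 S=0x00 I=38733 F=0x4000 T=248 (#10)",
    "Oct 18 09:25:22 linux kernel: Packet log: input DENY eth0 PROTO=1 "
    "10.201.102.1:11 203.164.9.230:0 L=56 S=0xC0 I=60737 F=0x0000 T=255 (#10)",
]

# Format: chain verdict iface PROTO=n src:sport dst:dport L=len S=tos I=id
# F=frag T=ttl (#rule).  For ICMP (PROTO=1) the two "port" fields are really
# the ICMP type and code, so "202.139.120.234:11 203.164.9.230:0" is type 11, code 0.
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\w+) (?P<verdict>\w+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) L=(?P<length>\d+) "
    r"S=(?P<tos>0x[0-9A-Fa-f]+) I=(?P<ipid>\d+) F=(?P<frag>0x[0-9A-Fa-f]+) "
    r"T=(?P<ttl>\d+) \(#(?P<rule>\d+)\)"
)
ICMP_TYPES = {0: "echo reply", 8: "echo request", 11: "time exceeded"}

def parse_log_line(line):
    """Return the logged packet as a dict (numeric fields as ints), or None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    pkt = m.groupdict()
    for key in ("proto", "sport", "dport", "length", "ipid", "ttl", "rule"):
        pkt[key] = int(pkt[key])
    if pkt["proto"] == 1:  # ICMP: reinterpret the port fields
        pkt["icmp_type"], pkt["icmp_code"] = pkt["sport"], pkt["dport"]
        pkt["icmp_name"] = ICMP_TYPES.get(pkt["icmp_type"], "other")
    return pkt

# The input chain in the order protect.sh appends it, numbered as ipchains
# counts rules.  Only the protocol and interface tests are modelled: the port
# and SYN tests sit on tcp/udp rules that an ICMP packet can never match.
# $ANY is the string "0.0.0.0/0", so "-i $ANY" asks for an interface of that
# name; these packets arrive on eth0, so rule 7 never fires.
PROTECT_SH_INPUT = [
    (1, "all", "lo", "ACCEPT"),
    (2, "all", "eth1", "ACCEPT"),
    (3, 6, "eth0", "ACCEPT"),       # tcp ! -y
    (4, 6, "eth0", "ACCEPT"),       # ftp-data
    (5, 17, "eth0", "ACCEPT"),      # bootps -> bootpc
    (6, 17, "eth0", "ACCEPT"),      # dns replies
    (7, 1, "0.0.0.0/0", "ACCEPT"),  # icmp, -i $ANY
    (8, 6, "eth0", "REJECT"),       # auth
    (9, 2, "eth0", "DENY"),         # igmp from 10.201.102.1
    (10, "all", None, "DENY"),      # -l: log and drop everything else
]
# The same chain with rule 7 written "-i eth0" (a suggested fix, not on the page).
FIXED_INPUT = [(n, p, "eth0" if n == 7 else i, t) for n, p, i, t in PROTECT_SH_INPUT]

def first_match(chain, pkt):
    """Walk the chain in order, as the kernel does; return (rule number, target)."""
    for num, proto, iface, target in chain:
        if proto != "all" and proto != pkt["proto"]:
            continue
        if iface is None or iface == pkt["iface"]:  # -i is an exact name match
            return num, target
    return None, "policy DENY"

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        pkt = parse_log_line(line)
        print(pkt["src"], pkt["icmp_name"], "as shipped:", first_match(PROTECT_SH_INPUT, pkt),
              "with -i eth0:", first_match(FIXED_INPUT, pkt))
```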
