Visiting http://62.67.50.112/ gives me a Rapidshare.com page. Does your modem, or the machine in question, let you run tcpdump/ngrep/some other packet inspection thingy to have a look in more detail inside the packets?
Also, there's nothing in what you posted to suggest that the internal machine was responding to the external machine - the port numbers suggest that it was the internal machine that initiated the connection. If you could catch the three-way handshake at the start of the connection (syn/syn-ack/ack), we could tell for sure which was opening the connection. On Wed, Aug 12, 2009 at 5:23 PM, Rick Welykochy <[email protected]> wrote: > Hi sluggers, > > I thought I understood the mechanics of NAT. My modem blocks all incoming > requests to my 192.168.0.* internal network, save a few port forwards, i.e. > about five ports are open. > > During an idle period today I noticed annoying but consistent > traffic of about 100 bytes/sec. Why? > > tcpdump reveals that my local machine on 192.168.0.27 is responding to > what seems to be a port scan from Germany (62.67.50.112) ... > > 17:20:28.677718 IP 192.168.0.27.52262 > 62.67.50.112.80: . ack 1 win 65535 > <nop,nop,timestamp 1078011251 3938531074> > 17:20:28.677842 IP 192.168.0.27.52262 > 62.67.50.112.80: P 1:607(606) ack 1 > win 65535 <nop,nop,timestamp 1078011251 3938531074> > 17:20:29.045173 IP 62.67.50.112.80 > 192.168.0.27.52262: . ack 607 win 55 > <nop,nop,timestamp 3938531166 1078011251> > 17:20:29.055137 IP 62.67.50.112.80 > 192.168.0.27.52262: P 1:306(305) ack > 607 win 55 <nop,nop,timestamp 3938531167 1078011251> > > Their egress port is always 80 (suspicious in itself) and > my ingress port is climbing through all numbers, serially. > > My possible misunderstanding of NAT is that my local machine > on .27 should not even be seeing this traffic since it *should* > be blocked at the modem/router. > > Is it me or is it the modem that is wrong? > > > cheers > rickw > > > -- > _________________________________ > Rick Welykochy || Praxis Services > > Beware of he who would deny you information, > for in his mind he dreams of being your master. > -- message on a computer game > -- > SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/ > Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html > -- SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/ Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
