[Shorewall-users] Three way ICMP ?

Bill.Light at kp.org Bill.Light at kp.org
Tue Dec 2 11:39:23 PST 2003


On Mon, 2003-12-01 at 18:04, Bill.Light at kp.org wrote:
> I'm getting 2 or three of these a day...Any ideas ?
> 
> The 192.168.250.zz is an eth0:3 on a box that currently only has eth0:1
> active
> 
> Dec  1 15:47:40 machine-name kernel: Shorewall:all2all:REJECT:IN= OUT=eth0
> SRC=my.real.ip.addr DST=66.228.216.22 LEN=68 TOS=0x00 PREC=0xC0 TTL=255
> ID=12031 PROTO=ICMP TYPE=3 CODE=1 [SRC=66.228.216.22 DST=192.168.250.zz
> LEN=40 TOS=0x00 PREC=0x00 TTL=46 ID=36178 PROTO=TCP INCOMPLETE [8 bytes] ]
> 
> This is the same type of activity as when Tom had guessed that I had been
> compromised before - Tripwire says NO I have NOT been compromised, as well
> as anything else I can check says everything is still safe.  This box is
> a SuSE 7.3 Professional (2.4.16 Kernel) running Shorewall 1.4.8.  The box
> has been up 185 days straight (replaced UPS batteries) without a hiccup.
> The 192.168.250.zz is in my DMZ on eth0.  That DMZ box is a SuSE 9.0
> Professional (2.4.21 Kernel) running apache and shorewall 1.4.8 without
> any log entries except for me to get NTP working (and I don't have it
> yet...)
> 
> The 66.228.216.22  is "SexTraffic.com" site that apparently tries to 
> enlist webmasters to "sign up" for pay site portals...
> 
> What in the dickens are they doing ?

Do you have any DNAT rules with 192.168.250.zz as the target?

-Tom

================================================================

Sure do....

Real IP   DNAT to 192.168.250.zz
Real IP+1  DNAT to 192.168.250.zz+1
Real IP +2 DNAT to 192.168.250.zz+2

Until I re-do the IP routing that you suggested for this 5 IP setup of SBC 
 

- Bill
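The log line above, parsed and classified in Python as an added example (not code from the thread or from Shorewall): it splits the outer header from the original header that the ICMP error quotes inside the brackets, and cross-checks that quoted destination against a DNAT table, which is the check Tom's question amounts to. `SAMPLE` is the thread's line rejoined onto one line and `DNAT_TARGETS` is a constructed placeholder mirroring Bill's rules.

```python
import re

# Constructed sample: the log line from the thread, rejoined onto one line
# (the archive wrapped it); the DNAT table is a placeholder mirroring Bill's.
SAMPLE = ("Dec  1 15:47:40 machine-name kernel: Shorewall:all2all:REJECT:IN= OUT=eth0 "
          "SRC=my.real.ip.addr DST=66.228.216.22 LEN=68 TOS=0x00 PREC=0xC0 TTL=255 "
          "ID=12031 PROTO=ICMP TYPE=3 CODE=1 [SRC=66.228.216.22 DST=192.168.250.zz "
          "LEN=40 TOS=0x00 PREC=0x00 TTL=46 ID=36178 PROTO=TCP INCOMPLETE [8 bytes] ]")
DNAT_TARGETS = {"my.real.ip.addr": "192.168.250.zz"}  # external -> internal (hypothetical)

# ICMP type 3 (destination unreachable) codes, per RFC 792 / RFC 1122
UNREACH_CODES = {"0": "net unreachable", "1": "host unreachable",
                 "3": "port unreachable", "4": "fragmentation needed"}

LOG_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<action>[^:]+):(?P<rest>.*)")
KV_RE = re.compile(r"(\w+)=(\S*)")  # "IN=" with no value is captured as ""

def parse_log_line(line):
    """Split a Shorewall/netfilter log line into chain, action, the outer
    header fields and, for ICMP errors, the quoted original header in [...]."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rest = m.group("rest")
    inner = None
    lb = rest.find("[")
    if lb != -1:  # text between the first '[' and the last ']' is the quoted packet
        inner = dict(KV_RE.findall(rest[lb + 1:rest.rfind("]")]))
        rest = rest[:lb]
    return {"chain": m.group("chain"), "action": m.group("action"),
            "outer": dict(KV_RE.findall(rest)), "inner": inner}

def classify(rec, dnat_targets):
    """Return the observations a reviewer would make about one parsed record."""
    o, i = rec["outer"], rec["inner"]
    notes = []
    if o.get("IN") == "" and o.get("OUT"):
        notes.append("locally generated: no ingress interface, the firewall built this packet")
    if o.get("PROTO") == "ICMP" and o.get("TYPE") == "3":
        code = o.get("CODE", "?")
        notes.append("ICMP destination unreachable: " + UNREACH_CODES.get(code, "code " + code))
    if i:
        notes.append(f"quotes a {i.get('PROTO')} packet {i.get('SRC')} -> {i.get('DST')}")
        if i.get("DST") in dnat_targets.values():
            notes.append("quoted destination is a DNAT target of this firewall")
    return notes

if __name__ == "__main__":
    for note in classify(parse_log_line(SAMPLE), DNAT_TARGETS):
        print(note)
```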

