[Shorewall-users] Three way ICMP ?
teastep at shorewall.net
Tue Dec 2 12:47:59 PST 2003
On Tue, 2003-12-02 at 11:39, Bill.Light at kp.org wrote:
> On Mon, 2003-12-01 at 18:04, Bill.Light at kp.org wrote:
> > I'm getting 2 or three of these a day...Any ideas ?
> > The 192.168.250.zz is a eth0:3 on a box that currently only has eth0:1
> > active
> > Dec 1 15:47:40 machine-name kernel: Shorewall:all2all:REJECT:IN=
> > SRC=my.real.ip.addr DST=18.104.22.168 LEN=68 TOS=0x00 PREC=0xC0 TTL=255
> > ID=12031 PROTO=ICMP TYPE=3 CODE=1 [SRC=22.214.171.124 DST=192.168.250.zz
> > LEN=40 TOS=0x00 PREC=0x00 TTL=46 ID=36178 PROTO=TCP INCOMPLETE [8 bytes]
> > This is the same type of activity as when Tom had guessed that I had been
> > compromised before - Tripwire says NO, I have NOT been compromised, and
> > anything else I can check says everything is still safe. This box is
> > a SuSE 7.3 Professional (2.4.16 Kernel) running Shorewall 1.4.8. The box
> > has been up 185 days straight (replaced UPS batteries) without a hiccup.
> > The 192.168.250.zz is in my DMZ on eth0. That DMZ box is a SuSE 9.0
> > Professional (2.4.21 Kernel) running apache and shorewall 1.4.8 without
> > any log entries except for me to get NTP working (and I don't have it
> > yet...)
> > The 126.96.36.199 is "SexTraffic.com" site that apparently tries to
> > enlist webmasters to "sign up" for pay site portals...
> > What in the dickens are they doing ?
> Do you have any DNAT rules with 192.168.250.zz as the target?
> Sure do....
> Real IP DNAT to 192.168.250.zz
> Real IP+1 DNAT to 192.168.250.zz+1
> Real IP +2 DNAT to 192.168.250.zz+2
> Until I re-do the IP routing that you suggested for this 5 IP setup of SBC
Here's my best guess -- Because of the DNAT, a connection from
188.8.131.52 -> <Real IP> would be directed to 192.168.250.zz. Since
192.168.250.zz isn't active, your firewall isn't able to reach it so it
is trying to return a <host unreachable> ICMP. The original packet
hasn't yet been "un-natted" so you are still seeing the confusing
destination address 192.168.250.zz rather than "My.real.IP.addr".
Because a connection hasn't yet been established, the ICMP isn't related
to an existing connection so it is being blocked.
You can eliminate these annoying messages by adding this to your
run_iptables -I OUTPUT 3 -p icmp -j ACCEPT
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep at shorewall.net
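The log line quoted at the top of the thread is a netfilter ICMP error record: the outer SRC/DST describe the ICMP packet the firewall generated, and the bracketed part is the original packet that provoked it, still carrying the DNAT'ed destination. The following Python is an added example, not code from the thread or from Shorewall, that parses lines in that format and picks out locally generated "host unreachable" (ICMP type 3, code 1) errors whose quoted inner packet was addressed to a DNAT target. The sample log lines and the DNAT_TARGETS set are constructed for the example; the addresses are documentation placeholders.

```python
import re
from typing import Dict, Optional

# Constructed sample log lines in the Shorewall/netfilter format shown in the thread.
# Addresses are documentation placeholders, not real hosts.
SAMPLE_LOG = """\
Dec  1 15:47:40 fw kernel: Shorewall:all2all:REJECT:IN= OUT=eth0 SRC=203.0.113.10 DST=198.51.100.7 LEN=68 TOS=0x00 PREC=0xC0 TTL=255 ID=12031 PROTO=ICMP TYPE=3 CODE=1 [SRC=198.51.100.7 DST=192.168.250.12 LEN=40 TOS=0x00 PREC=0x00 TTL=46 ID=36178 PROTO=TCP INCOMPLETE [8 bytes] ]
Dec  1 15:48:02 fw kernel: Shorewall:net2fw:DROP:IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=5503 DF PROTO=TCP SPT=3420 DPT=445 WINDOW=65535 RES=0x00 SYN URGP=0
Dec  1 15:49:11 fw kernel: Shorewall:all2all:REJECT:IN= OUT=eth0 SRC=203.0.113.10 DST=192.0.2.44 LEN=68 TOS=0x00 PREC=0xC0 TTL=255 ID=12040 PROTO=ICMP TYPE=3 CODE=1 [SRC=192.0.2.44 DST=192.168.250.13 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=777 PROTO=TCP INCOMPLETE [8 bytes] ]
"""

# Hypothetical set of DNAT targets behind the firewall (an assumption for this example).
DNAT_TARGETS = {"192.168.250.12", "192.168.250.13"}

# Shorewall prefixes netfilter's log with "Shorewall:<chain>:<disposition>:".
HEADER_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<disp>[^:]+):(?P<rest>.*)$")


def _parse_fields(text: str) -> Dict[str, str]:
    """Turn 'KEY=value KEY= FLAG ...' into a dict; empty values and bare flags (DF, SYN) map to ''."""
    fields: Dict[str, str] = {}
    for tok in text.split():
        key, _eq, val = tok.partition("=")
        fields[key] = val
    return fields


def parse_shorewall_line(line: str) -> Optional[dict]:
    """Parse one log line into chain, disposition, outer fields and (for ICMP errors) the inner packet."""
    m = HEADER_RE.search(line)
    if not m:
        return None
    rest = m.group("rest")
    inner = None
    lb = rest.find("[")
    if lb != -1:
        # The quoted original packet sits between the first '[' and the last ']'.
        rb = rest.rfind("]")
        inner_text = rest[lb + 1:rb]
        # Collapse the nested 'INCOMPLETE [8 bytes]' marker so it tokenises as one bare flag.
        inner_text = re.sub(r"INCOMPLETE \[\d+ bytes\]", "INCOMPLETE", inner_text)
        inner = _parse_fields(inner_text)
        rest = rest[:lb]
    return {
        "chain": m.group("chain"),
        "disposition": m.group("disp"),
        "fields": _parse_fields(rest),
        "inner": inner,
    }


def is_dnat_host_unreachable(rec: dict, dnat_targets) -> bool:
    """True for a firewall-generated ICMP type 3 code 1 whose quoted inner packet
    was addressed to one of our DNAT targets: the pattern discussed in the thread."""
    f = rec["fields"]
    inner = rec["inner"]
    return (
        f.get("PROTO") == "ICMP"
        and f.get("TYPE") == "3"
        and f.get("CODE") == "1"
        and f.get("IN") == ""          # empty IN= means the firewall itself produced the packet
        and inner is not None
        and inner.get("DST") in dnat_targets
    )


def find_dnat_unreachables(log_text: str, dnat_targets):
    """Return (original remote client, unreachable DNAT target) pairs found in the log text."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_shorewall_line(line)
        if rec and is_dnat_host_unreachable(rec, dnat_targets):
            # The inner SRC is the remote host whose SYN was DNAT'ed to the unreachable target.
            hits.append((rec["inner"]["SRC"], rec["inner"]["DST"]))
    return hits


if __name__ == "__main__":
    for client, target in find_dnat_unreachables(SAMPLE_LOG, DNAT_TARGETS):
        print(f"host-unreachable for DNAT target {target}, original client {client}")
```

Run over real Shorewall logs, a steady stream of hits for one target is a sign that a DNAT rule points at an address that is not up, which is the situation the thread describes; a hit for an address outside DNAT_TARGETS would instead deserve a closer look.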