Re: [Mldonkey-users] some connections to mld dropped by iptables

[Lionel Bouton]

Neil Sedger wrote:

> I'm constantly - one every few seconds - getting firewall drop 
> messages from iptables that look like:
>
>
> Feb 21 01:19:52 giles kernel: RULE -1 - DROP: IN=ppp0 OUT= MAC= 
> SRC=<some inet ip> DST=<my internet ip> LEN=40 TOS=0x00 PREC=0x00 
> TTL=118 ID=47465 DF PROTO=TCP SPT=1729 DPT=8000 WINDOW=17280 RES=0x00 
> ACK FIN URGP=0
>
> Feb 21 01:53:12 giles kernel: RULE -1 - DROP: IN=ppp0 OUT= MAC= 
> SRC=<some inet ip> DST=<my internet ip> LEN=121 TOS=0x00 PREC=0x00 
> TTL=49 ID=13664 DF PROTO=TCP SPT=3560 DPT=8000 WINDOW=64240 RES=0x00 
> ACK PSH FIN URGP=0
>
>
>
> I run my mldonkey as 8000 as the incoming TCP port, and this is open 
> in the firewall (as shown by my high id and lots of connections to me 
> on that port, some from lowid users).


Port 8000 is often used for secondary web sites (test instance or image 
specific site for example) or http proxies. Script kiddies launch 
various probes on this port.

> My iptables script is generated by 'fwbuilder' - a very nice gui in 
> which I now have a busy setup. The rules that create 'RULE -1' are:
>
>
>
> # Rule dropping TCP sessions opened prior firewall restart
> #
> $IPTABLES -N RULE_000
> $IPTABLES -A OUTPUT -p tcp ! --syn  -m state --state NEW -j RULE_000
> $IPTABLES -A INPUT -p tcp ! --syn  -m state --state NEW -j RULE_000
> $IPTABLES -A FORWARD -p tcp ! --syn  -m state --state NEW -j RULE_000
> $IPTABLES -A RULE_000 -m state --state NEW -j LOG  --log-level info 
> --log-prefix "RULE -1 - DROP: "
> $IPTABLES -A RULE_000 -m state --state NEW -j DROP
>
>
>
> Is this right? Should these packets be dropped by a security-concious 
> firewall?


Yes. This is probably a probe attempting to circumvent classic firewall 
rules.

LB.