[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: strange masq packets



Cedar,
In the prerouting you send packets with destination = 172..... to the log
masq is done in the postrouting.
Dani

On Sun, 18 Nov 2001, Cedar Cox wrote:

>
> Well, I guess they're probably not that "strange".
>
> Unusual System Events
> =-=-=-=-=-=-=-=-=-=-=
> Nov 17 22:36:53 bibi kernel: Packet log: output DENY ppp0 PROTO=6 192.117.108.105:61707 172.26.140.6:9044 L=40 S=0x00 I=3796 F=0x0000 T=255 (#2)
> Nov 17 22:36:58 bibi kernel: Packet log: output DENY ppp0 PROTO=6 192.117.108.105:61707 172.26.140.6:9044 L=40 S=0x00 I=3844 F=0x0000 T=255 (#2)
> Nov 17 22:37:10 bibi kernel: Packet log: output DENY ppp0 PROTO=6 192.117.108.105:61707 172.26.140.6:9044 L=40 S=0x00 I=3983 F=0x0000 T=255 (#2)
> Nov 17 22:37:32 bibi kernel: Packet log: output DENY ppp0 PROTO=6 192.117.108.105:61707 172.26.140.6:9044 L=40 S=0x00 I=4063 F=0x0000 T=255 (#2)
> Nov 17 22:38:18 bibi kernel: Packet log: output DENY ppp0 PROTO=6 192.117.108.105:61707 172.26.140.6:9044 L=40 S=0x00 I=4071 F=0x0000 T=255 (#2)
> Nov 17 22:40:38 bibi kernel: Packet log: output DENY ppp0 PROTO=6 192.117.108.105:61733 172.26.140.7:9044 L=40 S=0x00 I=4317 F=0x0000 T=255 (#2)
> Nov 17 22:40:49 bibi kernel: Packet log: output DENY ppp0 PROTO=6 192.117.108.105:61733 172.26.140.7:9044 L=40 S=0x00 I=4449 F=0x0000 T=255 (#2)
> Nov 17 22:41:12 bibi kernel: Packet log: output DENY ppp0 PROTO=6 192.117.108.105:61733 172.26.140.7:9044 L=40 S=0x00 I=4477 F=0x0000 T=255 (#2)
> Nov 17 22:41:58 bibi kernel: Packet log: output DENY ppp0 PROTO=6 192.117.108.105:61733 172.26.140.7:9044 L=40 S=0x00 I=4495 F=0x0000 T=255 (#2)
>
> Correct me if I'm wrong but it just looks like a internal (masq'ed) host
> tried to contact the 172.26 network.  We do not use this network so it was
> sent to the default route but blocked on the way out (..just a safety so
> no private traffic gets sent out the ppp0 interface).
>
> Anyway, my question is how do I log which internal machine sent these
> packets (2.2 kernel)?  I have a machine that's under "quarantine" but
> still on the network.  I'd just like to know if it's that one doing
> "suspicious things"...
>
> Thanks,
> -Cedar
>
>
> =================================================================
> To unsubscribe, send mail to linux-il-request@linux.org.il with
> the word "unsubscribe" in the message body, e.g., run the command
> echo unsubscribe | mail linux-il-request@linux.org.il
>


=================================================================
To unsubscribe, send mail to linux-il-request@linux.org.il with
the word "unsubscribe" in the message body, e.g., run the command
echo unsubscribe | mail linux-il-request@linux.org.il