icmp type 3 is destination unreachable. You should not block these packets coming from inet to you (re-read ipchains howto). It seems your 10.14.9.254 cannot reach a host in the internet.
Excuse me, I do not get it.
I have my local net on the 192.168.1.0/24 subnet.
Internet is assigned via pppoe which is going through eth1 which has no address assigned and ppp0 has 212.156.197.144 as the ip number.
eth0      Link encap:Ethernet  HWaddr 00:00:21:D2:D3:73
          inet addr:192.168.1.2  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1559952 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2195196 errors:0 dropped:0 overruns:0 carrier:0
          collisions:255 txqueuelen:100
          Interrupt:11 Base address:0x1000

eth1      Link encap:Ethernet  HWaddr 00:60:97:50:AE:DB
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2284437 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1642777 errors:0 dropped:0 overruns:0 carrier:3
          collisions:39 txqueuelen:100
          Interrupt:10 Base address:0x300

ppp0      Link encap:Point-to-Point Protocol
          inet addr:212.156.197.144  P-t-P:212.156.196.1  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1492  Metric:1
          RX packets:24492 errors:0 dropped:0 overruns:0 frame:0
          TX packets:23939 errors:0 dropped:0 overruns:0 carrier 0
          collisions:0 txqueuelen:10
The missing link: it's not you running a 10.0.0.0 network internally. Well, that changes things.
This is the routing table; there is no 10.0.0.0 network assigned.
212.156.196.1 0.0.0.0 255.255.255.255 UH 0 0 0 ppp0
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
0.0.0.0 212.156.196.1 0.0.0.0 UG 0 0 0 ppp0
So if I am reading the log correctly the traffic is
10.4.9.254 port 3 to my internet ip port 1
Packet log: input DENY ppp0 PROTO=1 10.14.9.254:3 212.156.197.144:1 L=56 S=0x00 I=40482 F=0x0000 T=254 (#4)
Still dest unreach. But not coming from you but the other side. First I thought you were the 10. guy using NAT. This may be a router or firewall sending you icmp dest unreach maybe type 10 or so telling you that it's blocking your packets. I experienced that with other routers/firewalls in the inet. If it's that then it's nothing to worry 'bout. But good opportunity to learn more about dest unreach.
Since there is no 10.0.0.0 network on my routing table and there is no ip from this group assigned to my interfaces I think it is quite logical to block private IP coming to the internet ip (the rule is input)
Yes, you can drop that.
So before complaining to the ISP I want to make sure I know what I am talking about.
First I would try what Kurt said. Sounds like a lot of fun :)
Philipp
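
How the logged line discussed in this thread decodes, as an added example that is not written by either poster: in ipchains packet logs, the two "port" fields of an ICMP packet (PROTO=1) hold the ICMP type and code, as the ipchains HOWTO describes. The function name, the `external_ifaces` parameter and the choice of ppp0 as the external interface are assumptions of this example; the first sample line is the one quoted above and the second is constructed.

```python
import ipaddress
import re

# ipchains log layout: chain, verdict, interface, IP protocol number,
# src:port, dst:port, L=length, S=TOS, I=IP id, F=frag field, T=TTL, (#rule)
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<verdict>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) L=(?P<length>\d+) S=\S+ I=\d+ "
    r"F=\S+ T=(?P<ttl>\d+)(?: \(#(?P<rule>\d+)\))?"
)

# Codes of ICMP type 3, destination unreachable (RFC 792, 1122, 1812)
UNREACH_CODES = {
    0: "network unreachable", 1: "host unreachable",
    2: "protocol unreachable", 3: "port unreachable",
    4: "fragmentation needed and DF set",
    9: "network administratively prohibited",
    10: "host administratively prohibited",
    13: "communication administratively prohibited",
}
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def decode(line, external_ifaces=("ppp0",)):
    """Parse one ipchains log line; return a dict, or None if it does not match."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    src = ipaddress.ip_address(rec["src"])
    # A private source address arriving on the Internet-facing interface
    rec["private_src_on_external"] = (
        rec["iface"] in external_ifaces and any(src in n for n in RFC1918))
    if rec["proto"] == "1":
        # For ICMP the "source port" is the type, the "destination port" the code
        icmp_type, icmp_code = int(rec["sport"]), int(rec["dport"])
        rec["icmp_type"], rec["icmp_code"] = icmp_type, icmp_code
        if icmp_type == 3:
            rec["meaning"] = "destination unreachable: " + UNREACH_CODES.get(
                icmp_code, f"code {icmp_code}")
        else:
            rec["meaning"] = f"ICMP type {icmp_type} code {icmp_code}"
    return rec

THREAD_LINE = ("Packet log: input DENY ppp0 PROTO=1 10.14.9.254:3 "
               "212.156.197.144:1 L=56 S=0x00 I=40482 F=0x0000 T=254 (#4)")
CONSTRUCTED_TCP = ("Packet log: input DENY ppp0 PROTO=6 198.51.100.7:40000 "
                   "212.156.197.144:23 L=60 S=0x00 I=1 F=0x4000 T=52 (#5)")
```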