I have been receiving these requests which are stopped with _DENY_ rule at the firewall.

Now I have adsl connection which is using rp_pppoe and I thought private ip's should not be allowed thru the external interface.

I believe this is coming from my isp but is this normal or what

Aug 15 16:16:02 gardiyan kernel: Packet log: input DENY ppp0 PROTO=1 10.14.9.254:3 212.156.197.144:1 L=56 S=0x00 I=1640 F=0x0000 T=254 (#4)
Aug 15 16:16:59 gardiyan last message repeated 2 times
Aug 15 16:20:05 gardiyan kernel: Packet log: input DENY ppp0 PROTO=1 10.14.9.254:3 212.156.197.144:1 L=56 S=0x00 I=63495 F=0x0000 T=254 (#4)
Aug 15 16:26:05 gardiyan kernel: Packet log: input DENY ppp0 PROTO=1 10.14.9.254:3 212.156.197.144:1 L=56 S=0x00 I=63495 F=0x0000 T=254 (#4)
Aug 15 16:28:05 gardiyan kernel: Packet log: input DENY ppp0 PROTO=1 10.14.9.254:3 212.156.197.144:1 L=56 S=0x00 I=63495 F=0x0000 T=254 (#4)
Aug 15 16:30:05 gardiyan kernel: Packet log: input DENY ppp0 PROTO=1 10.14.9.254:3 212.156.197.144:1 L=56 S=0x00 I=15693 F=0x0000 T=254 (#4)
Aug 15 16:32:05 gardiyan kernel: Packet log: input DENY ppp0 PROTO=1 10.14.9.254:3 212.156.197.144:1 L=56 S=0x00 I=15693 F=0x0000 T=254 (#4)
Aug 15 16:38:05 gardiyan kernel: Packet log: input DENY ppp0 PROTO=1 10.14.9.254:3 212.156.197.144:1 L=56 S=0x00 I=40482 F=0x0000 T=254 (#4)

--
Togan Muftuoglu
Hi Togan,

icmp type 3 is destination unreachable. You should not block these packets coming from inet to you (re-read ipchains howto). It seems your 10.14.9.254 cannot reach a host in the internet.

HTH
Philipp
-----Original Message-----
From: Togan Muftuoglu [mailto:toganm@users.sourceforge.net]
Sent: Wednesday, 15 August 2001 15:53
To: Suse-Security
Subject: [suse-security] icmp requests from 10.0.0.0 network to ppp0
I have been receiving these requests which are stopped with _DENY_ rule at the firewall.
Now I have adsl connection which is using rp_pppoe and I thought private ip's should not be allowed thru the external interface.
I believe this is coming from my isp but is this normal or what
Aug 15 16:16:02 gardiyan kernel: Packet log: input DENY ppp0 PROTO=1 10.14.9.254:3 212.156.197.144:1 L=56 S=0x00 I=1640 F=0x0000 T=254 (#4)
Aug 15 16:16:59 gardiyan last message repeated 2 times
Aug 15 16:20:05 gardiyan kernel: Packet log: input DENY ppp0 PROTO=1 10.14.9.254:3 212.156.197.144:1 L=56 S=0x00 I=63495 F=0x0000 T=254 (#4)
Aug 15 16:26:05 gardiyan kernel: Packet log: input DENY ppp0 PROTO=1 10.14.9.254:3 212.156.197.144:1 L=56 S=0x00 I=63495 F=0x0000 T=254 (#4)
Aug 15 16:28:05 gardiyan kernel: Packet log: input DENY ppp0 PROTO=1 10.14.9.254:3 212.156.197.144:1 L=56 S=0x00 I=63495 F=0x0000 T=254 (#4)
Aug 15 16:30:05 gardiyan kernel: Packet log: input DENY ppp0 PROTO=1 10.14.9.254:3 212.156.197.144:1 L=56 S=0x00 I=15693 F=0x0000 T=254 (#4)
Aug 15 16:32:05 gardiyan kernel: Packet log: input DENY ppp0 PROTO=1 10.14.9.254:3 212.156.197.144:1 L=56 S=0x00 I=15693 F=0x0000 T=254 (#4)
Aug 15 16:38:05 gardiyan kernel: Packet log: input DENY ppp0 PROTO=1 10.14.9.254:3 212.156.197.144:1 L=56 S=0x00 I=40482 F=0x0000 T=254 (#4)
-- Togan Muftuoglu
* Philipp Snizek;
Hi Togan,
icmp type 3 is destination unreachable. You should not block these packets coming from inet to you (re-read ipchains howto). It seems your 10.14.9.254 cannot reach a host in the internet.
Excuse me I do not get it

I have my local net on the 192.168.1.0/24 subnet

Internet is assigned via pppoe which is going thru eth1 which has no address assigned and ppp0 has 212.156.197.144 as the ip number

eth0      Link encap:Ethernet HWaddr 00:00:21:D2:D3:73
          inet addr:192.168.1.2 Bcast:192.168.1.255 Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
          RX packets:1559952 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2195196 errors:0 dropped:0 overruns:0 carrier:0
          collisions:255 txqueuelen:100
          Interrupt:11 Base address:0x1000

eth1      Link encap:Ethernet HWaddr 00:60:97:50:AE:DB
          UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
          RX packets:2284437 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1642777 errors:0 dropped:0 overruns:0 carrier:3
          collisions:39 txqueuelen:100
          Interrupt:10 Base address:0x300

ppp0      Link encap:Point-to-Point Protocol
          inet addr:212.156.197.144 P-t-P:212.156.196.1 Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1492 Metric:1
          RX packets:24492 errors:0 dropped:0 overruns:0 frame:0
          TX packets:23939 errors:0 dropped:0 overruns:0 carrier 0
          collisions:0 txqueuelen:10

this is the routing table, there is no 10.0.0.0 network assigned

212.156.196.1 0.0.0.0 255.255.255.255 UH 0 0 0 ppp0
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
0.0.0.0 212.156.196.1 0.0.0.0 UG 0 0 0 ppp0

So if I am reading the log correctly the traffic is

10.4.9.254 port 3 to my internet ip port 1

Packet log: input DENY ppp0 PROTO=1 10.14.9.254:3 212.156.197.144:1 L=56 S=0x00 I=40482 F=0x0000 T=254 (#4)

Since there is no 10.0.0.0 network on my routing table and there is no ip from this group assigned to my interfaces I think it is quite logical to block private IP coming to the internet ip (the rule is input)

So before complaining to the ISP I want to make sure I know what I am talking about.

--
Togan Muftuoglu
Lots of ISP's/etc use 10.* for "internal clouds" of routers and the like. My adsl box for example is a 10.* IP printed on the sticker on the bottom of it. At one colo provider (using this ISP) they do not filter 10.* and so you can access the "internal cloud" which is kind of fun =).

-Kurt

On Wed, 15 Aug 2001, 'Togan Muftuoglu' wrote:
* Philipp Snizek; on 15 Aug, 2001 wrote:

Hi Togan,
icmp type 3 is destination unreachable. You should not block these packets coming from inet to you (re-read ipchains howto). It seems your 10.14.9.254 cannot reach a host in the internet.
Excuse me I do not get it
I have my local net on the 192.168.1.0/24 subnet
Internet is assigned via pppoe which is going thru eth1 which has no address assigned and ppp0 has 212.156.197.144 as the ip number
eth0 Link encap:Ethernet HWaddr 00:00:21:D2:D3:73 inet addr:192.168.1.2 Bcast:192.168.1.255 Mask:255.255.255.0 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:1559952 errors:0 dropped:0 overruns:0 frame:0 TX packets:2195196 errors:0 dropped:0 overruns:0 carrier:0 collisions:255 txqueuelen:100 Interrupt:11 Base address:0x1000
eth1 Link encap:Ethernet HWaddr 00:60:97:50:AE:DB UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:2284437 errors:0 dropped:0 overruns:0 frame:0 TX packets:1642777 errors:0 dropped:0 overruns:0 carrier:3 collisions:39 txqueuelen:100 Interrupt:10 Base address:0x300
ppp0 Link encap:Point-to-Point Protocol inet addr:212.156.197.144 P-t-P:212.156.196.1 Mask:255.255.255.255 UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1492 Metric:1 RX packets:24492 errors:0 dropped:0 overruns:0 frame:0 TX packets:23939 errors:0 dropped:0 overruns:0 carrier 0 collisions:0 txqueuelen:10
this is the routing table, there is no 10.0.0.0 network assigned
212.156.196.1 0.0.0.0 255.255.255.255 UH 0 0 0 ppp0
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
0.0.0.0 212.156.196.1 0.0.0.0 UG 0 0 0 ppp0
So if I am reading the log correctly the traffic is
10.4.9.254 port 3 to my internet ip port 1

Packet log: input DENY ppp0 PROTO=1 10.14.9.254:3 212.156.197.144:1 L=56 S=0x00 I=40482 F=0x0000 T=254 (#4)

Since there is no 10.0.0.0 network on my routing table and there is no ip from this group assigned to my interfaces I think it is quite logical to block private IP coming to the internet ip (the rule is input)

So before complaining to the ISP I want to make sure I know what I am talking about.
icmp type 3 is destination unreachable. You should not block these packets coming from inet to you (re-read ipchains howto). It seems your 10.14.9.254 cannot reach a host in the internet.
Excuse me I do not get it
I have my local net on the 192.168.1.0/24 subnet
Internet is assigned via pppoe which is going thru eth1 which has no address assigned and ppp0 has 212.156.197.144 as the ip number
eth0 Link encap:Ethernet HWaddr 00:00:21:D2:D3:73 inet addr:192.168.1.2 Bcast:192.168.1.255 Mask:255.255.255.0 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:1559952 errors:0 dropped:0 overruns:0 frame:0 TX packets:2195196 errors:0 dropped:0 overruns:0 carrier:0 collisions:255 txqueuelen:100 Interrupt:11 Base address:0x1000
eth1 Link encap:Ethernet HWaddr 00:60:97:50:AE:DB UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:2284437 errors:0 dropped:0 overruns:0 frame:0 TX packets:1642777 errors:0 dropped:0 overruns:0 carrier:3 collisions:39 txqueuelen:100 Interrupt:10 Base address:0x300
ppp0 Link encap:Point-to-Point Protocol inet addr:212.156.197.144 P-t-P:212.156.196.1 Mask:255.255.255.255 UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1492 Metric:1 RX packets:24492 errors:0 dropped:0 overruns:0 frame:0 TX packets:23939 errors:0 dropped:0 overruns:0 carrier 0 collisions:0 txqueuelen:10
The missing link: it's not you running a 10.0.0.0 network internally. Well, that changes things.
this is the routing table, there is no 10.0.0.0 network assigned
212.156.196.1 0.0.0.0 255.255.255.255 UH 0 0 0 ppp0
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
0.0.0.0 212.156.196.1 0.0.0.0 UG 0 0 0 ppp0
So if I am reading the log correctly the traffic is
10.4.9.254 port 3 to my internet ip port 1

Packet log: input DENY ppp0 PROTO=1 10.14.9.254:3 212.156.197.144:1 L=56 S=0x00 I=40482 F=0x0000 T=254 (#4)

Still dest unreach. But not coming from you but the other side. First I thought you were the 10. guy using NAT. This may be a router or firewall sending you icmp dest unreach maybe type 10 or so telling you that it's blocking your packets. I experienced that with other routers/firewalls in the inet. If it's that then it's nothing to worry 'bout. But good opportunity to learn more about dest unreach.

Since there is no 10.0.0.0 network on my routing table and there is no ip from this group assigned to my interfaces I think it is quite logical to block private IP coming to the internet ip (the rule is input)

Yes, you can drop that.

So before complaining to the ISP I want to make sure I know what I am talking about.

First I would try what Kurt said. Sounds like a lot of fun :)

Philipp
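Added example, not part of any poster's message and not code from ipchains: a small decoder for the "Packet log:" lines quoted in this thread. For PROTO=1 it reads the two ":N" fields as ICMP type and code (the ipchains convention for ICMP) rather than as ports, flags RFC 1918 sources, and expands syslog "last message repeated" lines. The function names, the third sample line and its 192.0.2.7 address are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
UNREACH = {0: "net unreachable", 1: "host unreachable", 2: "protocol unreachable",
           3: "port unreachable", 4: "fragmentation needed", 9: "net admin prohibited",
           10: "host admin prohibited", 13: "communication admin prohibited"}
LINE = re.compile(r"Packet log: (\S+) (\S+) (\S+) PROTO=(\d+) ([\d.]+):(\d+) ([\d.]+):(\d+)")
REPEAT = re.compile(r"last message repeated (\d+) times")

# Constructed sample: lines 1-2 are from the thread, line 3 is an invented TCP entry.
SAMPLE_LOG = """\
Aug 15 16:16:02 gardiyan kernel: Packet log: input DENY ppp0 PROTO=1 10.14.9.254:3 212.156.197.144:1 L=56 S=0x00 I=1640 F=0x0000 T=254 (#4)
Aug 15 16:16:59 gardiyan last message repeated 2 times
Aug 15 16:17:30 gardiyan kernel: Packet log: input DENY ppp0 PROTO=6 192.0.2.7:4312 212.156.197.144:23 L=60 S=0x00 I=2211 F=0x4000 T=52 (#4)
"""

def decode(line):
    """Parse one ipchains 'Packet log' line; return None for anything else."""
    m = LINE.search(line)
    if not m:
        return None
    chain, verdict, iface, proto, src, a, dst, b = m.groups()
    rec = {"chain": chain, "verdict": verdict, "iface": iface, "src": src, "dst": dst,
           "src_rfc1918": any(ipaddress.ip_address(src) in net for net in RFC1918)}
    if proto == "1":
        # ICMP has no ports: ipchains prints the type and code in the port slots.
        rec["what"] = f"icmp type {a} code {b}"
        if a == "3":
            rec["what"] += f" ({UNREACH.get(int(b), 'other unreachable')})"
    else:
        rec["what"] = f"proto {proto} port {a} -> {b}"
    return rec

def summarize(log_text):
    """Count packets per (src, src_rfc1918, what), expanding syslog repeat lines."""
    counts, last = Counter(), None
    for line in log_text.splitlines():
        rep = REPEAT.search(line)
        if rep and last:
            counts[last] += int(rep.group(1))
            continue
        rec = decode(line)
        last = (rec["src"], rec["src_rfc1918"], rec["what"]) if rec else None
        if last:
            counts[last] += 1
    return counts
```

Calling summarize(SAMPLE_LOG) groups the three ICMP packets under the 10.14.9.254 source and keeps the TCP entry separate.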