HiHO...
Feb 14 10:57:59 reaper scanlogd: From 216.77.42.93:20 to 192.168.0.51 ports ^^

# Allow the external net to the internal net
# the active FTP stuff here.
ipchains -A input -p tcp -s ! $INTERNAL 20 -j ACCEPT
this is, how the packages came in...
ipchains -A input -p udp -s ! $INTERNAL -d ! $INTERNAL -j ACCEPT
what is the sense of this rule ?? not FROM internal and not TO internal ??? only packets from external to your world devices will match this rule...
ipchains -A input -s ! $INTERNAL -d ! $INTERNAL -j REJECT
# Set up the forwarding chain
# Allow forwarding in the internal net
ipchains -A forward -s $INTERNAL -d $INTERNAL -j ACCEPT
i don't think, you really need this rule- forwarding is between two interfaces, e.g. eth0 <-> ppp0 and your internal net is connected to one interface, and the machines communicate directly, without the router...
# Masquerade should take care of external to internal
# this should stop non masqueraded forwarding
ipchains -A forward -s ! $INTERNAL -d $INTERNAL -j REJECT
i think, masquerading won't work at all with this rule- no packet will be forwarded back to internal ?
All I want the external network to do is send ICQ packets inside. Otherwise stop anything not a reply to a masqed packet.
hmmm, i couldn't find any rules for icq (but i don't know, which ports are used)
How did the person doing the portscan manage to send their packets to my internal machine 192.168.0.51 directly ?
i think it was an active ftp-request, (20 -> 1023:), i don't really understand, which way the packets took back to you, as the masquerading should not work in my eyes. maybe the module ip_masq_ftp does it ?? any hints please)
and i thought all my packets would look like they came from there)
no, the packets come from there, but they look, like they come from where they come...
How can I get more information about the scanner on that host. I have tried to do the usual of host 216.77.42.93 and got no host, I've done a traceroute so I know what machines it goes through. I've tried to telnet to a few ports to see if they have any open to get the name of the place. I just want more information so I can keep tabs on it and mail the admin about the activities.
i think you were on the right way- the only service provided by this machine is ftp. but i don't think, it was really a scan. it won't be possible to address a package to an address with 192.168.x.x - it never would find the way to you. it would be only possible to scan that host from within your net and for this your router must be hacked and the sender address would not be from outside your network. i didn't check everything in your setup, but it looks quite broken to me. maybe you should try to update the suse-firewall to 1.4 and try a configuration like this:

FW_DEV_WORLD="ppp0"
FW_DEV_INT="eth0"
FW_ROUTE="yes"
FW_MASQUERADE="yes"
FW_LOCALNETS="192.168.0.0/24"
FW_MASQ_DEV="$FW_DEV_WORLD"
FW_KERNEL_SECURITY="yes"
FW_AUTOPROTECT_GLOBAL_SERVICES="yes"
FW_PROTECT_FROM_INTERNAL="no"
FW_TCP_SERVICES_EXTERNAL=""
FW_UDP_SERVICES_EXTERNAL=""
FW_TRUSTED_HOSTS=""
FW_TCP_SERVICES_TRUSTED=""
FW_UDP_SERVICES_TRUSTED=""
FW_TCP_SERVICES_INTERNAL=""
FW_UDP_SERVICES_INTERNAL=""
FW_TCP_ALLOW_INCOMING_HIGHPORTS=""
FW_UDP_ALLOW_INCOMING_HIGHPORTS="dns"
FW_SERVICE_DNS="no"
FW_FORWARD_TCP=""
FW_FORWARD_UDP=""
FW_REDIRECT_TCP=""
FW_REDIRECT_UDP=""
FW_LOG_DENY_CRIT="yes"
FW_LOG_DENY_ALL="no"
FW_LOG_ACCEPT_CRIT="yes"
FW_LOG_ACCEPT_ALL="no"
FW_ALLOW_FW_PING="no"
FW_ALLOW_FW_TRACEROUTE="no"
FW_ALLOW_FW_SOURCEQUENCH="yes"
FW_MASQ_MODULES="ftp "

with this configuration everything will be masqueraded, only passive ftp is possible and i don't know, if icq will work. you will find information on this in /etc/rc.firewall and in /usr/doc/packages/firewals

so far...

 ____________________________________________________________
| .~.      s.martin@odn.de                                   |
| /V\      fon     +49(0)911.2256 03                         |
| /( )\    fax     +49(0)911.2256 06                         |
| ^`~'^    mobile  +49(0)173.380 43 12                       |
| pgp: http://www.xhponozon.com/keys/stephan.asc             |
|____________________________________________________________|
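To make the rule-by-rule argument in this reply concrete, here is a small first-match evaluator for the ipchains rules quoted above. It is an added example and not code from either poster; it assumes $INTERNAL is 192.168.0.0/24 (the post never shows the variable's value), uses a constructed destination port of 1023 for the logged packet (scanlogd's line does not record it), and models only address, port and protocol matching on the input and forward chains, not masquerading and not the chain's default policy. Running it shows that the logged 216.77.42.93:20 packet is accepted by the first input rule purely because its source port is 20, that the second input rule can only ever match UDP traffic that is neither from nor to the internal net, and that the second forward rule rejects anything external addressed to an internal host.

```python
"""First-match evaluator for the ipchains rules quoted in the thread.

Constructed example: it checks protocol, source/destination address (with
the ipchains '!' negation) and source port, and returns the first matching
rule. Masquerading and the chain's default policy are not modelled.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# $INTERNAL as used in the quoted rules (assumed value; the post does not show it).
INTERNAL = ipaddress.ip_network("192.168.0.0/24")


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    target: str                                   # -j ACCEPT / REJECT
    proto: Optional[str] = None                   # -p
    src: Optional[ipaddress.IPv4Network] = None   # -s
    src_neg: bool = False                         # -s ! ...
    sport: Optional[int] = None                   # port following -s
    dst: Optional[ipaddress.IPv4Network] = None   # -d
    dst_neg: bool = False                         # -d ! ...

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.src is not None:
            inside = ipaddress.ip_address(pkt.src) in self.src
            if inside == self.src_neg:       # '!' wants the address outside the net
                return False
        if self.sport is not None and pkt.sport != self.sport:
            return False
        if self.dst is not None:
            inside = ipaddress.ip_address(pkt.dst) in self.dst
            if inside == self.dst_neg:
                return False
        return True


# The three input-chain rules as quoted in the thread, in their original order.
INPUT_CHAIN: List[Rule] = [
    # ipchains -A input -p tcp -s ! $INTERNAL 20 -j ACCEPT
    Rule("ACCEPT", proto="tcp", src=INTERNAL, src_neg=True, sport=20),
    # ipchains -A input -p udp -s ! $INTERNAL -d ! $INTERNAL -j ACCEPT
    Rule("ACCEPT", proto="udp", src=INTERNAL, src_neg=True, dst=INTERNAL, dst_neg=True),
    # ipchains -A input -s ! $INTERNAL -d ! $INTERNAL -j REJECT
    Rule("REJECT", src=INTERNAL, src_neg=True, dst=INTERNAL, dst_neg=True),
]

# The two forward-chain rules as quoted in the thread.
FORWARD_CHAIN: List[Rule] = [
    # ipchains -A forward -s $INTERNAL -d $INTERNAL -j ACCEPT
    Rule("ACCEPT", src=INTERNAL, dst=INTERNAL),
    # ipchains -A forward -s ! $INTERNAL -d $INTERNAL -j REJECT
    Rule("REJECT", src=INTERNAL, src_neg=True, dst=INTERNAL),
]


def verdict(chain: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (target, 1-based rule number) of the first matching rule, or
    ("POLICY", None) when no rule matches and the chain policy would decide."""
    for number, rule in enumerate(chain, start=1):
        if rule.matches(pkt):
            return rule.target, number
    return "POLICY", None


# The packet scanlogd logged: 216.77.42.93:20 -> 192.168.0.51. The log line
# carries no destination port, so 1023 here is a constructed value.
LOGGED = Packet("tcp", "216.77.42.93", 20, "192.168.0.51", 1023)

if __name__ == "__main__":
    print("input  ", verdict(INPUT_CHAIN, LOGGED))
    print("forward", verdict(FORWARD_CHAIN, LOGGED))
    # Same host, source port 21 instead of 20: nothing in the input chain matches.
    print("input  ", verdict(INPUT_CHAIN, Packet("tcp", "216.77.42.93", 21, "192.168.0.51", 1023)))
    # External-to-external UDP: the only kind of traffic the second rule can match.
    print("input  ", verdict(INPUT_CHAIN, Packet("udp", "198.51.100.7", 53, "203.0.113.9", 53)))
```

The source-port-20 rule is the point of the reply: ipchains has no notion of an established FTP data connection, so "-p tcp -s ! $INTERNAL 20" accepts any TCP packet from any outside host as long as it carries source port 20, which is why scanlogd saw that packet reach the internal address.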