I'm getting an unusual message on the console which says:
Packet log: output DENY ippp0 PROTO=17 xxx.xxx.xxx.xxx: 61417 194.247.47.47 L=78 S=0x00 I=36552 F=0x4000 T=63 (#5)
Are you sure that's all there is? I'm missing the destination port number. 61417 is the source port. The destination port could tell us what the packet was supposed to achieve.
Both the 61417 and the 36552 numbers rise all of the time to the next one and then drop back down to another one. Also getting:
The rise in those numbers is their expected behaviour, since the source port is allocated by the IP masquerading code and the IP ID, used to distinguish IP packets from one another, seems to change in the same fashion in the Linux TCP/IP stack.
IP_MASQ: lp_fw_masquerade(): change masq.addr from xxx.xxx.xxx.xx to xxx..xxx.xxxx.xx. Both these addresses are on this machine. One of them is eth0 and the other is the address of the machine.
Could be the machine is running out of source ports to use or the masquerading table per source address is full. I don't know if the latter is real, though, i.e. if there is a separate table per source address.
Seen this on every SuSE 7.1 machine that I've installed. Anyone know what to do about it?
Well, why do you have ipchains rules configured to block that traffic, and what is generating it? Those are the questions to be answered.
Cheers, Tobias
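The fields of the ipchains log line discussed in this thread, decoded in an added Python example that is not part of the original posts. It assumes the field layout described in the ipchains HOWTO (chain, action, interface, protocol, source, destination, length, TOS, IP ID, fragment field, TTL, rule number); the function name `parse_packet_log` and the second sample line are constructed for illustration.

```python
import re

# Layout: chain action iface PROTO=n src[:port] dst[:port] L= S= I= F= T= (#rule)
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) "
    r"(?P<src>[^\s:]+)(?::\s*(?P<sport>\d+))? "
    r"(?P<dst>[^\s:]+)(?::\s*(?P<dport>\d+))? "
    r"L=(?P<length>\d+) S=(?P<tos>0x[0-9A-Fa-f]+) I=(?P<ip_id>\d+) "
    r"F=(?P<frag>0x[0-9A-Fa-f]+) T=(?P<ttl>\d+)"
    r"(?: \(#(?P<rule>\d+)\))?"
)
PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}

def parse_packet_log(line):
    """Return a dict of decoded fields, or None if the line is not a packet log."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport", "length", "ip_id", "ttl", "rule"):
        if rec[key] is not None:
            rec[key] = int(rec[key])
    # F= is the 16-bit flags + fragment offset word from the IP header.
    frag = int(rec["frag"], 16)
    rec["dont_fragment"] = bool(frag & 0x4000)
    rec["more_fragments"] = bool(frag & 0x2000)
    rec["frag_offset"] = (frag & 0x1FFF) * 8  # offset is stored in 8-byte units
    rec["proto_name"] = PROTO_NAMES.get(rec["proto"], str(rec["proto"]))
    rec["notes"] = []
    # TCP/UDP lines should carry both ports; flag the gap instead of guessing.
    if rec["proto"] in (6, 17) and rec["dport"] is None:
        rec["notes"].append("destination port missing: line truncated or edited")
    return rec

# The line as posted in the thread (source address masked by the poster).
PAGE_LINE = ("Packet log: output DENY ippp0 PROTO=17 xxx.xxx.xxx.xxx: 61417 "
             "194.247.47.47 L=78 S=0x00 I=36552 F=0x4000 T=63 (#5)")
# Constructed sample with documentation addresses and a destination port.
CONSTRUCTED_LINE = ("Packet log: output DENY ippp0 PROTO=17 192.0.2.10:61417 "
                    "198.51.100.53:53 L=78 S=0x00 I=36553 F=0x4000 T=63 (#5)")

if __name__ == "__main__":
    for line in (PAGE_LINE, CONSTRUCTED_LINE):
        r = parse_packet_log(line)
        print(r["chain"], r["action"], r["proto_name"], r["src"], r["sport"],
              "->", r["dst"], r["dport"], "id", r["ip_id"], "rule", r["rule"],
              r["notes"])
```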