Hi. I am relatively new to the list, and Linux in general. I have tried to find out more about security in man files and a couple of books, trying to make my machines more secure. While I was online yesterday and today I have noticed in my console that I had been portscanned. Sorry for the spam on this, this is just what they sent.

Feb 14 10:57:59 reaper scanlogd: From 216.77.42.93:20 to 192.168.0.51 ports 1764, 1765, 1766, 1767, 1768, 1769, 1770, 1771, 1772, ..., flags ??rp?u, TOS 10, TTL 114, started at 10:57:45
Feb 14 11:21:26 reaper scanlogd: From 216.77.42.93:20 to 192.168.0.51 ports 1800, 1801, 1802, 1803, 1804, 1805, 1806, 1807, 1808, ..., flags ??rp?u, TOS 10, TTL 114, started at 11:21:12
Feb 14 11:30:56 reaper scanlogd: From 216.77.42.93:20 to 192.168.0.51 ports 1819, 1820, 1821, 1822, 1823, 1824, 1825, 1826, 1827, ..., flags ??rp?u, TOS 10, TTL 114, started at 11:30:42
Feb 14 16:28:07 reaper scanlogd: From 216.77.42.93:20 to 192.168.0.51 ports 1902, 1903, 1904, 1905, 1906, 1907, 1908, 1909, 1910, ..., flags ??rp?u, TOS 10, TTL 114, started at 16:27:55
Feb 14 16:50:44 reaper scanlogd: From 216.77.42.93:20 to 192.168.0.51 ports 1925, 1926, 1927, 1928, 1929, 1930, 1931, 1932, 1933, ..., flags ??rp?u, TOS 10, TTL 114, started at 16:50:29
Feb 14 17:02:38 reaper scanlogd: From 216.77.42.93:20 to 192.168.0.51 ports 1976, 1977, 1978, 1979, 1980, 1981, 1982, 1983, 1984, ..., flags ??rp?u, TOS 10, TTL 114, started at 17:02:23
Feb 14 17:33:54 reaper scanlogd: From 216.77.42.93:20 to 192.168.0.51 ports 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, ..., flags ??rp?u, TOS 10, TTL 114, started at 17:33:40
Feb 14 21:03:23 reaper scanlogd: From 216.77.42.93:20 to 192.168.0.51 ports 2052, 2053, 2054, 2055, 2056, 2057, 2058, 2059, 2060, ..., flags ??rp?u, TOS 10, TTL 114, started at 21:03:11
Feb 15 13:42:21 reaper scanlogd: From 216.77.42.93:20 to 192.168.0.51 ports 2120, 2121, 2122, 2123, 2124, 2125, 2126, 2127, 2128, ...
Now I have a small Linux machine used to masquerade for the machines in our local setup so we can use the internet together. This is my ipchains setup at the moment (I know there is a SuSE packet filter script, I just haven't got to grips with it yet :(, but at least I'm trying to find out the answers)

<start of shell script>
#!/bin/sh
INTERNAL=192.168.0.0/24

echo -n "Turning on packet filtering:"

# Stop forwarding while we tear down the old rules and set up the new ones
echo 0 > /proc/sys/net/ipv4/ip_forward

# Flush everything and set the default policy to REJECT
/sbin/ipchains -X
/sbin/ipchains -F
/sbin/ipchains -P input REJECT
/sbin/ipchains -P output REJECT
/sbin/ipchains -P forward REJECT

# Attempt to stop spoofing: internal or loopback addresses must never arrive on ppp0
ipchains -A input -s 192.168.0.0/24 -i ppp0 -j REJECT -l
ipchains -A input -s 127.0.0.1 -i ppp0 -j REJECT -l

# Set up the input chain
# Allow loopback connections
ipchains -A input -s 127.0.0.1 -j ACCEPT

# Allow the internal net to the internal net
ipchains -A input -s $INTERNAL -d $INTERNAL -j ACCEPT

# Allow the internal net to the external net
ipchains -A input -s 127.0.0.1 -d ! $INTERNAL -j ACCEPT
ipchains -A input -s $INTERNAL -d ! $INTERNAL -j ACCEPT

# Allow the external net to the internal net
# the active FTP stuff here: accept external TCP coming from source port 20 or 21
ipchains -A input -p tcp -s ! $INTERNAL 20 -j ACCEPT
ipchains -A input -p tcp -s ! $INTERNAL 21 -j ACCEPT

# Deny all incoming SYN requests on TCP: only non-SYN (established) external TCP is accepted
ipchains -A input -p tcp -s ! $INTERNAL ! -y -j ACCEPT
ipchains -A input -p udp -s ! $INTERNAL -d ! $INTERNAL -j ACCEPT
ipchains -A input -s ! $INTERNAL -d ! $INTERNAL -j REJECT

# Set up the forwarding chain
# Allow forwarding in the internal net
ipchains -A forward -s $INTERNAL -d $INTERNAL -j ACCEPT

# Masquerade the internal to the external net
ipchains -A forward -s $INTERNAL -d ! $INTERNAL -j MASQ

# Masquerade should take care of external to internal;
# this should stop non-masqueraded forwarding
ipchains -A forward -s ! $INTERNAL -d $INTERNAL -j REJECT

# Set up the output rules
ipchains -A output -j ACCEPT

ipchains -P input REJECT
ipchains -P output REJECT
ipchains -P forward REJECT

echo 1 > /proc/sys/net/ipv4/ip_forward
<end of script>

All I want the external network to do is send ICQ packets inside. Otherwise stop anything not a reply to a masqueraded packet.

My questions are as follows (and I know they may be foolish):

1. How did the person doing the portscan manage to send their packets to my internal machine 192.168.0.51 directly? (I have noticed a lack of the same activity on the router, which is 192.168.0.50, and I thought all my packets would look like they came from there.)

2. How can I get more information about the scanner on that host? I have tried to do the usual of host 216.77.42.93 and got no host; I've done a traceroute so I know what machines it goes through. I've tried to telnet to a few ports to see if they have any open to get the name of the place. I just want more information so I can keep tabs on it and mail the admin about the activities.

3. Can anyone give me a few links to places to find out more about security in general?

Thank you for your patience with this newbie.

Stephen Thompson
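An added example, not part of Stephen's post and not code from scanlogd or ipchains: a small Python parser for scanlogd lines in the format shown above, which groups scan events by source address and flags scans whose TCP source port is one the posted script accepts purely by source port (its active-FTP rules for external ports 20 and 21). The sample input reuses two lines from the post plus constructed lines; the second source 10.9.8.7 and its port list are invented.

```python
import re
from collections import defaultdict

# Constructed input: two scanlogd lines from the post, one unrelated syslog line,
# and a made-up scan from a second source (10.9.8.7 and its ports are invented).
SAMPLE_LOG = """\
Feb 14 10:57:59 reaper scanlogd: From 216.77.42.93:20 to 192.168.0.51 ports 1764, 1765, 1766, 1767, 1768, 1769, 1770, 1771, 1772, ..., flags ??rp?u, TOS 10, TTL 114, started at 10:57:45
Feb 14 11:21:26 reaper scanlogd: From 216.77.42.93:20 to 192.168.0.51 ports 1800, 1801, 1802, 1803, 1804, 1805, 1806, 1807, 1808, ..., flags ??rp?u, TOS 10, TTL 114, started at 11:21:12
Feb 14 12:00:00 reaper sshd[412]: Accepted password for stephen from 192.168.0.7
Feb 15 13:42:21 reaper scanlogd: From 10.9.8.7:4321 to 192.168.0.51 ports 21, 22, 23, 25, 53, 80, 110, 111, 143, ..., flags ??rp?u, TOS 00, TTL 52, started at 13:42:10
"""

# One scanlogd entry: syslog timestamp, host, then "From src:sport to dst ports ..., flags ..."
SCAN_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ scanlogd: "
    r"From (?P<src>[\d.]+):(?P<sport>\d+) to (?P<dst>[\d.]+) "
    r"ports (?P<ports>[\d, .]+?), flags (?P<flags>\S+), "
    r"TOS (?P<tos>\w+), TTL (?P<ttl>\d+), started at (?P<start>\S+)$"
)

def parse_line(line):
    """Return a dict for one scanlogd entry, or None for any other syslog line."""
    m = SCAN_RE.match(line.strip())
    if not m:
        return None
    items = [p.strip() for p in m.group("ports").split(",")]
    return {"ts": m.group("ts"), "src": m.group("src"), "sport": int(m.group("sport")),
            "dst": m.group("dst"), "ports": [int(p) for p in items if p.isdigit()],
            "truncated": "..." in items,  # scanlogd prints only the first few ports
            "flags": m.group("flags"), "ttl": int(m.group("ttl")), "start": m.group("start")}

def parse_log(text):
    return [ev for ev in map(parse_line, text.splitlines()) if ev]

def summarize(events):
    """Group scan events by source: count, first/last timestamp, source ports, targets."""
    out = defaultdict(lambda: {"events": 0, "first": None, "last": None,
                               "sports": set(), "targets": set()})
    for ev in events:
        s = out[ev["src"]]
        s["events"] += 1
        s["first"] = s["first"] or ev["ts"]
        s["last"] = ev["ts"]
        s["sports"].add(ev["sport"])
        s["targets"].add(ev["dst"])
    return dict(out)

def matches_source_port_rule(ev, accepted_sports=frozenset({20, 21})):
    """True when the scan's TCP source port is one the filter accepts purely by source
    port, as the post's active-FTP rules do for external ports 20 and 21 (assumed set)."""
    return ev["sport"] in accepted_sports
```

Running `summarize(parse_log(SAMPLE_LOG))` gives one entry per scanning host with its event count and time span, which is the information to include when mailing the source's administrator.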