padukes Apprentice
Joined: 27 Feb 2003 Posts: 232
Posted: Thu Nov 10, 2005 6:28 pm Post subject: Am I Attacking MySelf? [SOLVED - and it was yes, sort of]
Hi All,
Let's imagine that my IP address is "1.2.3.4". About every 10 minutes I see two packets in my iptables log that look like they are coming from me and are being sent near my subnet. However, instead of going to 1.2.3.255 they go to 1.2.4.255. The machine that holds that IP is running Gentoo and acting as my firewall to several Windows (and Linux) machines behind it. Am I somehow attacking myself? Any ideas what is causing these packets (every friggin 10 minutes)?
Code:
Nov 10 13:20:37 phoenix IPTABLES-INPUT: IN=eth0 OUT= MAC= SRC=1.2.3.4 DST=1.2.4.255 LEN=248 TOS=0x00 PREC=0x00 TTL=64 ID=655 DF PROTO=UDP SPT=138 DPT=138 LEN=228
Nov 10 13:20:37 phoenix IPTABLES-INPUT: IN=eth0 OUT= MAC= SRC=1.2.3.4 DST=1.2.4.255 LEN=236 TOS=0x00 PREC=0x00 TTL=64 ID=656 DF PROTO=UDP SPT=138 DPT=138 LEN=216
Thanks,
P
Last edited by padukes on Thu Nov 10, 2005 9:09 pm; edited 1 time in total

Mark Clegg Apprentice
Joined: 05 Jan 2004 Posts: 270 Location: ZZ9 Plural Z Alpha
Posted: Thu Nov 10, 2005 6:44 pm Post subject:
Well, first I'd check /etc/conf.d/net. If you're using a static IP address, I'd guess you've set the broadcast address wrong, and that would explain the 1.2.4.255 instead of 1.2.3.255 (assuming a subnet mask of 255.255.255.0). Can you post an ifconfig -a?
Secondly, your iptables log shows UDP port 138, that's NetBIOS, so I'd be looking for a Samba process on the local machine.

padukes Apprentice
Joined: 27 Feb 2003 Posts: 232
Posted: Thu Nov 10, 2005 7:10 pm Post subject:
Hi Mark,
Here's the relevant portion from my ifconfig (I have a dynamic IP with the real IP replaced):
Code:
eth0      Link encap:Ethernet  HWaddr 00:90:47:03:2B:BF
          inet addr:1.2.3.4  Bcast:255.255.255.255  Mask:255.255.252.0
          UP BROADCAST NOTRAILERS RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:6781924 errors:0 dropped:0 overruns:0 frame:0
          TX packets:167507 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:497593813 (474.5 Mb)  TX bytes:61587455 (58.7 Mb)
          Interrupt:10 Base address:0xe400
Could the IP weirdness be that my mask is "255.255.252.0"?
Anyway, I do have Samba running on this box - is there a setting I should look for? Why would it be using my external IP?
Thanks again,
P

think4urs11 Bodhisattva
Joined: 25 Jun 2003 Posts: 6659 Location: above the cloud
Posted: Thu Nov 10, 2005 7:55 pm Post subject:
The 10 minutes are because that's how NetBIOS works.
Your Samba announces itself into the network every 10 minutes.
Reconfigure Samba to listen only on your internal interface
in section [global], parameter interfaces
_________________
Nothing is secure / Security is always a trade-off with usability / Do not assume anything / Trust no-one, nothing / Paranoia is your friend / Think for yourself

padukes Apprentice
Joined: 27 Feb 2003 Posts: 232
Posted: Thu Nov 10, 2005 8:32 pm Post subject:
Thanks all!
It appears that it was Samba. I changed the various interface params but I think it was this in the [global] section that did the trick:
remote announce = 192.168.0.1/255.255.255.0
Thanks for the help,
P
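
An added triage example (not posted by anyone in the thread): it parses iptables LOG lines, lists NetBIOS UDP packets sourced from the firewall's own address, and checks each destination against the interface's subnet. It uses the thread's placeholder address and mask, so the subnet result applies only to those placeholder values; the function names and the third log line are constructed for illustration.

```python
import ipaddress
import re

# UDP ports used by NetBIOS over TCP/IP
NETBIOS_UDP = {137: "name service", 138: "datagram service"}
FIELD = re.compile(r"(\w+)=(\S*)")

def parse_line(line):
    """Return the KEY=VALUE fields of one iptables LOG line as a dict."""
    fields = {}
    for key, value in FIELD.findall(line):
        fields.setdefault(key, value)  # LEN appears twice; keep the IP-level one
    return fields

def self_sourced_netbios(lines, iface):
    """List NetBIOS UDP packets whose source is the interface's own address."""
    findings = []
    for line in lines:
        f = parse_line(line)
        if f.get("PROTO") != "UDP" or f.get("SRC") != str(iface.ip):
            continue
        dport = int(f.get("DPT") or "0")
        if dport not in NETBIOS_UDP:
            continue
        dst = ipaddress.ip_address(f["DST"])
        findings.append({
            "in_iface": f.get("IN"),
            "dst": str(dst),
            "service": NETBIOS_UDP[dport],
            "dst_in_subnet": dst in iface.network,
            "dst_is_subnet_broadcast": dst == iface.network.broadcast_address,
        })
    return findings

# First two lines are from the first post; the third is constructed (unrelated traffic).
LOG = [
    "Nov 10 13:20:37 phoenix IPTABLES-INPUT: IN=eth0 OUT= MAC= SRC=1.2.3.4 DST=1.2.4.255 LEN=248 TOS=0x00 PREC=0x00 TTL=64 ID=655 DF PROTO=UDP SPT=138 DPT=138 LEN=228",
    "Nov 10 13:20:37 phoenix IPTABLES-INPUT: IN=eth0 OUT= MAC= SRC=1.2.3.4 DST=1.2.4.255 LEN=236 TOS=0x00 PREC=0x00 TTL=64 ID=656 DF PROTO=UDP SPT=138 DPT=138 LEN=216",
    "Nov 10 13:21:02 phoenix IPTABLES-INPUT: IN=eth0 OUT= MAC= SRC=198.51.100.7 DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4711 DF PROTO=TCP SPT=40000 DPT=22",
]
# Placeholder address and mask as given in the ifconfig output above
IFACE = ipaddress.ip_interface("1.2.3.4/255.255.252.0")

if __name__ == "__main__":
    print("subnet:", IFACE.network, "broadcast:", IFACE.network.broadcast_address)
    for finding in self_sourced_netbios(LOG, IFACE):
        print(finding)
```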