Hi,
> I have a fedora15 box with two interfaces and shorewall-v4.4.23.3
> connected to a cable modem and a few internal hosts, primarily doing
> web and email traffic, and a little bittorrent. I have a consistent
> amount of rejected packets that I think originate from bittorrent
> traffic, although I can't be sure.
>
> How can I easily identify this traffic to determine if it's being
> masqueraded or forwarded for bittorrent, or it's just some random
> rogue attack?
> [..snip..]
> I understand I can use tcpdump or wireshark, but do you have any
> recommendations on parameters for these applications to most easily
> identify this traffic?
>
> Is there an easier way to identify NAT traffic in real-time, as it
> would pertain to bittorrent?
Pretty good question. It's still on my list of things to find out,
too. :)
One additional tool I found is netstat-nat (a different program than
netstat altogether). I haven't made use of it much, though.
But for specifically bittorrent you can try to create a dummy nic and
give it its own IP. The bittorrent client can then use only that IP
(e.g. 192.168.37.1) which btw must be NAT'ted specifically.
If you combine it with rules and routes that are formed along the lines
of:
'ip ru from/to .. table p2p',
'ip route add 192.168.17.1 dev eth0 table p2p', and
'ip route add default via route dev eth0 table p2p',
you can even route all bittorrent, or other data traffic via a certain
node (e.g. ethernet, VPN, Tor, i2p..) without the risk of leaking
data. Or at least I think you don't leak data... I'm no
expert.
Essentially this just means a specific gateway is used for data arriving
and leaving from a specific IP address.
Note - I found the torrent client 'transmission' to be a bit tricky
because it cannot be bound to a NIC interface and the above suggestion
does not prevent it from still binding to :: (the IPv6 variant of
0.0.0.0 meaning 'all addresses')... despite the configured
IPv4 address.
One solution might be to configure its IPv6 address to be a ULA and
then reject the traffic from/to that IP. Personally I am a bit
cautious with IPv6, at least until I have understood just a "few" more
RFCs.
And meanwhile I found 'deluge' to be a niftier client
"but I shan't
elaborate lest I derail the subject"
Mark
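The trick above of giving the torrent client its own address (192.168.37.1 in the reply) makes NAT'd torrent flows trivial to pick out of the connection-tracking table, because every masqueraded flow whose original source is that address belongs to the client. The script below is an added example, not code from the post or from Shorewall or netstat-nat: it parses lines in the format of /proc/net/nf_conntrack (the table that netstat-nat and conntrack read), tells masqueraded flows apart from purely local ones, and summarises them per internal source address. The sample lines, the external address 198.51.100.2 and the LAN hosts 192.168.1.20/21 are constructed for the example.

```python
"""Summarise NAT'd flows per internal source address from nf_conntrack output.

Added example (not from the mailing-list post). Handles tcp/udp entries
in the /proc/net/nf_conntrack text format; ICMP entries (no ports) are skipped.
"""
import re
from collections import defaultdict

# Constructed sample of /proc/net/nf_conntrack output (not a real capture):
# two flows from the torrent-only dummy IP 192.168.37.1 (as in the post),
# three flows from ordinary LAN hosts, one of them local DNS that is not NAT'd.
SAMPLE_CONNTRACK = """\
ipv4     2 tcp      6 431999 ESTABLISHED src=192.168.37.1 dst=203.0.113.10 sport=51413 dport=6881 src=203.0.113.10 dst=198.51.100.2 sport=6881 dport=51413 [ASSURED] mark=0 use=2
ipv4     2 udp      17 29 src=192.168.37.1 dst=203.0.113.11 sport=51413 dport=6881 src=203.0.113.11 dst=198.51.100.2 sport=6881 dport=51413 mark=0 use=1
ipv4     2 tcp      6 431999 ESTABLISHED src=192.168.1.20 dst=203.0.113.50 sport=40000 dport=443 src=203.0.113.50 dst=198.51.100.2 sport=443 dport=40000 [ASSURED] mark=0 use=2
ipv4     2 tcp      6 118 SYN_SENT src=192.168.1.21 dst=203.0.113.60 sport=40001 dport=25 src=203.0.113.60 dst=198.51.100.2 sport=25 dport=40001 [UNREPLIED] mark=0 use=1
ipv4     2 udp      17 20 src=192.168.1.20 dst=192.168.1.1 sport=5353 dport=53 src=192.168.1.1 dst=192.168.1.20 sport=53 dport=5353 mark=0 use=1
"""

# Each entry carries two tuples: the original direction first, the reply
# direction second, each as src= dst= sport= dport= in that order.
KV_RE = re.compile(r'\b(src|dst|sport|dport)=(\S+)')


def parse_conntrack_line(line):
    """Return a dict for one tcp/udp conntrack entry, or None if unparsable."""
    fields = line.split()
    if len(fields) < 3:
        return None
    proto = fields[2]
    pairs = KV_RE.findall(line)
    if len(pairs) < 8:          # ICMP or truncated line: no full port tuples
        return None
    orig = dict(pairs[:4])
    reply = dict(pairs[4:8])
    # Masquerading rewrites the source, so replies are addressed to the
    # router's external IP instead of back to the internal host.
    snat = reply['dst'] != orig['src']
    return {
        'proto': proto,
        'orig_src': orig['src'], 'orig_dst': orig['dst'],
        'sport': int(orig['sport']), 'dport': int(orig['dport']),
        'snat': snat,
    }


def parse_conntrack(text):
    """Parse a whole conntrack table dump into a list of entry dicts."""
    entries = []
    for line in text.splitlines():
        entry = parse_conntrack_line(line)
        if entry is not None:
            entries.append(entry)
    return entries


def summarise_by_source(text):
    """Map each internal source address to counts of NAT'd and local flows."""
    summary = defaultdict(lambda: {'nat': 0, 'local': 0, 'remote_ports': set()})
    for entry in parse_conntrack(text):
        bucket = summary[entry['orig_src']]
        if entry['snat']:
            bucket['nat'] += 1
            bucket['remote_ports'].add(entry['dport'])
        else:
            bucket['local'] += 1
    return dict(summary)


def torrent_flows(text, torrent_ip='192.168.37.1'):
    """Return the masqueraded flows that originate from the torrent-only IP."""
    return [e for e in parse_conntrack(text)
            if e['orig_src'] == torrent_ip and e['snat']]


if __name__ == '__main__':
    # On a real router replace SAMPLE_CONNTRACK with
    # open('/proc/net/nf_conntrack').read() (needs root).
    for src, info in sorted(summarise_by_source(SAMPLE_CONNTRACK).items()):
        print(f"{src:15} nat={info['nat']} local={info['local']} "
              f"remote ports={sorted(info['remote_ports'])}")
    print(f"torrent flows: {len(torrent_flows(SAMPLE_CONNTRACK))}")
```

Run as root against the live table and the per-address counts show at a glance whether the "consistent amount of rejected packets" lines up with the torrent address's flows or with some other host; the remote-port set is what you would compare against the client's configured listening port. Without the dedicated IP, the same parser still works, but the torrent flows can only be told apart by port, which peers do not reliably use.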