Hi all,

I don't know if I'm sending this question to the right place... While installing shorewall, I had a look at the /proc/net/ip_conntrack contents, and noticed that there were weird IP connections established (because the records do not contain _my_ IP address), for example:

tcp 6 426262 ESTABLISHED src=192.38.163.38 dst=A.B.C.156 sport=16616 dport=4662 [UNREPLIED] src=A.B.C.156 dst=192.38.163.38 sport=4662 dport=16616 use=1
tcp 6 426091 ESTABLISHED src=172.184.111.248 dst=A.B.C.165 sport=4662 dport=4744 [UNREPLIED] src=A.B.C.165 dst=172.184.111.248 sport=4744 dport=4662 use=1
tcp 6 425607 ESTABLISHED src=81.53.54.2 dst=A.B.C.156 sport=4662 dport=3475 [UNREPLIED] src=A.B.C.156 dst=81.53.54.2 sport=3475 dport=4662 use=1
tcp 6 426365 ESTABLISHED src=172.176.131.104 dst=A.B.C.165 sport=4662 dport=1627 [UNREPLIED] src=A.B.C.165 dst=172.176.131.104 sport=1627 dport=4662 use=1
tcp 6 425151 ESTABLISHED src=81.51.113.100 dst=A.B.C.167 sport=3405 dport=4662 [UNREPLIED] src=A.B.C.167 dst=81.51.113.100 sport=4662 dport=3405 use=1

Does anyone have an idea why I can see these packets, despite being neither the originator nor the receiver? My IP address belongs to the subnet A.B.C (e.g., my ISP), and my netmask is 255.255.255.0. I googled a bit and found that besides viruses, port 4662 is used by emule; this application is not installed on my computer.

I also have some entries like the one below:

tcp 6 430143 ESTABLISHED src=*MYIPADDRESS* dst=A.B.C.156 sport=36299 dport=80 [UNREPLIED] src=A.B.C.156 dest=MYIPADDRESS sport=80 dport=36299 use=1

I checked and A.B.C.156 does not belong to a valid web server; netstat -tupan does not reveal any tcp connection between my port 36299 and the remote port 80 (I double checked with a fuser -n tcp 36299). I also tested with ShieldsUp!, and this port is marked "Stealth"... So I'm a bit lost. Has anyone an idea about this also? Can this be artificially created by some port scan?
Does [UNREPLIED] mean that my linux box dropped the packet?

Any help or suggestion to further track this problem would be very much welcomed..

Caml.
On Monday 12 January 2004 03:23 pm, Alexis L. wrote:
> Has anyone an idea about this also? Can this be artificially created by
> some port scan?
> Does [UNREPLIED] mean that my linux box dropped the packet?
>
> Any help or suggestion to further track this problem would be very much
> welcomed..

Without knowing the real addresses involved and without knowing what your network topology is, I'm not going to spend any time trying to understand what these entries might mean. UNREPLIED entries in the conntrack table are pretty common when you are trying to set up a firewall/gateway and usually result from configuration errors that you made along the way and have now corrected. Once you have everything working OK, such conntrack entries will eventually time out and disappear.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
On 12 Jan 2004 at 23:23, Alexis L. wrote:
> Hi all,
> I don't know if I'm sending this question to the right place...
> while installing shorewall, I had a look at the /proc/net/ip_conntrack
> contents, and noticed that there were weird ip connections established
> (because the records do not contain _my_ IP address), for example:
> tcp 6 426262 ESTABLISHED src=192.38.163.38 dst=A.B.C.156
> sport=16616 dport=4662 [UNREPLIED] src=A.B.C.156 dst=192.38.163.38

4662 sounds like overnet or edonkey. Someone trying to download music perhaps?

--
John Andersen
NORCOM / Juneau, Alaska
http://www.screenio.com/
(907) 790-3386
Hi all,

> > tcp 6 426262 ESTABLISHED src=192.38.163.38 dst=A.B.C.156
> > sport=16616 dport=4662 [UNREPLIED] src=A.B.C.156 dst=192.38.163.38
>
> 4662 sounds like overnet or edonkey.
> someone trying to download music perhaps?

That's right (actually, I thought about emule). I still don't know why I have records about connections in which I'm not involved.

Unfortunately, I don't have much information about the network topology (question from Tom), because the IP address I'm talking about is my home (static) address, acquired from my ISP. For this reason, I would rather prefer not to display it in plain text... Just to be more specific, my IP is A.B.C.121 (see above). I was wondering whether such records could be due to my address and A.B.C.156 being on the same subnet?

Also, any ideas about:

tcp 6 430143 ESTABLISHED src=*MYIPADDRESS* dst=A.B.C.156 sport=36299 dport=80 [UNREPLIED] src=A.B.C.156 dest=MYIPADDRESS sport=80 dport=36299 use=1

What bothers me is that dst=A.B.C.156 is _not_ a web server (dport=80), and I did not find any record of that connection in netstat output. In practice I should not worry because shorewall is configured to drop/reject any incoming connection attempts, and to allow new ones provided they were initiated from my computer. However, the reason I'm asking all these questions is due to recent and unexpected events on my linux box, e.g.:

1- LAN Wake-up. I had to disable this option in my bios
2- Clear evidence of port scans, with IP spoofing (mainly on well-known Win32 ports, not so unexpected, but..)

Basically, I just wanted to know whether the above mentioned record could be a side effect of a port scan?

thx
A.

Note: OS Linux MDK 9.1, shorewall 1.4
Robert K Coffman Jr - Info From Data Corporation
2004-Jan-13  13:30 UTC
RE: Strange ip_conntrack / no big deal ?
> That's right (actually, I thought about emule).

Once you are a "known" emule client/host, even if you shut down, for days afterwards you'll get connection attempts out the wazoo on 4662. They'll decrease over time and then stop, if you aren't active.

- Bob Coffman
> Once you are a "known" emule client/host, even if you shut down, for days
> afterwards you'll get connection attempts out the wazoo on 4662.

I understand, but I've never used any P2P client/host on my computer, and I'm the only user (..I hope so...). This is why "Once you are a "known" emule client/host" worries me somehow.. I would understand connection attempts on port 4662, but I still don't figure out why I got tracks of tcp connections in which I'm not involved...
On Tuesday 13 January 2004 04:18 am, Alexis L. wrote:
> Hi all,
>
> > > tcp 6 426262 ESTABLISHED src=192.38.163.38 dst=A.B.C.156
> > > sport=16616 dport=4662 [UNREPLIED] src=A.B.C.156 dst=192.38.163.38
> >
> > 4662 sounds like overnet or edonkey.
> > someone trying to download music perhaps?
>
> That's right (actually, I thought about emule). I still don't know why I
> have records about connections in which I'm not involved.

You need to understand that TCP conntrack entries have a default ESTABLISHED timeout of *5 days*. The above connection still has 118 hours 24 minutes to go, which means that it was created over an hour and a half before you posted. Are you absolutely certain that your IP address 90 minutes before you posted wasn't A.B.C.156?

-Tom
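Tom's arithmetic, as an added example that is not code from this thread or from Shorewall: a small Python parser for tcp lines of /proc/net/ip_conntrack that derives an ESTABLISHED entry's age from its remaining timeout (assuming the 5-day default he cites) and flags the two things the thread worries about, UNREPLIED entries and entries in which neither address is the local host. The sample lines are constructed with RFC 5737 documentation addresses standing in for A.B.C and the remote peers; 192.0.2.121 plays the poster's host.

```python
from dataclasses import dataclass, field
TCP_ESTABLISHED_TIMEOUT = 5 * 24 * 3600  # assumed kernel default of 432000 s, as Tom cites
# Constructed sample lines (RFC 5737 addresses); 192.0.2.121 plays the poster's host.
SAMPLE_LINES = [
    "tcp 6 426262 ESTABLISHED src=198.51.100.38 dst=192.0.2.156 sport=16616 dport=4662"
    " [UNREPLIED] src=192.0.2.156 dst=198.51.100.38 sport=4662 dport=16616 use=1",
    "tcp 6 430143 ESTABLISHED src=192.0.2.121 dst=192.0.2.156 sport=36299 dport=80"
    " [UNREPLIED] src=192.0.2.156 dest=192.0.2.121 sport=80 dport=36299 use=1",
    "tcp 6 431999 ESTABLISHED src=192.0.2.121 dst=203.0.113.7 sport=40000 dport=22"
    " src=203.0.113.7 dst=192.0.2.121 sport=22 dport=40000 [ASSURED] use=1",
]

@dataclass
class ConntrackEntry:
    timeout: int                                # seconds left before the kernel expires it
    state: str                                  # tcp state column, e.g. ESTABLISHED
    orig: dict = field(default_factory=dict)    # tuple of the first packet seen
    reply: dict = field(default_factory=dict)   # tuple expected in the reply direction
    flags: list = field(default_factory=list)   # e.g. ["UNREPLIED"] or ["ASSURED"]

def parse_conntrack_line(line: str) -> ConntrackEntry:
    """Parse a tcp line 'tcp 6 <timeout> <state> k=v ... [FLAG] k=v ...' from ip_conntrack."""
    tokens = line.split()
    entry = ConntrackEntry(timeout=int(tokens[2]), state=tokens[3])
    current = entry.orig
    for tok in tokens[4:]:
        if tok.startswith("[") and tok.endswith("]"):
            entry.flags.append(tok[1:-1])
        elif "=" in tok:
            key, value = tok.split("=", 1)
            key = "dst" if key == "dest" else key     # tolerate the hand-edited 'dest=' in the post
            if key == "src" and "src" in entry.orig:  # second src= opens the reply tuple
                current = entry.reply
            current[key] = value
    return entry

def age_seconds(entry: ConntrackEntry) -> int:
    """Seconds since the ESTABLISHED timer was last (re)started: default timeout minus what is left."""
    return TCP_ESTABLISHED_TIMEOUT - entry.timeout

def remaining_hm(entry: ConntrackEntry) -> tuple:
    """Remaining lifetime as (hours, minutes), the way Tom quotes it."""
    return entry.timeout // 3600, entry.timeout % 3600 // 60

def suspicious_reasons(entry: ConntrackEntry, local_ips: set) -> list:
    """Why a defender would look twice at this entry; an empty list means nothing odd."""
    checks = [("UNREPLIED" in entry.flags, "no packet ever seen in the reply direction"),
              (not {entry.orig.get("src"), entry.orig.get("dst")} & local_ips,
               "neither endpoint is this host")]
    return [reason for hit, reason in checks if hit]
```

For the first sample line, age_seconds gives 5738 s (about 1 h 36 min) and remaining_hm gives (118, 24), which is exactly the figure Tom quotes.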
> Are you absolutely certain that your IP address 90 minutes before you
> posted wasn't A.B.C.156?

My IP is static (as it is the case for most ADSL links); it's been the same since I signed up with my ISP.
On 13 Jan 2004 at 21:38, Alexis L. wrote:
> my IP is static (as it is the case for most ADSL links); it's been the
> same since I signed up with my ISP.

And no wireless access point in the house? (Sorry, just had to ask ;-) - war driving is on the rise in some areas.

--
John Andersen
On Tuesday 13 January 2004 01:38 pm, Alexis L. wrote:
> my IP is static (as it is the case for most ADSL links); it's been the same
> since I signed up with my ISP.

Then I have no clue as to what happened...

-Tom
> Then I have no clue as to what happened...

Neither do I... To answer John's question, there's no wireless access point. Does any of you know a good, real-time IP traffic monitor running on Linux? I would like to check whether my linux box was hacked or not, and if it is used as a relay.

thx for your help
A.
> > Then I have no clue as to what happened...
>
> Neither do I... To answer John's question, there's no wireless access
> point. Does any of you know a good, real-time IP traffic monitor running on
> Linux? I would like to check whether my linux box was hacked or not, and
> if it is used as a relay.

I don't exactly know what you mean but I suggest you try iptraf.

Simon
Can you recommend a good iptables log analyzer? I'm looking for something that actually analyzes the logs, not just draws some nice stats/pictures. It should be able to warn if it finds something abnormal. Other features could be to do a whois on request, and to interactively change its output when clicking on addresses/ports/whatever. You get the picture.

Regards
Christer Nilsson
> I don't exactly know what you mean but I suggest you try iptraf.

I had nTOP running on my Linux box, really nice traffic analyzer....

Kind regards
Günter Michaeller
print data
A-2700 Wiener Neustadt, Schrattensteingasse 28/42
Tel.: +43 664/1035949
Fax: +43 2622/26448-4
email: g.michaeller@print-data.at
www: www.print-data.at