I'm trying to understand my network. I copied rules from here: https://wiki.archlinux.org/index.php/Si … l_firewall
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:TCP - [0:0]
:UDP - [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
COMMIT
and I can see that many new UDP packets are being rejected and this value increases rapidly:
iptables -L -vx
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
23913 27794942 ACCEPT all -- any any anywhere anywhere ctstate RELATED,ESTABLISHED
53 3528 ACCEPT all -- lo any anywhere anywhere
1 40 DROP all -- any any anywhere anywhere ctstate INVALID
0 0 ACCEPT icmp -- any any anywhere anywhere icmp echo-request ctstate NEW
572 105326 UDP udp -- any any anywhere anywhere ctstate NEW < =========================== HERE
0 0 TCP tcp -- any any anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN ctstate NEW
572 105326 REJECT udp -- any any anywhere anywhere reject-with icmp-port-unreachable < ========= HERE
0 0 REJECT tcp -- any any anywhere anywhere reject-with tcp-reset
0 0 REJECT all -- any any anywhere anywhere reject-with icmp-proto-unreachable
So this computer is behind 2 routers with secured NAT and firewall. Where are those packets coming from?
// edit
Okay, it seems my stupid router is "hacking" me. Wireshark with a udp filter shows:
Frame 257: 215 bytes on wire (1720 bits), 215 bytes captured (1720 bits) on interface asrock, id 0
Ethernet II, Src: Netgear_fa:a0:c2 (4c:60:de:fa:a0:c2), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
Destination: Broadcast (ff:ff:ff:ff:ff:ff)
Source: Netgear_fa:a0:c2 (4c:60:de:fa:a0:c2)
Type: IPv4 (0x0800)
Internet Protocol Version 4, Src: 10.0.0.1, Dst: 255.255.255.255
User Datagram Protocol, Src Port: 52913, Dst Port: 7423
Data (173 bytes)
Data: 4b414e4e4f55254e00000000004c60defaa0c24a4e523332…
[Length: 173]
7423/udp readyshare: Netgear routers are known to broadcast every 3 seconds to the LAN on UDP port 7423, related to USB Control Center and ReadyShare (even if ReadyShare is disabled).
Last edited by mkkot (2020-03-11 10:41:17)
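The triage the post walks through by hand (is the source on the LAN, is the destination a broadcast, is it port 7423, does the MAC embedded in the payload match the frame's source MAC) can be written down so it is repeatable against later captures. The script below is an added example and not part of the original post or of anything Netgear ships. It uses the frame from the post as a constructed sample (only the 24 payload bytes visible before the "…" are used). The field layout it assumes is read off that hex dump, not from any documentation: 8 ASCII bytes, 5 zero bytes, a 6-byte MAC that equals the Ethernet source MAC, then a run of ASCII. The LAN prefix 10.0.0.0/24 is likewise a guess consistent with the router address 10.0.0.1, and the generated DROP rule assumes it goes into the empty UDP chain of the posted ruleset, which INPUT visits before its final REJECT rules.

```python
import ipaddress

# Constructed sample, copied from the Wireshark dissection quoted in the post.
# The post truncates the payload with "...", so only the first 24 bytes are here.
SAMPLE_SRC_MAC = "4c:60:de:fa:a0:c2"
SAMPLE_SRC_IP = "10.0.0.1"
SAMPLE_DST_IP = "255.255.255.255"
SAMPLE_DST_PORT = 7423
SAMPLE_PAYLOAD = bytes.fromhex("4b414e4e4f55254e00000000004c60defaa0c24a4e523332")

# ASSUMPTION: the LAN prefix is not stated in the post; /24 is a guess that is
# consistent with the router living at 10.0.0.1.
DEFAULT_LAN = "10.0.0.0/24"


def parse_announcement(payload: bytes) -> dict:
    """Split the visible head of the datagram into fields.

    ASSUMPTION: the layout is read off the hex dump, not from any Netgear
    documentation: 8 ASCII bytes, 5 zero bytes, a 6-byte MAC (it equals the
    frame's source MAC in the capture), then a run of ASCII.
    """
    if len(payload) < 24:
        raise ValueError("payload shorter than the 24 visible header bytes")
    tag = payload[0:8].decode("ascii", errors="replace")
    mac = ":".join(f"{b:02x}" for b in payload[13:19])
    tail = payload[19:].split(b"\x00", 1)[0].decode("ascii", errors="replace")
    return {"tag": tag, "embedded_mac": mac, "ascii_tail": tail}


def is_lan_broadcast(src_ip: str, dst_ip: str, lan: str = DEFAULT_LAN) -> bool:
    """True if a LAN host sent the datagram to limited or directed broadcast."""
    net = ipaddress.ip_network(lan, strict=False)
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    return src in net and dst in (ipaddress.ip_address("255.255.255.255"), net.broadcast_address)


def triage_udp(src_mac, src_ip, dst_ip, dst_port, payload, lan=DEFAULT_LAN) -> dict:
    """Collect the evidence that answers 'where is this coming from?'.

    local_router_chatter is True only when every check agrees: LAN source,
    broadcast destination, the ReadyShare port, and a payload MAC that matches
    the Ethernet source MAC of the frame.
    """
    fields = parse_announcement(payload)
    verdict = {
        "lan_broadcast": is_lan_broadcast(src_ip, dst_ip, lan),
        "readyshare_port": dst_port == 7423,
        "mac_matches_frame": fields["embedded_mac"] == src_mac.lower(),
    }
    verdict["local_router_chatter"] = all(verdict.values())
    verdict.update(fields)
    return verdict


def drop_rule_for_udp_chain(port: int = 7423) -> str:
    """iptables-restore line that silences the broadcast instead of answering it.

    ASSUMPTION: it is appended to the empty 'UDP' chain of the posted ruleset;
    INPUT jumps to that chain before reaching its REJECT rules, so a DROP here
    stops the icmp-port-unreachable counter from climbing.
    """
    return f"-A UDP -p udp -d 255.255.255.255 --dport {port} -j DROP"


if __name__ == "__main__":
    print(triage_udp(SAMPLE_SRC_MAC, SAMPLE_SRC_IP, SAMPLE_DST_IP, SAMPLE_DST_PORT, SAMPLE_PAYLOAD))
    print(drop_rule_for_udp_chain())
```

Feeding it the posted frame reports the MAC embedded at payload offset 13 as 4c:60:de:fa:a0:c2, the same address Wireshark shows as the Ethernet source, which is the strongest single indicator that the sender is the Netgear box on the LAN and not something behind the two NAT layers. A datagram with an external source address, a unicast destination, or a payload MAC that disagrees with the frame fails the check and deserves a closer look rather than a blanket DROP.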