Is the iptables firewall really THIS effective?

Putrifier (n00b, Posts: 46, Joined: Tue Jun 29, 2004 3:29 pm)

Post by Putrifier » Sun Jul 04, 2004 8:07 pm

A few days ago I adapted the great script found here, http://forums.gentoo.org/viewtopic.php?t=159710 , by krunk, for my system and started it up.

Today, checking /usr/log/messages, I found it choking with stuff like this:

Code:

WINDOW=16384 RES=0x00 SYN URGP=0 
Jul  4 15:42:26 kix DROPl:IN=ppp0 OUT= MAC= SRC=67.160.82.205 DST=64.229.25.81 LEN=48 TOS=0x00 PREC=0x00 TTL=108 ID=10508 DF PROTO=TCP SPT=64894 DPT=6881 WINDOW=64240 RES=0x00 SYN URGP=0 
Jul  4 15:42:28 kix DROPl:IN=ppp0 OUT= MAC= SRC=67.160.82.205 DST=64.229.25.81 LEN=48 TOS=0x00 PREC=0x00 TTL=108 ID=10825 DF PROTO=TCP SPT=64894 DPT=6881 WINDOW=64240 RES=0x00 SYN URGP=0 
Jul  4 15:42:34 kix DROPl:IN=ppp0 OUT= MAC= SRC=67.160.82.205 DST=64.229.25.81 LEN=48 TOS=0x00 PREC=0x00 TTL=108 ID=11450 DF PROTO=TCP SPT=64894 DPT=6881 WINDOW=64240 RES=0x00 SYN URGP=0 
Jul  4 15:42:47 kix DROPl:IN=ppp0 OUT= MAC= SRC=68.41.226.87 DST=64.229.25.81 LEN=48 TOS=0x00 PREC=0x00 TTL=114 ID=47048 DF PROTO=TCP SPT=3160 DPT=6881 WINDOW=64240 RES=0x00 SYN URGP=0 
Jul  4 15:42:50 kix DROPl:IN=ppp0 OUT= MAC= SRC=68.41.226.87 DST=64.229.25.81 LEN=48 TOS=0x00 PREC=0x00 TTL=114 ID=47913 DF PROTO=TCP SPT=3160 DPT=6881 WINDOW=64240 RES=0x00 SYN URGP=0 
Jul  4 15:42:53 kix DROPl:IN=ppp0 OUT= MAC= SRC=64.229.226.110 DST=64.229.25.81 LEN=48 TOS=0x00 PREC=0x00 TTL=123 ID=16965 DF PROTO=TCP SPT=3323 DPT=135 WINDOW=64800 RES=0x00 SYN URGP=0 
Jul  4 15:42:56 kix DROPl:IN=ppp0 OUT= MAC= SRC=68.41.226.87 DST=64.229.25.81 LEN=48 TOS=0x00 PREC=0x00 TTL=114 ID=48967 DF PROTO=TCP SPT=3160 DPT=6881 WINDOW=64240 RES=0x00 SYN URGP=0 
Jul  4 15:42:56 kix DROPl:IN=ppp0 OUT= MAC= SRC=64.229.226.110 DST=64.229.25.81 LEN=48 TOS=0x00 PREC=0x00 TTL=123 ID=17129 DF PROTO=TCP SPT=3323 DPT=135 WINDOW=64800 RES=0x00 SYN URGP=0 
Jul  4 15:43:02 kix DROPl:IN=ppp0 OUT= MAC= SRC=61.64.164.136 DST=64.229.25.81 LEN=64 TOS=0x00 PREC=0x00 TTL=50 ID=27983 DF PROTO=TCP SPT=30429 DPT=6881 WINDOW=44620 RES=0x00 SYN URGP=0 
Jul  4 15:43:04 kix DROPl:IN=ppp0 OUT= MAC= SRC=61.64.164.136 DST=64.229.25.81 LEN=64 TOS=0x00 PREC=0x00 TTL=50 ID=28147 DF PROTO=TCP SPT=30429 DPT=6881 WINDOW=44620 RES=0x00 SYN URGP=0 
Jul  4 15:43:05 kix REJECTl:IN= OUT=ppp0 SRC=64.229.25.81 DST=239.255.255.250 LEN=129 TOS=0x00 PREC=0x00 TTL=4 ID=0 DF PROTO=UDP SPT=8008 DPT=1900 LEN=109 
Jul  4 15:43:05 kix REJECTl:IN= OUT=ppp0 SRC=64.229.25.81 DST=239.255.255.250 LEN=129 TOS=0x00 PREC=0x00 TTL=4 ID=0 DF PROTO=UDP SPT=8008 DPT=1900 LEN=109 
Jul  4 15:43:11 kix DROPl:IN=ppp0 OUT= MAC= SRC=64.229.210.228 DST=64.229.25.81 LEN=48 TOS=0x00 PREC=0x00 TTL=125 ID=2049 DF PROTO=TCP SPT=1871 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0 
Jul  4 15:43:11 kix DROPl:IN=ppp0 OUT= MAC= SRC=61.64.164.136 DST=64.229.25.81 LEN=64 TOS=0x00 PREC=0x00 TTL=50 ID=28320 DF PROTO=TCP SPT=30429 DPT=6881 WINDOW=44620 RES=0x00 SYN URGP=0 
Now, I have to admit I'm a complete newbie regarding networks here, so maybe I am missing the point of these. (There are hundreds and hundreds of lines like that, by the way, in huge chunks.)
Whois-ing some of those SRC IPs, I get weird things, like "Latin American and Caribbean IP address Regional Registry", from Uruguay, or "Asia Pacific Network Information Centre", in Australia.
My ISP is Bell Sympatico, by the way, regular ADSL service.

Any ideas what could be going on there? Is the web really such a dangerous place?

And, if those messages are normal, how exactly do I modify the firewall script so it doesn't log them, as it's quite a waste of resources.

Thanks in advance.
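Before deciding whether these lines are a threat or just noise, it helps to bucket them. The following is an added example, not part of the thread and not from krunk's script: a POSIX shell/awk triage of netfilter LOG lines in exactly the format shown above. The sample log is constructed for this example using RFC 5737 documentation addresses, and the class names and port ranges (6881-6999 for BitTorrent peers, 135/139/445 for Windows RPC/SMB probes, 239.255.255.250:1900 for outbound SSDP) are my own assumptions, not anything the script in the thread defines.

```shell
#!/bin/sh
# Added example (not from the thread or krunk's script): triage netfilter LOG
# lines of the kind posted above, grouping them into a few classes so the
# noise can be judged at a glance instead of read line by line.
# Class names, port ranges and the sample lines are my assumptions.

# Constructed sample log, same format as the posted lines, using RFC 5737
# documentation addresses instead of real ones.
SAMPLE='Jul  4 15:42:26 kix DROPl:IN=ppp0 OUT= MAC= SRC=192.0.2.10 DST=198.51.100.5 LEN=48 TOS=0x00 PREC=0x00 TTL=108 ID=10508 DF PROTO=TCP SPT=64894 DPT=6881 WINDOW=64240 RES=0x00 SYN URGP=0
Jul  4 15:42:28 kix DROPl:IN=ppp0 OUT= MAC= SRC=192.0.2.10 DST=198.51.100.5 LEN=48 TOS=0x00 PREC=0x00 TTL=108 ID=10825 DF PROTO=TCP SPT=64894 DPT=6881 WINDOW=64240 RES=0x00 SYN URGP=0
Jul  4 15:42:47 kix DROPl:IN=ppp0 OUT= MAC= SRC=192.0.2.11 DST=198.51.100.5 LEN=48 TOS=0x00 PREC=0x00 TTL=114 ID=47048 DF PROTO=TCP SPT=3160 DPT=6881 WINDOW=64240 RES=0x00 SYN URGP=0
Jul  4 15:43:02 kix DROPl:IN=ppp0 OUT= MAC= SRC=192.0.2.12 DST=198.51.100.5 LEN=64 TOS=0x00 PREC=0x00 TTL=50 ID=27983 DF PROTO=TCP SPT=30429 DPT=6889 WINDOW=44620 RES=0x00 SYN URGP=0
Jul  4 15:42:53 kix DROPl:IN=ppp0 OUT= MAC= SRC=203.0.113.7 DST=198.51.100.5 LEN=48 TOS=0x00 PREC=0x00 TTL=123 ID=16965 DF PROTO=TCP SPT=3323 DPT=135 WINDOW=64800 RES=0x00 SYN URGP=0
Jul  4 15:43:11 kix DROPl:IN=ppp0 OUT= MAC= SRC=203.0.113.8 DST=198.51.100.5 LEN=48 TOS=0x00 PREC=0x00 TTL=125 ID=2049 DF PROTO=TCP SPT=1871 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0
Jul  4 15:43:05 kix REJECTl:IN= OUT=ppp0 SRC=198.51.100.5 DST=239.255.255.250 LEN=129 TOS=0x00 PREC=0x00 TTL=4 ID=0 DF PROTO=UDP SPT=8008 DPT=1900 LEN=109
Jul  4 15:43:20 kix DROPl:IN=ppp0 OUT= MAC= SRC=203.0.113.9 DST=198.51.100.5 LEN=48 TOS=0x00 PREC=0x00 TTL=52 ID=777 DF PROTO=TCP SPT=4100 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0'

# Read LOG lines on stdin; print "<class> <lines> <distinct sources>", one
# class per line, sorted by class name.
classify_fw_log() {
  awk '
    {
      verdict = ""; proto = ""; dport = ""; src = ""; dst = ""; outif = ""; syn = 0
      for (i = 1; i <= NF; i++) {
        f = $i
        p = index(f, ":IN=")            # "DROPl:IN=ppp0": the log prefix is glued to IN=
        if (p > 0) { verdict = substr(f, 1, p - 1); f = substr(f, p + 1) }
        if (f == "SYN") syn = 1
        eq = index(f, "=")
        if (eq == 0) continue           # bare flags such as DF and SYN carry no value
        k = substr(f, 1, eq - 1); v = substr(f, eq + 1)
        if (k == "OUT") { outif = v }
        else if (k == "SRC") { src = v }
        else if (k == "DST") { dst = v }
        else if (k == "PROTO") { proto = v }
        else if (k == "DPT") { dport = v }
      }
      if (verdict == "") next           # not a netfilter LOG line at all
      dp = dport + 0
      if (proto == "TCP" && syn && dp >= 6881 && dp <= 6999) {
        cls = "p2p-bittorrent-syn"      # peers that still expect a BT client on this IP
      } else if (proto == "TCP" && (dp == 135 || dp == 139 || dp == 445)) {
        cls = "msrpc-smb-probe"         # worm/scanner traffic aimed at Windows services
      } else if (proto == "UDP" && dst == "239.255.255.250" && dp == 1900 && outif != "") {
        cls = "outbound-ssdp-upnp"      # our own UPnP discovery leaking out the WAN side
      } else {
        cls = "other-" tolower(proto) "-" dport
      }
      count[cls]++
      if (!((cls, src) in seen)) { seen[cls, src] = 1; nsrc[cls]++ }
    }
    END { for (c in count) printf "%s %d %d\n", c, count[c], nsrc[c] }
  ' | sort
}

# Number of log lines in one class (log on stdin).
fw_log_count() { classify_fw_log | awk -v c="$1" '$1 == c { print $2 }'; }
# Number of distinct source addresses in one class (log on stdin).
fw_log_sources() { classify_fw_log | awk -v c="$1" '$1 == c { print $3 }'; }

printf '%s\n' "$SAMPLE" | classify_fw_log
```

On a real box, run it as `grep 'IN=' /var/log/messages | classify_fw_log` (after sourcing the functions). The "other-" bucket is the one worth reading by hand: a few dozen SYNs to 6881 from three addresses is a BitTorrent swarm, but a single source walking through many different low ports is a scan, and that shape only shows up once the P2P and Windows-worm noise has been separated out.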
amne (Bodhisattva, Posts: 6378, Joined: Sun Nov 17, 2002 6:00 pm, Location: Graz / EU)

Post by amne » Sun Jul 04, 2004 8:35 pm

Nothing to be worried about, these are only misguided BitTorrent clients trying to connect to you because they think you are running BT, too. Some filesharing clients can be quite persistent in trying to connect, just ignore it.

I think removing the lines containing -j LOG in the definitions of the DROP and REJECT chains should work, but you might get a second opinion on it.
Putrifier (n00b, Posts: 46, Joined: Tue Jun 29, 2004 3:29 pm)

Post by Putrifier » Sun Jul 04, 2004 8:37 pm

Great. Thanks a lot. :)
Chris W (l33t, Posts: 972, Joined: Tue Jun 25, 2002 11:38 am, Location: Brisbane, Australia)

Post by Chris W » Mon Jul 05, 2004 2:19 am

Putrifier wrote: Any ideas what could be going on there? Is the web really such a dangerous place?

Most of what you see is just noise. A lot comes from peer-to-peer clients trying to connect to a service that might once have been on your IP. They are essentially harmless. Some of your entries are your machine trying to broadcast UPnP information (UDP port 1900), and this should be blocked.

You will also see attempts to connect to well-known ports for SMTP, FTP, HTTP, DNS, web proxies, and others including trojans, looking for abusable machines to relay spam, viruses, trojans and other nasties. These, too, are harmless if the ports are closed.
Cheers,
Chris W
"Common sense: The collection of prejudices acquired by age 18." -- Einstein
serendipity (n00b, Posts: 69, Joined: Sat Jun 05, 2004 12:47 pm)

Post by serendipity » Wed Jul 07, 2004 6:10 pm

Most of the traffic is P2P, but I must say that I receive constant probes from viruses, portscanners, you name it. I had a similar remark from a friend the other day, who was horrified to see the level of dropped traffic. I could not imagine putting a non-firewalled machine up on the net. I am so paranoid, that my Gentoo box is behind a stateful hardware firewall and is itself running an iptables firewall (I use the wonderful fwbuilder gui to generate my iptables scripts).

I tend to filter out blocked P2P traffic, otherwise the logs grow FAR too quickly.
bk0 (Apprentice, Posts: 266, Joined: Sun Jan 04, 2004 6:59 am)

Post by bk0 » Thu Jul 08, 2004 1:01 am

You are using BitTorrent? If you are going to use it on a regular basis I *STRONGLY* recommend you enable incoming connections on the BitTorrent port range with your iptables setup. Lots of people complain that their torrent speeds are lousy or that they can't get a decent ratio, without realizing that their port(s) are closed.

From your log you appear to be blocking all attempts for peers to connect to you on the torrents you have active, which means you can't upload to them which makes the torrent less efficient. Since you can't upload very well your download speed won't be as good as it could be either. So open TCP port 6881-6890:

Code:

# Port ranges take a colon, not a hyphen: "--dport 6881-6890" is rejected as an invalid port.
# -A appends at the end of INPUT; if the chain already ends in a catch-all log/drop rule
# (as the script from the thread does), the ACCEPT must go in front of it (-I INPUT <n>)
# or it will never be reached.
iptables -A INPUT -p tcp --dport 6881:6890 -j ACCEPT
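The three suggestions in this thread (amne: stop logging the drops; Chris W: block the outbound SSDP; bk0: open the BitTorrent range) pull in slightly different directions, and a practitioner usually wants all three without giving up the log entirely. The following is an added example, not from the thread, from krunk's script or from any project: a small stateful ruleset in iptables-restore format that accepts new peers on the listening range, drops the well-known noise silently, blocks SSDP to the multicast group without logging it, and still logs everything else at a bounded rate. The interface name (ppp0, as in the posted log), the noise port list, the rate limit and the chain names are my assumptions; `-m conntrack --ctstate` is the current spelling of the `-m state --state` match of the era.

```shell
#!/bin/sh
# Added example (not from the thread, krunk's script or any project): a
# stateful ruleset for a single-homed box that keeps the drop log readable.
# Interface, port range, noise list and rate limit are assumptions; adjust.

WAN_IF="${WAN_IF:-ppp0}"           # assumed external interface, as in the posted logs
BT_PORTS="${BT_PORTS:-6881:6890}"  # iptables port ranges use a colon, not a hyphen
LOG_RATE="${LOG_RATE:-5/min}"      # -m limit token rate for LOG lines
LOG_BURST="${LOG_BURST:-10}"       # burst allowed before the limit kicks in

# Emit the ruleset in iptables-restore format (apply with: gen_fw_rules | iptables-restore).
gen_fw_rules() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:NOISE - [0:0]
:LOGDROP - [0:0]
# loopback, replies to our own connections, and nothing that conntrack cannot place
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# BitTorrent: accept new peer connections on the listening range so the client can
# seed; this must precede the catch-all below or it never matches
-A INPUT -i $WAN_IF -p tcp --dport $BT_PORTS -m conntrack --ctstate NEW -j ACCEPT
# known noise (MS-RPC/NetBIOS/SMB probes, stray P2P peers): drop without logging
-A NOISE -p tcp -m multiport --dports 135,137,138,139,445 -j DROP
-A NOISE -p udp -m multiport --dports 135,137,138,139,445 -j DROP
-A NOISE -p tcp --dport 6891:6999 -j DROP
-A INPUT -i $WAN_IF -j NOISE
# everything else: log at a bounded rate, then drop
-A LOGDROP -m limit --limit $LOG_RATE --limit-burst $LOG_BURST -j LOG --log-prefix "DROP:" --log-level info
-A LOGDROP -j DROP
-A INPUT -j LOGDROP
# outbound SSDP/UPnP discovery to the multicast group: block silently
-A OUTPUT -o $WAN_IF -p udp -d 239.255.255.250 --dport 1900 -j DROP
COMMIT
EOF
}

# Sanity check: the ACCEPT for the BitTorrent range has to come before the
# catch-all LOGDROP jump (the classic mistake is appending an ACCEPT after an
# existing catch-all). Exit status 0 when the order is right.
check_rule_order() {
  gen_fw_rules | awk -v pat="--dport $BT_PORTS" '
    index($0, pat) && /-j ACCEPT/ && !acc { acc = NR }
    /^-A INPUT -j LOGDROP/ { drop = NR }
    END { exit !(acc && drop && acc < drop) }'
}

gen_fw_rules
```

Review the output and run `check_rule_order` before loading it; if you keep krunk's script instead, the same three changes apply there: put the ACCEPT for the torrent range ahead of its final drop chain, send the Windows-port and SSDP traffic to a plain DROP, and add `-m limit` to the remaining `-j LOG` rules rather than deleting them, so a real scan still shows up in /var/log/messages.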
Putrifier (n00b, Posts: 46, Joined: Tue Jun 29, 2004 3:29 pm)

Post by Putrifier » Thu Jul 08, 2004 2:30 am

Alright, thanks. Going to change my iptables firewall to allow that. Thanks again.

© 2001–2026 Gentoo Foundation, Inc.