Iptables – is this an evidence of attack?

kriticar
Posts: 36
Joined: 2017/02/23 19:02:58

Iptables – is this an evidence of attack?

Post by kriticar » 2017/03/12 10:04:47

In the following network topology:

[Internet]
<---->
(public ip) [adsl/router] (192.168.10.1)
<---->
(192.168.10.10) [CENTOS] (192.168.2.1)
<---->
[private 192.168.2.xxx network]

I am using iptables instead of firewalld.
Using iptables I have opened a few input ports and accepted everything related and established.
On the forward chain, I accept everything related and established, and with
iptables -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
(where $EXTIF is the interface with 192.168.10.10) everything is NAT-ed.

I believe that with this setup nobody from the outside should know my internal IP address.
Behind centos server on local private network everything works with no problems at all.

In /var/log/messages I have found entries that are coming in on centos's external interface (192.168.10.10) and are neither related nor established. Are these entries evidence of an attack?

As you can see, external IPs want to connect to the centos box using ports 80, 443 or 993. Should I be worried?

Mar 10 09:03:55 server kernel: IN=enp1s6 OUT= MAC=00:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:00 SRC=23.206.93.151 DST=192.168.10.10 LEN=40 TOS=0x00 PREC=0x00 TTL=53 ID=36435 DF PROTO=TCP SPT=443 DPT=49319 WINDOW=0 RES=0x
Mar 10 09:03:55 server kernel: IN=enp1s6 OUT= MAC=00:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:00 SRC=23.206.93.151 DST=192.168.10.10 LEN=40 TOS=0x00 PREC=0x00 TTL=53 ID=36436 DF PROTO=TCP SPT=443 DPT=49319 WINDOW=0 RES=0x
Mar 10 09:43:34 server kernel: IN=enp1s6 OUT= MAC=00:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:00 SRC=31.13.93.36 DST=192.168.10.10 LEN=40 TOS=0x00 PREC=0x00 TTL=85 ID=6798 DF PROTO=TCP SPT=443 DPT=63939 WINDOW=0 RES=0x00
Mar 10 09:43:34 server kernel: IN=enp1s6 OUT= MAC=00:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:00 SRC=31.13.93.36 DST=192.168.10.10 LEN=40 TOS=0x00 PREC=0x00 TTL=85 ID=6799 DF PROTO=TCP SPT=443 DPT=63939 WINDOW=0 RES=0x00
Mar 10 10:13:20 server kernel: IN=enp1s6 OUT= MAC=00:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:00 SRC=208.117.229.248 DST=192.168.10.10 LEN=40 TOS=0x00 PREC=0x00 TTL=60 ID=60740 PROTO=TCP SPT=443 DPT=49648 WINDOW=0 RES=0x0
Mar 10 10:13:20 server kernel: IN=enp1s6 OUT= MAC=00:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:00 SRC=208.117.229.248 DST=192.168.10.10 LEN=40 TOS=0x00 PREC=0x00 TTL=60 ID=60741 PROTO=TCP SPT=443 DPT=49648 WINDOW=0 RES=0x0
Mar 10 10:13:20 server kernel: IN=enp1s6 OUT= MAC=00:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:00 SRC=208.117.229.248 DST=192.168.10.10 LEN=40 TOS=0x00 PREC=0x00 TTL=60 ID=60742 PROTO=TCP SPT=443 DPT=49648 WINDOW=0 RES=0x0
Mar 10 10:13:20 server kernel: IN=enp1s6 OUT= MAC=00:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:00 SRC=172.217.19.168 DST=192.168.10.10 LEN=40 TOS=0x00 PREC=0x00 TTL=55 ID=50751 PROTO=TCP SPT=443 DPT=49647 WINDOW=0 RES=0x00
Mar 10 10:13:20 server kernel: IN=enp1s6 OUT= MAC=00:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:00 SRC=172.217.19.168 DST=192.168.10.10 LEN=40 TOS=0x00 PREC=0x00 TTL=55 ID=50752 PROTO=TCP SPT=443 DPT=49647 WINDOW=0 RES=0x00
Mar 10 10:13:20 server kernel: IN=enp1s6 OUT= MAC=00:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:00 SRC=172.217.19.168 DST=192.168.10.10 LEN=40 TOS=0x00 PREC=0x00 TTL=55 ID=50753 PROTO=TCP SPT=443 DPT=49647 WINDOW=0 RES=0x00
Mar 10 10:17:46 server kernel: IN=enp1s6 OUT= MAC=00:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:00 SRC=95.101.39.32 DST=192.168.10.10 LEN=1462 TOS=0x00 PREC=0x00 TTL=58 ID=53560 DF PROTO=TCP SPT=80 DPT=52691 WINDOW=1080 RES
Mar 10 10:17:46 server kernel: IN=enp1s6 OUT= MAC=00:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:00 SRC=95.101.39.32 DST=192.168.10.10 LEN=1462 TOS=0x00 PREC=0x00 TTL=58 ID=53570 DF PROTO=TCP SPT=80 DPT=52691 WINDOW=1080 RES
Mar 10 10:17:46 server kernel: IN=enp1s6 OUT= MAC=00:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:00 SRC=95.101.39.32 DST=192.168.10.10 LEN=1462 TOS=0x00 PREC=0x00 TTL=58 ID=53572 DF PROTO=TCP SPT=80 DPT=52691 WINDOW=1080 RES
Mar 10 10:52:31 server kernel: IN=enp1s6 OUT= MAC=00:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:00 SRC=54.230.44.88 DST=192.168.10.10 LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=60102 DF PROTO=TCP SPT=80 DPT=62186 WINDOW=0 RES=0x0
Mar 10 10:52:49 server kernel: IN=enp1s6 OUT= MAC=00:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:00 SRC=208.117.229.246 DST=192.168.10.10 LEN=40 TOS=0x00 PREC=0x00 TTL=60 ID=12790 PROTO=TCP SPT=80 DPT=62194 WINDOW=0 RES=0x00
Mar 10 10:53:10 server kernel: IN=enp1s6 OUT= MAC=00:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:00 SRC=91.228.166.91 DST=192.168.10.10 LEN=40 TOS=0x00 PREC=0x00 TTL=55 ID=45208 DF PROTO=TCP SPT=80 DPT=62340 WINDOW=0 RES=0x0
Mar 10 10:53:10 server kernel: IN=enp1s6 OUT= MAC=00:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:00 SRC=91.228.166.91 DST=192.168.10.10 LEN=40 TOS=0x00 PREC=0x00 TTL=55 ID=45209 DF PROTO=TCP SPT=80 DPT=62341 WINDOW=0 RES=0x0
Mar 10 11:16:12 server kernel: IN=enp1s6 OUT= MAC=00:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:00 SRC=208.117.229.251 DST=192.168.10.10 LEN=40 TOS=0x00 PREC=0x00 TTL=60 ID=30776 PROTO=TCP SPT=443 DPT=52014 WINDOW=0 RES=0x0
Mar 10 11:16:12 server kernel: IN=enp1s6 OUT= MAC=00:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:00 SRC=208.117.229.251 DST=192.168.10.10 LEN=40 TOS=0x00 PREC=0x00 TTL=60 ID=30778 PROTO=TCP SPT=443 DPT=52014 WINDOW=0 RES=0x0
Mar 10 11:16:12 server kernel: IN=enp1s6 OUT= MAC=00:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:00 SRC=208.117.229.251 DST=192.168.10.10 LEN=40 TOS=0x00 PREC=0x00 TTL=60 ID=30779 PROTO=TCP SPT=443 DPT=52014 WINDOW=0 RES=0x0
Mar 10 12:29:45 server kernel: IN=enp1s6 OUT= MAC=00:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:00 SRC=64.233.166.109 DST=192.168.10.10 LEN=40 TOS=0x00 PREC=0x00 TTL=43 ID=61108 PROTO=TCP SPT=993 DPT=49546 WINDOW=0 RES=0x00
Mar 10 12:29:45 server kernel: IN=enp1s6 OUT= MAC=00:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:00 SRC=64.233.166.109 DST=192.168.10.10 LEN=40 TOS=0x00 PREC=0x00 TTL=43 ID=61109 PROTO=TCP SPT=993 DPT=49546 WINDOW=0 RES=0x00
Mar 10 12:29:45 server kernel: IN=enp1s6 OUT= MAC=00:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:00 SRC=64.233.166.109 DST=192.168.10.10 LEN=40 TOS=0x00 PREC=0x00 TTL=43 ID=61110 PROTO=TCP SPT=993 DPT=49546 WINDOW=0 RES=0x00
Mar 10 12:29:45 server kernel: IN=enp1s6 OUT= MAC=00:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:00 SRC=64.233.166.109 DST=192.168.10.10 LEN=40 TOS=0x00 PREC=0x00 TTL=43 ID=61111 PROTO=TCP SPT=993 DPT=49546 WINDOW=0 RES=0x00
Mar 10 12:29:45 server kernel: IN=enp1s6 OUT= MAC=00:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:00 SRC=64.233.166.109 DST=192.168.10.10 LEN=40 TOS=0x00 PREC=0x00 TTL=43 ID=61112 PROTO=TCP SPT=993 DPT=49546 WINDOW=0 RES=0x00
Mar 10 12:29:45 server kernel: IN=enp1s6 OUT= MAC=00:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:00 SRC=64.233.166.109 DST=192.168.10.10 LEN=40 TOS=0x00 PREC=0x00 TTL=43 ID=61113 PROTO=TCP SPT=993 DPT=49546 WINDOW=0 RES=0x00
Mar 10 12:29:45 server kernel: IN=enp1s6 OUT= MAC=00:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:00 SRC=64.233.166.109 DST=192.168.10.10 LEN=40 TOS=0x00 PREC=0x00 TTL=43 ID=61114 PROTO=TCP SPT=993 DPT=49546 WINDOW=0 RES=0x00
Mar 10 12:29:45 server kernel: IN=enp1s6 OUT= MAC=00:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:00 SRC=64.233.166.109 DST=192.168.10.10 LEN=40 TOS=0x00 PREC=0x00 TTL=43 ID=61115 PROTO=TCP SPT=993 DPT=49546 WINDOW=0 RES=0x00
Mar 10 15:10:42 server kernel: IN=enp1s6 OUT= MAC=00:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:00 SRC=184.24.198.121 DST=192.168.10.10 LEN=40 TOS=0x00 PREC=0x00 TTL=58 ID=45404 DF PROTO=TCP SPT=443 DPT=62210 WINDOW=0 RES=0
Mar 10 15:10:42 server kernel: IN=enp1s6 OUT= MAC=00:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:00 SRC=184.24.198.121 DST=192.168.10.10 LEN=40 TOS=0x00 PREC=0x00 TTL=58 ID=45406 DF PROTO=TCP SPT=443 DPT=62210 WINDOW=0 RES=0
Mar 10 15:19:49 server kernel: IN=enp1s6 OUT= MAC=00:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:00 SRC=216.58.208.200 DST=192.168.10.10 LEN=40 TOS=0x00 PREC=0x00 TTL=55 ID=17895 PROTO=TCP SPT=443 DPT=56967 WINDOW=0 RES=0x00
Mar 10 15:19:49 server kernel: IN=enp1s6 OUT= MAC=00:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:00 SRC=216.58.208.200 DST=192.168.10.10 LEN=40 TOS=0x00 PREC=0x00 TTL=55 ID=17896 PROTO=TCP SPT=443 DPT=56967 WINDOW=0 RES=0x00
Mar 10 15:19:50 server kernel: IN=enp1s6 OUT= MAC=00:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:00 SRC=208.117.229.247 DST=192.168.10.10 LEN=40 TOS=0x00 PREC=0x00 TTL=60 ID=51843 PROTO=TCP SPT=443 DPT=56968 WINDOW=0 RES=0x0
Mar 10 15:19:50 server kernel: IN=enp1s6 OUT= MAC=00:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:00 SRC=208.117.229.247 DST=192.168.10.10 LEN=40 TOS=0x00 PREC=0x00 TTL=60 ID=51844 PROTO=TCP SPT=443 DPT=56968 WINDOW=0 RES=0x0
Mar 10 15:19:50 server kernel: IN=enp1s6 OUT= MAC=00:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:00 SRC=208.117.229.247 DST=192.168.10.10 LEN=40 TOS=0x00 PREC=0x00 TTL=60 ID=51845 PROTO=TCP SPT=443 DPT=56968 WINDOW=0 RES=0x0
Mar 10 15:20:20 server kernel: IN=enp1s6 OUT= MAC=00:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:00 SRC=172.217.21.202 DST=192.168.10.10 LEN=40 TOS=0x00 PREC=0x00 TTL=57 ID=4386 PROTO=TCP SPT=443 DPT=56964 WINDOW=0 RES=0x00
Mar 10 15:20:20 server kernel: IN=enp1s6 OUT= MAC=00:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:00 SRC=172.217.21.202 DST=192.168.10.10 LEN=40 TOS=0x00 PREC=0x00 TTL=57 ID=4387 PROTO=TCP SPT=443 DPT=56964 WINDOW=0 RES=0x00
Mar 10 15:20:20 server kernel: IN=enp1s6 OUT= MAC=00:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:00 SRC=172.217.21.202 DST=192.168.10.10 LEN=40 TOS=0x00 PREC=0x00 TTL=57 ID=4389 PROTO=TCP SPT=443 DPT=56964 WINDOW=0 RES=0x00
Mar 10 15:58:50 server kernel: IN=enp1s6 OUT= MAC=00:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:00 SRC=172.217.22.74 DST=192.168.10.10 LEN=40 TOS=0x00 PREC=0x00 TTL=58 ID=49070 PROTO=TCP SPT=443 DPT=57089 WINDOW=0 RES=0x00
Mar 10 15:58:51 server kernel: IN=enp1s6 OUT= MAC=00:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:00 SRC=216.58.198.200 DST=192.168.10.10 LEN=40 TOS=0x00 PREC=0x00 TTL=55 ID=17885 PROTO=TCP SPT=443 DPT=57093 WINDOW=0 RES=0x00
Mar 10 15:58:51 server kernel: IN=enp1s6 OUT= MAC=00:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:00 SRC=216.58.198.200 DST=192.168.10.10 LEN=40 TOS=0x00 PREC=0x00 TTL=55 ID=17888 PROTO=TCP SPT=443 DPT=57093 WINDOW=0 RES=0x00
http://pastebin.com/9Ke6g7wF

aks
Posts: 3073
Joined: 2014/09/20 11:22:14

Re: Iptables – is this an evidence of attack?

Post by aks » 2017/03/13 17:28:03

It looks like outgoing https (given the source port of tcp/443) - it may or may not be - further analysis would be required. The reason for thinking outbound is the seemingly ephemeral destination ports used.

kriticar
Posts: 36
Joined: 2017/02/23 19:02:58

Re: Iptables – is this an evidence of attack?

Post by kriticar » 2017/03/14 09:03:28

I noticed that it happens only with the following three ports:
443 (HTTPS / SSL - encrypted web traffic.)
993 IMAP over SSL
80

Very interesting.

I have created an iptables rule:
iptables -A INPUT -i $EXTIF -p tcp --match multiport --sport 443,993,80 -d 192.168.10.10 -j DROP
(where $EXTIF is the interface with 192.168.10.10)

As nobody complains, I think that these packets are not necessary.
I don't know why you think that these packets originate from the private subnet.

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Iptables – is this an evidence of attack?

Post by TrevorH » 2017/03/14 09:25:32

Those iptables messages look like connections that you have made from your machine to an external website, which is then responding to you with packets in the same conversation, but your side has timed that out. I don't think it's anything to worry about, but your new rule is. With that new rule in place, I would expect you to get weird problems attempting to make https/imaps and http connections, and you should remove it.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke
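The distinction aks and TrevorH draw above, a service port (80/443/993) replying to an ephemeral destination port versus a fresh connection aimed at the box itself, can be checked mechanically rather than by eye. The following Python script is an added example, not code from this thread or from the CentOS project: it parses netfilter LOG lines of the format shown in the first post, collects the TCP flag tokens, and labels each entry as a late reply to an outbound connection or as an inbound connection attempt. The sample lines are constructed (documentation addresses, one line deliberately truncated after "RES=0x" like the poster's), and the service-port set and the ephemeral-port boundary are assumptions that may need adjusting for another site.

```python
from collections import Counter

# Constructed sample lines in the netfilter LOG format shown in the thread.
# Addresses are RFC 5737 documentation ranges, not the IPs from the post.
# The last line is deliberately cut off after "RES=0x", like the post's lines,
# to show that the classifier still works without the TCP flag tokens.
SAMPLE_LOG = """\
Mar 10 09:03:55 server kernel: IN=enp1s6 OUT= MAC=00:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:00 SRC=203.0.113.10 DST=192.168.10.10 LEN=40 TOS=0x00 PREC=0x00 TTL=53 ID=36435 DF PROTO=TCP SPT=443 DPT=49319 WINDOW=0 RES=0x00 RST URGP=0
Mar 10 10:17:46 server kernel: IN=enp1s6 OUT= MAC=00:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:00 SRC=203.0.113.30 DST=192.168.10.10 LEN=1462 TOS=0x00 PREC=0x00 TTL=58 ID=53560 DF PROTO=TCP SPT=80 DPT=52691 WINDOW=1080 RES=0x00 ACK PSH URGP=0
Mar 10 13:01:02 server kernel: IN=enp1s6 OUT= MAC=00:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:00 SRC=198.51.100.7 DST=192.168.10.10 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=1234 DF PROTO=TCP SPT=54321 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar 10 15:10:42 server kernel: IN=enp1s6 OUT= MAC=00:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:00 SRC=203.0.113.40 DST=192.168.10.10 LEN=40 TOS=0x00 PREC=0x00 TTL=58 ID=45404 DF PROTO=TCP SPT=443 DPT=62210 WINDOW=0 RES=0x
"""

TCP_FLAGS = {"SYN", "ACK", "RST", "FIN", "PSH", "URG"}

# Assumptions for the heuristic (not from the thread): the three service
# ports the poster observed, and the lowest port treated as an ephemeral
# client port (Linux defaults to 32768, Windows to 49152).
SERVICE_PORTS = {80, 443, 993}
EPHEMERAL_START = 32768


def parse_kernel_log_line(line):
    """Parse one netfilter LOG line into a dict of KEY=VALUE fields.

    TCP flags appear as bare tokens (SYN, ACK, RST, ...) and are collected
    into fields["FLAGS"]; other bare tokens such as DF are ignored.
    Returns None if the line carries no "kernel: " payload."""
    if "kernel: " not in line:
        return None
    payload = line.split("kernel: ", 1)[1]
    fields = {"FLAGS": set()}
    for token in payload.split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
        elif token in TCP_FLAGS:
            fields["FLAGS"].add(token)
    return fields


def classify(fields):
    """Label a parsed entry by what its port pair and flags suggest.

    late-reply-to-outbound: a service port replying to an ephemeral port,
        i.e. the tail of a connection a client made, arriving after the
        conntrack entry expired (what TrevorH describes in the thread).
    inbound-connection-attempt: a bare SYN aimed at one of our ports;
        this is the kind of entry that actually deserves a look."""
    if fields is None or fields.get("PROTO") != "TCP":
        return "non-tcp-or-unparsed"
    spt = int(fields.get("SPT", "0"))
    dpt = int(fields.get("DPT", "0"))
    flags = fields["FLAGS"]
    if "SYN" in flags and "ACK" not in flags:
        return "inbound-connection-attempt"
    if spt in SERVICE_PORTS and dpt >= EPHEMERAL_START:
        # Port-based test only, so it also works when the log line was
        # truncated before the flag tokens.
        return "late-reply-to-outbound"
    return "other"


def summarize(log_text):
    """Count classifications over a block of log text."""
    counts = Counter()
    for line in log_text.splitlines():
        if line.strip():
            counts[classify(parse_kernel_log_line(line))] += 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        f = parse_kernel_log_line(line)
        print(f"{f['SRC']:>15}:{f['SPT']:<5} -> :{f['DPT']:<5} {classify(f)}")
    print(dict(summarize(SAMPLE_LOG)))
```

Run it against a copy of /var/log/messages instead of SAMPLE_LOG to get the same breakdown for real traffic. The late replies are typically RST or FIN/ACK segments, or a last data segment, that arrive after conntrack has dropped the state for the client's connection; with MASQUERADE there is then no translation back to the 192.168.2.x client, so the packet is addressed to the router itself and lands in INPUT, where it hits the LOG rule. If the log noise is the only concern, the usual remedy is a rule such as "iptables -A INPUT -m conntrack --ctstate INVALID -j DROP" placed before the LOG rule, which quietly discards out-of-state segments without blocking by source port the way the rule proposed in the thread does.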

kriticar
Posts: 36
Joined: 2017/02/23 19:02:58

Re: Iptables – is this an evidence of attack?

Post by kriticar » 2017/03/14 10:26:32

On the centos server nobody is doing anything. People on the private subnet surely use https, imap and http, but as there are forward rules that enable private computers (on 192.168.2.0) to contact the internet and accept all their related and established packets, these packets should reach the private computers with no problems at all.

I will leave this rule for a while and check all clients to see whether they experience any kind of problems.

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Iptables – is this an evidence of attack?

Post by TrevorH » 2017/03/14 10:57:12

But things like yum use http/https to get updates.

kriticar
Posts: 36
Joined: 2017/02/23 19:02:58

Re: Iptables – is this an evidence of attack?

Post by kriticar » 2017/03/14 13:48:05

You are right. That rule shouldn't exist.
