iptables - UDP Packets from unknown IP addresses

2

I'm really new to basic systems administration, and this question is a bit difficult for me to Google. I'm setting up a small Raspberry Pi server for my own personal use, to teach myself some basic server administration stuff. I have the following requests in my iptables logs:

Dec 23 11:22:50 raspberrypi kernel: [ 9265.069490] iptables denied: IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=223.252.23.219 DST=192.168.1.110 LEN=76 TOS=0x00 PREC=0x00 TTL=50 ID=38239 DF PROTO=UDP SPT=123 DPT=123 LEN=56 
Dec 23 11:26:21 raspberrypi kernel: [ 9476.067683] iptables denied: IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=202.60.94.15 DST=192.168.1.110 LEN=76 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=UDP SPT=123 DPT=123 LEN=56 
Dec 23 11:28:57 raspberrypi kernel: [ 9632.043036] iptables denied: IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=192.189.54.17 DST=192.168.1.110 LEN=76 TOS=0x00 PREC=0x00 TTL=246 ID=43921 DF PROTO=UDP SPT=123 DPT=123 LEN=56 
Dec 23 11:31:48 raspberrypi kernel: [ 9803.084926] iptables denied: IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=223.252.23.219 DST=192.168.1.110 LEN=76 TOS=0x00 PREC=0x00 TTL=50 ID=22008 DF PROTO=UDP SPT=123 DPT=123 LEN=56 
Dec 23 11:35:02 raspberrypi kernel: [ 9997.074316] iptables denied: IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=202.60.94.15 DST=192.168.1.110 LEN=76 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=UDP SPT=123 DPT=123 LEN=56 

192.168.1.110 is the raspberry pi (if you couldn't guess)

So first of all, who or what is sending these requests from all these strange IPs? Is this something I should be concerned about? The Raspberry Pi is not in a DMZ. There are no ports forwarded to it. All communication from the Pi to the internet goes through a switch, then my home router, and then the modem connected to the router. How are these strange packets even getting through the router?

If it's of any use, here is the current configuration for iptables:

*filter

##############################################
##### Dealing with loopback connections: #####
##############################################
# Append a rule to the INPUT chain. For connections coming in from the "lo" Interface, Jump to the ACCEPT target.
-A INPUT -i lo -j ACCEPT

# Append a rule to the INPUT chain. For connections with a Destination of 127.0.0.0 - 127.255.255.255, Jump to the REJECT target.
-A INPUT -d 127.0.0.0/8 -j REJECT

##############################################
##### Dealing with SSH connections: ##########
##############################################
# Append a rule to the INPUT chain. For all connections (established or new) from 192.168.1.125 on TCP port 22 (ssh), Jump to the ACCEPT target.
-A INPUT  -p tcp --dport ssh -s 192.168.1.125 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp --sport ssh -d 192.168.1.125 -m state --state ESTABLISHED -j ACCEPT

##############################################
##### Dealing with HTTP connections: #########
##############################################
-A INPUT  -p tcp --dport 80 -s 192.168.1.125 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp --sport 80 -d 192.168.1.125 -m state --state ESTABLISHED -j ACCEPT

##############################################
##### Dealing with ping: #####################
##############################################
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT

##############################################
##### Log denied calls: ######################
##############################################
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

##############################################
##### Accept input related to output #########
##############################################
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

##############################################
##### Kill everything but output: ############
##############################################
-A INPUT -j REJECT
-A FORWARD -j REJECT
-A OUTPUT -j ACCEPT

--policy INPUT DROP
--policy OUTPUT ACCEPT
--policy FORWARD DROP

COMMIT

Thanks in advance!

AStupidNoob

Posted 2014-12-23T12:16:55.963

Reputation: 291

Well, they're all from Australia and it's probably NTP traffic (port 123). – slhck – 2014-12-23T12:30:41.800

Oh I see! There is an NTPD process running on the Raspberry Pi. I guess this is to get the time since there is no on-board battery. So I assume my Pi is requesting these (OUTPUT is unblocked), but the response is being trashed since there is no INPUT rule. I have a small question though (just to make sure I understand). Are all computers on my network receiving these packets too (since UDP has no concept of a connection, the router just sends it to everyone)? – AStupidNoob – 2014-12-23T12:52:49.260

Answers

2

These are NTP packets (as indicated by the port 123) sent from local servers in your server's area. It's the Network Time Protocol response to your server requesting time updates via ntpd. Since iptables blocks these, your time will not get updated.

It therefore makes sense to let incoming NTP traffic through, but only if it's from your own NTP request. If you let your ntpd accept incoming requests from the outside world, this may be problematic and should be disabled.

No other machine in your network is receiving these packets though, since like TCP, UDP is bound to a certain port on a certain IP address. And unless that IP address is actually a broadcast address, your router will deliver it only to the server that requested it.

slhck

Posted 2014-12-23T12:16:55.963

Reputation: 182 472
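As an added example (not code from the question or the answer), the script below parses kernel LOG lines of the kind quoted in the question, splits them into fields, and classifies each packet by its UDP ports so that the "both ports 123" NTP pattern the answer describes stands out. It also checks whether every logged packet was unicast to the Pi's address rather than to a broadcast address, which is the point made about other machines not receiving them. The five sample lines are the ones from the question; the sixth line (a DNS reply from 192.168.1.1) is constructed to show a non-NTP case. The function names, the small service table and the integer-field list are my own assumptions, not part of any iptables tool.

```python
"""Parse iptables LOG lines and summarise what was logged (added example)."""
import re
from collections import Counter

# Sample input: five lines quoted in the question plus one constructed DNS line.
SAMPLE_LOG = """\
Dec 23 11:22:50 raspberrypi kernel: [ 9265.069490] iptables denied: IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=223.252.23.219 DST=192.168.1.110 LEN=76 TOS=0x00 PREC=0x00 TTL=50 ID=38239 DF PROTO=UDP SPT=123 DPT=123 LEN=56
Dec 23 11:26:21 raspberrypi kernel: [ 9476.067683] iptables denied: IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=202.60.94.15 DST=192.168.1.110 LEN=76 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=UDP SPT=123 DPT=123 LEN=56
Dec 23 11:28:57 raspberrypi kernel: [ 9632.043036] iptables denied: IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=192.189.54.17 DST=192.168.1.110 LEN=76 TOS=0x00 PREC=0x00 TTL=246 ID=43921 DF PROTO=UDP SPT=123 DPT=123 LEN=56
Dec 23 11:31:48 raspberrypi kernel: [ 9803.084926] iptables denied: IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=223.252.23.219 DST=192.168.1.110 LEN=76 TOS=0x00 PREC=0x00 TTL=50 ID=22008 DF PROTO=UDP SPT=123 DPT=123 LEN=56
Dec 23 11:35:02 raspberrypi kernel: [ 9997.074316] iptables denied: IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=202.60.94.15 DST=192.168.1.110 LEN=76 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=UDP SPT=123 DPT=123 LEN=56
Dec 23 11:40:00 raspberrypi kernel: [10297.000000] iptables denied: IN=eth0 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=192.168.1.1 DST=192.168.1.110 LEN=85 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=53 DPT=41234 LEN=65
"""

# Assumed tiny table of well-known UDP ports, enough for this example.
UDP_SERVICES = {53: "DNS", 123: "NTP"}

# syslog timestamp, host, "kernel: [uptime]" and the free-text --log-prefix,
# up to (but not including) the first IN= field.
HEADER_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: \[\s*[\d.]+\] "
    r"(?P<prefix>.*?)(?=IN=)"
)
INT_FIELDS = {"ip_len", "l4_len", "TTL", "ID", "SPT", "DPT", "TYPE", "CODE"}


def parse_line(line):
    """Return a dict of fields for one LOG line, or None if it is not one."""
    m = HEADER_RE.match(line)
    if m is None:
        return None
    rec = {"timestamp": m.group("ts"), "host": m.group("host"),
           "prefix": m.group("prefix").strip(), "flags": []}
    for tok in line[m.end():].split():
        if "=" not in tok:
            rec["flags"].append(tok)          # bare flags such as DF or MF
            continue
        key, value = tok.split("=", 1)
        if key == "LEN":
            # LEN is printed twice: IP total length first, then the L4 length
            key = "l4_len" if "ip_len" in rec else "ip_len"
        rec[key] = int(value) if key in INT_FIELDS and value else value
    return rec


def classify(rec):
    """Name the traffic class of a parsed record from its UDP ports."""
    if rec.get("PROTO") != "UDP":
        return "non-UDP"
    spt, dpt = rec.get("SPT"), rec.get("DPT")
    if spt == 123 and dpt == 123:
        # ntpd binds port 123 on both client and server, so a reply to the
        # Pi's own ntpd query arrives as SPT=123 DPT=123.
        return "NTP (ntpd<->ntpd, both ports 123)"
    if dpt == 123:
        return "NTP request aimed at a local NTP service"
    if spt == 123:
        return "NTP reply to a client on an ephemeral port"
    name = UDP_SERVICES.get(spt) or UDP_SERVICES.get(dpt) or "unknown"
    return f"UDP {spt}->{dpt} ({name})"


def summarize(log_text, local_ip):
    """Aggregate a block of log text into per-source and per-class counts."""
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    by_src = Counter(r["SRC"] for r in records)
    by_class = Counter(classify(r) for r in records)
    # Only a packet unicast to local_ip was addressed to this host alone; a
    # broadcast destination would reach every host on the LAN segment.
    all_unicast = all(r["DST"] == local_ip for r in records)
    return {"records": len(records), "by_src": by_src,
            "by_class": by_class, "all_unicast_to_local": all_unicast}


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG, "192.168.1.110")
    for src, n in summary["by_src"].most_common():
        print(f"{src:16} {n} packet(s)")
    for cls, n in summary["by_class"].items():
        print(f"{n}x {cls}")
    print("all logged packets unicast to the Pi:", summary["all_unicast_to_local"])
```

One caveat when reading these lines: the LOG target does not stop rule traversal, and in the ruleset posted in the question the LOG rule with the "iptables denied: " prefix comes before the rule that accepts RELATED,ESTABLISHED traffic. A reply that conntrack already associates with the Pi's own outgoing NTP query is therefore logged with the "denied" prefix and then accepted by the next rule, so a log line by itself does not prove the packet was dropped. Placing the LOG rule directly before the final "-A INPUT -j REJECT" makes the prefix truthful and, as a side effect, also stops the clock from being updated through a path the log makes look closed.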

Thanks for the help! Couple more questions: How does a program bind a port like that? Is simply requesting through it enough to bind it for some length of time? Secondly, I noticed that the time on my pi is actually correct despite these responses being blocked: do you think that these packets may have got through between startup and iptables coming into effect, or is something else going on? – AStupidNoob – 2014-12-23T13:23:17.960

The question is a little hard to answer concisely, as binding to a socket is a very low-level operating system concept, and it uses system calls. There are a few books on that, such as Tanenbaum's Computer Networks, which is considered the go-to reference. I don't know how exactly your time was set to correct, but it may have been set when iptables was not yet enabled? You can try forcing an update of the time and see if it still gets through: http://askubuntu.com/questions/254826/how-to-force-a-clock-update-using-ntp

– slhck – 2014-12-23T13:30:44.717

Hi again! Thanks for your time with this, by the way! Actually, I'm aware of system calls. I've even used that one before (but only at a veery basic level)! What I don't understand is how it works on the network. My understanding was that binding to the port just let the OS know that your process is using that port for something. How does this let the router know to send incoming UDP packets on that port just to my RPi? I think it has to do with NAT. For TCP I understand, because the router knows about connections and can do things it can't with UDP. Sorry if my understanding is way off! – AStupidNoob – 2014-12-23T13:49:17.423