On Tue, 12 Sep 2006, in the Usenet newsgroup comp.os.linux.networking, in
article <(E-Mail Removed)>, Peter Lowrie wrote:
>One of the Windows 2000 boxs is sending data out of the network to some host
>on the internet.
1. Disconnect the windoze box
2. Ask the luser running it WTF they are doing.
>My gateway is Mandrake Linux 8.2
That's over four years old. Why are you running such an ancient UNSUPPORTED
release on the Internet? OK - saw your other post - you shouldn't have a
problem booting with anything current. What happens when you try? Does the
computer catch on fire or something? The packet errors you are reporting
suggest a problem with the NIC - possibly an interrupt being blocked by
some other process. As for the "slow" port 110, use tcpdump to see what
traffic is occurring. Is the POP server trying to Ident you (trying a
connect to your port 113)?
>running straight iptables.
OK, but the rules don't make much sense to me.
>I've tried tcpdump against the internet facing NIC but the data
>are inconclusive.
What is that supposed to mean? Is the stuff encrypted (like SSH traffic)?
Or is it that you merely don't understand IP and TCP headers?
>How do I determine what traffic is leaving the network
Disconnect the stupid windoze box, and ask the luser to explain. If they
can't, talk to your legal types, and remove the luser. Then make a copy
of the hard disk, and take the copy to a windoze expert.
>and determine what host it is being sent to
What is the source/destination IP address? If you are masquerading, run
tcpdump on the inside NIC, rather than the Internet side. You'd also want
to record what port numbers are being used on the source and destination
sides.
>then what string do I use in the /etc/sysconfig/iptables file to block it?
708351 Nov 14 2005 IP-Masquerade-HOWTO
17605 Jul 21 2004 Masquerading-Simple-HOWTO
278012 Jul 23 2002 Security-Quickstart-HOWTO
but the better solution is to find out what is running on the windoze box
and fix that.
Old guy
|
Similar Threads
Linear Mode
