Trying to understand iptables log messages

I have set up iptables to log outgoing traffic from all but a limited set of users, and I’m trying to understand the log messages that this produces. Looking at /var/log/syslog, I see requests from 127.0.0.1 to 127.0.0.53 (DNS lookups?) and quite a few to 224.0.0.22 that look like this:

IN= OUT=wlp2s0 SRC=10.100.102.200 DST=224.0.0.22 LEN=40 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2 MARK=0x94

which is a multicast address… any ideas what would be causing this?

Finally, I have several that look like this, which seem to be outgoing ICMP requests addressed to various places around the world:

IN= OUT=wlp2s0 SRC=10.100.102.200 DST=151.80.9.69 LEN=138 TOS=0x08 PREC=0xC0 TTL=64 ID=26846 PROTO=ICMP TYPE=3 CODE=3 [SRC=151.80.9.69 DST=10.100.102.200 LEN=110 TOS=0x08 PREC=0x40 TTL=51 ID=48812 DF PROTO=UDP SPT=27209 DPT=8083 LEN=90 ]

But, what really puzzles me is the bit in the brackets (SRC=151.80.9.69 PROTO=UDP SPT=27209 DPT=8083). Does this mean the ICMP packet is a response to a UDP request to port 8083? Should I be worried that this is a possible intrusion (or attempted intrusion)? And if so, is there any reason why I shouldn’t block all incoming UDP traffic? (I only have webservers listening on ports 80 and 443, and no other ports are open — I’ve checked and double-checked this.)

Grateful for any help understanding what I’m seeing here…

Asked By: user1636349


Separate answers for separate bits of questions

  • 224.0.0.22 is the multicast address for IGMP, which stays on your local network

  • 127.0.0.53 is the systemd DNS resolver

  • Your PROTO=ICMP TYPE=3 CODE=3 outgoing packets are "Port unreachable" responses to attempts from 151.80.9.69 to send a UDP message to 10.100.102.200 on port 8083

    In order for traffic to reach 10.100.102.200 on udp/8083 the server must be reachable through NAT and port forwarding. Either because you used to run a service on udp/8083 and the NAT has not yet timed out despite you no longer running that service (just a matter of seconds or minutes), or because you have a static port forwarding through your NAT layer.

Answered By: Chris Davies
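The three log shapes the answer decodes, as an added example that is not part of the original question or answer: a small Python parser that splits an iptables LOG message into its fields, pulls the bracketed header of the packet that provoked an ICMP error out into its own record, and labels each line as IGMP, local DNS, or a "port unreachable" reply. The sample lines are constructed from the shapes quoted in the question (with the kernel timestamp and any `--log-prefix` already stripped), and the set of expected listeners (TCP 80 and 443) is an assumption taken from the question's description of the host.

```python
import re
from collections import Counter

# Constructed sample messages in the shape of the lines quoted in the question.
SAMPLE_LINES = [
    "IN= OUT=wlp2s0 SRC=10.100.102.200 DST=224.0.0.22 LEN=40 TOS=0x00 PREC=0xC0 "
    "TTL=1 ID=0 DF PROTO=2 MARK=0x94",
    "IN= OUT=lo SRC=127.0.0.1 DST=127.0.0.53 LEN=60 TOS=0x00 PREC=0x00 TTL=64 "
    "ID=4242 DF PROTO=UDP SPT=51000 DPT=53 LEN=40",
    "IN= OUT=wlp2s0 SRC=10.100.102.200 DST=151.80.9.69 LEN=138 TOS=0x08 PREC=0xC0 "
    "TTL=64 ID=26846 PROTO=ICMP TYPE=3 CODE=3 [SRC=151.80.9.69 DST=10.100.102.200 "
    "LEN=110 TOS=0x08 PREC=0x40 TTL=51 ID=48812 DF PROTO=UDP SPT=27209 DPT=8083 LEN=90 ]",
]

# Assumption from the question: this host only serves HTTP/HTTPS.
EXPECTED_LISTENERS = {("TCP", "80"), ("TCP", "443")}

# KEY=value tokens; bare flags such as DF have no '=' part.
TOKEN_RE = re.compile(r"([A-Z]+)(?:=(\S*))?")


def parse_fields(text):
    """Turn 'KEY=value' tokens into a dict; bare flags (DF, MF) become True.
    When a key repeats (LEN is logged once for the IP header and once for the
    UDP header) the first occurrence, the IP total length, is kept."""
    fields = {}
    for m in TOKEN_RE.finditer(text):
        key, value = m.group(1), m.group(2)
        if key not in fields:
            fields[key] = True if value is None else value
    return fields


def parse_log_line(line):
    """Parse one iptables LOG message. For ICMP error messages the kernel appends,
    in square brackets, the header of the packet that provoked the error; that
    inner header is returned under the key ORIGINAL."""
    m = re.search(r"\[(.*)\]", line)
    if not m:
        return parse_fields(line)
    rec = parse_fields(line[:m.start()])
    rec["ORIGINAL"] = parse_fields(m.group(1))
    return rec


def classify(rec):
    """Map a parsed record to (category, explanation)."""
    proto = rec.get("PROTO")
    dst = rec.get("DST", "")
    if proto == "2" and dst.startswith("224.0.0."):
        return "igmp", f"IGMP to {dst}: link-local multicast, never routed off the LAN"
    if dst == "127.0.0.53" and rec.get("DPT") == "53":
        return "local-dns", "query to the systemd-resolved stub listener on 127.0.0.53"
    if proto == "ICMP" and rec.get("TYPE") == "3" and rec.get("CODE") == "3":
        orig = rec.get("ORIGINAL", {})
        probed = (orig.get("PROTO"), orig.get("DPT"))
        note = "" if probed in EXPECTED_LISTENERS else "; not one of the expected listeners"
        return "port-unreachable", (
            f"reply to {orig.get('SRC')}: it sent {orig.get('PROTO')} to "
            f"{orig.get('DST')}:{orig.get('DPT')} and nothing is listening there{note}"
        )
    return "other", "not one of the patterns discussed"


def summarize(lines):
    """Count how many log lines fall into each category."""
    return dict(Counter(classify(parse_log_line(line))[0] for line in lines))


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        category, why = classify(parse_log_line(line))
        print(f"{category:17s} {why}")
    print(summarize(SAMPLE_LINES))
```

To run it over a real log, feed `parse_log_line` the part of each syslog line starting at `IN=`; the inner record shows which remote address sent what to which local port, which is the information needed to decide whether a port-unreachable reply is leftover NAT state or a static forwarding rule that should be reviewed.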