I've recently upgraded my server to SME8 (clean install, restore backup, apply contribs) and have been monitoring it closely to make sure it's working perfectly (again).
One thing I've noticed is the following in the iptables log:
@400000004d191e242f7d574c Dec 28 12:15:38 hellcat denylog: IN=eth0 OUT= MAC=00 SRC=27.252.116.192 DST=192.168.0.88 LEN=40 TOS=08 PREC=0x00 TTL=245 ID=62233 CE DF PROTO=TCP SPT=49721 DPT=993 SEQ=3103410449 ACK=1124310915 WINDOW=0 ACK RST URGP=0
@400000004d1921bc17cd8f2c Dec 28 12:30:58 hellcat denylog: IN=eth0 OUT= MAC=00 SRC=27.252.70.141 DST=192.168.0.88 LEN=40 TOS=08 PREC=0x00 TTL=245 ID=15839 DF PROTO=TCP SPT=49722 DPT=993 SEQ=2997648674 ACK=2104880692 WINDOW=0 ACK RST URGP=0
@400000004d192973162c23cc Dec 28 13:03:53 hellcat denylog: IN=eth0 OUT= MAC=00 SRC=27.252.251.19 DST=192.168.0.88 LEN=40 TOS=08 PREC=0x00 TTL=246 ID=7448 DF PROTO=TCP SPT=49724 DPT=993 SEQ=1560173296 ACK=4163114180 WINDOW=0 ACK RST URGP=0
@400000004d192a7b293b7544 Dec 28 13:08:17 hellcat denylog: IN=eth0 OUT= MAC=00 SRC=27.252.107.108 DST=192.168.0.88 LEN=40 TOS=08 PREC=0x00 TTL=245 ID=20773 DF PROTO=TCP SPT=49723 DPT=993 SEQ=4248950134 ACK=3083465375 WINDOW=0 ACK RST URGP=0
@400000004d192d1114bbe644 Dec 28 13:19:19 hellcat denylog: IN=eth0 OUT= MAC=00 SRC=49.227.197.56 DST=192.168.0.88 LEN=40 TOS=08 PREC=0x00 TTL=246 ID=24450 DF PROTO=TCP SPT=49725 DPT=993 SEQ=2903490518 ACK=849882440 WINDOW=0 ACK RST URGP=0
@400000004d1930b21b940924 Dec 28 13:34:48 hellcat denylog: IN=eth0 OUT= MAC=00 SRC=121.90.239.72 DST=192.168.0.88 LEN=40 TOS=08 PREC=0x00 TTL=246 ID=59542 CE DF PROTO=TCP SPT=49726 DPT=993 SEQ=1711286184 ACK=1823455766 WINDOW=0 ACK RST URGP=0
@400000004d1934442f3117c4 Dec 28 13:50:02 hellcat denylog: IN=eth0 OUT= MAC=00 SRC=121.90.229.175 DST=192.168.0.88 LEN=40 TOS=08 PREC=0x00 TTL=246 ID=60524 CE DF PROTO=TCP SPT=49727 DPT=993 SEQ=1085722792 ACK=2796837760 WINDOW=0 ACK RST URGP=0
@400000004d1937d52fd95de4 Dec 28 14:05:15 hellcat denylog: IN=eth0 OUT= MAC=00 SRC=121.90.183.44 DST=192.168.0.88 LEN=40 TOS=08 PREC=0x00 TTL=246 ID=63513 CE DF PROTO=TCP SPT=49728 DPT=993 SEQ=3350844998 ACK=3759946292 WINDOW=0 ACK RST URGP=0
I was alerted to this by entries from logwatch, but note that this has nothing to do with the logwatch contrib!
This is directly from the iptables log in /var/log/iptables/current, from an otherwise default configuration of SME8 / IMAPS.
The machine in question (hellcat) is sitting behind an IPCop firewall with port-forwarding rules for the IMAPS port (993).
I've checked the IP addresses, and they are all valid, and are my own requests from my iPhone - through Vodafone 2G/3G network here in New Zealand.
Nothing dodgy happening there (no attacks/etc.), so that's not the issue.
The questions I have are as follows:
1). Why is the MAC address being reported as "00", and not a full MAC address?
2). Why are these packets being logged for port 993 (IMAPS), which is open, working and accessible?
3). Is there a way to adjust iptables to drop/handle/ignore these events?
Just looking to get the server set up 'perfectly' - so any clues/help would be appreciated.
Cheers.
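As an added example (not the poster's code, and not part of SME Server or its contribs), a small Python triage script that parses denylog lines of the shape shown above and labels each entry from its TCP flag bits, so that ACK RST packets arriving for a port the state table no longer tracks can be told apart from genuine SYN connection attempts; the third sample line is a constructed SYN to port 22 (documentation address 198.51.100.7) added for contrast, not from the post.

```python
import re
from collections import Counter

# Constructed sample: two lines copied from the post's excerpt plus one invented
# SYN probe (documentation address 198.51.100.7, port 22) as a contrasting case.
SAMPLE_LOG = """\
@400000004d191e242f7d574c Dec 28 12:15:38 hellcat denylog: IN=eth0 OUT= MAC=00 SRC=27.252.116.192 DST=192.168.0.88 LEN=40 TOS=08 PREC=0x00 TTL=245 ID=62233 CE DF PROTO=TCP SPT=49721 DPT=993 SEQ=3103410449 ACK=1124310915 WINDOW=0 ACK RST URGP=0
@400000004d1921bc17cd8f2c Dec 28 12:30:58 hellcat denylog: IN=eth0 OUT= MAC=00 SRC=27.252.70.141 DST=192.168.0.88 LEN=40 TOS=08 PREC=0x00 TTL=245 ID=15839 DF PROTO=TCP SPT=49722 DPT=993 SEQ=2997648674 ACK=2104880692 WINDOW=0 ACK RST URGP=0
@400000004d1921bc17cd8f2d Dec 28 12:31:10 hellcat denylog: IN=eth0 OUT= MAC=00 SRC=198.51.100.7 DST=192.168.0.88 LEN=60 TOS=00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
"""

PAYLOAD_RE = re.compile(r"denylog: (.*)$")

def parse_denylog(line):
    """Split one denylog line into key=value fields plus a set of bare flag tokens."""
    m = PAYLOAD_RE.search(line)
    if not m:
        return None
    rec = {"flags": set()}
    for tok in m.group(1).split():
        if "=" in tok:
            key, _, val = tok.partition("=")
            rec[key] = val          # SRC, DPT, LEN, WINDOW ...; ACK=<n> is the ack number
        else:
            rec["flags"].add(tok)   # bare tokens: DF, CE, SYN, ACK, RST, FIN, PSH
    return rec

def classify(rec):
    """Label why a TCP packet hit the deny rule, using only its flag bits."""
    if rec.get("PROTO") != "TCP":
        return "non-tcp"
    flags = rec["flags"]
    if "SYN" in flags and "ACK" not in flags:
        return "new-syn"      # a genuine attempt to open a connection to this port
    if "RST" in flags:
        return "late-rst"     # reset for a session the state table no longer holds
    return "midstream"        # data or ACK with no matching conntrack entry

def mac_is_complete(rec):
    """iptables LOG prints MAC as dst:src:ethertype, 14 colon-separated bytes."""
    return rec.get("MAC", "").count(":") == 13

def summarize(text):
    """Count (destination port, category) pairs over a log excerpt."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_denylog(line)
        if rec is not None:
            counts[(rec.get("DPT"), classify(rec))] += 1
    return counts
```

Run `summarize(open("/var/log/iptables/current").read())` to see how many denylog hits per port are late resets versus fresh SYNs; a burst of "new-syn" on a port that should be closed is what deserves attention, while "late-rst" on an open forwarded port is ordinary session teardown noise.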