2

In the kernel log there are hundreds of these lines. The source is the external IP of the VPS (not localhost nor 127.0.0.1); other times it is an IP from the network of the VPS provider. The source port and destination port are always 17500. I searched a bit, but it doesn't seem to be a known port. It's not used by SSH, FTP, the mail server or anything else on my side.

EDIT: Dropbox is not installed on the server (which runs Ubuntu Server 12.04).

Jan  2 01:17:17 kernel: [8861587.504866] iptables denied: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:10:00:25:09:e7:9b:08:00 SRC=xx.xx.xx.xx DST=255.255.255.255 LEN=210 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=17500 DPT=17500 LEN=190 
Jan  2 01:17:40 kernel: [8861610.825311] iptables denied: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:10:00:05:90:ad:c2:08:00 SRC=xx.xx.xx.xx DST=255.255.255.255 LEN=151 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=17500 DPT=17500 LEN=131 
Jan  2 01:17:47 kernel: [8861617.544797] iptables denied: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:10:00:25:09:e7:9b:08:00 SRC=xx.xx.xx.xx DST=255.255.255.255 LEN=210 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=17500 DPT=17500 LEN=190 
Jan  2 01:18:10 kernel: [8861640.864049] iptables denied: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:10:00:05:90:ad:c2:08:00 SRC=xx.xx.xx.xx DST=255.255.255.255 LEN=151 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=17500 DPT=17500 LEN=131 
Jan  2 01:18:17 kernel: [8861647.584077] iptables denied: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:10:00:25:09:e7:9b:08:00 SRC=xx.xx.xx.xx DST=255.255.255.255 LEN=210 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=17500 DPT=17500 LEN=190 
Jan  2 01:18:40 kernel: [8861670.903856] iptables denied: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:10:00:05:90:ad:c2:08:00 SRC=xx.xx.xx.xx DST=255.255.255.255 LEN=151 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=17500 DPT=17500 LEN=131 
Jan  2 01:18:47 kernel: [8861677.623413] iptables denied: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:10:00:25:09:e7:9b:08:00 SRC=xx.xx.xx.xx DST=255.255.255.255 LEN=210 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=17500 DPT=17500 LEN=190 
Jan  2 01:19:10 kernel: [8861700.944182] iptables denied: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:10:00:05:90:ad:c2:08:00 SRC=xx.xx.xx.xx DST=255.255.255.255 LEN=151 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=17500 DPT=17500 LEN=131 
Jan  2 01:19:17 kernel: [8861707.662837] iptables denied: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:10:00:25:09:e7:9b:08:00 SRC=xx.xx.xx.xx DST=255.255.255.255 LEN=210 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=17500 DPT=17500 LEN=190 
Jan  2 01:19:40 kernel: [8861730.984200] iptables denied: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:10:00:05:90:ad:c2:08:00 SRC=xx.xx.xx.xx DST=255.255.255.255 LEN=151 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=17500 DPT=17500 LEN=131 
Jan  2 01:19:47 kernel: [8861737.702796] iptables denied: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:10:00:25:09:e7:9b:08:00 SRC=xx.xx.xx.xx DST=255.255.255.255 LEN=210 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=17500 DPT=17500 LEN=190 
Jan  2 01:20:10 kernel: [8861761.023621] iptables denied: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:10:00:05:90:ad:c2:08:00 SRC=xx.xx.xx.xx DST=255.255.255.255 LEN=151 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=17500 DPT=17500 LEN=131 
Jan  2 01:20:17 kernel: [8861767.742645] iptables denied: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:10:00:25:09:e7:9b:08:00 SRC=xx.xx.xx.xx DST=255.255.255.255 LEN=210 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=17500 DPT=17500 LEN=190 
Jan  2 01:20:40 kernel: [8861791.064367] iptables denied: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:10:00:05:90:ad:c2:08:00 SRC=xx.xx.xx.xx DST=255.255.255.255 LEN=151 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=17500 DPT=17500 LEN=131 
Jan  2 01:20:47 kernel: [8861797.782511] iptables denied: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:10:00:25:09:e7:9b:08:00 SRC=xx.xx.xx.xx DST=255.255.255.255 LEN=210 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=17500 DPT=17500 LEN=190 
Jan  2 01:21:10 kernel: [8861821.103867] iptables denied: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:10:00:05:90:ad:c2:08:00 SRC=xx.xx.xx.xx DST=255.255.255.255 LEN=151 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=17500 DPT=17500 LEN=131 
Jan  2 01:21:17 kernel: [8861827.822161] iptables denied: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:10:00:25:09:e7:9b:08:00 SRC=xx.xx.xx.xx DST=255.255.255.255 LEN=210 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=17500 DPT=17500 LEN=190 
Jan  2 01:21:40 kernel: [8861851.144209] iptables denied: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:10:00:05:90:ad:c2:08:00 SRC=xx.xx.xx.xx DST=255.255.255.255 LEN=151 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=17500 DPT=17500 LEN=131 
Jan  2 01:21:47 kernel: [8861857.862165] iptables denied: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:10:00:25:09:e7:9b:08:00 SRC=xx.xx.xx.xx DST=255.255.255.255 LEN=210 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=17500 DPT=17500 LEN=190 
Jan  2 01:22:10 kernel: [8861881.181915] iptables denied: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:10:00:05:90:ad:c2:08:00 SRC=xx.xx.xx.xx DST=255.255.255.255 LEN=151 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=17500 DPT=17500 LEN=131 
Jan  2 01:22:17 kernel: [8861887.901566] iptables denied: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:10:00:25:09:e7:9b:08:00 SRC=xx.xx.xx.xx DST=255.255.255.255 LEN=210 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=17500 DPT=17500 LEN=190 
Jan  2 01:22:41 kernel: [8861911.215488] iptables denied: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:10:00:05:90:ad:c2:08:00 SRC=xx.xx.xx.xx DST=255.255.255.255 LEN=151 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=17500 DPT=17500 LEN=131 
Jan  2 01:22:47 kernel: [8861917.941271] iptables denied: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:10:00:25:09:e7:9b:08:00 SRC=xx.xx.xx.xx DST=255.255.255.255 LEN=210 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=17500 DPT=17500 LEN=190 
Jan  2 01:23:11 kernel: [8861941.252756] iptables denied: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:10:00:05:90:ad:c2:08:00 SRC=xx.xx.xx.xx DST=255.255.255.255 LEN=151 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=17500 DPT=17500 LEN=131 
Jan  2 01:23:17 kernel: [8861947.981005] iptables denied: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:10:00:25:09:e7:9b:08:00 SRC=xx.xx.xx.xx DST=255.255.255.255 LEN=210 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=17500 DPT=17500 LEN=190 
Jan  2 01:23:41 kernel: [8861971.292991] iptables denied: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:10:00:05:90:ad:c2:08:00 SRC=xx.xx.xx.xx DST=255.255.255.255 LEN=151 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=17500 DPT=17500 LEN=131 
Jan  2 01:23:47 kernel: [8861978.021033] iptables denied: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:10:00:25:09:e7:9b:08:00 SRC=xx.xx.xx.xx DST=255.255.255.255 LEN=210 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=17500 DPT=17500 LEN=190 
Jan  2 01:24:11 kernel: [8862001.333676] iptables denied: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:10:00:05:90:ad:c2:08:00 SRC=xx.xx.xx.xx DST=255.255.255.255 LEN=151 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=17500 DPT=17500 LEN=131 

Here's my iptables:

################## FILTER ##################
*filter

#  Allows all loopback (lo0) traffic and reject all traffic to 127/8 that doesn't use lo0
#  (the reject rule must be negated with "! -i lo"; with "-i lo" it only matched packets
#  already accepted by the line above and was never reached)
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT

#  Accepts all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#  Allows all outbound traffic
#  You can modify this to only allow certain traffic
-A OUTPUT -j ACCEPT

# Allows HTTP and HTTPS connections from anywhere (the normal ports for websites)
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT

#  Allows SSH and Webmin connections
-A INPUT -p tcp -m state --state NEW --dport 50000 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 1212 -j ACCEPT

# Allows FTP access
-A OUTPUT -p tcp -m tcp --sport 20 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT

# Disallow ping
-A INPUT -p icmp -m icmp --icmp-type 8 -j DROP

# log iptables denied calls (rate-limited; anything that should be silenced has to be
# dropped by a rule placed above this one, otherwise it is logged first)
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7

# Reject all other inbound - default deny unless explicitly allowed policy
-A INPUT -j REJECT
-A FORWARD -j REJECT

COMMIT


################## NAT ##################
*nat

:PREROUTING ACCEPT [59412:4936393]
:INPUT ACCEPT [41513:2484958]
:OUTPUT ACCEPT [16417:1072327]
:POSTROUTING ACCEPT [16417:1072327]

COMMIT


################## MANGLE ##################
*mangle

:PREROUTING ACCEPT [1574957:131349929]
:INPUT ACCEPT [1572501:131156748]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1669706:6747756890]
:POSTROUTING ACCEPT [1669706:6747756890]

COMMIT
MultiformeIngegno
  • Did you add the xx.xx.xx.xx there? – titus Jan 02 '13 at 00:53
  • Yep. Oh, I forgot to say that Dropbox is not installed (seems that it uses that port). – MultiformeIngegno Jan 02 '13 at 00:56
  • Is the incoming IP address the same? – titus Jan 02 '13 at 01:03
  • It alternates. One time it's 37.9.231.xxx (my VPS external IP), the other it's 5.144.173.194 (belonging to the VPS provider's range; I don't have access to it). – MultiformeIngegno Jan 02 '13 at 01:07
  • This is just a wild guess: if somebody else had your current IP address before and was synchronizing stuff with Dropbox across his VPSs, maybe the Dropbox software on his other VPSs, or dropbox.com, is trying to contact the stored address that is now yours. How long have you had this current IP address? – titus Jan 02 '13 at 01:13
  • Created on: 2012-06-08 12:15:02. I never cared too much about the kernel log; I don't remember checking it before. But it's strange that after 7 months the other client is still trying to reach my IP... uhm... anyway, I've sent a mail to my provider. Let's see if they know something more. – MultiformeIngegno Jan 02 '13 at 01:16
  • Do you have a VPN set up on your VPS box? The requests may be from VPN/NAT clients. – John Siu Jan 02 '13 at 01:41
  • Is dropbox installed on any machine in the same broadcast domain as the server? This is dropbox LAN sync, and it's broadcast. (Track the source MAC address, see what machine has it.) – David Schwartz Jan 02 '13 at 02:28
  • John: No VPN installed.. :( @DavidSchwartz Oh! It's really strange. I don't have Dropbox installed. I don't know if other machines in the same broadcast domain as the server have Dropbox installed (I just have my VPS with a dedicated IP; I can't control the other machines). I'll add this info to my mail though, thanks! :) – MultiformeIngegno Jan 02 '13 at 02:37
  • If you share a broadcast domain with other systems you don't control, then they may well subject you to random broadcast stuff. That's to be expected. – David Schwartz Jan 02 '13 at 02:37
  • But why do the requests come alternately from MY IP and from the other network IP (the "caller")? Shouldn't they all come from the caller? – MultiformeIngegno Jan 02 '13 at 02:41

1 Answer

2

Port 17500 is used by Dropbox LAN Sync. If you have 2 computers on the same network with Dropbox installed, activating it would allow for very fast transfers.

LAN Sync uses broadcast to detect peers, so if someone on your LAN has Dropbox installed with it activated, you will see those entries in the log.

To never see those entries again, add this line to your filters:

# Ignore Dropbox LAN Sync broadcasts
# (insert this above the LOG rule in the INPUT chain; if it comes after the LOG rule
# the packets are still logged before they are dropped)
-A INPUT -p udp -m udp --dport 17500 -j DROP

You should never see those entries again.

ThoriumBR
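The comment thread asks to "track the source MAC address", and the question ends with why the SRC address alternates. Both can be read straight off the LOG lines: the netfilter LOG target prints the MAC field as the raw 14-byte Ethernet header, destination MAC, source MAC, then EtherType, so ff:ff:ff:ff:ff:ff:10:00:25:09:e7:9b:08:00 is a broadcast frame (destination ff:ff:ff:ff:ff:ff) sent by 10:00:25:09:e7:9b carrying IPv4 (0800). The log in the question alternates between two different source MACs, i.e. two different hosts on the shared segment, which is why the SRC IP alternates as well. The script below is an added example, not code from the question or the answer: it parses lines in that format, decodes the MAC field, groups packets per sending MAC and picks out senders whose traffic is only UDP broadcast to 17500 (the Dropbox LAN sync pattern). The sample log is constructed for the example, with RFC 5737 documentation addresses in place of the poster's real ones, and the log prefix "iptables denied:" is taken from the question's own LOG rule.

```python
"""Parse netfilter LOG lines and attribute them to the hosts that sent them."""
from collections import defaultdict

# Constructed sample kernel-log lines in the same field layout as the question's
# "iptables denied:" entries. Addresses are RFC 5737 documentation ranges chosen
# for the example; the MACs are those visible in the question's log plus one
# invented unicast sender for contrast. Not taken from any real host.
SAMPLE_LOG = """\
Jan  2 01:17:17 kernel: [8861587.504866] iptables denied: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:10:00:25:09:e7:9b:08:00 SRC=192.0.2.10 DST=255.255.255.255 LEN=210 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=17500 DPT=17500 LEN=190
Jan  2 01:17:40 kernel: [8861610.825311] iptables denied: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:10:00:05:90:ad:c2:08:00 SRC=198.51.100.7 DST=255.255.255.255 LEN=151 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=17500 DPT=17500 LEN=131
Jan  2 01:17:47 kernel: [8861617.544797] iptables denied: IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:10:00:25:09:e7:9b:08:00 SRC=192.0.2.10 DST=255.255.255.255 LEN=210 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=17500 DPT=17500 LEN=190
Jan  2 01:18:03 kernel: [8861633.101010] iptables denied: IN=eth0 OUT= MAC=10:00:25:09:e7:01:52:54:00:12:34:56:08:00 SRC=203.0.113.9 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=48213 DF PROTO=TCP SPT=41532 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Jan  2 01:18:05 kernel: [8861635.000000] eth0: link up
"""

LOG_PREFIX = "iptables denied:"   # the --log-prefix used in the question's ruleset


def split_mac_field(mac):
    """Decode the LOG target's MAC= field: 6 bytes dst MAC, 6 bytes src MAC, 2 bytes EtherType."""
    octets = mac.split(":")
    if len(octets) != 14:
        raise ValueError("unexpected MAC field: %s" % mac)
    return ":".join(octets[0:6]), ":".join(octets[6:12]), "".join(octets[12:14])


def parse_log_line(line, prefix=LOG_PREFIX):
    """Return a dict of the KEY=VALUE fields of one LOG line, or None if the line is not one."""
    if prefix not in line:
        return None
    body = line.split(prefix, 1)[1]
    fields, flags = {}, set()
    for token in body.split():
        if "=" in token:
            key, value = token.split("=", 1)       # "OUT=" yields an empty value
            if key == "LEN" and "LEN" in fields:    # LEN is printed twice: IP total, then L4 length
                key = "L4LEN"
            fields[key] = value
        else:
            flags.add(token)                       # bare flags such as DF, SYN, ACK
    fields["FLAGS"] = flags
    if "MAC" in fields:
        fields["DST_MAC"], fields["SRC_MAC"], fields["ETHERTYPE"] = split_mac_field(fields["MAC"])
    return fields


def is_broadcast(fields):
    """True for a limited broadcast at L3 or an Ethernet broadcast at L2."""
    return fields.get("DST") == "255.255.255.255" or fields.get("DST_MAC") == "ff:ff:ff:ff:ff:ff"


def summarise_senders(log_text):
    """Group LOG lines by source MAC: one entry per physical sender on the segment."""
    senders = defaultdict(lambda: {"count": 0, "src_ips": set(), "dports": set(), "broadcast": 0})
    for line in log_text.splitlines():
        f = parse_log_line(line)
        if f is None or "SRC_MAC" not in f:
            continue
        s = senders[f["SRC_MAC"]]
        s["count"] += 1
        s["src_ips"].add(f.get("SRC"))
        s["dports"].add((f.get("PROTO"), f.get("DPT")))
        if is_broadcast(f):
            s["broadcast"] += 1
    return dict(senders)


def lansync_senders(summary):
    """MACs whose every logged packet was a UDP broadcast to port 17500 (the Dropbox LAN sync pattern)."""
    return sorted(mac for mac, s in summary.items()
                  if s["dports"] == {("UDP", "17500")} and s["broadcast"] == s["count"])


if __name__ == "__main__":
    summary = summarise_senders(SAMPLE_LOG)
    for mac, s in sorted(summary.items()):
        print(mac, s["count"], sorted(s["src_ips"]), sorted(s["dports"]), "broadcast=%d" % s["broadcast"])
    print("LAN sync senders:", lansync_senders(summary))
```

Run against a real /var/log/kern.log instead of the constructed sample by passing the file contents to summarise_senders. The per-MAC grouping is the point: two MACs with different SRC addresses are two hosts, whatever IP they stamp on the datagram, and a sender that only ever emits broadcast UDP to 17500 is noise from a neighbour rather than a connection attempt at this server. Any rule added to silence it still has to sit above the LOG rule in the INPUT chain, since the question's ruleset logs before it rejects.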