I have a setup where an Internet connection is available via an ISP box, which has a DMZ feature (one of the hosts can be exposed to the Internet). The general setup is the following:
Internet - PublicIP - 192.168.0.254 - 192.168.0.10
[ FAI box ] [ my server - interface int0]
The server (wired connection to the ISP box) runs shorewall, which builds the appropriate iptables rules. The logs show, among others, the following repeated entry:
May 22 18:59:26 srv kernel: [ 1017.353898] Shorewall:int-fw:REJECT:IN=int0 OUT= MAC=40:8d:5c:4b:aa:55:b8:26:6c:c9:bc:34:08:00 SRC=192.168.0.254 DST=192.168.0.10 LEN=427 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=38328 DPT=5784 LEN=407
It therefore looks like a device with IP 192.168.0.254 (which is the internal IP of the ISP box, and the gateway for my server) is attempting to talk to device 192.168.0.10 (my host, in the FAI box DMZ) on udp/5784, and this connection is rejected, which is expected as no connection sourced from 'outside' should reach 192.168.0.10. 'Outside' is normally the Internet, but here it is the gateway of the server.
What could be the reason for such a connection? It is always udp/5784, which IANA assigns to Cisco Interbox Application Redundancy.
In contrast, typical noise from the Internet is rejected with an expected log entry (source IP on the Internet, directed to the public IP address, which is translated to 192.168.0.10 as the host is in the DMZ and gets all packets):
May 22 19:22:03 srv kernel: [ 2345.529390] Shorewall:int-fw:REJECT:IN=int0 OUT= MAC=40:8d:5c:4b:aa:55:b8:26:6c:c9:bc:34:08:00 SRC=113.162.106.145 DST=192.168.0.10 LEN=60 TOS=0x00 PREC=0x00 TTL=47 ID=51469 DF PROTO=TCP SPT=47041 DPT=23 WINDOW=14520 RES=0x00 SYN URGP=0
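As an added example (not part of the question above), the following Python parses Shorewall/netfilter log lines of the kind quoted and tags each REJECT by where the source sits: the ISP box's LAN address, another RFC 1918 address, or the Internet. The two sample lines are copied from the question; the gateway address 192.168.0.254 is taken from it as well, and the triage tuple format is this example's own choice.

```python
import ipaddress
import re

# Sample input constructed from the two log lines quoted in the question.
SAMPLE_LOGS = [
    "May 22 18:59:26 srv kernel: [ 1017.353898] Shorewall:int-fw:REJECT:IN=int0 OUT= MAC=40:8d:5c:4b:aa:55:b8:26:6c:c9:bc:34:08:00 SRC=192.168.0.254 DST=192.168.0.10 LEN=427 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=38328 DPT=5784 LEN=407",
    "May 22 19:22:03 srv kernel: [ 2345.529390] Shorewall:int-fw:REJECT:IN=int0 OUT= MAC=40:8d:5c:4b:aa:55:b8:26:6c:c9:bc:34:08:00 SRC=113.162.106.145 DST=192.168.0.10 LEN=60 TOS=0x00 PREC=0x00 TTL=47 ID=51469 DF PROTO=TCP SPT=47041 DPT=23 WINDOW=14520 RES=0x00 SYN URGP=0",
]

# LAN address of the ISP box (the server's default gateway), as given in the question.
GATEWAY = ipaddress.ip_address("192.168.0.254")

# Shorewall log prefix is "Shorewall:<chain>:<disposition>:" followed by netfilter key=value fields.
PREFIX_RE = re.compile(r"Shorewall:(?P<chain>[^:]+):(?P<action>[A-Z]+):(?P<rest>.*)$")

def parse_shorewall(line):
    """Return a dict of the fields of one Shorewall log line, or None if it is not one."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    fields = {"chain": m.group("chain"), "action": m.group("action"), "flags": []}
    for token in m.group("rest").split():
        key, sep, value = token.partition("=")
        if not sep:
            fields["flags"].append(key)          # bare tokens such as DF or SYN
        elif key == "LEN" and "LEN" in fields:
            fields["PAYLOAD_LEN"] = value        # second LEN is the UDP header's length field
        else:
            fields[key] = value
    return fields

def classify_source(fields):
    """Say whether the packet came from the gateway, another LAN host, or the Internet."""
    src = ipaddress.ip_address(fields["SRC"])
    if src == GATEWAY:
        return "gateway"
    if src.is_private:
        return "lan"
    return "internet"

def triage(lines):
    """Reduce REJECT entries to (source class, protocol, destination port) tuples."""
    out = []
    for line in lines:
        f = parse_shorewall(line)
        if f is None or f["action"] != "REJECT":
            continue
        out.append((classify_source(f), f["PROTO"].lower(), int(f["DPT"])))
    return out

if __name__ == "__main__":
    for entry in triage(SAMPLE_LOGS):
        print(entry)  # ('gateway', 'udp', 5784) then ('internet', 'tcp', 23)
```

Counting the tuples over a day of logs separates traffic the ISP box itself originates (the udp/5784 case) from the ordinary Internet scan noise hitting the DMZ host.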