I started to actually log dropped packets on my VPS and saw some strange behavior while using Safari to access my website.
Mar 6 08:03:16 zion kernel: iptables-dropped: IN=eth0 OUT= MAC=REDACTED SRC=REDACTED DST=192.155.81.248 LEN=64 TOS=0x00 PREC=0x00 TTL=54 ID=49875 DF PROTO=TCP SPT=51584 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0 Mar 6 08:03:17 zion kernel: iptables-dropped: IN=eth0 OUT= MAC=REDACTED SRC=REDACTED DST=192.155.81.248 LEN=64 TOS=0x00 PREC=0x00 TTL=54 ID=31288 DF PROTO=TCP SPT=51584 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0 Mar 6 08:03:18 zion kernel: iptables-dropped: IN=eth0 OUT= MAC=REDACTED SRC=REDACTED DST=192.155.81.248 LEN=64 TOS=0x00 PREC=0x00 TTL=54 ID=39426 DF PROTO=TCP SPT=51584 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0 Mar 6 08:03:19 zion kernel: iptables-dropped: IN=eth0 OUT= MAC=REDACTED SRC=REDACTED DST=192.155.81.248 LEN=64 TOS=0x00 PREC=0x00 TTL=54 ID=33789 DF PROTO=TCP SPT=51584 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0 Mar 6 08:03:21 zion kernel: iptables-dropped: IN=eth0 OUT= MAC=REDACTED SRC=REDACTED DST=192.155.81.248 LEN=64 TOS=0x00 PREC=0x00 TTL=54 ID=36214 DF PROTO=TCP SPT=51584 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0 Mar 6 08:03:22 zion kernel: iptables-dropped: IN=eth0 OUT= MAC=REDACTED SRC=REDACTED DST=192.155.81.248 LEN=64 TOS=0x00 PREC=0x00 TTL=54 ID=47271 DF PROTO=TCP SPT=51584 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0 Mar 6 08:03:24 zion kernel: iptables-dropped: IN=eth0 OUT= MAC=REDACTED SRC=REDACTED DST=192.155.81.248 LEN=64 TOS=0x00 PREC=0x00 TTL=54 ID=32707 DF PROTO=TCP SPT=51584 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0 Mar 6 08:03:28 zion kernel: iptables-dropped: IN=eth0 OUT= MAC=REDACTED SRC=REDACTED DST=192.155.81.248 LEN=48 TOS=0x00 PREC=0x00 TTL=54 ID=52329 DF PROTO=TCP SPT=51584 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0 Mar 6 08:03:36 zion kernel: iptables-dropped: IN=eth0 OUT= MAC=REDACTED SRC=REDACTED DST=192.155.81.248 LEN=48 TOS=0x00 PREC=0x00 TTL=54 ID=56004 DF PROTO=TCP SPT=51584 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0 Mar 6 08:03:52 zion kernel: iptables-dropped: IN=eth0 OUT= MAC=REDACTED SRC=REDACTED DST=192.155.81.248 LEN=48 TOS=0x00 PREC=0x00 TTL=54 ID=9670 DF PROTO=TCP SPT=51584 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0 Mar 6 08:04:25 zion kernel: iptables-dropped: IN=eth0 OUT= MAC=REDACTED SRC=REDACTED DST=192.155.81.248 LEN=48 TOS=0x00 PREC=0x00 TTL=54 ID=4731 DF PROTO=TCP SPT=51584 DPT=443 WINDOW=65535 RES=0x00 SYN URGP=0
As you can see above, my VPS is dropping packets from my client’s browser to the VPS on port 443 (https).
My site only uses port 80 (http) and does not listen on 443 (https) and the INPUT chain on iptables has an explicit DROP for all ports without a defined ALLOW rule (or rules).
I tested a browser session using Chrome and it does not make any port knocks against 443.
Google searches for this type of anomaly yield no results. I wonder if anyone else out there has noticed the same behavior.
Comment on this post