firewall connection log entries - hack attempt?

15 A 12.169.174.160:1794 xxx.69.35.6:135 tcp established 3d16h55m40s
16 A 12.169.186.137:4944 xxx.69.35.6:135 tcp established 3d19h14m15s
17 A 12.169.186.149:3881 xxx.69.35.6:135 tcp established 3d9h55m
18 A 12.169.186.149:4436 xxx.69.35.6:135 tcp established 3d9h16m46s
19 A 12.169.230.170:3578 xxx.69.35.6:1025 tcp established 3d10m19s

I have these entries in my 2.8.28 router. The xxx.69.35.6 IP is natted to a video camera on port 8000 with this rule.

ip firewall dst-nat> pr
Flags: X - disabled, I - invalid, D - dynamic

1 ;;; video server
in-interface=public dst-address=xxx.69.35.6/32 protocol=tcp action=nat
to-dst-address=192.168.0.41 to-dst-port=8000

If I’m limiting traffic to port 8000, why am I seeing port 135 traffic?
I disabled the public IP address and the entries are still there; how often does the list of connections refresh? Is there a way to drop connections in 2.8.28?


My input and forward rules drop port 135 via a virus filter chain so I’m confused as to why I’m seeing these entries.

drop it on the forward chain

135-139 prot=udp,tcp

You’re natting all tcp traffic to port 8000 on the webcam.

Specify the port in the match part of the rule:

e.g.

chain=dstnat in-interface=Internet protocol=tcp dst-port=8000
action=dst-nat to-addresses=192.168.1.2 to-ports=8000

(This is 2.9 syntax so you’ll need to modify slightly).

Regards

Andrew
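The connection-table lines at the top of the thread are easy to audit mechanically: parse each entry and flag any established connection whose destination port is not the one the NAT rule was meant to publish (8000). The script below is an added example, not code from the thread or from RouterOS; the sample table is constructed to mirror the entries posted above (public address masked as in the post), and the field layout it assumes is "id flags src:port dst:port proto state age".

```python
"""Audit a RouterOS-style connection table against the ports you meant to publish."""
from collections import Counter

# Constructed sample, modelled on the thread's entries; the last line is a legitimate
# camera session on the published port so the audit has something it should NOT flag.
SAMPLE_TABLE = """\
15 A 12.169.174.160:1794 xxx.69.35.6:135 tcp established 3d16h55m40s
16 A 12.169.186.137:4944 xxx.69.35.6:135 tcp established 3d19h14m15s
17 A 12.169.186.149:3881 xxx.69.35.6:135 tcp established 3d9h55m
18 A 12.169.186.149:4436 xxx.69.35.6:135 tcp established 3d9h16m46s
19 A 12.169.230.170:3578 xxx.69.35.6:1025 tcp established 3d10m19s
20 A 198.51.100.7:50211 xxx.69.35.6:8000 tcp established 5m12s
"""

def parse_entry(line):
    """Split one connection-table line into its fields. The port is split off with
    rsplit so a masked host string such as xxx.69.35.6 still parses."""
    fields = line.split()
    if len(fields) != 7:
        raise ValueError(f"unexpected field count in: {line!r}")
    ident, flags, src, dst, proto, state, age = fields
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {"id": int(ident), "flags": flags, "src_ip": src_ip, "src_port": int(src_port),
            "dst_ip": dst_ip, "dst_port": int(dst_port), "proto": proto,
            "state": state, "age": age}

def unexpected_connections(table, published):
    """Return entries whose (proto, dst_port) is not a service you intentionally
    forwarded. Any hit means the NAT rule admits more than the published port."""
    entries = [parse_entry(l) for l in table.splitlines() if l.strip()]
    return [e for e in entries if (e["proto"], e["dst_port"]) not in published]

def offending_ports(table, published):
    """Count stray connections per unpublished destination port."""
    return Counter(e["dst_port"] for e in unexpected_connections(table, published))

if __name__ == "__main__":
    published = {("tcp", 8000)}  # the only service the dst-nat rule should expose
    for e in unexpected_connections(SAMPLE_TABLE, published):
        print(f"conn {e['id']}: {e['src_ip']} -> port {e['dst_port']} ({e['state']}, up {e['age']})")
    print(offending_ports(SAMPLE_TABLE, published))
```

Feeding the router's real connection listing into `unexpected_connections` with the set of ports you deliberately publish gives a quick check that a dst-nat rule is not wider than intended.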

I put port 8000 in the dst-nat rule:
;;; station video
src-address=:8000 dst-address=xxx.69.35.6/32 protocol=tcp action=nat
to-dst-address=192.168.0.42 to-dst-port=8000

I forgot that connection tracking is higher up in the processing chain than the firewall filter rules; that’s why the port 135 and 445 stuff was showing up even though the filter chains drop those packets. At least, that’s the only reason I can think of.