Not TCP protocol prerouting: in:lte1 out

frank333 · April 28, 2023, 4:57pm

i have an rbm11g with ROS 7.8 stable and an LTE module . in the log file i get about 10 messages a day with this wording:

Not TCP protocol prerouting: in:lte1 out:(unknown 0), connection-state:invalid src-mac c6:e0:42:92:21:52, proto 132, 39.98.186.94->151.15.109.102, len 52

I checked the firewall settings and they all seem to be correct.What do you think it could be ?

mkx · April 28, 2023, 6:44pm

IP protocol 132 is SCTP…

Larsa · April 28, 2023, 6:45pm

Sorry, but not a clue without an config export!

rextended · April 28, 2023, 9:02pm

SCTP is used on mobile transport technology to help transport data streams between antennas of different frequencies.

It’s like a leak from the LTE infrastructure, if the reported IPs are not yours.

Larsa · April 28, 2023, 9:43pm

@frank333, you have to check your firewall. If you want help from the forum on how, please post your config using /export.

If you were just interested in what, Rextended has already given you an answer or just google protocol 132 for more details.

frank333 · April 29, 2023, 7:45am

@Larsa here is the firewall configuration,
firewall.rsc (5.02 KB)
@rextended the IPs starting with 47 139 39 202 are not mine; 151… is my IP on windtre. is this a problem with my modem?
(Quindi è un problema del mio modem ?)

rextended · April 29, 2023, 11:49am

No, del ponte LTE…

frank333 · April 29, 2023, 12:01pm

as you can see from my export I used your configuration against flags attack and changed the TTL with the rule in prerouting (would it be better to move it to postrouting?) The problem is that now, after that 'error the router reboots.

frank333 · May 4, 2023, 6:15am

the strange logs continue with the next reboot of the router, I switched to 7.9 stable.

Not TCP protocol prerouting: in:lte1 out:(unknown 0), connection-state:invalid src-mac c6:e0:42:92:21:52, proto 41, 192.88.99.1->151.58.128.200, len 76

Larsa · May 4, 2023, 10:03am

I glanced through your rules and there is plenty of room for optimization such as fast-track, the mangle chain etc. Have a look at these and feel free to come back with any questions:

frank333 · May 4, 2023, 10:11am

@larsa
I essentially used the default RoS rules and added rextended raw rules. I thought the firewall was sufficiently configured

Larsa · May 4, 2023, 10:26am

Well, if you think it’s sufficient, you can just drop the “log=yes” statements in prerouting to get rid of the annoying logging but you probably want to add action=drop (if that was the intention). I mean the rules seems to do its job and catch it, right?

EDIT
Btw, there are also two “protocol=!tcp” in sequence.

frank333 · May 4, 2023, 10:35am

@larsa,
Yes the rules seem to be working , but the problem is that after the log message the modem and sometimes the router restarts.Before there were scpt protocol messages now there are those on ipv6 . In firewall the service port I have three services that I can not disable scpt,dccp,udplite but I think they are enabled by default because they are needed to establish the connection.I am calmly reading all the links you sent me to find something strange.

frank333 · May 4, 2023, 10:42am

the second rule is disabled

add action=drop chain=prerouting comment="Unused protocol protection" \
    disabled=yes protocol=!tcp

Larsa · May 4, 2023, 10:43am

In general, one may have different ways of thinking, like remove all possible combinations and accept the rest, or the other way around. Have you ever checked the activity on your prerouting rules? How about fast-track? It might be good to consider the number of rules and how these are structured in terms of performance if the CPU is heavily loaded.

frank333 · May 4, 2023, 10:48am

@Larsa,
I noticed activity from the flagsattack rules counter in the RAW section.
fasttrack rules are disabled.

Larsa · May 4, 2023, 10:49am

Btw, you might want to add drop to the first rule if that was the intention, otherwise you are letting it through. Question, was fasttrack removed on purpose?

rextended · May 4, 2023, 11:04am

/ip firewall raw
add action=accept chain=prerouting protocol=icmp
add action=accept chain=prerouting protocol=igmp
add action=accept chain=prerouting protocol=tcp
add action=accept chain=prerouting protocol=udp
add action=accept chain=prerouting protocol=gre
add action=log chain=prerouting log=yes log-prefix="Not TCP protocol" protocol=!tcp
add action=drop chain=prerouting comment="Unused protocol protection" disabled=yes protocol=!tcp

L’ultima regola è disattivata in maniera predefinita per evitare che uno si chiuda fuori.
Va attivata quando si è finito di configurare il resto.
La regola “Not TCP protocol” serve proprio per vedere cosa arriva che non sia già stato accettato prima.

aggiungi questo prima di “Not TCP protocol” per smettere di vedere i messaggi riguardo a questo protocollo:

/ip firewall raw
add action=drop chain=prerouting protocol=sctp

The last rule is off by default to prevent one from locking out.
It must be activated when you have finished configuring the rest.
The “Not TCP protocol” rule is used precisely to see what arrives that has not already been accepted before.

add this before “Not TCP protocol” to stop seeing messages about this protocol:

/ip firewall raw
add action=drop chain=prerouting protocol=sctp

frank333 · May 4, 2023, 11:16am

ok
I did as you said,

So it’s just a firewall indication and not an external attack? I also have an alert with prot. 41.

rextended · May 4, 2023, 11:23am

the correct order is drop stp / log unallowed / and you must enabled “drop all at the end”
invert 30 and 31 and enable the disabled rule.

Il protocollo 41 è per fare un tunnel, tipo teredo, 6to4 / 6in4 per passare IPv6 su IPv4. Lo usa windows ad insaputa della gente per collegarsi conumque via IPv6.
Non c’entra niente con l’IPv6, se non lo usi, lo puoi bloccare.

/ip firewall raw
add action=drop chain=prerouting protocol=ipv6-encap

Anche questa regola va sopra il log