dropping untracked packet messages

Corey R. Halpin crhalpin@students.wisc.edu
Tue, 19 Sep 2000 08:03:50 -0500



  I keep getting messages like this:
  Sep 19 07:55:33 hobbes kernel: NAT: 0 dropping untracked packet d3332980 1 10.10.0.107 -> 224.0.0.2

  My configuration looks like:
iptables -t nat -F PREROUTING
iptables -t nat -A PREROUTING -p tcp -s 192.168.0.0/24 --dport 80 -j REDIRECT --to-port 3128

iptables -t nat -F POSTROUTING
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -d \! 192.168.0.0/24 -j SNAT --to-source 10.10.0.158

iptables -t filter -F INPUT
iptables -t filter -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -t filter -A INPUT -s 127.0.0.1 -j ACCEPT
iptables -t filter -A INPUT -s 192.168.0.0/24 -d 192.168.0.1 -j ACCEPT
iptables -t filter -A INPUT -p tcp -d 10.10.0.158 --dport 22 -j ACCEPT
iptables -t filter -A INPUT -p tcp -s 10.10.0.153 -d 10.10.0.158 --dport 515 -j ACCEPT
iptables -t filter -A INPUT -p tcp -s 10.10.0.153 -d 10.10.0.158 --dport 5865 -j ACCEPT
iptables -t filter -A INPUT -p tcp -s 10.10.0.113 -d 10.10.0.158 --dport 5865 -j ACCEPT
iptables -t filter -A INPUT -j REJECT

  I had thought that adding a command to explicitly drop packets going to 224.0.0.0/8 would work.  It didn't.
  I then tried dropping any packets that were INVALID; that also did not work.
  Not that this is a major issue, but it does require me to rotate my logs more often than I would like.

  thank you,
  crh
-- 
Corey R. Halpin (http://www.cae.wisc.edu/~halpin)
Student of Electrical Engineering and Computer Sciences
University of Wisconsin-Madison


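An added log-triage script (not from the post or from the netfilter project) that parses these kernel "dropping untracked packet" lines and separates multicast destinations such as 224.0.0.2 from unicast ones, so the volume of the noisy class can be measured before deciding how to handle it. The sample log lines other than the one quoted above are constructed.

```python
import ipaddress
import re
from collections import Counter

# Shape of the kernel message quoted in the post:
# "NAT: <hook> dropping untracked packet <skb> <proto> <src> -> <dst>"
LOG_RE = re.compile(
    r"NAT: (?P<hook>\d+) dropping untracked packet (?P<skb>[0-9a-f]+) "
    r"(?P<proto>\d+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+)"
)

# IANA protocol numbers for the few that matter here.
PROTO_NAMES = {1: "icmp", 2: "igmp", 6: "tcp", 17: "udp"}


def parse_drop(line):
    """Return the fields of one 'dropping untracked packet' line, or None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    proto = int(m.group("proto"))
    return {
        "hook": int(m.group("hook")),
        "proto": PROTO_NAMES.get(proto, str(proto)),
        "src": ipaddress.ip_address(m.group("src")),
        "dst": ipaddress.ip_address(m.group("dst")),
    }


def summarize(lines):
    """Count drops per (destination class, protocol); collect unicast targets."""
    counts = Counter()
    unicast = set()
    for line in lines:
        rec = parse_drop(line)
        if rec is None:
            continue
        # 224.0.0.0/4 is multicast; anything else is a unicast destination worth a look.
        bucket = "multicast" if rec["dst"].is_multicast else "unicast"
        counts[(bucket, rec["proto"])] += 1
        if bucket == "unicast":
            unicast.add(str(rec["dst"]))
    return counts, sorted(unicast)


# Constructed sample: the line quoted in the post plus three made-up lines.
SAMPLE = [
    "Sep 19 07:55:33 hobbes kernel: NAT: 0 dropping untracked packet d3332980 1 10.10.0.107 -> 224.0.0.2",
    "Sep 19 07:56:01 hobbes kernel: NAT: 0 dropping untracked packet d3332a40 2 10.10.0.107 -> 224.0.0.1",
    "Sep 19 07:56:09 hobbes kernel: NAT: 0 dropping untracked packet d3332b00 17 10.10.0.5 -> 10.10.0.158",
    "Sep 19 07:56:10 hobbes kernel: unrelated message",
]
```

Feed it `dmesg` or the syslog file; a high multicast count with no unicast entries tells you the messages are link-local chatter rather than anything that needs a filter rule.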