Public IP addresses are scanning my private network (Firewall issue?)

I'm not sure how this is happening but I may have a security hole open somewhere in my OpenWrt router. I do not have a DMZ set up and I do not have any port forwards set up to my internal network.

I enabled a firewall on my desktop machine and I'm seeing this:

[262883.557909] [UFW BLOCK] IN=enx00e04c6803aa OUT= MAC=00:e0:4c:68:03:aa:a0:f3:c1:8f:8b:e4:08:00 SRC=13.227.49.156 DST=10.1.3.192 LEN=40 TOS=0x00 PREC=0x00 TTL=230 ID=0 DF PROTO=TCP SPT=443 DPT=55340 WINDOW=0 RES=0x00 RST URGP=0 
[262883.560954] [UFW BLOCK] IN=enx00e04c6803aa OUT= MAC=00:e0:4c:68:03:aa:a0:f3:c1:8f:8b:e4:08:00 SRC=13.227.49.156 DST=10.1.3.192 LEN=40 TOS=0x00 PREC=0x00 TTL=230 ID=0 DF PROTO=TCP SPT=443 DPT=55340 WINDOW=0 RES=0x00 RST URGP=0 
[262903.510450] [UFW BLOCK] IN=enx00e04c6803aa OUT= MAC=00:e0:4c:68:03:aa:a0:f3:c1:8f:8b:e4:08:00 SRC=52.45.33.138 DST=10.1.3.192 LEN=40 TOS=0x00 PREC=0x00 TTL=42 ID=2566 DF PROTO=TCP SPT=443 DPT=60214 WINDOW=0 RES=0x00 RST URGP=0 
[262903.510560] [UFW BLOCK] IN=enx00e04c6803aa OUT= MAC=00:e0:4c:68:03:aa:a0:f3:c1:8f:8b:e4:08:00 SRC=52.45.33.138 DST=10.1.3.192 LEN=40 TOS=0x00 PREC=0x00 TTL=42 ID=2567 DF PROTO=TCP SPT=443 DPT=60214 WINDOW=0 RES=0x00 RST URGP=0 
[262904.436265] [UFW BLOCK] IN=enx00e04c6803aa OUT= MAC=00:e0:4c:68:03:aa:a0:f3:c1:8f:8b:e4:08:00 SRC=204.154.111.117 DST=10.1.3.192 LEN=40 TOS=0x08 PREC=0x20 TTL=44 ID=51288 DF PROTO=TCP SPT=443 DPT=57000 WINDOW=0 RES=0x00 RST URGP=0 
[262904.439876] [UFW BLOCK] IN=enx00e04c6803aa OUT= MAC=00:e0:4c:68:03:aa:a0:f3:c1:8f:8b:e4:08:00 SRC=204.154.111.117 DST=10.1.3.192 LEN=40 TOS=0x08 PREC=0x20 TTL=44 ID=51292 DF PROTO=TCP SPT=443 DPT=57000 WINDOW=0 RES=0x00 RST URGP=0 
[262906.635800] [UFW BLOCK] IN=enx00e04c6803aa OUT= MAC=00:e0:4c:68:03:aa:a0:f3:c1:8f:8b:e4:08:00 SRC=204.154.111.115 DST=10.1.3.192 LEN=40 TOS=0x00 PREC=0x00 TTL=49 ID=51865 DF PROTO=TCP SPT=443 DPT=42616 WINDOW=0 RES=0x00 RST URGP=0 
[262909.004365] [UFW BLOCK] IN=enx00e04c6803aa OUT= MAC=00:e0:4c:68:03:aa:a0:f3:c1:8f:8b:e4:08:00 SRC=204.154.111.115 DST=10.1.3.192 LEN=40 TOS=0x00 PREC=0x00 TTL=47 ID=52503 DF PROTO=TCP SPT=443 DPT=42618 WINDOW=0 RES=0x00 RST URGP=0 
[262909.004837] [UFW BLOCK] IN=enx00e04c6803aa OUT= MAC=00:e0:4c:68:03:aa:a0:f3:c1:8f:8b:e4:08:00 SRC=204.154.111.115 DST=10.1.3.192 LEN=40 TOS=0x00 PREC=0x00 TTL=47 ID=52504 DF PROTO=TCP SPT=443 DPT=42618 WINDOW=0 RES=0x00 RST URGP=0 
[262909.004840] [UFW BLOCK] IN=enx00e04c6803aa OUT= MAC=00:e0:4c:68:03:aa:a0:f3:c1:8f:8b:e4:08:00 SRC=204.154.111.115 DST=10.1.3.192 LEN=40 TOS=0x00 PREC=0x00 TTL=47 ID=52505 DF PROTO=TCP SPT=443 DPT=42618 WINDOW=0 RES=0x00 RST URGP=0 
[262909.923511] [UFW BLOCK] IN=enx00e04c6803aa OUT= MAC=00:e0:4c:68:03:aa:a0:f3:c1:8f:8b:e4:08:00 SRC=205.185.216.10 DST=10.1.3.192 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=TCP SPT=443 DPT=48968 WINDOW=0 RES=0x00 RST URGP=0

How is it possible that a public IP is trying to connect to a machine on my private network?? Has my router been hacked?

Thanks,
Chris

There are two likely reasons for seeing this:

  1. it is actually return traffic from some application or service running on the computer in question
  2. it is a configuration issue on your router.

What router are you using and what version of OpenWrt are you running?

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall
4 Likes

I think this is normal. These are RST (reset) packets being sent from public web servers (port 443 = https) to your desktop machine, after it has closed its web connection. Because it closed the connection the kernel no longer recognizes the open connection. Basically some packets left over after the end of the connection.

6 Likes

Awesome, thank you. I think that must be what is happening.
