I would not worry about it too much. I wonder why Android calls home so often? Do you run any security/tracker apps on them? (no need to answer)

I think Firefox uses Google for its safe browsing and looking around, so does Android. It would have to call home to get updates.

Update:
Tried the iptables FORWARD command with more luck.

It looks like my android devices are calling back to the mothership every few minutes. They each do about 8-10 of

May 16 10:31:19 localhost kernel: IN=eth2 OUT=ppp0 SRC=android.device.ip DST=173.194.43.72 LEN=268 TOS=0x00 PREC=0x00 TTL=63 ID=49933 DF PROTO=TCP SPT=45061 DPT=443 WINDOW=229 RES=0x00 ACK PSH URGP=0

every few minutes. So with 3-4 android devices this is happening a lot.

Funny thing is my Apple Laptop is also calling back to the Google ship. I'm using Little Snitch and see that this is Firefox, Thunderbird (multiple gmail accts), Busycal (connected to google calendar).

I'm getting the feeling that this isn't as serious as I originally thought. Am I mistaken???

173.194.43.87 is Google.

I'm running the OUTPUT logging.

iptables -I OUTPUT -d 173.194.43.0/25 -j LOG

I'm running the proxy server. Access control is off. It is running in transparent mode.

So why would the COS server be doing this?

The IN flag is the source interface and will be blank if the packet comes from ClearOS. Which chain are you logging that from OUTPUT or FORWARD?. If it is OUTPUT then ClearOS is the source (I'm not sure the statement is true if you have run the proxy in some modes). It looks like a standard browser access - DPT = port 80, with the SYN flag set. I'm blocked at work so I can't try to access the 173.194.43.87 site

Thanks again, Nick.

I've been watching the log for a number of days. I'm not able figure out the source. What I get is:

kernel: IN= OUT=ppp0 SRC=my.ppoe.com DST=173.194.43.87 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=59807 DF PROTO=TCP SPT=45724 DPT=80 WINDOW=5808 RES=0x00 SYN URGP=0

Unfortunately, this doesn't show the initiating IP address. Is there a way to get more details? I see the IN= portion is blank.

I have narrowed it down to my wifi network segment because it stops at midnight and starts again at 6:30am. I had to kill the wifi during those periods or my kids wouldn't sleep. Damn texting going on at all hours of the night and they don't have the sense to turn off the device.....

Iptables does not take a regex. /25 will give you 0 - 127 which is only two addresses more than 1-126 so just use the /25 notation. To use --dst-range add "-m iprange" to the rule.

 iptables -I OUTPUT -m iprange --dst-range 173.194.43.1-173.194.43.126 -j LOG

Look in /var/log/messages for the log. It can be redirected but that is more complicated.

[edit]
That block is owned by Google!
[/edit]

Hmm. I guess for this one I can do

iptables -I OUTPUT -d 173.194.43.0/25 -j LOG

But that includes more IPs than I want. Figuring out how to do a range would be better.

Would something like this work?

iptables -I OUTPUT -d 173.194.43.[1-126] -j LOG

Or am I getting out of control with the attempted bash regex?

Thanks again for your help, Nick.

I have a range of IPs that I would like to check using these rules but when I try the rule

iptables -I OUTPUT --dst-range 173.194.43.1-173.194.43.126 -j LOG

I get an error.

How do I do a --dst-range and --src-range using the iptables 1.3.5 version on COS5.2sp1?

I can't figure it out from the man page. I don't think this option exists in v1.3.5. I don't seem to be able to figure out the right google-fu to find examples of doing a range using v1.3.5.

Oh, and does this go to the messages log?

That looks like one of the internal rules and I don't know how they are constructed, but it could be 173.194.43.78 who is scanning you, but snort is picking up the replies.

You could try logging all messages to that IP with some firewall rules:

iptables -I FORWARD -d 173.194.43.78 -j LOG

iptables -I OUTPUT -d 173.194.43.78 -j LOG

iptables -I INPUT -s 173.194.43.78 -j LOG

Try the input or output rules first. If they get any hits it is pretty certain 173.194.43.78 is scanning you. If the forward rule gets any hits then you are scanning him and the log should identify the source of the traffic.