I believe Kenneth is correct. This log message is your iptables notifying
you that hosts with NAT sessions it believes to be finished, timed-out, or
non-existant, are trying to re-use the a previous session rather than
establishing a new session.

The log entry you have given however, shows that your DMZ server is trying
to re-open old sessions backward through the NAT to your workstation.

The information you have given implies that you establish sessions from your
workstation outbound to the DMZ server. Therefore it is your workstation
that is responsible for maintaining any open sessions.

The question you should be asking is: What, if any, service running on your
DMZ server would require it to attempt connecting to your workstation?

The answer should be: nothing.

That would be insecure and possibly dangerous.

I would start looking very carefully at the DMZ server to determine if it
has been compromised. See if one of the CISSP's here on the list could give
you a hand with the forensics.

On 9/25/06, Kenneth <madhse@yahoo.com> wrote:
>
>
> > Sep 25 18:46:55 helen kernel: IN=eth0 OUT=
> > MAC=00:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:00 SRC=192.168.21.11
> > DST=192.168.20.31 LEN=308 TOS=0x10 PREC=0x00 TTL=63 ID=40237 DF
> PROTO=TCP
> > SPT=22 DPT=57702 WINDOW=2160 RES=0x00 ACK PSH URGP=0
>
> I see occasional messages like these. I always assumed it was from old
> connections, so the connection tracking had forgotten them.  I never tried
> to
> track them down further.
>
>
> __________________________________________________
> Do You Yahoo!?
> Tired of spam?  Yahoo! Mail has the best spam protection around
> http://mail.yahoo.com
> ---------------------------------------------------
> PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
> To subscribe, unsubscribe, or to change  you mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>