[Mageia-discuss] Odd entry in log file

imnotpc imnotpc at Rock3d.net
Mon May 7 14:09:55 CEST 2012


On 05/07/2012 06:45 AM, Frank Griffin wrote:
> On 05/06/2012 09:15 PM, imnotpc wrote:
>>
>> I apologize that I didn't give more detail when I started this 
>> thread, but this has become a more involved/detailed discussion than I 
>> envisioned. Let me give you the topography of my network as best as I 
>> can describe:
>>
>> Firewall/Gateway: Mga2 box with 3 NICs which forwards traffic from 
>> the DMZ and the LAN to the Internet and back. The Internet facing NIC 
>> has a public IP. The DMZ is a private subnet with all fixed IPs. The 
>> LAN subnet also has all fixed IPs in the 192.168.0.0/24 range. 
>> Iptables firewall logs and drops all traffic that doesn't originate 
>> from these subnets.
>>
>> LAN: All the LAN hosts have fixed IPs in the 192.168.0.0/24 range. 
>> Linux host firewalls block all outgoing traffic that doesn't 
>> originate from the assigned IP address. Windows/other hosts do 
>> whatever they do.
>>
>> Wireless Router Attached to the LAN: The LAN facing NIC on the 
>> wireless router has a fixed IP of 192.168.0.100. The wireless 
>> interface is configured to assign IPs in the 192.168.2.0/24 range to 
>> the wireless hosts using DHCP.
>>
>> Wireless Hosts: Connect to wireless router via DHCP. I believe these 
>> hosts are generating the martian packets.
>>
>> I understand the wireless hosts may identify themselves using 
>> other IPs due to other connection/configuration issues, but I can't 
>> understand how the kernel on the Mga2 gateway is ever able to see 
>> packets originating from 192.168.3.2 or any other unauthorized 
>> subnet. This is my major concern since it may indicate an error in my 
>> LAN configuration.
>
> 1) Is eth0 the interface facing the internet ?

No, this interface faces the LAN which has a 192.168.0.0/24 subnet.

>
> 2) Is 173.194.74.154 the IP address assigned (currently) to you by 
> your ISP ?

No, that IP returns to qe-in-f154.1e100.net which appears to be a server 
owned by Google.

>
> 3) If you ping 192.168.3.2 when you're getting the martians, do you 
> get any response ?

[root@Cedar1 /]# ping -c 5 192.168.3.2
PING 192.168.3.2 (192.168.3.2) 56(84) bytes of data.

--- 192.168.3.2 ping statistics ---
5 packets transmitted, 0 received, 100% packet loss, time 3999ms

>
> 4) What does "traceroute 192.168.3.2" from the gateway give ?

[root@Cedar1 /]# traceroute 192.168.3.2
traceroute to 192.168.3.2 (192.168.3.2), 30 hops max, 60 byte packets
  1  74-94-209-242-BusName-VA.hfc.comcastbusiness.net (74.94.209.242)  0.670 ms  1.372 ms  1.686 ms
  2  * * *
  3  * * *
  4  * * *
  5  * * *
  6  * * *
  7  * * *
  8  * * *
  9  * * *
10  * * *
11  * * *
12  * * *
13  * * *
14  * * *
15  * * *
16  * * *
17  * * *
18  * * *
19  * * *
20  * * *
21  * * *
22  * * *
23  * * *
24  * * *
25  * * *
26  * * *
27  * * *
28  * * *
29  * * *
30  * * *

Well isn't that interesting. That Comcast IP is the address of the ISP 
gateway I use. Both of my firewall/gateway boxes that are logging 
martian packets are connected to similar Comcast routers. The routers 
are configured in bridge mode so the router DHCP service has no effect 
on my connection, but it might still be active on the router. Also, each 
ISP router has a wireless interface and that could still be active. 
My firewall doesn't block any private IPs coming from the Internet 
interface since the ISP routers would never forward them, so that 
explains how they get past the firewall.

I can reconfigure the firewall to block these, but now I'm wondering if 
this is a security issue and if I should try to change the ISP router 
settings. I really hate messing with router settings I haven't used 
before but I hate unauthorized access even more. Thoughts?

Jeff
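
An added example, not part of the original message: a simplified model of strict reverse-path filtering on a three-NIC gateway like the one described, showing why a 192.168.3.2 source is flagged on the LAN side yet passes the same check on the default-route interface unless an explicit ingress rule drops it. Only `eth0` and 192.168.0.0/24 come from the thread; `eth1`, `eth2` and the DMZ prefix are assumptions.

```python
import ipaddress

# Constructed routing table. eth0/192.168.0.0/24 are from the thread;
# eth1, eth2 and the DMZ prefix are assumed for illustration.
ROUTES = [
    ("192.168.0.0/24", "eth0"),   # LAN (from the thread)
    ("10.0.0.0/24", "eth1"),      # DMZ (assumed prefix and interface)
    ("0.0.0.0/0", "eth2"),        # default route to the ISP (assumed interface)
]

# RFC 1918 private ranges, which should not appear as sources on the WAN side.
PRIVATE = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def route_for(addr, routes=ROUTES):
    """Longest-prefix match: return the interface used to reach addr."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def classify(src, in_iface, wan="eth2"):
    """Return 'martian', 'bogon-on-wan' or 'ok' for a packet's source address."""
    ip = ipaddress.ip_address(src)
    # Strict reverse-path check: a reply to src must leave via in_iface.
    if route_for(src) != in_iface:
        return "martian"
    # The default route makes any unknown source pass the check on the WAN
    # interface, so private sources there need an explicit ingress drop rule.
    if in_iface == wan and any(ip in net for net in PRIVATE):
        return "bogon-on-wan"
    return "ok"


if __name__ == "__main__":
    for src, iface in [("192.168.0.25", "eth0"), ("192.168.3.2", "eth0"),
                       ("192.168.3.2", "eth2"), ("173.194.74.154", "eth2")]:
        print(f"{src:>15} on {iface}: {classify(src, iface)}")
```
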

