[Mageia-discuss] Odd entry in log file

Maarten Vanraes alien at rmail.be
Mon May 7 22:47:41 CEST 2012


On Monday 07 May 2012 14:23:44 Frank Griffin wrote:
> On 05/07/2012 06:45 AM, Frank Griffin wrote:
> >> On 05/06/2012 09:15 PM, imnotpc wrote:
> >> 1) Is eth0 the interface facing the internet ?
> > 
> > No, this interface faces the LAN which has a 192.168.0.0/24 subnet.
> 
> OK, so if eth0 has no outside internet access, you are correct in saying
> that something in your network is doing this.
> 
> >> 2) Is 173.194.74.154 the IP address assigned (currently) to you by
> >> your ISP ?
> > 
> > No, that IP returns to qe-in-f154.1e100.net which appears to be a
> > server owned by Google.
> 
> Yes.  I thought maybe Google was your ISP.
> 
> >> 4) What does "traceroute 192.168.3.2" from the gateway give ?
> > 
> > [root at Cedar1 /]# traceroute 192.168.3.2
> > traceroute to 192.168.3.2 (192.168.3.2), 30 hops max, 60 byte packets
> >  1  74-94-209-242-BusName-VA.hfc.comcastbusiness.net (74.94.209.242)  0.670 ms  1.372 ms  1.686 ms
> >  2  * * *
> > 
> > Well isn't that interesting. That Comcast IP is the address of the ISP
> > gateway I use. Both of my firewall/gateway boxes that are logging
> > martian packets are connected to similar Comcast routers. The routers
> > are configured in bridge mode so the router DHCP service has no effect
> > on my connection, but it might still be active on the router. Also
> > each ISP router also has a wireless interface and that could still be
> > active. My firewall doesn't block any private IPs coming from the
> > Internet interface since the ISP routers would never forward them, so
> > that explains how they get past the firewall.
> 
> No, I think traceroute doesn't special-case internal IP addresses.  Your
> routing table is (correctly) set up to route traffic for anything other
> than your known subnets to the external internet, and that's exactly
> what traceroute is doing.  It's your ISP's job to discard internal
> address packets, not yours.
> 
> But I think you're on to something with the ISP routers.  Is there some
> reason you don't just run the cable from the cable modem to the external
> NIC on the gateway PC ?  If you're willing to try that, and the martians
> disappear, it's these routers.
> 
> Try going into configuration on these routers, and see what their DHCP
> servers are set up for, and whether the 192.168.3 subnet appears
> anywhere in there.  It's possible that one of your DHCP-using wireless
> clients is getting an answer to its broadcast from these guys before
> your internal router, and picking up a 192.168.3.2 IP address from them.


My martians are mostly from hosts in the subnet of my public IP, or internal
ranges from modems, and mostly broadcasts or ARP stuff.

I think this 192.168.3.1 stuff is likely someone in your ISP subnet that is
doing bad NATing and is trying to get out (much like you pinging 192.168.3.x,
which is going outside your public IP; that'll get martians on someone else's
PC, for instance).
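
Added example, not part of the original message: a Python script that groups kernel "martian source" log entries by receiving interface and by the kind of source address they carry, the sorting the thread does by hand (modem-internal ranges, a neighbour's bad NAT, LAN addresses on the wrong side). The log lines are constructed; the eth1 interface name, its 203.0.113.0/24 range and the hostname "gw" are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Linux logs rejected packets as: martian source <dst> from <src>, on dev <iface>
MARTIAN_RE = re.compile(
    r"martian source (?P<dst>[\d.]+) from (?P<src>[\d.]+), on dev (?P<dev>\S+)")

# Assumption: subnet attached to each gateway interface. eth0's LAN range is
# from the thread; eth1 and its documentation range stand in for the WAN side.
LOCAL_NETS = {
    "eth0": ipaddress.ip_network("192.168.0.0/24"),
    "eth1": ipaddress.ip_network("203.0.113.0/24"),
}
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def classify(src, dev):
    """Say why a source address looks wrong on the interface it arrived on."""
    addr = ipaddress.ip_address(src)
    for name, net in LOCAL_NETS.items():
        if addr in net:
            return "same-subnet" if name == dev else "wrong-interface"
    if any(addr in net for net in RFC1918):
        return "foreign-private"   # e.g. a modem's internal range or bad NAT
    if addr.is_loopback or addr.is_link_local or addr.is_multicast:
        return "reserved"
    return "routable-off-link"     # public address outside every attached subnet

def summarize(lines):
    """Count martian entries per (interface, category, source)."""
    counts = Counter()
    for line in lines:
        m = MARTIAN_RE.search(line)
        if m:  # "ll header:" continuation lines and other noise are skipped
            counts[(m["dev"], classify(m["src"], m["dev"]), m["src"])] += 1
    return counts

# Constructed sample log lines (hostname "gw" and timestamps are made up).
SAMPLE = """\
May  7 14:00:01 gw kernel: martian source 192.168.3.2 from 173.194.74.154, on dev eth0
May  7 14:00:01 gw kernel: ll header: ff:ff:ff:ff:ff:ff:00:11:22:33:44:55:08:00
May  7 14:00:05 gw kernel: martian source 203.0.113.255 from 192.168.3.1, on dev eth1
May  7 14:00:09 gw kernel: martian source 203.0.113.10 from 192.168.0.77, on dev eth1
May  7 14:00:12 gw kernel: martian source 203.0.113.255 from 192.168.3.1, on dev eth1
""".splitlines()

if __name__ == "__main__":
    for (dev, kind, src), n in summarize(SAMPLE).most_common():
        print(f"{dev:5} {kind:18} {src:16} x{n}")
```

A "wrong-interface" or "foreign-private" source showing up repeatedly on the Internet-facing interface is the case where an explicit drop rule for private source ranges on that interface is worth adding.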

