[Mageia-discuss] Odd entry in log file

imnotpc imnotpc at Rock3d.net
Tue May 8 02:05:44 CEST 2012

On 05/07/2012 05:27 PM, Maarten Vanraes wrote:
> Op maandag 07 mei 2012 23:04:14 schreef Frank Griffin:
>> On 05/07/2012 04:50 PM, Maarten Vanraes wrote:
>>> Op maandag 07 mei 2012 14:23:44 schreef Frank Griffin:
>>> [...]
>>> it's like this:
>>> mostly people natting will do:
>>> iptables -s -o eth0 -j MASQUERADE
>>> which means internal traffic on would go outside without
>>> being natted. if someone nearby uses as a local network ip,
>>> it would get martians, since that network is coming from an unexpected
>>> source interface.
>> Yes, but it would go to the ISP gateway and get discarded.  Why would it
>> be seen by anything else on the ISP subnet, unless the NIC were in
>> promiscuous mode ?  And if that (promiscuous mode) were the case, why
>> would iptables complain ?
> promiscuous mode means you're passing through from layer 2 to layer 3
> irrespective of mac address (ie: even if it's not for you)
> iptables is not complaining
> martians is kernel level, (resource path filtering (for asynchronous routing)),
> before iptables even comes into play.

So the kernel would log the martian before iptables sees it? That 
explains why it isn't dropped by the firewall. But that begs the 
question, is there any point in using iptables rules to block packets 
from other subnets if iptables will never see them? Just about every 
sample firewall ruleset I've ever seen does this either explicitly or by 
allowing them to fall through to the default DROP rule. Now that I'm 
thinking back, in 10+ years of Linux LAN experience I've never seen a 
martian packet logged by any of my firewalls. i just assumed it was good 
network management   ;-)

> martians is actually also on the same level as promiscuous checking iinm...
> ie: it's disregarding an ip packet on an interface, which should not have come
> from that interface, but according to routing information, you expect it to
> come from another interface.
> ie: if you have:
> eth0:
> eth1:
> eth2:
> and default route via eth2
> if coming from eth2 there is a packet with source IP, it would
> fire.
> if going out to eth1 a packet with dest IP it would also fire.
> if coming from eth0 is a packet with source ip, it also fires,
> since default route is eth2.
> i donno if you see an interface which it's speaking of in the martians
> warning, but i suggest you look at the routing table and see what is going on.
> you can furthermore try to use tcpdump and see what is going on.

I'll give this a try and see what I dig up.

More information about the Mageia-discuss mailing list