[Mageia-discuss] Odd entry in log file

imnotpc imnotpc at Rock3d.net
Mon May 7 03:15:39 CEST 2012


On 05/06/2012 08:18 PM, Frank Griffin wrote:
> On 05/06/2012 06:57 PM, imnotpc wrote:
>>
>> My thanks to you, Maarten, and Doug for replying. I knew that packets 
>> in private subnets are never forwarded by routers, one of the basic 
>> security features of the IPV4 system. I had never heard them referred 
>> to as martian before, but the name makes sense. Based on the 
>> destination of the packets (Google, Facebook), my assumption is that 
>> these are not malicious, and based on my knowledge of my network, I 
>> believe these are originating from the wireless hosts as Doug 
>> indicated. I guess the only part I still don't understand is how 
>> these packets are reaching the kernel of the gateway through NAT and 
>> firewalls? Perhaps there is something I don't understand about how IP 
>> traffic moves between hosts.
>>
> The basic idea of a gateway is that you have two NICs, one (say eth1) 
> connected to the same switch to which all your other wired hosts are 
> connected, and using an IP address of something internal, say 
> 192.168.1.1.  The other NIC (say eth0) is connected to your external 
> internet.  Your routing table should indicate that any traffic for a 
> 192.168.1.x address should go out eth1, and any traffic for something 
> other than 192.168.1.x should go out eth0.  And you have NAT enabled 
> for anything going out eth0 so that your internal addresses get 
> translated to the external IP address assigned by your ISP as they 
> pass through the gateway.
>
> This assumes that you're using a PC as a gateway.  Your router should 
> play no part with the wired connections --- it and all the other wired 
> hosts should be plugged into the switch, i.e. you shouldn't be using 
> the inbound wired jacks on the router at all.  The wireless goes into 
> the router, but beyond that plays on an equal level with the wired 
> guys all going into the gateway PC.
>
> The problem you describe most likely results from trying to use the 
> router as the gateway in conjunction with the switch.  You've got the 
> wired guys coming through the switch and participating in NAT and the 
> wireless guys coming into the router directly, and somehow bypassing NAT.
>
> You mention the "gateway kernel", so I'm guessing that you are using a 
> gateway PC rather than a gateway router.  If you are using a 
> 192.168.3.x subnet, then your gateway is NAT'ing some hosts and not 
> others.

I apologize that I didn't give more detail when I started this thread, 
but this has become a more involved/detailed discussion than I envisioned. 
Let me give you the topography of my network as best as I can describe:

Firewall/Gateway: Mga2 box with 3 NICs which forwards traffic from the 
DMZ and the LAN to the Internet and back. The Internet facing NIC has a 
public IP. The DMZ is a private subnet with all fixed IPs. The LAN 
subnet also has all fixed IPs in the 192.168.0.0/24 range. Iptables 
firewall logs and drops all traffic that doesn't originate from these 
subnets.

LAN: All the LAN hosts have fixed IPs in the 192.168.0.0/24 range. Linux 
host firewalls block all outgoing traffic that doesn't originate from 
the assigned IP address. Windows/other hosts do whatever they do.

Wireless Router Attached to the LAN: The LAN facing NIC on the wireless 
router has a fixed IP of 192.168.0.100. The wireless interface is 
configured to assign IPs in the 192.168.2.0/24 range to the wireless 
hosts using DHCP.

Wireless Hosts: Connect to wireless router via DHCP. I believe these 
hosts are generating the martian packets.

I understand that the wireless hosts may identify themselves using other 
IPs due to other connection/configuration issues, but I can't understand 
how the kernel on the Mga2 gateway is ever able to see packets 
originating from 192.168.3.2 or any other unauthorized subnet. This is 
my major concern since it may indicate an error in my LAN configuration.

Jeff
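As an added example (not part of this thread), a small Python script that sorts the kernel's "martian source" log lines against the subnets Jeff describes, so the source address behind each entry can be traced to the wireless router's client range, a known subnet on the wrong NIC, or an address that belongs nowhere on the network (the 192.168.3.2 case). The interface names, the DMZ prefix and the log lines are assumptions; the kernel message format is the one the Linux IPv4 routing code emits.

```python
import re
import ipaddress
from collections import Counter

# Log format emitted by the Linux kernel (net/ipv4/route.c) when the
# reverse-path check fails: "IPv4: martian source <dst> from <src>, on dev <if>"
MARTIAN_RE = re.compile(
    r"martian source (?P<dst>[\d.]+) from (?P<src>[\d.]+), on dev (?P<dev>\S+)"
)

# Subnets that the gateway routes directly, keyed by the NIC they arrive on.
# NIC names are assumed; the DMZ prefix is a placeholder (the thread does
# not give it); the LAN prefix is the 192.168.0.0/24 from the thread.
ROUTED = {
    ipaddress.ip_network("192.168.0.0/24"): "eth1",  # LAN
    ipaddress.ip_network("10.0.0.0/24"): "eth2",     # DMZ (assumed prefix)
}
# Range the wireless router hands out to its clients; the gateway has no
# route to it, so it only ever expects the router's own LAN address
# (192.168.0.100) as the source of wireless traffic.
WIRELESS = ipaddress.ip_network("192.168.2.0/24")


def classify(line):
    """Return (src, dev, verdict) for a martian-source line, else None."""
    m = MARTIAN_RE.search(line)
    if not m:
        return None
    src, dev = ipaddress.ip_address(m["src"]), m["dev"]
    if src in WIRELESS:
        verdict = "wireless-not-natted"   # router forwarded client addresses unchanged
    elif any(src in net for net in ROUTED):
        expected = next(nic for net, nic in ROUTED.items() if src in net)
        verdict = "routed-subnet" if dev == expected else "wrong-interface"
    elif src.is_private:
        verdict = "unknown-private"       # no configured subnet contains it
    else:
        verdict = "public-source"
    return str(src), dev, verdict


def summarize(lines):
    """Count verdicts over a batch of log lines; non-martian lines are skipped."""
    return Counter(r[2] for r in map(classify, lines) if r)


# Constructed sample log; destinations use the 203.0.113.0/24 documentation range.
SAMPLE_LOG = """\
May  6 18:20:01 gw kernel: IPv4: martian source 203.0.113.10 from 192.168.3.2, on dev eth1
May  6 18:20:03 gw kernel: IPv4: martian source 203.0.113.11 from 192.168.2.5, on dev eth1
May  6 18:21:10 gw kernel: IPv4: martian source 192.168.0.7 from 192.168.0.12, on dev eth2
May  6 18:21:11 gw kernel: ll header: 00000000: ff ff ff ff
"""

if __name__ == "__main__":
    for verdict, n in summarize(SAMPLE_LOG.splitlines()).items():
        print(f"{verdict}: {n}")
```

A "wrong-interface" hit points at cabling or routing-table problems on the gateway itself, while "wireless-not-natted" and "unknown-private" both point back at what the wireless router is forwarding.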

