Re: mystery martian source from 127.0.0.1 - more details



EricT wrote:
> 80-219-238-182.dclient.hispeed.ch is my external ip assigned by the ISP.
> But still I don't know this strange HWAddr (00:09:7b:8d:98:70).
>
> All the clients (including my firewall) within the highspeed network
> have the same netmask. The IPs are received by DHCP broadcasts.
>
> I have set up iptables, that's why I am wondering about these packets.
>
> These packets are not logged by tcpdump from
> 80-219-238-182.dclient.hispeed.ch but from 127.0.0.1.
>
> It is confusing as I already said.


Today's log and output information:


/var/log/messages

Dec 8 20:42:25 localhost kernel: martian source 80.219.238.182 from 127.0.0.1, on dev ext0
Dec 8 20:42:25 localhost kernel: ll header: xx:xx:xx:xx:xx:xx:00:09:7b:8d:98:70:08:00


the iptables did not log any traffic, the following rules are active:

# Block packets from private networks
$IPTABLES -A INPUT -i $EXTIF -s 127.0.0.1 -j LDROP
$IPTABLES -A INPUT -i $EXTIF -s 192.168.0.0/16 -j LDROP
$IPTABLES -A INPUT -i $EXTIF -s 172.16.0.0/12 -j LDROP
$IPTABLES -A INPUT -i $EXTIF -s 10.0.0.0/8 -j LDROP

The LDROP target will first log and then drop the packets.

The output of the iptables status:

Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target  prot opt in    out  source          destination
    0     0 LDROP   all  --  ext0  *    127.0.0.1       0.0.0.0/0
    0     0 LDROP   all  --  ext0  *    192.168.0.0/16  0.0.0.0/0
    0     0 LDROP   all  --  ext0  *    172.16.0.0/12   0.0.0.0/0
    0     0 LDROP   all  --  ext0  *    10.0.0.0/8      0.0.0.0/0


tcpdump -vv

20:42:25.782992 IP (tos 0x0, ttl 126, id 10724, offset 0, flags [none],
length: 40) localhost.http > 80-219-238-182.dclient.hispeed.ch.stun-p3:
R [tcp sum ok] 0:0(0) ack 1704591361 win 0


the martian source log can be activated by
echo "1" > /proc/sys/net/ipv4/conf/all/log_martians


I really would like to know which circumstances are responsible for
these martian messages.


Thanks and greetz,
Eric
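
Added example, not part of the original post: a small Python parser that pairs each "martian source" kernel line with the "ll header" line that follows it and splits the header into its fields, so the sending station's MAC can be tallied per interface. It assumes the Linux log format in which the first address is the packet's destination and the second its claimed source, and that the ll header is a 14-byte Ethernet header (destination MAC, source MAC, EtherType); the function names and the third sample line are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

MARTIAN = re.compile(r"martian source ([\d.]+) from ([\d.]+), on dev (\S+)")
# 14 octets of Ethernet header; "xx" allows octets redacted as in the post.
LL_HEADER = re.compile(r"ll header:\s*((?:[0-9a-fx]{2}:){13}[0-9a-fx]{2})", re.I)

def parse_martians(lines):
    """Pair each 'martian source' line with the 'll header' line after it."""
    events, pending = [], None
    for line in lines:
        m = MARTIAN.search(line)
        if m:
            # Assumed kernel format: destination first, then claimed source.
            dst, src, dev = m.groups()
            pending = {"dst_ip": dst, "src_ip": src, "dev": dev,
                       "src_is_loopback": ipaddress.ip_address(src).is_loopback}
            events.append(pending)
            continue
        h = LL_HEADER.search(line)
        if h and pending is not None:
            octets = h.group(1).lower().split(":")
            pending["dst_mac"] = ":".join(octets[0:6])
            # Bytes 6-11: the station that put the frame on the wire.
            pending["src_mac"] = ":".join(octets[6:12])
            pending["ethertype"] = "0x" + "".join(octets[12:14])
            pending = None
    return events

def senders(events):
    """Count martians per (device, sending MAC, claimed source IP)."""
    return Counter((e["dev"], e.get("src_mac"), e["src_ip"]) for e in events)

# First two lines are the log lines from the post (line wraps joined).
# The third is constructed: an event with no ll header line following it.
SAMPLE = [
    "Dec 8 20:42:25 localhost kernel: martian source 80.219.238.182 from 127.0.0.1, on dev ext0",
    "Dec 8 20:42:25 localhost kernel: ll header: xx:xx:xx:xx:xx:xx:00:09:7b:8d:98:70:08:00",
    "Dec 8 20:43:01 localhost kernel: martian source 80.219.238.182 from 10.0.0.5, on dev ext0",
]

if __name__ == "__main__":
    for key, count in senders(parse_martians(SAMPLE)).items():
        print(count, key)
```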