Re: mystery martian source from 127.0.0.1 - more details
- From: Tauno Voipio <tauno.voipio@xxxxxxxxxxxxx>
- Date: Thu, 08 Dec 2005 20:36:48 GMT
EricT wrote:
80-219-238-182.dclient.hispeed.ch is my external IP assigned by the ISP. But still I don't know this strange HWAddr (00:09:7b:8d:98:70).
All the clients (including my firewall) within the highspeed network have the same netmask. The IPs are received by DHCP broadcasts.
I have set up iptables, that's why I am wondering about these packets.
These packets are not logged by tcpdump from 80-219-238-182.dclient.hispeed.ch but from 127.0.0.1.
It is confusing, as I already said.
Today's log and output information:
/var/log/messages
Dec 8 20:42:25 localhost kernel: martian source 80.219.238.182 from 127.0.0.1, on dev ext0
Dec 8 20:42:25 localhost kernel: ll header: xx:xx:xx:xx:xx:xx:00:09:7b:8d:98:70:08:00
It does not add anything to your security to obfuscate the MAC address in the data link header.
the iptables did not log any traffic, the following rules are active:
# Block packets from private networks
$IPTABLES -A INPUT -i $EXTIF -s 127.0.0.1 -j LDROP
If you prefer to LDROP the local loop sources, change the source IP to 127.0.0.0/8.
$IPTABLES -A INPUT -i $EXTIF -s 192.168.0.0/16 -j LDROP
$IPTABLES -A INPUT -i $EXTIF -s 172.16.0.0/12 -j LDROP
$IPTABLES -A INPUT -i $EXTIF -s 10.0.0.0/8 -j LDROP
Here you drop the RFC 1918 packets coming from the outside.
(clip clip)
tcpdump -vv
20:42:25.782992 IP (tos 0x0, ttl 126, id 10724, offset 0, flags [none], length: 40) localhost.http > 80-219-238-182.dclient.hispeed.ch.stun-p3: R [tcp sum ok] 0:0(0) ack 1704591361 win 0
This is a TCP reset packet from the WWW server port. For a better view, save the tcpdump data with tcpdump -w, and look at it with Ethereal. Also, the -n switch can make the situation clearer by preventing the translation of numeric addresses and port numbers.
Do you have a Web server running? Check for any open ports with:
netstat -tupan
(You may need a wide screen for responses, there's plenty).
the martian source log can be activated by echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
I really would like to know which circumstances are responsible for these martian messages.
Google for 'linux martian source'. It gives plenty of information.
In principle, the kernel considers a packet martian if its source address is obviously incorrect for the interface it's coming in on.
HTH
--
Tauno Voipio tauno voipio (at) iki fi .
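
Added example, not part of the original thread: a small Python parser for the two kernel lines quoted above. It pairs each "martian source" line with its "ll header" line, splits the 14-byte Ethernet header into destination MAC, source MAC and EtherType, and classifies the claimed source address against 127.0.0.0/8 and the RFC 1918 ranges named in the iptables rules. The function names and the sample text are assumptions made for illustration.

```python
import ipaddress
import re

# Constructed sample, modelled on the two kernel lines quoted in the thread.
SAMPLE_LOG = (
    "Dec 8 20:42:25 localhost kernel: martian source 80.219.238.182 from 127.0.0.1, on dev ext0\n"
    "Dec 8 20:42:25 localhost kernel: ll header: xx:xx:xx:xx:xx:xx:00:09:7b:8d:98:70:08:00\n"
)

MARTIAN_RE = re.compile(r"martian source (\S+) from (\S+), on dev (\S+)")
# 14 octets; "xx" is accepted because posters often mask part of the header.
LL_RE = re.compile(r"ll header: ((?:[0-9a-fx]{2}:){13}[0-9a-fx]{2})\s*$", re.I)

# Source ranges that should never arrive on an external interface.
BOGON_SOURCES = {
    "loopback": ipaddress.ip_network("127.0.0.0/8"),
    "rfc1918": ipaddress.ip_network("10.0.0.0/8"),
    "rfc1918 ": ipaddress.ip_network("172.16.0.0/12"),
    "rfc1918  ": ipaddress.ip_network("192.168.0.0/16"),
}

def classify(addr):
    """Return 'loopback', 'rfc1918' or 'routable' for a source address."""
    ip = ipaddress.ip_address(addr)
    for name, net in BOGON_SOURCES.items():
        if ip in net:
            return name.strip()
    return "routable"

def parse_martians(text):
    """Pair each martian line with the link-layer header line that follows it."""
    events = []
    for line in text.splitlines():
        m = MARTIAN_RE.search(line)
        if m:
            # The kernel prints the packet's destination first, then its source.
            events.append({"dst": m.group(1), "src": m.group(2),
                           "dev": m.group(3), "src_class": classify(m.group(2))})
            continue
        m = LL_RE.search(line)
        if m and events:
            octets = m.group(1).lower().split(":")
            # Ethernet II: 6 bytes destination MAC, 6 bytes source MAC, 2 bytes EtherType.
            events[-1]["dst_mac"] = ":".join(octets[0:6])
            events[-1]["src_mac"] = ":".join(octets[6:12])
            events[-1]["ethertype"] = "".join(octets[12:14])
    return events
```

The source MAC in the header is the neighbour on the local segment that put the frame on the wire, which is where to look for the device emitting packets with a loopback source.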