-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I am confused about a routing issue. The kernel is logging packets destined to my client subnet as Martians and dropping them.
The firewall has a single ethernet card facing a router. The router has three ports, one to the firewall, one to the clients, and one to the internet. The ethernet port on the firewall is configured with a public IP address and I have added some routing rules to the routing table to cater for the client IP address range of 192.168.17.2 so that they should be routed out eth0 on the firewall back to the router.
If I try and ping 192.168.17.2 from the firewall then the kernel marks these packets as martians. If I try and ping from the 192.168.17.2 machine then the firewall receives the packets OK (confirmed with tcpdump) and tries to respond with an echo-reply (confirmed with tcpdump). However when trying to go out eth0 these reply packets are marked as martians and not transmitted by the kernel.
The network looks like this:
    Firewall
       |eth0(203.xxx.xxx.42)
       |
       |203.xxx.xxx.41
    Router-----Internet
       |
       |
       |192.168.17.x
    Clients
I have the following routes in my routing table:
    route -n
    203.xxx.xxx.40  0.0.0.0         255.255.255.252 U     0      0        0 eth0
    192.168.17.0    203.xxx.xxx.41  255.255.255.0   UG    0      0        0 eth0
    127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
    0.0.0.0         203.xxx.xxx.41  0.0.0.0         UG    0      0        0 eth0
My syslog shows:
    Jun 4 09:46:26 oprah kernel: martian source 192.168.17.2 from 203.xxx.xxx.42, on dev eth0
    Jun 4 09:46:26 oprah kernel: ll header: 00:08:6b:58:f1:25:00:09:b7:58:4d:a2:07:00
    Jun 4 09:46:50 oprah kernel: martian source 192.168.17.2 from 203.xxx.xxx.42, on dev eth0
I don't know what I have to do to route these packets destined for 192.168.17.x back to the router so that they can be forwarded back to the clients. The kernel on the firewall is marking them as martians despite me adding a routing table rule for them.
Can anyone help me with this?
Regards.
Mark.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQE+3TjWL/zYpWVgapgRAoTUAKClR9U1irgGlxzyPUmv1hbR5J2kCACfaxgu
xYu2dUpZIVnKLhDPA8e8ucs=
=0Hq7
-----END PGP SIGNATURE-----

