On 05/07/2012 06:45 AM, Frank Griffin wrote:
On 05/06/2012 09:15 PM, imnotpc wrote:

I apologize that I didn't give more detail when I started this thread, but this has become more involved/detailed discussion than I envisioned. Let me give you the topography of my network as best as I can describe:

Firewall/Gateway: Mga2 box with 3 NICs which forwards traffic from the DMZ and the LAN to the Internet and back. The Internet facing NIC has a public IP. The DMZ is a private subnet with all fixed IPs. The LAN subnet also has all fixed IPs in the 192.168.0.0/24 range. Iptables firewall logs and drops all traffic that doesn't originate from these subnets.

LAN: All the LAN hosts have fixed IPs in the 192.168.0.0/24 range. Linux host firewalls block all outgoing traffic that doesn't originate from the assigned IP address. Windows/other hosts do whatever they do.

Wireless Router Attached to the LAN: The LAN facing NIC on the wireless router has a fixed IP of 192.168.0.100. The wireless interface is configured to assign IPs in the 192.168.2.0/24 range to the wireless hosts using DHCP.

Wireless Hosts: Connect to wireless router via DHCP. I believe these hosts are generating the martian packets.

I understand that the wireless hosts may identify themselves using other IPs due to other connection/configuration issues, but I can't understand how the kernel on the Mga2 gateway is ever able to see packets originating from 192.168.3.2 or any other unauthorized subnet. This is my major concern since it may indicate an error in my LAN configuration.

1) Is eth0 the interface facing the Internet?

No, this interface faces the LAN which has a 192.168.0.0/24 subnet.


2) Is 173.194.74.154 the IP address assigned (currently) to you by your ISP?

No, that IP returns to qe-in-f154.1e100.net which appears to be a server owned by Google.


3) If you ping 192.168.3.2 when you're getting the martians, do you get any response?

[root@Cedar1 /]# ping -c 5 192.168.3.2
PING 192.168.3.2 (192.168.3.2) 56(84) bytes of data.

--- 192.168.3.2 ping statistics ---
5 packets transmitted, 0 received, 100% packet loss, time 3999ms


4) What does "traceroute 192.168.3.2" from the gateway give?

[root@Cedar1 /]# traceroute 192.168.3.2
traceroute to 192.168.3.2 (192.168.3.2), 30 hops max, 60 byte packets
 1  74-94-209-242-BusName-VA.hfc.comcastbusiness.net (74.94.209.242)  0.670 ms  1.372 ms  1.686 ms
 2  * * *
 3  * * *
 4  * * *
 5  * * *
 6  * * *
 7  * * *
 8  * * *
 9  * * *
10  * * *
11  * * *
12  * * *
13  * * *
14  * * *
15  * * *
16  * * *
17  * * *
18  * * *
19  * * *
20  * * *
21  * * *
22  * * *
23  * * *
24  * * *
25  * * *
26  * * *
27  * * *
28  * * *
29  * * *
30  * * *

Well, isn't that interesting. That Comcast IP is the address of the ISP gateway I use. Both of my firewall/gateway boxes that are logging martian packets are connected to similar Comcast routers. The routers are configured in bridge mode so the router DHCP service has no effect on my connection, but it might still be active on the router. Also, each ISP router has a wireless interface, and that could still be active. My firewall doesn't block any private IPs coming from the Internet interface since the ISP routers would never forward them, so that explains how they get past the firewall.

I can reconfigure the firewall to block these, but now I'm wondering if this is a security issue and if I should try to change the ISP router settings. I really hate messing with router settings I haven't used before, but I hate unauthorized access even more. Thoughts?

Jeff
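The firewall change Jeff proposes above, as an added example written for this page and not the thread's own configuration: a POSIX sh script that emits iptables rules to log and drop packets arriving on the Internet-facing interface with an RFC 1918 or loopback source address, plus a small helper that checks an address against the same ranges so the decision can be verified offline. The interface name eth2, the chain name WAN_BOGON and the log prefix are assumed placeholders; the thread never names the Internet-facing NIC.

```shell
#!/bin/sh
# Added example, not from the thread: log and drop packets that arrive on the
# Internet-facing interface with a private (RFC 1918) or loopback source.
# Assumed placeholders: WAN NIC "eth2", chain WAN_BOGON, prefix "WAN-BOGON: ".
WAN_IF="${WAN_IF:-eth2}"
BOGON_SRCS="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8"

# ip4_to_int: dotted quad -> 32-bit integer, using only POSIX sh arithmetic.
ip4_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr IP NET/BITS: succeeds when IP lies inside the prefix.
in_cidr() {
    net="${2%/*}"; bits="${2#*/}"
    mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( $(ip4_to_int "$1") & mask )) -eq $(( $(ip4_to_int "$net") & mask )) ]
}

# is_bogon_src IP: prints "drop" when the address matches a filtered range,
# "accept" otherwise; the same decision the rules below make in the kernel.
is_bogon_src() {
    for n in $BOGON_SRCS; do
        if in_cidr "$1" "$n"; then echo drop; return 0; fi
    done
    echo accept
}

# wan_antispoof_rules: print the iptables/sysctl commands as a dry run so they
# can be reviewed, then piped to sh as root on the gateway to apply.
wan_antispoof_rules() {
    echo "iptables -N WAN_BOGON"
    echo "iptables -A WAN_BOGON -m limit --limit 5/min -j LOG --log-prefix 'WAN-BOGON: '"
    echo "iptables -A WAN_BOGON -j DROP"
    for n in $BOGON_SRCS; do
        # Inserted at position 1 so they run before any existing ACCEPT rules.
        echo "iptables -I INPUT 1 -i $WAN_IF -s $n -j WAN_BOGON"
        echo "iptables -I FORWARD 1 -i $WAN_IF -s $n -j WAN_BOGON"
    done
    # Reverse-path filtering rejects sources with no route back out that NIC.
    echo "sysctl -w net.ipv4.conf.$WAN_IF.rp_filter=1"
}

wan_antispoof_rules
```

Running the script prints the rules; `sh script.sh | sh` as root applies them, and matches then show up in the kernel log with the WAN-BOGON prefix.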
