I ran 'netstat -r' on one of our internal LAN gateways in the night (after several idle hours of our LAN), and it gave an unexpected result:
192.168.1.2 pollux UGHD 0 6 rl0
(the above line repeated with 12 different IP addresses in the 192.168.1.1/24 range)
I wonder how these IP addresses can make connections, since these IP addresses are valid, but unused on our LAN, i.e. they are not assigned to any machines!
We use static IP addresses, but only in the IP address range 192.168.0.1/24.
IP address range 192.168.1.1/24 belongs to a non-existing subnet routed through an idle internal gateway server, named pollux.
That subnet actually does not exist, as there is nothing connected to the second interface of pollux.
Pollux itself should not make any connections, either, since it was only built for test purposes, and it should be idle since its last reboot. (There are services like sendmail, samba, pop3, ssh installed on pollux for test purposes, but they are not used by anyone since even the existence of this server is not known to any users on our LAN.)
I do not think that pollux would be corrupted, since it is inside our LAN, it should be efficiently separated from the internet by our internet firewall, especially since it never makes connections to the internet.
Besides, pollux, through which the 192.168.1.1/24 subnet is routed, does not seem to know about these connections, or at least 'netstat -r' does not list them there.
Could you give me an idea what is happening there? How to trace down the source of these connections?
I have just noticed that one user left his machine on for the night. It is a WinXP.
Can it make connections using IPs other than its own static IP?
Do you have anything like arpwatch running on the LAN gateway?
Samba on Pollux has to do the broadcast thing every 12 mins and it's quite possible to detect what it is offering on the unused interface if it is up.
Something like arpwatch would detect that and add it to its cache.
Type `arp` on the LAN gateway to see who it knows.
And if Pollux is up all the time, it would become the Master Browser by default...
Scan your windoze machines for viruses. An incrementing IP scan is a signature of recent viruses released over the past couple of months.
Otherwise, how is this machine connected to the internet? My cable provider uses 10.x.x.x for internal use and that conflicted with my network so I had to change to 192.168.x.x. Since installing a router those addresses are blocked.
This morning (8 hours ago) I restarted pollux, I do not know if this made any changes to its routing tables...
Anyway, the routes on castor (those mentioned in my first post) to the IP address range 192.168.1/24 remained untouched.
You may have noticed that pollux has no static routes to other servers (gateways) on our LAN, only to the default router. There are no static routes to pollux on other servers, too. It is because I did (do) not know how to add those routes 'on the fly' and I did not want to restart all servers just to add the routes.
Anyway, the default router has the static route to pollux, so all should be fine.
Strangely enough, the default router (and internet gateway) dmx does not have the separate routes to the IP addresses in the 192.168.1/24 subnet, either, it only has the static route to 192.168.1/32.
Now I think that you are right, and this thing may be due to samba, which does broadcasts even if a server is idle. (Both pollux and samba do the samba).
I have, however, another question, not closely related to the original question.
I suspect that the servernet connecting all of our servers together is not correctly configured, as one of the servers is configured to see a different netmask:
dmx 192.168.226.1/27 (this is the internet gateway and default router on our LAN)
all other servers: 192.168.226.x/29
As a result, I think dmx uses a different broadcast address than the other servers on the servernet.
Does this result in any problems?
(The network was set up by someone else who was regarded as a network guru, and I - the noob - did not dare to touch it so far)
As for our network connection: it is an mdsl connection. We have a firewall which does NAT, and I also provided it with rules against IP spoofing (e.g. incoming and outgoing private network IPs are denied, together with the oip/onetmask in via iif).
You certainly want to be cautious about any changes on a network, especially if you didn't originally set it up.
I can't see any reason that there should be a different netmask. I don't want to question a "guru", but I would have kept the netmask at /24 just to make subnetting easier. There are enough of the 192.168. addresses to handle this.
I would think that different broadcast addresses could certainly cause some strangeness like you are reporting. HTH.
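
The netmask mismatch raised in the last posts, worked through as an added example (not part of the thread and not any poster's code): it computes which broadcast address each host derives from its own mask, which host pairs disagree about being on the same link, and which broadcast addresses a peer would treat as an ordinary host. Only dmx's `192.168.226.1/27` comes from the thread; the `srv-*` names and host addresses are constructed stand-ins for `192.168.226.x/29`.

```python
import ipaddress
from itertools import combinations

# dmx is from the thread; srv-a/b/c are constructed (hypothetical) /29 hosts.
SERVERNET = {
    "dmx": "192.168.226.1/27",
    "srv-a": "192.168.226.2/29",
    "srv-b": "192.168.226.3/29",
    "srv-c": "192.168.226.10/29",
}

def parse(configs):
    return {name: ipaddress.ip_interface(c) for name, c in configs.items()}

def broadcast_groups(configs):
    """Group hosts by the directed-broadcast address their own netmask implies."""
    groups = {}
    for name, iface in sorted(parse(configs).items()):
        groups.setdefault(str(iface.network.broadcast_address), []).append(name)
    return groups

def asymmetric_pairs(configs):
    """Pairs where one host considers the other on-link but not the reverse."""
    ifaces = parse(configs)
    out = []
    for a, b in combinations(sorted(ifaces), 2):
        a_sees_b = ifaces[b].ip in ifaces[a].network
        b_sees_a = ifaces[a].ip in ifaces[b].network
        if a_sees_b != b_sees_a:
            out.append((a, b))
    return out

def broadcast_seen_as_host(configs):
    """(owner, broadcast, peer): peer's mask makes owner's broadcast a usable host address."""
    ifaces = parse(configs)
    hits = []
    for owner in sorted(ifaces):
        bcast = ifaces[owner].network.broadcast_address
        for peer in sorted(ifaces):
            net = ifaces[peer].network
            if peer != owner and bcast in net and bcast not in (
                    net.network_address, net.broadcast_address):
                hits.append((owner, str(bcast), peer))
    return hits

if __name__ == "__main__":
    print(broadcast_groups(SERVERNET))
    print(asymmetric_pairs(SERVERNET))
    print(broadcast_seen_as_host(SERVERNET))
```

More than one key in `broadcast_groups` means the segment has no single agreed broadcast address; any entry in `asymmetric_pairs` means one side sends directly while the other sends via its gateway.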