LinuxQuestions.org
08-26-2004, 10:48 AM   #1
win32sux

hi guys. i was searching the forums about a very similar martian issue i'm having and i found this thread so i'm posting here...

my issue is with a simple slackware 9.1 gateway: iptables, dhcpd, dnsmasq, sshd, and squid (transparent)...

eth0 = (internet) 207.46.250.119

eth1 = (lan) 192.168.0.1


the martians in my logfile look like this:

Quote:
Aug 26 08:41:30 britney kernel: martian source 207.46.250.119 from 127.0.0.1, on dev eth0
Aug 26 08:41:30 britney kernel: ll header: 00:e0:7d:fb:f6:a2:00:c0:69:0b:65:dc:08:00

i'm getting a few of those every now and then... notice that the source ip is that of my internet interface... yet the packet seems to be coming from the loopback interface??

i'm still not sure what to think here... any input is greatly appreciated...

=)
 
08-26-2004, 05:31 PM   #2
Capt_Caveman

It's probably a spoofed packet. There are a number of possible ways these could be generated. If you could capture a few packets with tcpdump, it might be possible to identify why you're seeing them.

In general though, you should always have your firewall configured to log and drop these packets. This includes any of the IANA private or reserved IP addresses (like 192.168.X.X, 10.X.X.X) as these should never be coming into your external interface under normal conditions. Seeing them indicates either something is misconfigured or something malicious is occurring, so flat out dropping them or turning off the rp_filter are ill-advised.
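
Added example, not part of either post: a Python parser for the two log lines quoted in post #1 that labels each field and names the special-purpose range the source address falls in. It relies on the kernel's message layout, `martian source <destination> from <source>, on dev <interface>`, and on the colon-separated `ll header` dump shown in the quote; the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample: the two kernel log lines quoted in post #1.
SAMPLE_LOG = """\
Aug 26 08:41:30 britney kernel: martian source 207.46.250.119 from 127.0.0.1, on dev eth0
Aug 26 08:41:30 britney kernel: ll header: 00:e0:7d:fb:f6:a2:00:c0:69:0b:65:dc:08:00
"""

MARTIAN_RE = re.compile(r"martian source (\S+) from (\S+), on dev (\S+)")
# Assumes the colon-separated 14-octet dump format shown in the post.
LL_RE = re.compile(r"ll header: ((?:[0-9a-f]{2}:){13}[0-9a-f]{2})", re.I)


def classify(addr):
    """Name the special-purpose range an address falls in, else 'routable'."""
    ip = ipaddress.ip_address(addr)
    for label, hit in (("loopback", ip.is_loopback),
                       ("link-local", ip.is_link_local),
                       ("multicast", ip.is_multicast),
                       ("reserved", ip.is_reserved),
                       ("private", ip.is_private)):
        if hit:
            return label
    return "routable"


def parse_martians(log_text):
    """Pair each 'martian source' line with the 'll header' line after it."""
    events = []
    for line in log_text.splitlines():
        m = MARTIAN_RE.search(line)
        if m:
            # The kernel prints the destination first, then the claimed source.
            events.append({"dst": m.group(1), "src": m.group(2),
                           "dev": m.group(3),
                           "src_class": classify(m.group(2))})
            continue
        h = LL_RE.search(line)
        if h and events and "src_mac" not in events[-1]:
            octets = h.group(1).lower().split(":")
            # Ethernet header: dst MAC (6), src MAC (6), EtherType (08:00 = IPv4).
            events[-1]["dst_mac"] = ":".join(octets[0:6])
            events[-1]["src_mac"] = ":".join(octets[6:12])
            events[-1]["ethertype"] = "".join(octets[12:14])
    return events


if __name__ == "__main__":
    for ev in parse_martians(SAMPLE_LOG):
        print(ev)
```

The `src_mac` field is the on-link device that put the frame on the wire towards eth0, which is the hop to start from when tracing where such packets enter.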
 
08-26-2004, 05:33 PM   #3
Capt_Caveman

Moderator note: I'm splitting this into a new thread, as it looks like a different issue.
 
  


All times are GMT -5.
