08-14-2019, 12:30 AM   #1
Klaipedaville
Martian Packets from Dedicated Allocation (networks)


Hello guys,

Could anybody please advise me on an oddity in the kernel's logging of martian packets?

The reason is that it logs connections that come from privately allocated networks (dedicated allocation). These are not regular martians such as 0.0.0.0/8, 127.0.0.0/8 and the like but it looks like this,

Code:
martian source my-ip-address from 146.88.240.4, on dev eth0

When I check the "from" IP addresses in whois, their NetType: always says either Direct Allocation or Direct Assignment (feel free to check 146.88.240.4, it's the real one).

Now the question is how do I block it (iptables?) and should I be generally worried about it? I mean, are there any iptables or any other general rules to block it, because it will take me forever to block millions of IP addresses one by one. I can turn off martian logging of course and the problem is solved, but as far as I know I am not supposed to have them bugging my server's resources.

Would also highly appreciate it if someone could possibly guide me on how to check on my network, because these martians could also be the reason for some light network configuration issues. Although it's up and running perfectly well and I do not see any problems.

Many thanks in advance!
 
08-14-2019, 05:24 AM   #2
business_kid
If the IP keeps changing, I don't see how you can block them. Maybe if they're directed at a port or type, you can block those ports or types you're not using.
 
08-14-2019, 09:25 AM   #3
Klaipedaville
Original Poster
These are kinda martian packets, business kid. I mean to say they are most probably spoofed as nothing can be routed back to them. You can drop or reject let's say all the SYN packets by iptables for example -A INPUT -p tcp --syn -m state --state NEW -j DROP and I was wondering if there is anything like that for martian packets, for instance -A INPUT -p tcp --martian -m state --state NEW -j DROP.. or just any other general ways to block them in bulk, not one by one.. and there isn't just one IP, there are millions of them changing all the time..
 
08-14-2019, 10:52 AM   #4
business_kid
'Martian' isn't a packet type I came across. What's in the header? Can you get a MAC address, and is there anything there?
 
08-14-2019, 01:23 PM   #5
Klaipedaville
Original Poster
There are no headers. It's all at the kernel level. It's not seen anywhere else unless you turn on the logging. It simply wastes your server's resources. You turn it on like this in /etc/sysctl.conf:

net.ipv4.conf.all.log_martians
net.ipv4.conf.default.log_martians

Feel free to learn about martian packets here https://www.cyberciti.biz/faq/linux-...rce-addresses/ or simply google it.

Last edited by Klaipedaville; 08-14-2019 at 02:01 PM.
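
Added example, not part of any post in this thread: with martian logging enabled as in post #5, the log lines quoted in post #1 can be summarised per source address and interface to see whether the entries cluster on a few sources or one NIC. The function names and the sample log lines are constructed for illustration; 192.0.2.10 and 198.51.100.7 are documentation addresses standing in for real ones.

```shell
#!/usr/bin/env bash
# Added example: count kernel "martian source" log entries by source address
# and receiving interface. Function names are hypothetical helpers.

# Reads kernel log text on stdin and prints "count source dev",
# most frequent first.
summarize_martians() {
    awk '
        /martian source/ {
            for (i = 1; i <= NF; i++) {
                # The address after "from" is the packet source (trailing comma stripped).
                if ($i == "from") { src = $(i + 1); sub(/,$/, "", src) }
                # The word after "dev" is the interface the packet arrived on.
                if ($i == "dev")  { dev = $(i + 1) }
            }
            seen[src " " dev]++
        }
        END { for (k in seen) print seen[k], k }
    ' | sort -k1,1nr -k2,2
}

# Constructed sample input in the format shown in post #1.
sample_log() {
    cat <<'EOF'
Aug 14 00:29:58 host kernel: IPv4: martian source 192.0.2.10 from 146.88.240.4, on dev eth0
Aug 14 00:30:12 host kernel: eth0: link is up
Aug 14 00:30:41 host kernel: IPv4: martian source 192.0.2.10 from 146.88.240.4, on dev eth0
Aug 14 00:31:02 host kernel: IPv4: martian source 192.0.2.10 from 198.51.100.7, on dev eth1
EOF
}

# Demonstration on the constructed sample.
sample_log | summarize_martians
```

On a live system the same function can be fed from the kernel log, for example `dmesg | summarize_martians`.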