LinuxQuestions.org
Old 02-28-2014, 07:09 PM   #1
politick
LQ Newbie
 
Registered: Feb 2014
Posts: 4

Rep: Reputation: Disabled
Martian packets while NOT routing but multiple NICs.


Hi There,

What I'm looking for, my solution I think:
Make Ubuntu 12.02 accept "Martian packets".

I have an Ubuntu server connected to 3 different subnets:
- 172.22.0.0/18
- 172.22.64.0/18
- 172.22.255.0/255
BUT the Ubuntu is NOT routing between these subnets; another CISCO router is doing this. Ubuntu is just responsible for DNS.
It is also connected to 2 remote subnets 172.23.0.0/16 and 172.24.0.0/16.


My problem is that when a packet from one subnet reaches another subnet, it is marked as Martian and disappears into the ether...
So for example, a computer with IP 172.22.0.33 tries to SSH to 172.23.0.9; the connection is never accepted because it's a "martian" trying to connect.
But in my case, I want it to accept these "martians", as my network is a set of martians...
Also I don't have access to the CISCO configs that do the DHCPd, and all subnets are set to query the same DNS 172.22.0.9. But when the 172.22.255.101 computer queries the 172.22.0.9 DNS, Ubuntu logs a Martian packet and seems to "DROP" the packet into thin air. I can't see it in my firewall logs; I've added logs in the INPUT and FORWARD rules but these packets just don't make it there...???


ifconfig:
Code:
eth1      Link encap:Ethernet  HWaddr 00:0c:29:1a:f5:9b
          inet addr:172.22.0.9  Bcast:172.22.63.255  Mask:255.255.192.0
          inet6 addr: fe80::20c:29ff:fe1a:f59b/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:7461 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6732 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:656546 (656.5 KB)  TX bytes:3537896 (3.5 MB)

eth2      Link encap:Ethernet  HWaddr 00:0c:29:1a:f5:a5
          inet addr:172.22.64.9  Bcast:172.22.127.255  Mask:255.255.192.0
          inet6 addr: fe80::20c:29ff:fe1a:f5a5/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:200 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:26920 (26.9 KB)  TX bytes:468 (468.0 B)

eth3      Link encap:Ethernet  HWaddr 00:0c:29:1a:f5:af
          inet addr:172.22.255.9  Bcast:172.22.255.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fe1a:f5af/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1077 errors:0 dropped:0 overruns:0 frame:0
          TX packets:956 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:188024 (188.0 KB)  TX bytes:126509 (126.5 KB)

iptables:
Code:
Chain INPUT (policy DROP)
target     prot opt source               destination         
LOG        all  --  anywhere             anywhere             LOG level warning prefix "INPUT Packet Received:"
ACCEPT     all  --  anywhere             anywhere            
bad_packets  all  --  anywhere             anywhere            
DROP       all  --  anywhere             all-systems.mcast.net 
ACCEPT     all  --  localnet/18          anywhere            
ACCEPT     all  --  anywhere             172.22.63.255       
ACCEPT     all  --  172.22.255.0/24      anywhere            
ACCEPT     all  --  anywhere             172.22.255.255      
ACCEPT     all  --  172.22.64.0/18       anywhere            
ACCEPT     all  --  anywhere             172.22.127.255      
ACCEPT     udp  --  anywhere             anywhere             udp spt:bootpc dpt:bootps
ACCEPT     udp  --  anywhere             anywhere             udp spt:bootpc dpt:bootps
ACCEPT     udp  --  anywhere             anywhere             udp spt:bootpc dpt:bootps
ACCEPT     all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere             PKTTYPE = broadcast
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 3 LOG level warning prefix "INPUT packet died: "

Chain FORWARD (policy DROP)
target     prot opt source               destination         
LOG        all  --  anywhere             anywhere             LOG level warning prefix "FORWARDING Packet ???:"
bad_packets  all  --  anywhere             anywhere            
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 3 LOG level warning prefix "FORWARD packet died: "

Chain OUTPUT (policy DROP)
target     prot opt source               destination         
LOG        icmp --  anywhere             anywhere             state INVALID LOG level warning prefix "OUTPUT Dropping invalid PING:"
DROP       icmp --  anywhere             anywhere             state INVALID
ACCEPT     all  --  localhost            anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  172.22.0.9           anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  172.22.255.9         anywhere            
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  172.22.64.9          anywhere            
ACCEPT     all  --  anywhere             anywhere            
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 3 LOG level warning prefix "OUTPUT packet died: "

Chain bad_packets (2 references)
target     prot opt source               destination         
LOG        all  --  anywhere             anywhere             state INVALID LOG level warning prefix "Invalid packet 01: "
DROP       all  --  anywhere             anywhere             state INVALID
bad_tcp_packets  tcp  --  anywhere             anywhere            
RETURN     all  --  anywhere             anywhere            

Chain bad_tcp_packets (1 references)
target     prot opt source               destination         
RETURN     tcp  --  anywhere             anywhere            
RETURN     tcp  --  anywhere             anywhere            
LOG        tcp  --  anywhere             anywhere             tcpflags:! FIN,SYN,RST,ACK/SYN state NEW LOG level warning prefix "New not syn: "
DROP       tcp  --  anywhere             anywhere             tcpflags:! FIN,SYN,RST,ACK/SYN state NEW
LOG        tcp  --  anywhere             anywhere             tcpflags: FIN,SYN,RST,PSH,ACK,URG/NONE LOG level warning prefix "Stealth scan: "
DROP       tcp  --  anywhere             anywhere             tcpflags: FIN,SYN,RST,PSH,ACK,URG/NONE
LOG        tcp  --  anywhere             anywhere             tcpflags: FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG LOG level warning prefix "Stealth scan: "
DROP       tcp  --  anywhere             anywhere             tcpflags: FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG
LOG        tcp  --  anywhere             anywhere             tcpflags: FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG LOG level warning prefix "Stealth scan: "
DROP       tcp  --  anywhere             anywhere             tcpflags: FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG
LOG        tcp  --  anywhere             anywhere             tcpflags: FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,ACK,URG LOG level warning prefix "Stealth scan: "
DROP       tcp  --  anywhere             anywhere             tcpflags: FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,ACK,URG
LOG        tcp  --  anywhere             anywhere             tcpflags: SYN,RST/SYN,RST LOG level warning prefix "Stealth scan: "
DROP       tcp  --  anywhere             anywhere             tcpflags: SYN,RST/SYN,RST
LOG        tcp  --  anywhere             anywhere             tcpflags: FIN,SYN/FIN,SYN LOG level warning prefix "Stealth scan: "
DROP       tcp  --  anywhere             anywhere             tcpflags: FIN,SYN/FIN,SYN
RETURN     tcp  --  anywhere             anywhere            

Chain icmp_packets (0 references)
target     prot opt source               destination         
LOG        icmp -f  anywhere             anywhere             LOG level warning prefix "ICMP Fragment: "
DROP       icmp -f  anywhere             anywhere            
LOG        icmp --  anywhere             anywhere             LOG level warning prefix "ICMP PING Received: "
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
ACCEPT     icmp --  anywhere             anywhere             icmp time-exceeded
RETURN     icmp --  anywhere             anywhere            
LOG        icmp --  anywhere             anywhere             LOG level warning prefix "ICMP PING Received: "

Chain tcp_inbound (0 references)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:openvpn
RETURN     tcp  --  anywhere             anywhere            

Chain tcp_outbound (0 references)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             anywhere            

Chain udp_inbound (0 references)
target     prot opt source               destination         
DROP       udp  --  anywhere             anywhere             udp dpt:netbios-ns
DROP       udp  --  anywhere             anywhere             udp dpt:netbios-dgm
ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain
ACCEPT     udp  --  anywhere             anywhere             udp spt:bootps dpt:bootpc
RETURN     udp  --  anywhere             anywhere            

Chain udp_outbound (0 references)
target     prot opt source               destination         
ACCEPT     udp  --  anywhere             anywhere

I've also tried to get the right default GW on the right interface.

Code:
ip route add 172.22.255.0/24 dev eth3 src 172.22.255.9 table admin
ip route add default via 172.22.255.1 dev eth3 table admin

ip route add 172.22.64.0/18 dev eth2 src 172.22.64.9 table admin
ip route add default via 172.22.64.1 dev eth2 table admin

ip route add 172.22.0.0/18 dev eth1 src 172.22.0.9 table admin
ip route add default via 172.22.0.1 dev eth1 table admin



ip rule add from 172.22.255.0/24 table admin
ip rule add to   172.22.255.0/24 table admin

ip rule add from 172.22.64.0/18 table admin
ip rule add to   172.22.64.0/18 table admin

ip rule add from 172.22.0.0/18 table admin
ip rule add to   172.22.0.0/18 table admin

Kind Regards,
Martin Politick 2014.

Last edited by politick; 03-03-2014 at 04:56 PM.
 
Old 03-04-2014, 09:10 AM   #2
nikmit
Member
 
Registered: May 2011
Location: Nottingham, UK
Distribution: Debian
Posts: 178

Rep: Reputation: 34
Check the last post in http://www.linuxquestions.org/questi...ackets-937275/

rp_forward should solve it.
 
Old 03-04-2014, 12:20 PM   #3
politick
LQ Newbie
 
Registered: Feb 2014
Posts: 4

Original Poster
Rep: Reputation: Disabled
Thanks Tim but I don't have that option in my kernel:
I'm running Ubuntu 12.04:
Code:
-rw-r--r-- 1 root root 0 Feb 28 15:45 accept_local
-rw-r--r-- 1 root root 0 Feb 28 15:56 accept_redirects
-rw-r--r-- 1 root root 0 Feb 28 15:56 accept_source_route
-rw-r--r-- 1 root root 0 Feb 28 15:43 arp_accept
-rw-r--r-- 1 root root 0 Feb 28 15:43 arp_announce
-rw-r--r-- 1 root root 0 Feb 28 15:43 arp_filter
-rw-r--r-- 1 root root 0 Feb 28 15:43 arp_ignore
-rw-r--r-- 1 root root 0 Feb 28 15:43 arp_notify
-rw-r--r-- 1 root root 0 Feb 28 15:43 bootp_relay
-rw-r--r-- 1 root root 0 Feb 28 15:43 disable_policy
-rw-r--r-- 1 root root 0 Feb 28 15:43 disable_xfrm
-rw-r--r-- 1 root root 0 Feb 28 15:43 force_igmp_version
-rw-r--r-- 1 root root 0 Feb 28 15:43 forwarding
-rw-r--r-- 1 root root 0 Mar  4 09:03 log_martians
-r--r--r-- 1 root root 0 Feb 28 15:43 mc_forwarding
-rw-r--r-- 1 root root 0 Feb 28 15:43 medium_id
-rw-r--r-- 1 root root 0 Feb 28 15:43 promote_secondaries
-rw-r--r-- 1 root root 0 Feb 28 15:43 proxy_arp
-rw-r--r-- 1 root root 0 Feb 28 15:43 proxy_arp_pvlan
-rw-r--r-- 1 root root 0 Mar  4 09:02 rp_filter
-rw-r--r-- 1 root root 0 Feb 28 15:56 secure_redirects
-rw-r--r-- 1 root root 0 Feb 28 15:43 send_redirects
-rw-r--r-- 1 root root 0 Feb 28 15:43 shared_media
-rw-r--r-- 1 root root 0 Feb 28 15:43 src_valid_mark
-rw-r--r-- 1 root root 0 Feb 28 15:43 tag
root@gateway:/proc/sys/net/ipv4/conf/all#
I tried echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
that didn't fix it. There might be a few more options to set to NULL before it works...
I'll continue searching.

Kind Regards,
Martin Politick.
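One check worth making at this point: the kernel applies the larger of conf/all/rp_filter and conf/<iface>/rp_filter to each interface, so writing 0 to conf/all alone leaves an interface in strict mode if its own value is still 1 (on Ubuntu, new interfaces inherit 1 from conf/default). The script below is an added example, not from the thread, that reports the effective value per interface; it reads the live /proc tree when one is present and otherwise builds a constructed sample tree shaped like the host in this thread.

```shell
#!/bin/sh
# Added example, not from the thread: show the rp_filter mode that really
# applies per interface. The kernel uses the larger of conf/all/rp_filter
# and conf/<iface>/rp_filter, so writing 0 to conf/all alone leaves any
# interface that still holds 1 in strict mode.

# effective_rp_filter CONF IFACE -> prints 0, 1 or 2
effective_rp_filter() {
   all=$(cat "$1/all/rp_filter")
   dev=$(cat "$1/$2/rp_filter")
   if [ "$all" -gt "$dev" ]; then echo "$all"; else echo "$dev"; fi
}

# describe MODE -> what that rp_filter value means for incoming packets
describe() {
   case "$1" in
      0) echo "off: no source validation" ;;
      1) echo "strict: source must route back out the ingress interface" ;;
      2) echo "loose: source must be reachable via any interface" ;;
      *) echo "unknown value $1" ;;
   esac
}

# report CONF -> one line per real interface (skips all, default and lo)
report() {
   for d in "$1"/*/; do
      iface=$(basename "$d")
      case "$iface" in all|default|lo) continue ;; esac
      mode=$(effective_rp_filter "$1" "$iface")
      echo "$iface rp_filter=$mode ($(describe "$mode"))"
   done
}

# make_sample -> constructed conf tree shaped like the thread's host:
# conf/all cleared to 0, eth1 and eth2 still at the inherited default of 1.
make_sample() {
   tmp=$(mktemp -d)
   for d in all eth1 eth2 eth3; do mkdir -p "$tmp/$d"; done
   echo 0 > "$tmp/all/rp_filter"
   echo 1 > "$tmp/eth1/rp_filter"
   echo 1 > "$tmp/eth2/rp_filter"
   echo 0 > "$tmp/eth3/rp_filter"
   echo "$tmp"
}

# Use the live tree if this host has one, otherwise the constructed sample.
CONF=${1:-/proc/sys/net/ipv4/conf}
[ -d "$CONF/all" ] || CONF=$(make_sample)
report "$CONF"
```

To clear strict filtering for real, both conf/all/rp_filter and conf/<iface>/rp_filter for the interface in question have to be lowered.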
 
Old 03-04-2014, 12:23 PM   #4
politick
LQ Newbie
 
Registered: Feb 2014
Posts: 4

Original Poster
Rep: Reputation: Disabled
I've tried to turn everything off:
Code:
cat /proc/sys/net/ipv4/conf/all/*
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
Still does not accept...
 
Old 03-05-2014, 05:23 PM   #5
politick
LQ Newbie
 
Registered: Feb 2014
Posts: 4

Original Poster
Rep: Reputation: Disabled
I think the problem was with my misunderstanding of rt_tables.

I created this script that I call from my firewall script.
It creates 3 table entries in rt_tables.

Code:
#!/bin/sh
# Create one routing table per subnet in /etc/iproute2/rt_tables, then add
# the policy rules and per-table routes. Safe to run more than once.

RT_TABLES=/etc/iproute2/rt_tables

# add_table ID NAME: register the named table unless it is already listed
add_table() {
   if grep -q "$2" "$RT_TABLES"
   then
      echo "$2 table exists in rt_tables"
   else
      echo "$1 $2" >> "$RT_TABLES"
   fi
}

add_table 1 mlan
add_table 2 wlan
add_table 3 voip

# The first rule added without an explicit priority gets 32765 (just above
# the main-table rule), so seeing it means the rules are already loaded.
if ip rule | grep -q 32765
then
   echo RoutingRules already enabled
else
   ip rule add from 172.22.255.0/24 table voip
   ip rule add to   172.22.255.0/24 table voip

   ip rule add from 172.22.64.0/18  table wlan
   ip rule add to   172.22.64.0/18  table wlan

   ip rule add from 172.22.0.0/18   table mlan
   ip rule add to   172.22.0.0/18   table mlan
fi

# Each table gets its own connected route and a default via that subnet's
# router, so replies leave by the interface the request arrived on.
if ip route list table voip | grep -q default
then
   echo Routes already defined
else
   ip route add 172.22.255.0/24 dev eth3 src 172.22.255.9 table voip
   ip route add 172.22.64.0/18  dev eth2 src 172.22.64.9  table wlan
   ip route add 172.22.0.0/18   dev eth1 src 172.22.0.9   table mlan

   ip route add default via 172.22.255.1 dev eth3 table voip
   ip route add default via 172.22.64.1  dev eth2 table wlan
   ip route add default via 172.22.0.1   dev eth1 table mlan
fi

I hope this may help someone some day.
Kind Regards,
Martin Politick.
 