Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game. |
02-28-2014, 07:09 PM  #1
LQ Newbie | Registered: Feb 2014 | Posts: 4
Martian packets while NOT routing but multiple NICs.
Hi There,
What I'm looking for (my solution, I think):
Make Ubuntu 12.04 accept "Martian packets".
I have an Ubuntu server connected to 3 different subnets:
- 172.22.0.0/18
- 172.22.64.0/18
- 172.22.255.0/24
BUT Ubuntu is NOT routing between these subnets; another Cisco router is doing this. Ubuntu is just responsible for DNS.
It is also connected to 2 remote subnets, 172.23.0.0/16 and 172.24.0.0/16.
My problem is that whenever a packet from one subnet reaches another subnet, the packet is marked as Martian and disappears into the ether...
So, for example, when a computer with IP 172.22.0.33 tries to SSH to 172.23.0.9, the connection is never accepted because it's a "martian" trying to connect.
But in my case I want it to accept these "martians", as my network is a set of martians...
Also, I don't have access to the Cisco configs that do the DHCPd, and all subnets are set to query the same DNS, 172.22.0.9. But when the computer 172.22.255.101 queries the DNS at 172.22.0.9, Ubuntu logs a Martian packet and seems to "DROP" the packet into thin air. I can't see it in my firewall logs; I've added LOG rules in the INPUT and FORWARD chains but these packets just don't make it there...???
ifconfig:
Code:
eth1 Link encap:Ethernet HWaddr 00:0c:29:1a:f5:9b
inet addr:172.22.0.9 Bcast:172.22.63.255 Mask:255.255.192.0
inet6 addr: fe80::20c:29ff:fe1a:f59b/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:7461 errors:0 dropped:0 overruns:0 frame:0
TX packets:6732 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:656546 (656.5 KB) TX bytes:3537896 (3.5 MB)
eth2 Link encap:Ethernet HWaddr 00:0c:29:1a:f5:a5
inet addr:172.22.64.9 Bcast:172.22.127.255 Mask:255.255.192.0
inet6 addr: fe80::20c:29ff:fe1a:f5a5/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:200 errors:0 dropped:0 overruns:0 frame:0
TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:26920 (26.9 KB) TX bytes:468 (468.0 B)
eth3 Link encap:Ethernet HWaddr 00:0c:29:1a:f5:af
inet addr:172.22.255.9 Bcast:172.22.255.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fe1a:f5af/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1077 errors:0 dropped:0 overruns:0 frame:0
TX packets:956 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:188024 (188.0 KB) TX bytes:126509 (126.5 KB)
iptables:
Code:
Chain INPUT (policy DROP)
target prot opt source destination
LOG all -- anywhere anywhere LOG level warning prefix "INPUT Packet Received:"
ACCEPT all -- anywhere anywhere
bad_packets all -- anywhere anywhere
DROP all -- anywhere all-systems.mcast.net
ACCEPT all -- localnet/18 anywhere
ACCEPT all -- anywhere 172.22.63.255
ACCEPT all -- 172.22.255.0/24 anywhere
ACCEPT all -- anywhere 172.22.255.255
ACCEPT all -- 172.22.64.0/18 anywhere
ACCEPT all -- anywhere 172.22.127.255
ACCEPT udp -- anywhere anywhere udp spt:bootpc dpt:bootps
ACCEPT udp -- anywhere anywhere udp spt:bootpc dpt:bootps
ACCEPT udp -- anywhere anywhere udp spt:bootpc dpt:bootps
ACCEPT all -- anywhere anywhere
DROP all -- anywhere anywhere PKTTYPE = broadcast
LOG all -- anywhere anywhere limit: avg 3/min burst 3 LOG level warning prefix "INPUT packet died: "
Chain FORWARD (policy DROP)
target prot opt source destination
LOG all -- anywhere anywhere LOG level warning prefix "FORWARDING Packet ???:"
bad_packets all -- anywhere anywhere
LOG all -- anywhere anywhere limit: avg 3/min burst 3 LOG level warning prefix "FORWARD packet died: "
Chain OUTPUT (policy DROP)
target prot opt source destination
LOG icmp -- anywhere anywhere state INVALID LOG level warning prefix "OUTPUT Dropping invalid PING:"
DROP icmp -- anywhere anywhere state INVALID
ACCEPT all -- localhost anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- 172.22.0.9 anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- 172.22.255.9 anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- 172.22.64.9 anywhere
ACCEPT all -- anywhere anywhere
LOG all -- anywhere anywhere limit: avg 3/min burst 3 LOG level warning prefix "OUTPUT packet died: "
Chain bad_packets (2 references)
target prot opt source destination
LOG all -- anywhere anywhere state INVALID LOG level warning prefix "Invalid packet 01: "
DROP all -- anywhere anywhere state INVALID
bad_tcp_packets tcp -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain bad_tcp_packets (1 references)
target prot opt source destination
RETURN tcp -- anywhere anywhere
RETURN tcp -- anywhere anywhere
LOG tcp -- anywhere anywhere tcpflags:! FIN,SYN,RST,ACK/SYN state NEW LOG level warning prefix "New not syn: "
DROP tcp -- anywhere anywhere tcpflags:! FIN,SYN,RST,ACK/SYN state NEW
LOG tcp -- anywhere anywhere tcpflags: FIN,SYN,RST,PSH,ACK,URG/NONE LOG level warning prefix "Stealth scan: "
DROP tcp -- anywhere anywhere tcpflags: FIN,SYN,RST,PSH,ACK,URG/NONE
LOG tcp -- anywhere anywhere tcpflags: FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG LOG level warning prefix "Stealth scan: "
DROP tcp -- anywhere anywhere tcpflags: FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG
LOG tcp -- anywhere anywhere tcpflags: FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG LOG level warning prefix "Stealth scan: "
DROP tcp -- anywhere anywhere tcpflags: FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG
LOG tcp -- anywhere anywhere tcpflags: FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,ACK,URG LOG level warning prefix "Stealth scan: "
DROP tcp -- anywhere anywhere tcpflags: FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,ACK,URG
LOG tcp -- anywhere anywhere tcpflags: SYN,RST/SYN,RST LOG level warning prefix "Stealth scan: "
DROP tcp -- anywhere anywhere tcpflags: SYN,RST/SYN,RST
LOG tcp -- anywhere anywhere tcpflags: FIN,SYN/FIN,SYN LOG level warning prefix "Stealth scan: "
DROP tcp -- anywhere anywhere tcpflags: FIN,SYN/FIN,SYN
RETURN tcp -- anywhere anywhere
Chain icmp_packets (0 references)
target prot opt source destination
LOG icmp -f anywhere anywhere LOG level warning prefix "ICMP Fragment: "
DROP icmp -f anywhere anywhere
LOG icmp -- anywhere anywhere LOG level warning prefix "ICMP PING Received: "
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
RETURN icmp -- anywhere anywhere
LOG icmp -- anywhere anywhere LOG level warning prefix "ICMP PING Received: "
Chain tcp_inbound (0 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT tcp -- anywhere anywhere tcp dpt:openvpn
RETURN tcp -- anywhere anywhere
Chain tcp_outbound (0 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere
Chain udp_inbound (0 references)
target prot opt source destination
DROP udp -- anywhere anywhere udp dpt:netbios-ns
DROP udp -- anywhere anywhere udp dpt:netbios-dgm
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT udp -- anywhere anywhere udp spt:bootps dpt:bootpc
RETURN udp -- anywhere anywhere
Chain udp_outbound (0 references)
target prot opt source destination
ACCEPT udp -- anywhere anywhere
I've also tried to get the right default GW on the right interface.
Code:
ip route add 172.22.255.0/24 dev eth3 src 172.22.255.9 table admin
ip route add default via 172.22.255.1 dev eth3 table admin
ip route add 172.22.64.0/18 dev eth2 src 172.22.64.9 table admin
ip route add default via 172.22.64.1 dev eth2 table admin
ip route add 172.22.0.0/18 dev eth1 src 172.22.0.9 table admin
ip route add default via 172.22.0.1 dev eth1 table admin
ip rule add from 172.22.255.0/24 table admin
ip rule add to 172.22.255.0/24 table admin
ip rule add from 172.22.64.0/18 table admin
ip rule add to 172.22.64.0/18 table admin
ip rule add from 172.22.0.0/18 table admin
ip rule add to 172.22.0.0/18 table admin
Kind Regards,
Martin Politick 2014.
Last edited by politick; 03-03-2014 at 04:56 PM.
03-04-2014, 09:10 AM  #2
Member | Registered: May 2011 | Location: Nottingham, UK | Distribution: Debian | Posts: 178
03-04-2014, 12:20 PM  #3
LQ Newbie (Original Poster) | Registered: Feb 2014 | Posts: 4
Thanks Tim, but I don't have that option in my kernel. I'm running Ubuntu 12.04:
Code:
-rw-r--r-- 1 root root 0 Feb 28 15:45 accept_local
-rw-r--r-- 1 root root 0 Feb 28 15:56 accept_redirects
-rw-r--r-- 1 root root 0 Feb 28 15:56 accept_source_route
-rw-r--r-- 1 root root 0 Feb 28 15:43 arp_accept
-rw-r--r-- 1 root root 0 Feb 28 15:43 arp_announce
-rw-r--r-- 1 root root 0 Feb 28 15:43 arp_filter
-rw-r--r-- 1 root root 0 Feb 28 15:43 arp_ignore
-rw-r--r-- 1 root root 0 Feb 28 15:43 arp_notify
-rw-r--r-- 1 root root 0 Feb 28 15:43 bootp_relay
-rw-r--r-- 1 root root 0 Feb 28 15:43 disable_policy
-rw-r--r-- 1 root root 0 Feb 28 15:43 disable_xfrm
-rw-r--r-- 1 root root 0 Feb 28 15:43 force_igmp_version
-rw-r--r-- 1 root root 0 Feb 28 15:43 forwarding
-rw-r--r-- 1 root root 0 Mar 4 09:03 log_martians
-r--r--r-- 1 root root 0 Feb 28 15:43 mc_forwarding
-rw-r--r-- 1 root root 0 Feb 28 15:43 medium_id
-rw-r--r-- 1 root root 0 Feb 28 15:43 promote_secondaries
-rw-r--r-- 1 root root 0 Feb 28 15:43 proxy_arp
-rw-r--r-- 1 root root 0 Feb 28 15:43 proxy_arp_pvlan
-rw-r--r-- 1 root root 0 Mar 4 09:02 rp_filter
-rw-r--r-- 1 root root 0 Feb 28 15:56 secure_redirects
-rw-r--r-- 1 root root 0 Feb 28 15:43 send_redirects
-rw-r--r-- 1 root root 0 Feb 28 15:43 shared_media
-rw-r--r-- 1 root root 0 Feb 28 15:43 src_valid_mark
-rw-r--r-- 1 root root 0 Feb 28 15:43 tag
root@gateway:/proc/sys/net/ipv4/conf/all#
I tried echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter; that didn't fix it. There might be a few more options to set to NULL before it works...
I'll continue searching.
Kind Regards,
Martin Politick.
03-04-2014, 12:23 PM  #4
LQ Newbie (Original Poster) | Registered: Feb 2014 | Posts: 4
I've tried to turn everything off:
Code:
cat /proc/sys/net/ipv4/conf/all/*
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
0
Still does not accept...
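Two things in the posts above follow directly from how the kernel implements the reverse-path check, and the script below (an added example for this thread, not the poster's code) makes both testable without root. First, the packets never reach the INPUT or FORWARD LOG rules because rp_filter runs inside the routing decision, after the PREROUTING hook and before LOCAL_IN; a rule in the raw table, e.g. `iptables -t raw -I PREROUTING -s 172.22.255.101 -j LOG --log-prefix "pre-route: "`, is the only filter position that still sees them, and with log_martians=1 the kernel's own line reads `martian source <dst> from <src>, on dev <ingress>` (destination first, then source). Second, the value applied to an interface is max(conf/all/rp_filter, conf/<dev>/rp_filter), which is why writing 0 to conf/all in post #3 changed nothing while Ubuntu 12.04's default conf/<dev>/rp_filter=1 (inherited from conf/default) stayed in force. For the validation itself the kernel looks up the packet's source address with the packet's destination as the lookup source, through the normal policy rules (fib_validate_source); in strict mode (1) the answer's device must equal the ingress device, loose mode (2) only needs some route back, and 0 disables the check and with it the anti-spoofing it gives a DNS server. `ip route get <src> from <dst>` approximates that lookup closely enough to predict the verdict. The function names and the optional PROCROOT argument (so the max() logic can be exercised against a fake /proc tree) are this example's own.

```shell
#!/bin/sh
# rpcheck.sh: predict the kernel's reverse-path (rp_filter) verdict for one
# packet. Added example for this thread, not the poster's code; function names
# and the optional PROCROOT argument are this example's own.
#
#   sh rpcheck.sh <packet-src> <packet-dst> <ingress-dev>
#   sh rpcheck.sh 172.22.255.101 172.22.0.9 eth1

# The kernel applies max(conf/all/rp_filter, conf/<dev>/rp_filter) to <dev>,
# so zeroing conf/all alone leaves a per-interface 1 (strict) in force.
# PROCROOT (2nd arg) defaults to /proc; tests point it at a fake tree.
effective_rp_filter() {   # dev [procroot]
    root=${2:-/proc}
    all=$(cat "$root/sys/net/ipv4/conf/all/rp_filter" 2>/dev/null || echo 0)
    dev=$(cat "$root/sys/net/ipv4/conf/$1/rp_filter" 2>/dev/null || echo 0)
    if [ "$all" -gt "$dev" ]; then echo "$all"; else echo "$dev"; fi
}

# Pull "dev X" out of an "ip route get" answer such as
#   172.22.255.101 from 172.22.0.9 dev eth3 src 172.22.255.9
parse_route_dev() {
    printf '%s\n' "$1" | sed -n 's/.* dev \([^ ]*\).*/\1/p' | head -n 1
}

# Verdict of the reverse-path check for the mode in force:
#   0 (off)    always accept
#   1 (strict) the route back to the source must leave via the ingress NIC
#   2 (loose)  any route back to the source is enough
# Prints "accept" or "martian".
rp_verdict() {   # mode ingress-dev route-dev
    case "$1" in
        0) echo accept ;;
        1) if [ -n "$3" ] && [ "$3" = "$2" ]; then echo accept; else echo martian; fi ;;
        2) if [ -n "$3" ]; then echo accept; else echo martian; fi ;;
        *) echo "unknown rp_filter mode $1" >&2; echo martian ;;
    esac
}

# fib_validate_source() looks up the packet's SOURCE as destination with the
# packet's DESTINATION as source, through the normal policy rules, so
# "ip route get <src> from <dst>" is a close approximation of that lookup.
check_packet() {   # src dst ingress-dev
    answer=$(ip route get "$1" from "$2" 2>/dev/null)
    rdev=$(parse_route_dev "$answer")
    mode=$(effective_rp_filter "$3")
    printf 'src=%s dst=%s in=%s rp_filter=%s reverse-route-dev=%s -> %s\n' \
        "$1" "$2" "$3" "$mode" "${rdev:-none}" "$(rp_verdict "$mode" "$3" "$rdev")"
}

if [ "$#" -eq 3 ]; then
    check_packet "$@"
fi
```

For the thread's setup: if 172.22.255.101's query for 172.22.0.9 comes in on eth1 through the Cisco router, `ip route get 172.22.255.101 from 172.22.0.9` answers `dev eth3` from the connected route in the main table, so strict mode rejects it; with post #5's `from 172.22.0.0/18 table mlan` rule the same lookup lands in table mlan, whose default route leaves via eth1, and the packet is accepted with rp_filter still at 1. The thread does not say which NIC the packet arrived on; `sh rpcheck.sh 172.22.255.101 172.22.0.9 eth1` and the same with `eth3` give the verdict for each case. Prefer loose mode (2, available on the 12.04 kernel) over 0 if per-NIC tables are not an option.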
03-05-2014, 05:23 PM  #5
LQ Newbie (Original Poster) | Registered: Feb 2014 | Posts: 4
I think the problem was my misunderstanding of rt_tables.
I created this script, which I call from my firewall script.
It creates 3 table entries in rt_tables:
Code:
#!/bin/sh
# One routing table per NIC, so that replies (and the kernel's reverse-path
# check, which consults the same rules) use the interface the packet came in on.

RT_TABLES=/etc/iproute2/rt_tables

# Register a table name/number once. Match the name as a whole word at the end
# of the line: a plain "grep mlan" would also match any other line containing it.
add_table() {   # id name
    if grep -q "[[:space:]]$2\$" "$RT_TABLES"; then
        echo "$2 table exists in rt_tables"
    else
        echo "$1 $2" >> "$RT_TABLES"
    fi
}
add_table 1 mlan
add_table 2 wlan
add_table 3 voip

# The first rule added gets priority 32765 (just above main's 32766), so its
# presence means the rules are in place; "ip rule add" would otherwise create
# duplicates on every run of the firewall script.
if ip rule | grep -q '^32765:'; then
    echo RoutingRules already enabled
else
    ip rule add from 172.22.255.0/24 table voip
    ip rule add to 172.22.255.0/24 table voip
    ip rule add from 172.22.64.0/18 table wlan
    ip rule add to 172.22.64.0/18 table wlan
    ip rule add from 172.22.0.0/18 table mlan
    ip rule add to 172.22.0.0/18 table mlan
fi

# Per table: the connected route plus that subnet's own gateway as default.
if ip route list table voip | grep -q default; then
    echo Routes already defined
else
    ip route add 172.22.255.0/24 dev eth3 src 172.22.255.9 table voip
    ip route add 172.22.64.0/18 dev eth2 src 172.22.64.9 table wlan
    ip route add 172.22.0.0/18 dev eth1 src 172.22.0.9 table mlan
    ip route add default via 172.22.255.1 dev eth3 table voip
    ip route add default via 172.22.64.1 dev eth2 table wlan
    ip route add default via 172.22.0.1 dev eth1 table mlan
fi
I hope this may help someone some day.
Kind Regards,
Martin Politick.
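The script above fixes the three subnets in place. As an added example (not the poster's script and not from the iproute2 documentation), the following generalises it: it derives each subnet from the NIC's address/prefix, uses `ip route replace` so reruns from a firewall script are harmless, checks `ip rule show` before adding a rule because older iproute2 silently adds duplicates, and prints the commands first so they can be reviewed before being applied as root. The devices, addresses, .1 gateways and table names/ids are the ones from the thread; the script name, the DRY_RUN switch and the function names are this example's own. The security point is that strict rp_filter=1 can stay on: the `from <subnet>` rule also steers the kernel's reverse-path lookup (which swaps source and destination), so a packet addressed to a NIC's own address is validated against a table whose default route leaves via that NIC, and there is no need to zero conf/*/rp_filter on the DNS server.

```shell
#!/bin/sh
# mkpolicy.sh: per-NIC policy routing for a multi-homed host that is not a
# router. Added example for this thread, not the poster's script. Devices,
# addresses, gateways and table names/ids are the ones from the thread; the
# script name, DRY_RUN switch and function names are this example's own.
#
#   sh mkpolicy.sh plan    # print the ip(8) commands (DRY_RUN=1, the default)
#   sh mkpolicy.sh apply   # run them (needs root)

DRY_RUN=${DRY_RUN:-1}
RT_TABLES=${RT_TABLES:-/etc/iproute2/rt_tables}

# device  address/prefix  gateway  table-name  table-id
IFACES='
eth1 172.22.0.9/18   172.22.0.1   mlan 1
eth2 172.22.64.9/18  172.22.64.1  wlan 2
eth3 172.22.255.9/24 172.22.255.1 voip 3
'

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# Dotted quad <-> 32-bit integer, POSIX arithmetic only.
ip2int() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}
# 172.22.64.9/18 -> 172.22.64.0/18: the prefix the rules and connected route use.
cidr_network() {
    addr=${1%/*}; plen=${1#*/}
    if [ "$plen" -eq 0 ]; then mask=0
    else mask=$(( (4294967295 << (32 - plen)) & 4294967295 )); fi
    echo "$(int2ip $(( $(ip2int "$addr") & mask )))/$plen"
}

# Register the table name once; a bare "grep name" would match any line
# containing that text.
ensure_table() {   # id name
    grep -q "[[:space:]]$2\$" "$RT_TABLES" 2>/dev/null ||
        run sh -c "echo '$1 $2' >> '$RT_TABLES'"
}

# Routes are idempotent via "replace"; ip rule has no replace and older
# iproute2 adds duplicates silently, so look before adding. The "from <net>"
# rule is the one that satisfies the reverse-path lookup for packets sent to
# this NIC's address, letting rp_filter stay at 1.
policy_for() {   # dev addr/prefix gw table
    net=$(cidr_network "$2")
    run ip route replace "$net" dev "$1" src "${2%/*}" table "$4"
    run ip route replace default via "$3" dev "$1" table "$4"
    ip rule show 2>/dev/null | grep -q "from $net lookup $4" ||
        run ip rule add from "$net" table "$4"
    ip rule show 2>/dev/null | grep -q "to $net lookup $4" ||
        run ip rule add to "$net" table "$4"
}

main() {
    printf '%s\n' "$IFACES" | while read -r dev cidr gw tbl id; do
        [ -n "$dev" ] || continue
        ensure_table "$id" "$tbl"
        policy_for "$dev" "$cidr" "$gw" "$tbl"
    done
}

case "${1:-}" in
    plan)  main ;;
    apply) DRY_RUN=0; main ;;
esac
```

`sh mkpolicy.sh plan` prints the commands; `sh mkpolicy.sh apply` runs them. Afterwards `ip rule show` and `ip route show table voip` (and the other two tables) show the result, and `ip route get 172.22.255.101 from 172.22.0.9` should answer out of the table selected by the destination's own subnet rather than from the main table.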