Old 02-27-2009, 03:27 AM   #1
ratcateme
Member
 
Registered: Feb 2008
Distribution: CentOS 5.4
Posts: 59

Rep: Reputation: 15
martian source errors on different network segment


I currently run a small home network: 2 PCs, a CentOS box and a 4-port switch/router to connect them.
It has a typical star topology with the network 10.1.1.0/24.
I recently added a new network with 2 new NICs and a cable between my Linux box and one of my PCs and gave it 10.1.2.0/24.
I am using this for simple testing of securing a network through a Linux box (making HTTP run through Squid with login, blocking users' access to the internet and stuff).
But now I am finding that in /var/log/messages I get events like:
Code:
Feb 22 06:06:47 ratcat kernel: martian source 10.1.1.2 from 10.1.2.3, on dev eth0
Feb 22 06:06:47 ratcat kernel: ll header: 00:0c:f1:97:1b:78:00:17:31:52:41:96:08:00
Feb 22 06:06:50 ratcat kernel: martian source 10.1.1.2 from 10.1.2.3, on dev eth0
Feb 22 06:06:50 ratcat kernel: ll header: 00:0c:f1:97:1b:78:00:17:31:52:41:96:08:00
Feb 22 06:06:57 ratcat kernel: martian source 10.1.1.2 from 10.1.2.3, on dev eth0
Feb 22 06:06:57 ratcat kernel: ll header: 00:0c:f1:97:1b:78:00:17:31:52:41:96:08:00
Feb 22 06:39:13 ratcat smbd[5798]: [2009/02/22 06:39:13, 0] lib/util_sock.c:get_peer_addr(1232)
Feb 22 06:39:13 ratcat smbd[5798]:   getpeername failed. Error was Transport endpoint is not connected
Feb 22 06:39:13 ratcat smbd[7322]: [2009/02/22 06:39:13, 0] lib/util_sock.c:get_peer_addr(1232)
Feb 22 06:39:13 ratcat smbd[7322]:   getpeername failed. Error was Transport endpoint is not connected
Feb 22 06:39:13 ratcat smbd[7322]: [2009/02/22 06:39:13, 0] lib/util_sock.c:get_peer_addr(1232)
Feb 22 06:39:13 ratcat smbd[7322]:   getpeername failed. Error was Transport endpoint is not connected
Feb 22 06:39:13 ratcat smbd[7322]: [2009/02/22 06:39:13, 0] lib/util_sock.c:write_data(562)
Feb 22 06:39:13 ratcat smbd[7322]:   write_data: write failure in writing to client 0.0.0.0. Error Connection reset by peer
Feb 22 06:39:13 ratcat smbd[7322]: [2009/02/22 06:39:13, 0] lib/util_sock.c:send_smb(769)
Feb 22 06:39:13 ratcat smbd[7322]:   Error writing 4 bytes to client. -1. (Connection reset by peer)
Now, doing a breakdown of that: eth0 is the interface connected to the home router; it has a MAC address of 00:0c:f1:97:1b:78 and IP 10.1.1.2 (static).
The source MAC in that is 00:17:31:52:41:96, which is the main interface on the PC, with an IP of 10.1.1.3 (static).
But 10.1.2.3 is the IP assigned through DHCP to the PC on the separate network segment.
I have absolutely no idea how these packets could be ending up on the wrong network.
I understand why I am getting a "martian source" error: 10.1.2.3 is definitely not on the network 10.1.1.0/24, so it shouldn't be coming in on eth0 (they should, and they do, come in on eth1).
But I don't understand why my PC (XP SP3) would be sending packets like that?

Scott.
 
Old 02-28-2009, 01:21 AM   #2
blackhole54
Senior Member
 
Registered: Mar 2006
Posts: 1,896

Rep: Reputation: 61
To make discussion a little easier and to verify I understand your topology correctly I am going to assign names to your computers and what I know about them:

Code:
Machine A:           eth0=10.1.1.2/00:0c:f1:97:1b:78            eth1=10.1.2.x
Machine B:           IP/MAC=10.1.1.3/00:17:31:52:41:96
Machine (XP sp3) C:  IP's:  10.1.1.x                            10.1.2.3
All three machines are connected together on 10.1.1.0/24 via your switch/router and A and B are connected together on 10.1.2.0/24? Is that correct?

It sounds to me like C thinks packets to A should be routed through B. The mystery (to me) is why, if C was going to do that, it would assign the source address as 10.1.2.3 rather than 10.1.1.x.

You might want to look at the routing table on C. IIRC (I forget more about Microsoft systems each passing day) the command is:

route print

You also might want to run a packet sniffer on B to see if that is what is happening. One option is Wireshark which I believe runs on both Microsoft and Linux systems.

EDIT: I used rather clumsy phrasing wrt Wireshark. What I meant to say is I believe Wireshark binaries are available for both Microsoft and Linux systems.

Last edited by blackhole54; 02-28-2009 at 01:55 AM.
 
Old 02-28-2009, 02:03 AM   #3
ratcateme
Member
 
Registered: Feb 2008
Distribution: CentOS 5.4
Posts: 59

Original Poster
Rep: Reputation: 15
Code:
Machine (Centos)A:                                eth0=10.1.1.2/00:0c:f1:97:1b:78            eth1=10.1.2.1
Machine (XP sp3)B:                                IP/MAC=10.1.1.3/00:17:31:52:41:96          10.1.2.x
Machine (XP Laptop not really doing anything) C:  IP's:  10.1.1.10
is what it looks like now. A is getting the error logs.
I have tried to do a Wireshark capture, but the problem is they are rather infrequent. I am currently running the command
Code:
tcpdump -i eth0 -v -s 1500 -w dump.pcap not tcp port 22 and ether dst host 00:0c:f1:97:1b:78 and ether src host 00:17:31:52:41:96
on my Linux box to try and catch some of these packets. Is that command correct, or am I going to get nothing? (Not 22 because I am running the command through SSH.)

Scott.

EDIT: added " and not tcp port 10000" to it because I am using Webmin to watch the logs for martian source reports.

Last edited by ratcateme; 02-28-2009 at 02:04 AM.
 
Old 02-28-2009, 02:26 AM   #4
blackhole54
Senior Member
 
Registered: Mar 2006
Posts: 1,896

Rep: Reputation: 61
Your tcpdump command looks fine to me (assuming the martian packets are not on tcp/1000). Beware that I have flubbed the conditions on tcpdump on more than one occasion! :-/

Have you looked at the routing table for machine B?

EDIT: BTW, I believe the -v option for tcpdump has no effect with the -w option. You may (or may not) wish to use -v when you play the capture back with the -r option.

Last edited by blackhole54; 02-28-2009 at 02:30 AM.
 
Old 02-28-2009, 03:10 AM   #5
ratcateme
Member
 
Registered: Feb 2008
Distribution: CentOS 5.4
Posts: 59

Original Poster
Rep: Reputation: 15
OK, so here is the output of route print on B:
Code:
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...00 05 5d d1 a8 bc ...... Realtek RTL8139 Family PCI Fast Ethernet NIC - P
acket Scheduler Miniport
0x3 ...00 17 31 52 41 96 ...... Intel(R) PRO/1000 PL Network Connection - Packet
 Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0         10.1.1.1        10.1.1.3       20
          0.0.0.0          0.0.0.0         10.1.2.1        10.1.2.3       20
         10.1.1.0    255.255.255.0         10.1.1.3        10.1.1.3       20
         10.1.1.3  255.255.255.255        127.0.0.1       127.0.0.1       20
         10.1.2.0    255.255.255.0         10.1.2.3        10.1.2.3       20
         10.1.2.3  255.255.255.255        127.0.0.1       127.0.0.1       20
   10.255.255.255  255.255.255.255         10.1.1.3        10.1.1.3       20
   10.255.255.255  255.255.255.255         10.1.2.3        10.1.2.3       20
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      169.254.0.0      255.255.0.0         10.1.1.3        10.1.1.3       20
        224.0.0.0        240.0.0.0         10.1.1.3        10.1.1.3       20
        224.0.0.0        240.0.0.0         10.1.2.3        10.1.2.3       20
  255.255.255.255  255.255.255.255         10.1.1.3        10.1.1.3       1
  255.255.255.255  255.255.255.255         10.1.2.3        10.1.2.3       1
Default Gateway:          10.1.1.1
===========================================================================
Persistent Routes:
  None
Looks OK to me.
Now I found this in my logs (filtered to show only lines containing "martian source"):
Code:
Feb 28 17:13:22 ratcat kernel: martian source 10.1.1.2 from 10.1.2.3, on dev eth0
Feb 28 17:13:25 ratcat kernel: martian source 10.1.1.2 from 10.1.2.3, on dev eth0
Feb 28 17:13:31 ratcat kernel: martian source 10.1.1.2 from 10.1.2.3, on dev eth0
Feb 28 18:17:47 ratcat kernel: martian source 10.1.1.2 from 10.1.2.3, on dev eth0
Feb 28 18:17:51 ratcat kernel: martian source 10.1.1.2 from 10.1.2.3, on dev eth0
Feb 28 18:17:57 ratcat kernel: martian source 10.1.1.2 from 10.1.2.3, on dev eth0
Feb 28 19:22:15 ratcat kernel: martian source 10.1.1.2 from 10.1.2.3, on dev eth0
Feb 28 19:22:18 ratcat kernel: martian source 10.1.1.2 from 10.1.2.3, on dev eth0
Feb 28 19:22:24 ratcat kernel: martian source 10.1.1.2 from 10.1.2.3, on dev eth0
Feb 28 20:26:40 ratcat kernel: martian source 10.1.1.2 from 10.1.2.3, on dev eth0
Feb 28 20:26:43 ratcat kernel: martian source 10.1.1.2 from 10.1.2.3, on dev eth0
Feb 28 20:26:49 ratcat kernel: martian source 10.1.1.2 from 10.1.2.3, on dev eth0
Waited till 21:31 (there is a 1:4 min gap between them all roughly)
and found I got
Code:
Feb 28 21:31:05 ratcat kernel: martian source 10.1.1.2 from 10.1.2.3, on dev eth0
Feb 28 21:31:05 ratcat kernel: ll header: 00:0c:f1:97:1b:78:00:17:31:52:41:96:08:00
Feb 28 21:31:08 ratcat kernel: martian source 10.1.1.2 from 10.1.2.3, on dev eth0
Feb 28 21:31:08 ratcat kernel: ll header: 00:0c:f1:97:1b:78:00:17:31:52:41:96:08:00
Feb 28 21:31:14 ratcat kernel: martian source 10.1.1.2 from 10.1.2.3, on dev eth0
Feb 28 21:31:14 ratcat kernel: ll header: 00:0c:f1:97:1b:78:00:17:31:52:41:96:08:00
Feb 28 21:31:26 ratcat kernel: device eth0 left promiscuous mode
Feb 28 21:31:40 ratcat kernel: martian source 10.1.1.2 from 10.1.2.3, on dev eth0
Feb 28 21:31:40 ratcat kernel: ll header: 00:0c:f1:97:1b:78:00:17:31:52:41:96:08:00
I had the tcpdump running, and I filtered it and attached the result.
The three bottom packets are causing the problems.
Also, just to explain, the workgroup my PC is on is set up like
Code:
WORKGROUP name : BOB
A : CENTOS
B : BOBDESK
C : BOBLAPTOP
I don't know much about how SMB works, so I am lost as to how to stop/fix these messages.

Scott.
 
Old 02-28-2009, 03:19 AM   #6
ratcateme
Member
 
Registered: Feb 2008
Distribution: CentOS 5.4
Posts: 59

Original Poster
Rep: Reputation: 15
Sorry, can't attach the file. I uploaded it to A; get it here:
http://ratcat.homelinux.com/show/dump.pcap

Scott.
 
Old 03-01-2009, 04:56 AM   #7
blackhole54
Senior Member
 
Registered: Mar 2006
Posts: 1,896

Rep: Reputation: 61
Quote:
Originally Posted by ratcateme
I don't know much about how SMB works, so I am lost as to how to stop/fix these messages.
I'm not very familiar with it either.

The reason you are getting packets logged as martians is the combination of a) you have the two routes between the two computers for different subnets and b) machine B is addressing the SMB packets to machine A on one subnet while listing its source address on the other subnet. The packet is routed through the correct interface based on its destination address, but machine A then flags this as a martian because it expects packets from that source address on the other interface.

The quickest option to just get the setup running is to just turn off reverse path filtering for eth0 (as root):

Code:
echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter
This will lower your security posture a bit, but on your LAN it may not be important. The decision is yours.

The other option is to get the client machine to stop doing what it is doing. Since I am not familiar with Microsoft networking all I can do is ask questions. Is there something in the configuration that causes the client machine to choose the source address 10.1.2.3 instead of 10.1.1.3? Can that be changed? Alternatively can you make it address machine A as 10.1.2.1?

That's probably about as much help as I can give you without doing some serious googling myself.
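
The diagnosis in this post can be reproduced mechanically from the log. The following is an added example, not code from the thread: it pairs each "martian source" line with its "ll header" line, splits the Ethernet header into destination MAC, source MAC and EtherType, and reports which interface the source address belongs on. The interface and MAC tables are filled in from the addresses given in the thread; the function names are hypothetical.

```python
import ipaddress
import re

# Assumption: tables built by hand from the addresses quoted in the thread.
IFACE_NETS = {"eth0": ipaddress.ip_network("10.1.1.0/24"),
              "eth1": ipaddress.ip_network("10.1.2.0/24")}
KNOWN_MACS = {"00:0c:f1:97:1b:78": "A eth0", "00:17:31:52:41:96": "B Intel NIC"}

MARTIAN = re.compile(r"martian source (\S+) from (\S+), on dev (\S+)")
LL_HDR = re.compile(r"ll header: ((?:[0-9a-f]{2}:){13}[0-9a-f]{2})")

def parse_martians(lines):
    """Pair each 'martian source' line with the 'll header' line after it."""
    events = []
    for line in lines:
        m = MARTIAN.search(line)
        if m:
            # The kernel prints the destination first, then the offending source.
            events.append({"dst_ip": m.group(1), "src_ip": m.group(2),
                           "dev": m.group(3)})
            continue
        h = LL_HDR.search(line)
        if h and events and "src_mac" not in events[-1]:
            octets = h.group(1).split(":")
            # Ethernet II: 6 bytes dst MAC, 6 bytes src MAC, 2 bytes EtherType.
            events[-1]["dst_mac"] = ":".join(octets[0:6])
            events[-1]["src_mac"] = ":".join(octets[6:12])
            events[-1]["ethertype"] = "".join(octets[12:14])
    return events

def diagnose(event):
    """Report who sent the frame and where its source address belongs."""
    src = ipaddress.ip_address(event["src_ip"])
    expected = [dev for dev, net in IFACE_NETS.items() if src in net]
    sender = KNOWN_MACS.get(event.get("src_mac"), "unknown host")
    return {"sender": sender, "arrived_on": event["dev"],
            "expected_on": expected[0] if expected else None,
            "asymmetric": bool(expected) and expected[0] != event["dev"]}

SAMPLE = [  # two lines copied from the log in the first post
    "Feb 22 06:06:47 ratcat kernel: martian source 10.1.1.2 from 10.1.2.3, on dev eth0",
    "Feb 22 06:06:47 ratcat kernel: ll header: 00:0c:f1:97:1b:78:00:17:31:52:41:96:08:00",
]

if __name__ == "__main__":
    for ev in parse_martians(SAMPLE):
        print(ev, diagnose(ev))
```

An "asymmetric" result means the source address is one the host knows, but on a different interface than the one the frame arrived on, which is the multi-homed case described in this thread rather than an address that belongs nowhere on the host.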
 
Old 03-01-2009, 05:32 AM   #8
cloud9repo
Member
 
Registered: Oct 2008
Location: Middle TN
Posts: 134

Rep: Reputation: 19
WOW!!! He's on an X-Box 360-spin, heads-up. And got that there StarCraft.

Seriously, when you get to these 'stars' that are man-made. Then, you just buy me that souvenir.
 
Old 03-05-2009, 11:36 PM   #9
ratcateme
Member
 
Registered: Feb 2008
Distribution: CentOS 5.4
Posts: 59

Original Poster
Rep: Reputation: 15
Thanks for the help, but I haven't really got anywhere, and 3 packets per hour really won't have too much of an effect on anything.

Scott.
 
  

