Hi all,

I have router connected to public ip address eg. ggg.sss.ccc.fff on eth0 interface.

On eth1 interface is address eg 192.168.1.20/24 and all hosts inside have some of address.

In logs I can see

dhclient: DHCPREQUEST on eth0 to 192.168.1.196 port 67

I do not have above address at all. eth0 is external interface with public ip address.

I can block with iptables, dhclient to send these requests but I am wondering what is initiate such messages.

OS is centos 5.5, minimal installation

Comments are welcome, thanks in advance,

Check your DHCPARGS. Is it configured for eth0?

DHCPREQUEST is a broadcast.

If eth0 is your public facing interface, do you have port 67 enabled (e.g. DHCP server bound to this interface without a firewall)?
It looks to me like it is either a mis-configuration that causes the DHCP to log as eth0 or some form of spoofed IP address to find a vulnerability in your (public facing?) DHCP server; possibly someone has this IP behind a router with NAT and tried connecting to your DHCP server and this is what showed up in the logs.

What is interesting is that the address (192.168.1.196) only works on a LAN and you are seeing this on a public NIC, which makes me think that it is a device behind a router, identifying itself as 192.168.1.196.

Thansk for reply, where to check this ? I cannot find above string in .conf files.

Yes, I am getting static address from my ISP over dhcp protcol, so they sent me public ip I use over dhcp over eth0, but ISPs dhcp server I am getting address from is not in private set of ip addresses, it is also public address.

I had to change my eth0 MAC address to one ISP accept ( I have some router they gave me, but I do not use it, only its MAC address )

The address 192.168.1.196 is not used by any host in private network.

What here confuses me is, I am seeing in logs

dhclient: DHCPREQUEST on eth0 to 192.168.1.196 port 67

what is same as in case I run
dhclient eth0, except it send then request to 255.255.255.255 ( broadcast as some of you wrote ).

I am curious to find out what from this box initiate above dhclient request

Comments are welcome and thank you in advance,

What does the entire transaction chain look like? For example, here is one from my DHCP server:
In this case, it is correctly identifying the interface (br0), it provides the involved IP addresses, the MAC addresses and shows the chain of the events. Does this 192.168.1.196, in your case, get an IP or does it get a reject / error code of any sort?

I think I found out that wierd address

less /var/lib/dhclient/dhcliet.leases

lease {
interface "eth0";
fixed-address PUBLIC_IP;
option subnet-mask 255.255.255.0;
option dhcp-lease-time 86400;
option routers PUBLIC_IP;
option dhcp-message-type 5;
option dhcp-server-identifier 192.168.1.196;---it is here
option domain-name-servers PUBLIC-IP1,PUBLCI_IP2;
option ntp-servers PUBLIC_IP;
option domain-name "domain.com";
renew 5 2010/10/15 15:42:19;
rebind 6 2010/10/16 02:13:24;
expire 6 2010/10/16 05:13:24;
}

so based on this, it looks like my ISP use 192.168.1.196 as option when provide address back to me.