LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 03-24-2004, 09:50 PM   #16
Pcghost

Well said, and right on the money. I do make the assumption (wrongly I guess) that people learn Iptables the way I did, through reading the books and writing scripts themselves. I normally focus on the Internet as the biggest threat to our network, even though we could have problems from the inside. The reason behind the outside-in focus toward security is the sheer numbers of actual intrusion attempts we get from the Internet compared to the normal network problems we see, which is downloading porn and a bit of file sharing.

In my time working with Iptables I have found the following to be critical.

1. Write your own scripts!
2. If you don't understand what the script does (line by line) you cannot trust it!
3. Write a line - Test it - Write a line - Test again
4. Read the Books (I started with Red Hat Linux Firewalls, which is pretty newbie friendly).
5. Use LQ when (not if) you get stuck, and always post the rule that is broken.


Chort, it is obvious to me you understand Iptables better than I, and for that I am thankful; expect future Iptables questions from me.

 
Old 03-25-2004, 02:10 AM   #17
chort
Quote:
Originally posted by Pcghost

1. Write your own scripts!
2. If you don't understand what the script does (line by line) you cannot trust it!
3. Write a line - Test it - Write a line - Test again
4. Read the Books (I started with Red Hat Linux Firewalls, which is pretty newbie friendly).
5. Use LQ when (not if) you get stuck, and always post the rule that is broken.
Words to live by, especially the reading books part. You can't just copy some script and expect to know how to use a packet filter. If you don't understand the problem or the solution, there's a strong chance you're just making things worse. I would have to take issue with the comment about the Red Hat firewall, though. At least the Lokkit scripts I've seen were completely backwards (explicitly blocking ports instead of denying by default).

Quote:

Chort, it is obvious to me you understand Iptables better than I, and for that I am thankful, expect future Iptables questions from me
Hah, I'm thinking this is sarcasm because I certainly don't know iptables well at all (OpenBSD pf(4), or maybe a little PIX yes, but not iptables). I do know the fundamentals of packet filtering and building secure networks, though, and I've had a chance to see more firewalls than most people that don't do managed security or consulting (Checkpoint, PIX, Netscreen, Raptor, Gauntlet, etc).
 
Old 03-25-2004, 05:51 PM   #18
Pcghost
I forgot one fundamental rule.

The words lokkit and iptables should never be used in the same sentence. Red Hat Lokkit is one of the single worst crutches I have come across in dealing with iptables. The book I was referring to actually deals with iptables rules without emphasizing lokkit, and despite the fact that I don't use Red Hat much anymore, it is still a handy book to have. It explains the rules in newbie friendly terms.
 
Old 05-25-2004, 12:30 PM   #19
Dewar
Hmmm, so I get the "don't turn off martian logging" bit, it makes sense, but nowhere did anyone actually say how to make the martians stop. I'm getting the following message every 4 seconds...

May 24 00:20:27 KFEN kernel: martian source 255.255.255.255 from 192.168.0.1, on dev eth1
May 24 00:20:27 KFEN kernel: ll header: ff:ff:ff:ff:ff:ff:00:20:e0:0e:42:e6:08:00

Eth1 is the external interface, so it's not a problem with my internal network at least. Strange messages such as this make my boss nervous, so I have to do something about them. If not turn off the logging, what else can I do? I already told my firewall to block packets from 255.255.255.255 and 192.168.0.1 from the external interface, and they still haven't stopped.

Any help is appreciated, and I'm sorry for digging up an old thread, but it described my concerns rather well.
-Dewar

Here's my ifconfig

eth0 Link encap:Ethernet HWaddr 00:50:8B:CC:2A:34
inet addr:192.168.0.254 Bcast:192.168.0.255 Mask:255.255.255.0
inet6 addr: fe80::250:8bff:fecc:2a34/10 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:10373 errors:0 dropped:0 overruns:0 frame:0
TX packets:8612 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:1394522 (1.3 Mb) TX bytes:594411 (580.4 Kb)
Interrupt:11 Base address:0x2c20

eth1 Link encap:Ethernet HWaddr 00:50:BF:92:6E:77
inet addr:xxx.xxx.xxx.xxx Bcast:xxx.xxx.xxx.255 Mask:255.255.255.0
inet6 addr: fe80::250:bfff:fe92:6e77/10 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:12922 errors:0 dropped:0 overruns:0 frame:0
TX packets:12758 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:874427 (853.9 Kb) TX bytes:1927662 (1.8 Mb)
Interrupt:5 Base address:0x4f00

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:4 errors:0 dropped:0 overruns:0 frame:0
TX packets:4 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:448 (448.0 b) TX bytes:448 (448.0 b)
 
Old 05-31-2004, 03:44 PM   #20
MoveZig
I think I have a similar problem. My external interface is eth0 and my internal interface is eth1. My internal network is 192.168.0.0/24.

I keep getting

Code:
May 31 15:25:25 amun kernel: martian source 192.168.0.15 from 192.168.0.1, on dev eth1
May 31 15:25:25 amun kernel: ll header: ff:ff:ff:ff:ff:ff:00:40:05:2f:2d:03:08:06
(The first ip address always changes. It's an address from 192.168.0.10 to 192.168.0.24--the Windows XP client machines)
At this point, 192.168.0.15 can no longer access the Internet. To temporarily restore Internet access I ping 192.168.0.15 from 192.168.0.1 (firewall/router machine running Fedora Core 1). An "/etc/init.d/network restart" does the trick too. Once I do this, the martians stop for a while.

They come back after a few minutes of inactivity though, and they are always back the next morning. And no one has Internet access in the morning until I get in to ping them from the router.

I am confused about the ll header. First of all, ff:ff:ff:ff:ff:ff doesn't seem like a valid MAC address. Second, I can't find any device on my network with the MAC address of 00:30:05:2f:2d:03 (maybe my ADSL modem?).

As for the 08:06, that means something, but I can't find out what.



The difference between my problem and yours is that the problem is listed on the internal interface. And I get a valid first ip address.

Last edited by MoveZig; 05-31-2004 at 03:47 PM.
 
Old 06-03-2004, 02:28 PM   #21
mazzo
There are lots of people here who know a lot more than me, however if this helps, it was worth trying. (If it is wrong, please don't shoot me down!).

Are you using a cable modem rather than ADSL?

If so, your cable modem is part of a network (all the other cable modems in your area). My understanding is that you can receive a lot of traffic from compromised machines on your network (which would explain why some people see it on eth1 too). I get them all the time from my cable connection.

Oddly enough, my limited understanding says that they are called martian because they are alien to the network adapter - ie if they pretend to come from an internal ip, such as a 10.x.x.x, and are received on an "external" network adapter - they are on the wrong side. If you receive an internal ip (again 192.168.x.x as an example) on an internal network adapter, I don't know why that would show up as martian.

But I guess that's why I'm not a serious techie!

Good luck and hope it helped and might have been correct
 
Old 06-03-2004, 11:20 PM   #22
Pcghost
As I may have mentioned, I get martian source messages all the time on my external interface at home. The Satellite modem is the cause, as it is on a cross-over cable to my firewall/proxy machine. This seems like a good time to recommend my two favorite software packages for Linux. The first is Snort, the packet-sniffer/intrusion detection system, and the second is tripwire, a file system monitor/intrusion detection system. Between the two, if set up correctly (LQ can help) you can sleep better at night. Always send the output to a different machine on your network, and only give the Snorted machine Insert rights on the SQL server if you go that way. This way if the box is compromised the attacker is less likely to be able to hide their tracks.
 
Old 11-13-2004, 03:57 AM   #23
coordinatezero
how do you decode the "ll header"?

Does anyone know how to figure out how to decode the "ll header"? I assume that has the source ethernet address of the would-be spoofer, right?
 
Old 11-13-2004, 09:47 AM   #24
Capt_Caveman
ll = link level

So for a log martians message like this: ff:ff:ff:ff:ff:ff:00:40:05:2f:2d:03:08:06

The first 6 octets are the destination address (255.255.255.255) which is the broadcast address.

The next 6 are the MAC address of the sender (00:40:05:2f:2d:03)

The last 2 octets are the protocol type (08:06) which in this case is ARP (you can look these up here).


Last edited by Capt_Caveman; 11-13-2004 at 09:52 AM.
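To make the decoding above repeatable against a whole log rather than a single line by eye, here is an added Python example (not code from the thread or from any of its posters). It pairs each "martian source" line with the "ll header" line that follows it, splits the 14-octet Ethernet header into destination MAC, source MAC and EtherType, and then says in routing terms why the kernel rejected the source. It uses the two line pairs quoted by Dewar and MoveZig as constructed sample input; the interface addressing is an assumption reconstructed from their posts (Dewar's eth0 from his ifconfig, MoveZig's eth1 router address from his description), and the public eth0/eth1 addresses, which were redacted or never given, are placeholders from the TEST-NET-3 range.

```python
"""Decode Linux "martian source" / "ll header" kernel log pairs.

Added example, not code from the LinuxQuestions thread. It assumes the
2.4/2.6-era message format quoted in the thread:
    kernel: martian source <dst-ip> from <src-ip>, on dev <iface>
    kernel: ll header: <14 hex octets = dst MAC, src MAC, EtherType>
"""
import ipaddress
import re

ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6"}

MARTIAN_RE = re.compile(r"martian source (\S+) from (\S+), on dev (\S+)")
LLHDR_RE = re.compile(r"ll header: ((?:[0-9a-f]{2}:){13}[0-9a-f]{2})", re.I)

# Constructed samples: the line pairs quoted in the thread.
DEWAR_LOG = """\
May 24 00:20:27 KFEN kernel: martian source 255.255.255.255 from 192.168.0.1, on dev eth1
May 24 00:20:27 KFEN kernel: ll header: ff:ff:ff:ff:ff:ff:00:20:e0:0e:42:e6:08:00
"""
MOVEZIG_LOG = """\
May 31 15:25:25 amun kernel: martian source 192.168.0.15 from 192.168.0.1, on dev eth1
May 31 15:25:25 amun kernel: ll header: ff:ff:ff:ff:ff:ff:00:40:05:2f:2d:03:08:06
"""

# Assumed interface addressing. Dewar's eth0 comes from his ifconfig; his
# eth1 public address was redacted, so a TEST-NET-3 placeholder stands in.
# MoveZig said eth0 is external, eth1 internal, and the router is 192.168.0.1.
DEWAR_IFACES = {"eth0": "192.168.0.254/24", "eth1": "203.0.113.5/24"}
MOVEZIG_IFACES = {"eth0": "203.0.113.6/24", "eth1": "192.168.0.1/24"}


def decode_ll_header(hexstr):
    """Split the 14-octet Ethernet header the kernel dumps after a martian."""
    octets = hexstr.lower().split(":")
    if len(octets) != 14:
        raise ValueError("expected 14 octets (dst MAC, src MAC, EtherType)")
    dst_mac = ":".join(octets[0:6])
    src_mac = ":".join(octets[6:12])
    ethertype = int(octets[12] + octets[13], 16)
    return {
        "dst_mac": dst_mac,
        "src_mac": src_mac,
        "broadcast": dst_mac == "ff:ff:ff:ff:ff:ff",  # Ethernet broadcast
        "ethertype": ethertype,
        "ethertype_name": ETHERTYPES.get(ethertype, "unknown"),
    }


def classify_source(src_ip, dev, ifaces):
    """Say, in route terms, why src_ip arriving on dev was treated as martian."""
    ip = ipaddress.ip_address(src_ip)
    parsed = {name: ipaddress.ip_interface(cidr) for name, cidr in ifaces.items()}
    # A packet claiming one of our own addresses is never legitimate on a wire.
    for name, iface in parsed.items():
        if ip == iface.ip:
            return f"source is this host's own {name} address (spoofed or duplicate IP)"
    # Known subnet, wrong interface: the route back would leave via another NIC.
    for name, iface in parsed.items():
        if ip in iface.network and name != dev:
            return f"source belongs to {name}'s subnet but arrived on {dev}"
    if ip.is_private:
        return f"private source on {dev} with no matching interface subnet"
    return f"no route back to source via {dev}"


def parse_martians(log_text, ifaces):
    """Pair each 'martian source' line with its following 'll header' line."""
    events, pending = [], None
    for line in log_text.splitlines():
        m = MARTIAN_RE.search(line)
        if m:
            dst_ip, src_ip, dev = m.groups()
            pending = {"dst_ip": dst_ip, "src_ip": src_ip, "dev": dev,
                       "reason": classify_source(src_ip, dev, ifaces)}
            events.append(pending)
            continue
        h = LLHDR_RE.search(line)
        if h and pending is not None:
            pending.update(decode_ll_header(h.group(1)))
            pending = None  # one header per martian line
    return events


if __name__ == "__main__":
    for log, ifaces in ((DEWAR_LOG, DEWAR_IFACES), (MOVEZIG_LOG, MOVEZIG_IFACES)):
        for ev in parse_martians(log, ifaces):
            print(f"{ev['dev']}: {ev['src_ip']} -> {ev['dst_ip']} "
                  f"[{ev['ethertype_name']}] src MAC {ev['src_mac']}; {ev['reason']}")
```

Run against the two samples it reports Dewar's pair as an IPv4 broadcast whose source sits in eth0's subnet but arrived on eth1, and MoveZig's pair as an ARP broadcast carrying the router's own address from a MAC that is not the router's, which is exactly the source MAC to go looking for on the switch.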
All times are GMT -5.