On 05/06/2012 08:18 PM, Frank Griffin wrote:
On 05/06/2012 06:57 PM, imnotpc wrote:
My thanks to you, Maarten, and Doug for replying. I knew that packets
in private subnets are never forwarded by routers, one of the basic
security features of the IPV4 system. I had never heard them referred
to as martian before, but the name makes sense. Based on the
destination of the packets (Google, Facebook), my assumption is that
these are not malicious, and based on my knowledge of my network, I
believe these are originating from the wireless hosts as Doug
indicated. I guess the only part I still don't understand is how
these packets are reaching the kernel of the gateway through NAT and
firewalls? Perhaps there is something I don't understand about how IP
traffic moves between hosts.
The basic idea of a gateway is that you have two NICs, one (say eth1)
connected to the same switch to which all your other wired hosts are
connected, and using an IP address of something internal, say
192.168.1.1. The other NIC (say eth0) is connected to your external
internet. Your routing table should indicate that any traffic for a
192.168.1.x address should go out eth1, and any traffic for something
other than 192,168.1.x should go out eth0. And you have NAT enabled
for anything going out eth0 so that your internal addresses get
translated to the external IP address assigned by your ISP as they
pass through the gateway.
This assumes that you're using a PC as a gateway. Your router should
play no part with the wired connections --- it and all the other wired
hosts should be plugged into the switch, i. e. you shouldn't be using
the inbound wired jacks on the router at all. The wireless goes into
the router, but beyond that plays on an equal level with the wired
guys all going into the gateway PC.
The problem you describe most likely results from trying to use the
router as the gateway in conjunction with the switch. You've got the
wired guys coming through the switch and participating in NAT and the
wireless guys coming into the router directly, and somehow bypassing NAT.
You mention the "gateway kernel", so I'm guessing that you are using a
gateway PC rather than a gateway router. If you are using a
192.168.3.x subnet, then your gateway is NAT'ing some hosts and not
others.
I apologize that I didn't give more detail when I started this thread,
but this has become more involved/detailed discussion than I envisioned.
Let me give you the topography of my network as best as I can describe:
Firewall/Gateway: Mga2 box with 3 NICs which forwards traffic from the
DMZ and the LAN to the Internet and back. The Internet facing NIC has a
public IP. The DMZ is a private subnet with all fixed IPs. The LAN
subnet also has all fixed IPs in the 192.168.0.0/24 range. Iptables
firewall logs and drops all traffic that doesn't originate from these
subnets.
LAN: All the LAN hosts have fixed IPs IN the 192.168.0.0/24 range. Linux
host firewalls block all outgoing traffic that doesn't originate from
the assigned IP address. Windows/other hosts do whatever they do.
Wireless Router Attached to the LAN: The LAN facing NIC on the wireless
router has a fixed IP of 192.168.0.100. The wireless interface is
configured to assign IPs in the 192.168.2.0/24 range to the wireless
hosts using DHCP.
Wireless Hosts: Connect to wireless router via DHCP. I believe these
hosts are generating the martian packets.
I understand the the wireless host may identify themselves using other
IPs due to other connection/configuration issues, but I can't understand
how the kernel on the Mga2 gateway is ever able to see packets
originating from 192.168.3.2 or any other unauthorized subnet. This is
my major concern since it may indicate an error in my LAN configuration.
Jeff
