From: Antony Stone <Antony@Soft-Solutions.co.uk>
To: netfilter <netfilter@lists.netfilter.org>
Subject: Re: Strange logs...
Date: Sun, 11 Jan 2004 12:02:40 +0000
Message-ID: <200401111202.40264.Antony@Soft-Solutions.co.uk>
In-Reply-To: <002201c3d837$a6c70e90$1530a8c0@HUSH>

On Sunday 11 January 2004 11:40 am, Carlos Fernandez Sanz wrote:

> Jan 11 11:52:12 fulanito kernel: [IPTABLES DROP NAT] : IN=eth1 OUT=
> MAC=00:01:03:27:83:4c:00:0c:6e:77:a9:92:08:00 SRC=192.168.20.5
> DST=192.168.20.1 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=13013 PROTO=UDP
> SPT=137 DPT=137 LEN=58
>
> eth1 is my external (connected to the internet router) interface,
> 192.168.20.5 is one of my Windows boxes, 192.168.20.1 is my Linux box. These
> two boxes are connected via a switch (which has nothing else connected to
> it), and the interface is eth0.
>
> What could cause that the packet appears in eth1 instead of eth0? Of course
> that explains that it's being dropped, as I have a rule that drops
> everything coming in the external interface with private addresses....
>
> I know the obvious answer would be "someone special made that packet and
> sent it", but the packet does come from the LAN. The MAC matches the IP
> it's supposed to come from (i.e. belongs to the NIC in my windows card),

The fact that the MAC address is correct means that the packet has surely come 
from the Windows machine, and has not come through any other router (because 
if it had, it would have the IP address of the Windows box and the MAC 
address of the router).

Tell us more about your network connections - you say you have a switch on 
eth0 connected to the Windows box and nothing else; how is eth1 connected to 
your Internet router?   Crossover cable?   Switch/hub?   What?

Also, do you have a nice simple, clean subnet arrangement - something like a 
single public IP on eth1, and a private class C on eth0, nothing fancy?

It would be good to try running tcpdump or ethereal on the netfilter machine, 
so that when a log entry such as this appears, you can check the tcpdump or 
ethereal log and see if it agrees that the packet really did only come in on 
eth1.

Not a solution to your problem, I know, but maybe a help along the way?

Antony.

-- 
Software development can be quick, high quality, or low cost.

The customer gets to pick any two out of three.

                                                     Please reply to the list;
                                                           please don't CC me.
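
The tcpdump cross-check suggested above, as an added example that is not part of the original message: it parses the quoted LOG entry, splits the MAC= field in Ethernet header order (destination MAC, source MAC, EtherType) and builds one capture command per interface. The function names are hypothetical, and eth0/eth1 are the interface names given in the thread.

```python
import re

# Log entry from the quoted message, re-joined onto one line.
LOG_LINE = (
    "Jan 11 11:52:12 fulanito kernel: [IPTABLES DROP NAT] : IN=eth1 OUT= "
    "MAC=00:01:03:27:83:4c:00:0c:6e:77:a9:92:08:00 SRC=192.168.20.5 "
    "DST=192.168.20.1 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=13013 PROTO=UDP "
    "SPT=137 DPT=137 LEN=58"
)


def parse_log(line):
    """Return the KEY=value fields of a netfilter LOG line as a dict."""
    fields = {}
    for key, value in re.findall(r"\b([A-Z]+)=(\S*)", line):
        # LEN appears twice (IP length, then UDP length); keep the first.
        fields.setdefault(key, value)
    return fields


def split_mac(mac_field):
    """Split MAC= into (destination MAC, source MAC, EtherType)."""
    octets = mac_field.split(":")
    if len(octets) != 14:
        raise ValueError("expected a 14-byte Ethernet header, got %d" % len(octets))
    return ":".join(octets[:6]), ":".join(octets[6:12]), "0x" + "".join(octets[12:])


def capture_commands(line, interfaces=("eth0", "eth1")):
    """Build one tcpdump command per interface matching the logged packet."""
    f = parse_log(line)
    _, src_mac, _ = split_mac(f["MAC"])
    # Match on the sender's MAC and IP so both captures show the same frames.
    flt = "ether src %s and src host %s" % (src_mac, f["SRC"])
    if f.get("PROTO") in ("UDP", "TCP") and "DPT" in f:
        flt += " and %s dst port %s" % (f["PROTO"].lower(), f["DPT"])
    # -e prints the link-level header (MAC addresses), -n skips name lookups.
    return ["tcpdump -e -n -i %s '%s'" % (i, flt) for i in interfaces]


if __name__ == "__main__":
    for cmd in capture_commands(LOG_LINE):
        print(cmd)
```

Running both captures at once and comparing timestamps against the next LOG entry shows which interface actually received the frame.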


