Strange Problem - IPTables or Hardware related ????

Strange Problem - IPTables or Hardware related ????

[Rodolfo Siviero Stein]

	Hello Guys,

	I have a strange problem here that I want to share with you.

	Here it is:

	I have three NICS
	eth0 -> LAN  HWaddr 00:06:29:2E:EA:1C
	eth1 -> DMZ  HWaddr 00:A0:C9:9E:A0:7C
	eth2 -> INTERNET   HWaddr 00:50:DA:27:5A:41

	Kernel 2.4.19
	iptables v1.2.7a-20021015
	patch-o-matic-20021015 ( with pending patches applied )

	in the eth2  I have several IPs  assigned thru ifconfig running inside the 
rc.local file.

	I am receiving packets from the internet, destined to one of the aliases 
of the ETH2 as if they come from the LAN.  See the log tha follows:

Oct 13 08:42:43 firewall kernel: IP_LAN_BLOCKED:IN=eth0 OUT= 
MAC=00:06:29:2e:ea:1c:00:b0:c2:89:9d:a1:08:00 SRC=216.81.218.193 
DST=200.XXX.XXX.58 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=2388 DF PROTO=TCP 
SPT=4928 DPT=1080 SEQ=2076289920 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT 
(020405B401010402)
Oct 13 08:46:43 firewall kernel: IPT_LAN_BLOCKED:IN=eth0 OUT= 
MAC=00:06:29:2e:ea:1c:00:b0:c2:89:9d:a1:08:00 SRC=210.113.239.50 
DST=200.XXX.XXX.51 LEN=48 TOS=0x00 PREC=0x00 TTL=109 ID=64046 DF PROTO=TCP 
SPT=2542 DPT=80 SEQ=3750889304 ACK=0 WINDOW=16384 RES=0x00 SYN URGP=0 OPT 
(020405B401010402)

	How a packet from internet appears to me as "IN=eth0" ????

	In the OUT=  we have an MAC address where the initial part is the ETH0 
mac.  What is the other numbers ?
	
	The machine is a IBM Netfinity 3000  with an etherexpress pro lan onboard, 
and 2 3com 3x59x boards.  And if I take out the eth0 RJ-45 cable, all the 
others NICs  stop working.

	I have tried several iptables releases in the branch 1.2.6 thu 1.2.7a.

	Anyone had a problem like this ?  Any comments ?  Is this hardware related 
or software ?

	I will appreciate some ideas.

	Thx

	Rodolfo

Re: Strange Problem - IPTables or Hardware related ????

[Joel Newkirk]

On Friday 18 October 2002 10:56 am, Rodolfo Siviero Stein wrote:
> Hello Guys,
>
> 	I have a strange problem here that I want to share with you.
>
> 	Here it is:
>
> 	I have three NICS
> 	eth0 -> LAN  HWaddr 00:06:29:2E:EA:1C
> 	eth1 -> DMZ  HWaddr 00:A0:C9:9E:A0:7C
> 	eth2 -> INTERNET   HWaddr 00:50:DA:27:5A:41
>
> 	Kernel 2.4.19
> 	iptables v1.2.7a-20021015
> 	patch-o-matic-20021015 ( with pending patches applied )
>
> 	in the eth2  I have several IPs  assigned thru ifconfig running inside the
> rc.local file.
>
> 	I am receiving packets from the internet, destined to one of the aliases
> of the ETH2 as if they come from the LAN.  See the log tha follows:
>
> Oct 13 08:42:43 firewall kernel: IP_LAN_BLOCKED:IN=eth0 OUT=
> MAC=00:06:29:2e:ea:1c:00:b0:c2:89:9d:a1:08:00 SRC=216.81.218.193
> DST=200.XXX.XXX.58 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=2388 DF PROTO=TCP
> SPT=4928 DPT=1080 SEQ=2076289920 ACK=0 WINDOW=64240 RES=0x00 SYN URGP=0 OPT
> (020405B401010402)
> Oct 13 08:46:43 firewall kernel: IPT_LAN_BLOCKED:IN=eth0 OUT=
> MAC=00:06:29:2e:ea:1c:00:b0:c2:89:9d:a1:08:00 SRC=210.113.239.50
> DST=200.XXX.XXX.51 LEN=48 TOS=0x00 PREC=0x00 TTL=109 ID=64046 DF PROTO=TCP
> SPT=2542 DPT=80 SEQ=3750889304 ACK=0 WINDOW=16384 RES=0x00 SYN URGP=0 OPT
> (020405B401010402)
>
> 	How a packet from internet appears to me as "IN=eth0" ????

What makes you think it's inbound from the internet?  If it says "IN=eth0" 
then that is likely where it is coming in, from a machine on the LAN that is 
(for whatever reason :^) claiming an IP other than what it is supposed to 
have.

> 	In the OUT=  we have an MAC address where the initial part is the ETH0
> mac.  What is the other numbers ?

Actually, OUT="", undefined, would be more accurate, since the packet is 
currently INbound (at eth0) from MAC and SRC.  You're catching the packet 
before it reaches a routing decision for OUTPUT.

Very likely the MAC similarity is another NIC in your LAN, from the same 
source & lot.  I have two that are sequentially numbered.

> 	The machine is a IBM Netfinity 3000  with an etherexpress pro lan onboard,
> and 2 3com 3x59x boards.  And if I take out the eth0 RJ-45 cable, all the
> others NICs  stop working.
>
> 	I have tried several iptables releases in the branch 1.2.6 thu 1.2.7a.
>
> 	Anyone had a problem like this ?  Any comments ?  Is this hardware related
> or software ?

Try logging a sample of packets containing that MAC address, see if most of 
them are a machine on your LAN.  If it's a single machine inside your 
network, then find out if it's a fluke. (not likely :^) deliberate on the 
part of the user, or some trojan/bot thingy or an unsecured mail server or 
something.

j

Re: Strange Problem - IPTables or Hardware related ????

[Tom Eastep]

Rodolfo Siviero Stein wrote:

> 
>     Anyone had a problem like this ?  Any comments ?  Is this hardware 
> related or software ?
> 

Do you have multiple NICs cabled to the same HUB/switch? In my experience, 
when people see packets arriving on unexpected interfaces, that is the 
cause. The manner in which the Linux kernel handles ARP "who-has" requests 
makes this type of configuration unsuitable for firewalling since any 
interface connected to the HUB/switch can respond to "who-has" requests 
for any of the addresses assigned to one of those NICs.

-Tom
-- 
Tom Eastep    \ Shorewall - iptables made easy
AIM: tmeastep  \ http://www.shorewall.net
ICQ: #60745924  \ teastep@shorewall.net