From: Aleksandar Milivojevic <amilivojevic@pbl.ca>
To: Jordi Warmenhoven <penguinsula@yahoo.com>
Cc: netfilter@lists.netfilter.org
Subject: Re: Unwanted traffic to be FORWARD-ed is dropped by filter : ARP cache problem?
Date: Mon, 18 Oct 2004 10:14:48 -0500
Message-ID: <4173DDE8.1040600@pbl.ca>
In-Reply-To: <20041017075414.78289.qmail@web20021.mail.yahoo.com>
Jordi Warmenhoven wrote:
> After having set up iptables, I notice that the Linux
> box drops a lot of outside traffic (mostly MS
> broadcasts) with DST=[my WinIP] SRC=[some host]. It is
> _always_ the MS-Windows IP address that ends up in
> the FORWARD filter chain. Since I am just a simple
> client on the network, is there maybe some Proxy ARP
> gateway that keeps the two IP addresses mapped against
> my MAC?
Depending on your ISP configuration, you can have more than one computer
connected over the same link. I know for sure this is the case with
ADSL. Basically, you connect ADSL modem to Ethernet hub, and then
computers on your network can share it, each of them getting public IP
address from ISP, however bandwidth will be split and not balanced (if
you have 1M ADSL, and two PCs, each will get 512k allocated to it). I
saw this works when ISP I used to work for was introducing ADSL service,
and we tested all kinds of funny setups and things "smart" users might
try out once we give them ADSL modems. If your ISP supports this
configuration, there's usually no way for ISP to tell if you have dual
boot box, or you connected ADSL modem into Ethernet hub. I'm not sure
if this is possible with cable modems, it might be. Basically, cable
modem on the higher levels of the protocol acts pretty much as if your
Ethernet card is connected directly to the Ethernet hub/switch at the
ISP end. I don't know much about internal workings of cable at ISP end,
but if there's equivalent of Ethernet switch there, it will just think
that you have two IP addresses on one interface. Back to the topic,
they might route traffic for both addresses to you, regardless of which
OS you are currently booted in. Although, I'm not sure why there are no
ARP requests to check if the address is still alive and valid on that
wire (there should be, I'm seeing a whole lot of those on my cable modem).

The traffic you are seeing dropped is most likely worms trying out
random IP addresses in search for new systems to infect. BTW, if your
box is not acting as a router, you should disable IP forwarding.
--
Aleksandar Milivojevic <amilivojevic@pbl.ca> Pollard Banknote Limited
Systems Administrator 1499 Buffalo Place
Tel: (204) 474-2323 ext 276 Winnipeg, MB R3T 1L7
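
The advice above to disable IP forwarding on a box that is not a router can be checked in two places: the live kernel value and the sysctl configuration applied at boot. The script below is an added example, not part of the original message; the function names and the sample configuration are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit IP forwarding on a host that should not route.
# Function names and the sample config below are constructed for illustration.

# runtime_ipv4_forwarding [PROC_SYS_ROOT]
# Prints the live value of net.ipv4.ip_forward (0 = plain host, 1 = router).
runtime_ipv4_forwarding() {
    cat "${1:-/proc/sys}/net/ipv4/ip_forward"
}

# forwarding_enabled_keys [FILE]
# Reads sysctl.conf syntax (FILE or stdin) and prints every forwarding key
# whose final assignment is non-zero. Later lines override earlier ones,
# and both "." and "/" are accepted as key separators.
forwarding_enabled_keys() {
    awk -F= '
        /^[[:space:]]*[#;]/ { next }              # comment lines
        NF >= 2 {
            key = $1; val = $2
            gsub(/[[:space:]]/, "", key)
            gsub(/[[:space:]]/, "", val)
            gsub("/", ".", key)                   # net/ipv4/... -> net.ipv4....
            if (key ~ /^net\.ipv4\.ip_forward$/ ||
                key ~ /^net\.ipv[46]\.conf\.[^.]+\.forwarding$/)
                state[key] = val                  # last assignment wins
        }
        END { for (k in state) if (state[k] != "0") print k }
    ' "${1:--}" | LC_ALL=C sort
}

# Constructed sample configuration (not taken from the thread).
sample_conf() {
    cat <<'EOF'
# constructed sample
net.ipv4.ip_forward = 1
net.ipv4.conf.all.rp_filter = 1
net/ipv6/conf/all/forwarding=1
net.ipv4.conf.eth0.forwarding = 1
net.ipv4.conf.eth0.forwarding = 0
EOF
}

# Typical use on a real host:
#   runtime_ipv4_forwarding
#   forwarding_enabled_keys /etc/sysctl.conf
# Turning forwarding off on the running kernel (needs root):
#   sysctl -w net.ipv4.ip_forward=0
```

Any key the second function prints also has to be set to 0 in the configuration file, otherwise forwarding comes back on at the next boot.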