* Unwanted traffic to be FORWARD-ed is dropped by filter : ARP cache problem?
From: Jordi Warmenhoven @ 2004-10-17 7:54 UTC
To: netfilter

Hi,

I realise my question is not directly related to iptables, but since I noticed the 'problem' using iptables I hope it's ok to pose it here.

My Linux box gets its outside IP (LinuxIP) from a DHCP server. The IP address has been the same from the beginning, so I guess some static mapping is done (I'm no expert in this matter :-). It is a dual-boot system, and when I reboot to MS-Windows, I get a different IP (WinIP) which is also always the same.

After having set up iptables, I notice that the Linux box drops a lot of outside traffic (mostly MS broadcasts) with DST=[my WinIP] SRC=[some host]. It is _always_ the MS-Windows IP address that ends up in the FORWARD filter chain. Since I am just a simple client on the network, is there maybe some Proxy ARP gateway that keeps the two IP addresses mapped against my MAC?

It's no big deal and I just drop the specific packets before they get logged, but I'm just curious...

--Jordi

* Re: Unwanted traffic to be FORWARD-ed is dropped by filter : ARP cache problem?
From: Aleksandar Milivojevic @ 2004-10-18 15:14 UTC
To: Jordi Warmenhoven; +Cc: netfilter

Jordi Warmenhoven wrote:
> After having set up iptables, I notice that the Linux
> box drops a lot of outside traffic (mostly MS
> broadcasts) with DST=[my WinIP] SRC=[some host]. It is
> _always_ the MS-Windows IP address that ends up in
> the FORWARD filter chain. Since I am just a simple
> client on the network, is there maybe some Proxy ARP
> gateway that keeps the two IP addresses mapped against
> my MAC?

Depending on your ISP configuration, you can have more than one computer connected over the same link. I know for sure this is the case with ADSL. Basically, you connect ADSL modem to Ethernet hub, and then computers on your network can share it, each of them getting public IP address from ISP, however bandwidth will be split and not balanced (if you have 1M ADSL, and two PCs, each will get 512k allocated to it). I saw this works when ISP I used to work for was introducing ADSL service, and we tested all kinds of funny setups and things "smart" users might try out once we give them ADSL modems. If your ISP supports this configuration, there's usually no way for ISP to tell if you have dual boot box, or you connected ADSL modem into Ethernet hub.

I'm not sure if this is possible with cable modems, it might be. Basically, cable modem on the higher levels of the protocol acts pretty much as if your Ethernet card is connected directly to the Ethernet hub/switch at the ISP end. I don't know much about internal workings of cable at ISP end, but if there's equivalent of Ethernet switch there, it will just think that you have two IP addresses on one interface.

Back to the topic, they might route traffic for both addresses to you, regardless of which OS you are currently booted in. Although, I'm not sure why there are no ARP requests to check if the address is still alive and valid on that wire (there should be, I'm seeing a whole lot of those on my cable modem).

The traffic you are seeing dropped is most likely worms trying out random IP addresses in search for new systems to infect. BTW, if your box is not acting as a router, you should disable IP forwarding.

--
Aleksandar Milivojevic <amilivojevic@pbl.ca>
Pollard Banknote Limited
Systems Administrator
1499 Buffalo Place
Tel: (204) 474-2323 ext 276
Winnipeg, MB R3T 1L7

* Re: Unwanted traffic to be FORWARD-ed is dropped by filter : ARP cache problem?
From: Jordi Warmenhoven @ 2004-10-18 21:06 UTC
To: Aleksandar Milivojevic; +Cc: netfilter

--- Aleksandar Milivojevic <amilivojevic@pbl.ca> wrote:
> Jordi Warmenhoven wrote:
> > After having set up iptables, I notice that the Linux
> > box drops a lot of outside traffic (mostly MS
> > broadcasts) with DST=[my WinIP] SRC=[some host]. It is
> > _always_ the MS-Windows IP address that ends up in
> > the FORWARD filter chain. Since I am just a simple
> > client on the network, is there maybe some Proxy ARP
> > gateway that keeps the two IP addresses mapped against
> > my MAC?
>
> Back to the topic, they might route traffic for both addresses to you,
> regardless of which OS you are currently booted in. Although, I'm not
> sure why there are no ARP requests to check if the address is still
> alive and valid on that wire (there should be, I'm seeing a whole lot
> of those on my cable modem).

Yes, seems like their ARP Proxy cache timeout is set really long. I wonder what would happen if I do a "-j REJECT --reset-with icmp-host-unreachable" on this particular FORWARD traffic. Would it remove the false entry in the ARP cache on the gateway?

> The traffic you are seeing dropped is most likely worms trying out
> random IP addresses in search for new systems to infect.

Not so sure there. It's mostly MS-Windows TCP 445 connections I drop in the FORWARD chain, similar to the traffic I drop in the INPUT chain (which could be worms). I think worms prefer to really enter the box instead of trying to get rerouted in my FORWARD chain.

> BTW, if your box is not acting as a router, you should disable
> IP forwarding.

Well, I masquerade a Sony Playstation behind my Linux box, so I need forwarding from time to time :-)

-Jordi

* Re: Unwanted traffic to be FORWARD-ed is dropped by filter : ARP cache problem?
From: Aleksandar Milivojevic @ 2004-10-19 13:20 UTC
To: Jordi Warmenhoven; +Cc: netfilter

Jordi Warmenhoven wrote:
> Yes, seems like their ARP Proxy cache timeout is set
> really long. I wonder what would happen if I do a "-j
> REJECT --reset-with icmp-host-unreachable" on this
> particular FORWARD traffic. Would it remove the false
> entry in the ARP cache on the gateway?

I doubt it. But you might try. Anyhow, even if you try, also use limit match. Otherwise somebody might abuse you for a DDoS attack.

> Not so sure there. It's mostly MS-Windows TCP 445
> connections I drop in the FORWARD chain, similar to
> the traffic I drop in the INPUT chain (which could be
> worms). I think worms prefer to really enter the box
> instead of trying to get rerouted in my FORWARD chain.

Worms are not attacking your box specifically. They are just trying out random addresses.

--
Aleksandar Milivojevic <amilivojevic@pbl.ca>
Pollard Banknote Limited
Systems Administrator
1499 Buffalo Place
Tel: (204) 474-2323 ext 276
Winnipeg, MB R3T 1L7
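
The rate-limited reject suggested in the last reply, as an added example that is not part of the thread: a POSIX shell function that prints an iptables-restore fragment (iptables spells the REJECT option `--reject-with`). The interface names, the documentation address 203.0.113.7, the chain name STALE_DST and the 6/minute rate are assumptions.

```shell
#!/bin/sh
# Added example: interface names, address, chain name and rate are assumptions.

# Accept only dotted-quad IPv4 so nothing else reaches the rule text.
valid_ipv4() {
    case $1 in
        ''|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Accept only plain interface names such as eth0 or ppp0.
valid_iface() {
    case $1 in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
}

# build_rules WAN_IF STALE_ADDR LAN_IF
# Prints an iptables-restore fragment for the filter table.
build_rules() {
    valid_iface "$1" && valid_ipv4 "$2" && valid_iface "$3" || {
        echo "usage: build_rules WAN_IF STALE_IPV4 LAN_IF" >&2
        return 2
    }
    cat <<EOF
*filter
:STALE_DST - [0:0]
# Answer at most 6 packets per minute (burst 3) with ICMP host-unreachable,
-A STALE_DST -m limit --limit 6/minute --limit-burst 3 -j REJECT --reject-with icmp-host-unreachable
# and drop the rest silently so the box cannot be used to flood spoofed sources.
-A STALE_DST -j DROP
# Forwarded packets from outside for the address this host does not hold.
-A FORWARD -i $1 -d $2 -j STALE_DST
# Forwarding is otherwise limited to the masqueraded LAN and its return traffic.
-A FORWARD -i $3 -o $1 -j ACCEPT
-A FORWARD -i $1 -o $3 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -j DROP
COMMIT
EOF
}

if [ $# -eq 3 ]; then build_rules "$@"; fi
```

Piping the output to `iptables-restore --noflush --test` parses the fragment without committing it.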