* Unwanted traffic to be FORWARD-ed is dropped by filter : ARP cache problem?
From: Jordi Warmenhoven @ 2004-10-17 7:54 UTC (permalink / raw)
To: netfilter
Hi,
I realise my question is not directly related to
iptables, but since I noticed the 'problem' using
iptables I hope it's ok to pose it here.
My Linux box gets its outside IP (LinuxIP) from a DHCP
server. The IP address has been the same from the
beginning, so I guess some static mapping is done (I'm
no expert in this matter :-). It is a dual-boot
system, and when I reboot to MS-Windows, I get a
different IP (WinIP) which is also always the
same.
After having set up iptables, I notice that the Linux
box drops a lot of outside traffic (mostly MS
broadcasts) with DST=[my WinIP] SRC=[some host]. It is
_always_ the MS-Windows IP address that ends up in
the FORWARD filter chain. Since I am just a simple
client on the network, is there maybe some Proxy ARP
gateway that keeps the two IP addresses mapped against
my MAC?
It's no big deal and I just drop the specific packets
before they get logged, but I'm just curious...
--Jordi
* Re: Unwanted traffic to be FORWARD-ed is dropped by filter : ARP cache problem?
From: Aleksandar Milivojevic @ 2004-10-18 15:14 UTC (permalink / raw)
To: Jordi Warmenhoven; +Cc: netfilter
Jordi Warmenhoven wrote:
> After having set up iptables, I notice that the Linux
> box drops a lot of outside traffic (mostly MS
> broadcasts) with DST=[my WinIP] SRC=[some host]. It is
> _always_ the MS-Windows IP address that ends up in
> the FORWARD filter chain. Since I am just a simple
> client on the network, is there maybe some Proxy ARP
> gateway that keeps the two IP addresses mapped against
> my MAC?
Depending on your ISP configuration, you can have more than one computer
connected over the same link. I know for sure this is the case with
ADSL. Basically, you connect ADSL modem to Ethernet hub, and then
computers on your network can share it, each of them getting public IP
address from ISP, however bandwidth will be split and not balanced (if
you have 1M ADSL, and two PCs, each will get 512k allocated to it). I
saw this works when ISP I used to work for was introducing ADSL service,
and we tested all kinds of funny setups and things "smart" users might
try out once we give them ADSL modems. If your ISP supports this
configuration, there's usually no way for ISP to tell if you have dual
boot box, or you connected ADSL modem into Ethernet hub. I'm not sure
if this is possible with cable modems, it might be. Basically, cable
modem on the higher levels of the protocol acts pretty much as if your
ethernet card is connected directly to the Ethernet hub/switch at the
ISP end. I don't know much about internal workings of cable at ISP end,
but if there's equivalent of Ethernet switch there, it will just think
that you have two IP addresses on one interface. Back to the topic,
they might route traffic for both addresses to you, regardless of which
OS you are currently booted in. Although, I'm not sure why there are no
ARP requests to check if the address is still alive and valid on that
wire (there should be, I'm seeing a whole lot of those on my cable modem).
The traffic you are seeing dropped is most likely worms trying out
random IP addresses in search for new systems to infect. BTW, if your
box is not acting as a router, you should disable IP forwarding.
--
Aleksandar Milivojevic <amilivojevic@pbl.ca> Pollard Banknote Limited
Systems Administrator 1499 Buffalo Place
Tel: (204) 474-2323 ext 276 Winnipeg, MB R3T 1L7
* Re: Unwanted traffic to be FORWARD-ed is dropped by filter : ARP cache problem?
From: Jordi Warmenhoven @ 2004-10-18 21:06 UTC (permalink / raw)
To: Aleksandar Milivojevic; +Cc: netfilter
--- Aleksandar Milivojevic <amilivojevic@pbl.ca>
wrote:
> Jordi Warmenhoven wrote:
> > After having set up iptables, I notice that the
> Linux
> > box drops a lot of outside traffic (mostly MS
> > broadcasts) with DST=[my WinIP] SRC=[some host].
> It is
> > _always_ the MS-Windows IP address that ends up in
> > the FORWARD filter chain. Since I am just a simple
> > client on the network, is there maybe some Proxy
> ARP
> > gateway that keeps the two IP addresses mapped
> against
> > my MAC?
>
> Back to the topic,
> they might route traffic for both addresses to you,
> regardless of which
> OS you are currently booted in.
> Although, I'm not
> sure why there are no
> ARP requests to check if the address is still alive
> and valid on that
> wire (there should be, I'm seeing a whole lot of
> those on my cable modem).
Yes, seems like their ARP Proxy cache timeout is set
really long. I wonder what would happen if I do a "-j
REJECT --reset-with icmp-host-unreachable" on this
particular FORWARD traffic. Would it remove the false
entry in the ARP cache on the gateway?
> The traffic you are seeing dropped is most likely
> worms trying out
> random IP addresses in search for new systems to
> infect.
Not so sure there. It's mostly MS-Windows TCP 445
connections I drop in the FORWARD chain, similar to
the traffic I drop in the INPUT chain (which could be
worms). I think worms prefer to really enter the box
instead of trying to get rerouted in my FORWARD chain.
> BTW, if your
> box is not acting as a router, you should disable
> IP forwarding.
Well, I masquerade a Sony Playstation behind my Linux
box, so I need forwarding from time to time :-)
-Jordi
* Re: Unwanted traffic to be FORWARD-ed is dropped by filter : ARP cache problem?
From: Aleksandar Milivojevic @ 2004-10-19 13:20 UTC (permalink / raw)
To: Jordi Warmenhoven; +Cc: netfilter
Jordi Warmenhoven wrote:
> Yes, seems like their ARP Proxy cache timeout is set
> really long. I wonder what would happen if I do a "-j
> REJECT --reset-with icmp-host-unreachable" on this
> particular FORWARD traffic. Would it remove the false
> entry in the ARP cache on the gateway?
I doubt it. But you might try. Anyhow, even if you try, also use limit
match. Otherwise somebody might abuse you for DDoS attack.
> Not so sure there. It's mostly MS-Windows TCP 445
> connections I drop in the FORWARD chain, similar to
> the traffic I drop in the INPUT chain (which could be
> worms). I think worms prefer to really enter the box
> instead of trying to get rerouted in my FORWARD chain.
Worms are not attacking your box specifically. They are just trying out
random addresses.
--
Aleksandar Milivojevic <amilivojevic@pbl.ca> Pollard Banknote Limited
Systems Administrator 1499 Buffalo Place
Tel: (204) 474-2323 ext 276 Winnipeg, MB R3T 1L7
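
Added example, not part of the thread: a rate-limited REJECT for forwarded traffic to the stale address, as the last reply suggests, so that spoofed-source packets cannot turn the box into an unbounded source of ICMP errors. The chain name STALE_FWD, the interface eth0, the address 192.0.2.10 (documentation range) and the 6/minute rate are assumptions; the script only prints the iptables commands for review.

```shell
#!/bin/sh
# Added example. Prints iptables commands; review them, then pipe to "sh" as root.

is_ipv4() {
    # Reject anything that is not a plain dotted quad with octets 0-255.
    case "$1" in ""|*[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ ${#o} -le 3 ] && [ "$o" -le 255 ] || return 1
    done
}

gen_rules() {
    # $1 stale address, $2 external interface, $3 optional limit rate
    stale_ip=$1 ext_if=$2 rate=${3:-6/minute}
    is_ipv4 "$stale_ip" || { echo "bad address: $stale_ip" >&2; return 1; }
    case "$ext_if" in ""|*[!A-Za-z0-9._-]*)
        echo "bad interface name" >&2; return 1 ;;
    esac
    echo "$rate" | grep -Eq '^[0-9]+/(second|minute|hour|day)$' \
        || { echo "bad rate: $rate" >&2; return 1; }
    # Rule order matters: the limit match lets a few packets per interval
    # reach REJECT; everything over the limit falls through to a silent DROP.
    # REJECT's option for choosing the ICMP error is --reject-with.
    cat <<EOF
iptables -N STALE_FWD
iptables -A STALE_FWD -m limit --limit $rate --limit-burst 3 -j REJECT --reject-with icmp-host-unreachable
iptables -A STALE_FWD -j DROP
iptables -I FORWARD 1 -i $ext_if -d $stale_ip -j STALE_FWD
EOF
}

# Constructed sample values (placeholders, not from the thread).
gen_rules 192.0.2.10 eth0
```

Only packets arriving on the external interface for the stale address enter the new chain, so forwarding for a masqueraded internal host is unaffected.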