From: Nils Juergens
Subject: Re: strange packets on loopback
Date: Wed, 23 Jun 2004 14:37:20 +0200
To: netfilter@lists.netfilter.org
Message-ID: <20040623123720.GA5390@koala7>
In-reply-to: <1087982478.7946.50.camel@dharmu.nsecure.net>
References: <1087982478.7946.50.camel@dharmu.nsecure.net>

On Wed, 23.06.04, "Dharmendra T." wrote:
> Why is the MAC not displayed properly? Getting doubt whether someone is
> trying to spoof! (Possible, not too scary as the packets are getting
> dropped.)
>
> If this is the valid MAC, just try to find out from which IP it is coming
> by using arp.

That's the first thing I checked: the PC on the local LAN has a valid MAC address, and there is no 00:00:00:00:00:00 MAC anywhere on the net. I've got arpwatch running and it reports no such MAC. Neither does the ARP table on my firewall.

I do have, however, a DNAT rule in PREROUTING that redirects all http requests to z.z.z.z:80. It is _not_, however, redirected to the external interface y.y.y.y but rather to the internal address z.z.z.z. In short, http traffic from clients directly to the squid (from mozilla with proxy setting) goes to y.y.y.y:8080; http traffic from other browsers (beyond our control) is redirected to z.z.z.z:8080.

    DNAT tcp -- a.a.a.a.0/24 anywhere tcp dpt:www to:z.z.z.z:8080

The 'strange' packet had DST=y.y.y.y, so I was thinking the REDIRECT does not play a role here. Also, locally generated packets never pass through PREROUTING, so packets from 'lo' should never be touched by this rule.

thanks,
Nils Juergens
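As an added example (not part of the thread), a small Python triage script for netfilter LOG lines that makes the MAC question above checkable: the LOG target prints the raw link-layer header after MAC=, and the loopback interface has no hardware address, so a packet logged with IN=lo carries all-zero MAC fields with only the EtherType (08:00 for IPv4) surviving, whereas an all-zero source MAC arriving on a real interface is the case worth flagging. The log lines, addresses and interface names are constructed.

```python
import re

# Constructed netfilter LOG-target lines (not from the thread). After MAC= the
# kernel prints the 14-byte Ethernet header: dst MAC, src MAC, EtherType.
# On 'lo' there is no hardware address, so both MACs are zero and only the
# EtherType 08:00 (IPv4) is non-zero.
SAMPLE_LOG = """\
kernel: IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=203.0.113.10 LEN=60 PROTO=TCP SPT=40001 DPT=80 SYN
kernel: IN=eth1 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.25 DST=203.0.113.10 LEN=60 PROTO=TCP SPT=50123 DPT=80 SYN
kernel: IN=eth1 OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=192.0.2.99 DST=203.0.113.10 LEN=60 PROTO=TCP SPT=50124 DPT=80 SYN
"""

FIELD_RE = re.compile(r"(\w+)=(\S*)")   # KEY=value tokens; flags like SYN have no '='
ZERO_MAC = "00:00:00:00:00:00"

def parse_log_line(line):
    """Split one LOG line into a dict of KEY=value fields and decode MAC=."""
    fields = dict(FIELD_RE.findall(line))
    octets = fields.get("MAC", "").split(":")
    if len(octets) == 14:                 # full Ethernet header present
        fields["dst_mac"] = ":".join(octets[0:6])
        fields["src_mac"] = ":".join(octets[6:12])
        fields["ethertype"] = "".join(octets[12:14])
    return fields

def classify(fields):
    """'loopback' when zero MACs are expected (IN=lo), 'spoof-suspect' when a
    real interface logged an all-zero source MAC, otherwise 'normal'."""
    if fields.get("IN") == "lo":
        return "loopback"
    if fields.get("src_mac") == ZERO_MAC:
        return "spoof-suspect"
    return "normal"

def triage(log_text):
    """Return (interface, source IP, verdict) for every LOG line in log_text."""
    parsed = (parse_log_line(l) for l in log_text.splitlines())
    return [(f.get("IN"), f.get("SRC"), classify(f)) for f in parsed if f]

if __name__ == "__main__":
    for iface, src, verdict in triage(SAMPLE_LOG):
        print(f"{iface:5} {src:15} {verdict}")
```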