* Re: strange packets on loopback
From: Dharmendra T. @ 2004-06-23 9:21 UTC (permalink / raw)
To: ju; +Cc: netfilter
Hi
My questions to this are:
On Tue, 2004-06-22 at 21:27, Nils Juergens wrote:
> Hello,
>
> i have a firewall setup like this:
>
> /--------\
> / Internet \
> \---------/
> |
> ___|____
> | Router |
> ----------
> |
> |
> |ext FW interface (y.y.y.y)
> ___|______
> | Firewall | (also routing)
> ------------
> | int FW interface (z.z.z.z) (default gw for PCs on lan)
> |
> /---------\
> / local net \ a.a.a.0/24
> \----------/
>
>
> my netfilter-based firewall logs packets like this:
>
> INPUT DROP XX: IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 \
> SRC=a.a.a.a DST=y.y.y.y LEN=40 TOS=0x00 PREC=0x00 TTL=255 ID=0 \
> DF PROTO=TCP SPT=1249 DPT=8080 WINDOW=0 RES=0x00 RST URGP=0
Why is the MAC not displayed properly? I am getting doubts whether someone is
trying to spoof! (Possible, but not too scary, as the packets are getting
dropped.)
If this is the valid MAC, just try to find out from which IP it is coming
by using arp.
>
> where a.a.a.a is an IP on my local lan and y.y.y.y is the IP of the external
> firewall interface.
>
> I do have a squid proxy running on the firewall listening at 0.0.0.0:8080
> and the clients are set up to use y.y.y.y:8080 as proxy, but I find it
> rather strange that the IN-interface is listed as 'lo', while it should be
> 'int0' (I have renamed my interfaces as int0 and ext0 using nameif).
>
> It also seems that I only log packets with the RST flag, no others.
>
> The service itself is running fine, and the packets are dropped because I
> only accept packets from lo that have a source address of 127.0.0.1, y.y.y.y
> or z.z.z.z.
>
> So unless I understand the concept of loopback completely wrong, I think that
> IN should only be 'lo' when the source address is one of the IP addresses of
> the local interfaces, including lo.
>
> Is this a bug?
I don't think this is a bug. Give us the arp output; that should give
more details.
>
> I'm using iptables v1.2.6a and linux-2.4.26 with grsecurity-2.0-2.4.26.patch
> on a Debian/Woody system.
>
> I would be grateful for an explanation.
>
> thx,
>
> Nils Juergens
Dharmendra T.
Linux Security and Admin,
www.nsecure.net
* Re: strange packets on loopback
From: Nils Juergens @ 2004-06-23 12:37 UTC (permalink / raw)
To: netfilter
On Wed, 23.06.04, "Dharmendra T." <dharmu@nsecure.net> wrote:
> Why is the MAC not displayed properly? I am getting doubts whether someone is
> trying to spoof! (Possible, but not too scary, as the packets are getting
> dropped.)
>
> If this is the valid MAC, just try to find out from which IP it is coming
> by using arp.
That's the first thing I checked: the PC on the local lan has a valid
MAC address, and there is no 00:00:00:00:00:00 MAC anywhere on the net.
I've got arpwatch running and it reports no such MAC. Neither does the
arp table on my firewall.
I do have, however, a DNAT rule in PREROUTING that redirects all http
requests to z.z.z.z:80. It is _not_, however, redirected to the external
interface y.y.y.y but rather to the internal address z.z.z.z.
In short, http traffic from clients directly to the squid (from mozilla with
proxy setting) goes to y.y.y.y:8080; http traffic from other browsers (beyond
our control) is redirected to z.z.z.z:8080.
DNAT tcp -- a.a.a.a.0/24 anywhere tcp dpt:www to:z.z.z.z:8080
The 'strange' packet had DST=y.y.y.y so i was thinking the REDIRECT does not
play a role here.
Also, locally generated packets never pass through PREROUTING, so packets
from 'lo' should never be touched by this rule.
thanks,
Nils Juergens
* strange packets on loopback
From: Nils Juergens @ 2004-06-22 15:57 UTC (permalink / raw)
To: netfilter
Hello,
I have a firewall setup like this:
/--------\
/ Internet \
\---------/
|
___|____
| Router |
----------
|
|
|ext FW interface (y.y.y.y)
___|______
| Firewall | (also routing)
------------
| int FW interface (z.z.z.z) (default gw for PCs on lan)
|
/---------\
/ local net \ a.a.a.0/24
\----------/
my netfilter-based firewall logs packets like this:
INPUT DROP XX: IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 \
SRC=a.a.a.a DST=y.y.y.y LEN=40 TOS=0x00 PREC=0x00 TTL=255 ID=0 \
DF PROTO=TCP SPT=1249 DPT=8080 WINDOW=0 RES=0x00 RST URGP=0
where a.a.a.a is an IP on my local lan and y.y.y.y is the IP of the external
firewall interface.
I do have a squid proxy running on the firewall listening at 0.0.0.0:8080
and the clients are set up to use y.y.y.y:8080 as proxy, but I find it
rather strange that the IN-interface is listed as 'lo', while it should be
'int0' (I have renamed my interfaces as int0 and ext0 using nameif).
It also seems that I only log packets with the RST flag, no others.
The service itself is running fine, and the packets are dropped because I
only accept packets from lo that have a source address of 127.0.0.1, y.y.y.y
or z.z.z.z.
So unless I understand the concept of loopback completely wrong, I think that
IN should only be 'lo' when the source address is one of the IP addresses of
the local interfaces, including lo.
Is this a bug?
I'm using iptables v1.2.6a and linux-2.4.26 with grsecurity-2.0-2.4.26.patch
on a Debian/Woody system.
I would be grateful for an explanation.
thx,
Nils Juergens
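As an added example (not from the thread or its participants), a small Python parser for iptables LOG lines of the shape quoted above that applies the same check Nils' INPUT rule applies: an IN=lo entry whose SRC is not one of the firewall's own addresses gets flagged, and an all-zero MAC is only treated as normal on lo. The sample lines and the addresses 192.0.2.10, 198.51.100.1 and 10.0.0.1 are constructed stand-ins for a.a.a.a, y.y.y.y and z.z.z.z.

```python
"""Parse iptables LOG output and flag IN=lo packets with a non-local source."""

# Constructed sample lines modelled on the thread's log entry; 192.0.2.10 stands in
# for a.a.a.a, 198.51.100.1 for y.y.y.y and 10.0.0.1 for z.z.z.z (all placeholders).
SAMPLE_LOG = """\
INPUT DROP XX: IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=192.0.2.10 DST=198.51.100.1 LEN=40 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=TCP SPT=1249 DPT=8080 WINDOW=0 RES=0x00 RST URGP=0
INPUT DROP XX: IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4711 DF PROTO=TCP SPT=40000 DPT=8080 WINDOW=32767 RES=0x00 SYN URGP=0
INPUT DROP XX: IN=int0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.10 DST=10.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=2 DF PROTO=TCP SPT=1250 DPT=23 WINDOW=65535 RES=0x00 SYN URGP=0
"""

# Addresses the firewall's INPUT rule accepts from lo: loopback, y.y.y.y and z.z.z.z.
LOCAL_ADDRS = {"127.0.0.1", "198.51.100.1", "10.0.0.1"}
TCP_FLAGS = {"CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN"}


def parse_log_line(line):
    """Turn one LOG line into a dict; bare TCP flag words land in fields['FLAGS']."""
    fields = {"FLAGS": []}
    for token in line.split():
        if "=" in token:
            key, _, value = token.partition("=")
            fields[key] = value          # OUT= yields an empty string, as in the log
        elif token in TCP_FLAGS:
            fields["FLAGS"].append(token)
    return fields


def is_zero_mac(mac):
    """MAC= is dst(6):src(6):ethertype(2); on lo the twelve address bytes are all zero."""
    parts = mac.split(":")
    return len(parts) == 14 and all(p == "00" for p in parts[:12])


def anomalies(fields, local_addrs=LOCAL_ADDRS):
    """Reasons a line deserves a look; an empty list means it has the expected shape."""
    reasons = []
    if fields.get("IN") == "lo" and fields.get("SRC") not in local_addrs:
        reasons.append("IN=lo but SRC is not one of the firewall's own addresses")
    if fields.get("IN") != "lo" and is_zero_mac(fields.get("MAC", "")):
        reasons.append("all-zero MAC on a non-loopback interface")
    return reasons


def scan(log_text):
    """Return (fields, reasons) for every line that triggers at least one anomaly."""
    hits = []
    for line in log_text.splitlines():
        fields = parse_log_line(line)
        reasons = anomalies(fields)
        if reasons:
            hits.append((fields, reasons))
    return hits
```

Running `scan(SAMPLE_LOG)` flags only the first line, the RST from a LAN address arriving on lo, which is exactly the entry the thread is about.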