
Re: Martian packets




Mark Devin wrote:
| Mark Devin wrote:
| | I am confused about a routing issue.  The kernel is logging packets
| | destined to my client subnet as Martians and dropping them.
| |
| | The firewall has a single ethernet card facing a router.  The router has
| | three ports, one to the firewall, one to the clients, and one to the
| | internet.  The ethernet port on the firewall is configured with a public
| | IP address and I have added some routing rules to the routing table to
| | cater for the client IP address range of 192.168.17.2 so that they
| | should be routed out eth0 on the firewall back to the router.
| |
| | If I try and ping 192.168.17.2 from the firewall then the kernel marks
| | these packets as martians.  If I try and ping from the 192.168.17.2
| | machine then the firewall receives the packets OK (confirmed with
| | tcpdump) and tries to respond with an echo-reply (confirmed with
| | tcpdump).  However when trying to go out eth0 these reply packets are
| | marked as martians and not transmitted by the kernel.
| |
| | The network looks like this:
| |
| |      Firewall
| |         |eth0(203.xxx.xxx.42)
| |         |
| |         |203.xxx.xxx.41
| |       Router-----Internet
| |         |
| |         |
| |         |192.168.17.x
| |      Clients
| |
| | I have the following routes in my routing table:
| | route -n
| | 203.xxx.xxx.40  0.0.0.0        255.255.255.252 U    0   0   0 eth0
| | 192.168.17.0    203.xxx.xxx.41 255.255.255.0   UG   0   0   0 eth0
| | 127.0.0.0       0.0.0.0        255.0.0.0       U    0   0   0 lo
| | 0.0.0.0         203.xxx.xxx.41 0.0.0.0         UG   0   0   0 eth0
| |
| | My syslog shows:
| | Jun  4 09:46:26 oprah kernel: martian source 192.168.17.2 from
| | 203.xxx.xxx.42, on dev eth0
| | Jun  4 09:46:26 oprah kernel: ll header:
| | 00:08:6b:58:f1:25:00:09:b7:58:4d:a2:07:00
| | Jun  4 09:46:50 oprah kernel: martian source 192.168.17.2 from
| | 203.xxx.xxx.42, on dev eth0
| |
| | I don't know what I have to do to route these packets destined for
| | 192.168.17.x back to the router so that they can be forwarded back to
| | the clients.  The kernel on the firewall is marking them as martians
| | despite me adding a routing table rule for them.
| |
| | Can anyone help me with this?
| |
| Oh.  By the way, I have tried both with and without the explicit routing
| table entry for the 192.168.17.0 network.  I didn't think I should need to
| add an explicit routing rule for the 192.168.17.0 network since the
| default rule is to send everything out eth0 via the router, which
| should work.  Except the kernel marks the outgoing packets from the
| firewall back to the 192.168.17.0 network as martians with or without the
| routing table entry.
|
If anyone is following this thread then I figured out the answer.  The
router was configured wrongly and was sending all packets with
destination address of 192.168.17.0/24 back to the firewall.  So when I
was pinging 192.168.17.2 from the firewall, these packets were being
sent to the router and then the router was sending them back to the
firewall which was then marking them as martians.

I guess I can understand why that wouldn't work :-)

Now that the router is reconfigured to send these packets onto the
clients, everything works.

Regards.
Mark.
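The loop Mark found shows up in the log itself: the kernel's "martian source" line names the destination first and the source second, so a drop whose source is the firewall's own address is its own traffic being handed straight back by the next hop. The following parser and classifier is an added example, not code from the thread; the sample log lines are constructed to match the format quoted above (203.0.113.42 is a documentation-range stand-in for the firewall address), and the set of local addresses is an assumption.

```python
import re
from collections import Counter

# Older Linux kernels log a dropped packet as
#   "martian source <destination> from <source>, on dev <iface>"
# (the first address is the destination, the second the source).
MARTIAN_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"martian source (?P<dst>[\d.]+) from (?P<src>[\d.]+), on dev (?P<dev>\S+)$"
)

# Constructed sample log, modelled on the lines quoted in the thread.
# 203.0.113.42 stands in for the firewall's own public address.
SAMPLE_LOG = """\
Jun  4 09:46:26 oprah kernel: martian source 192.168.17.2 from 203.0.113.42, on dev eth0
Jun  4 09:46:26 oprah kernel: ll header: 00:08:6b:58:f1:25:00:09:b7:58:4d:a2:07:00
Jun  4 09:46:50 oprah kernel: martian source 192.168.17.2 from 203.0.113.42, on dev eth0
Jun  4 09:47:03 oprah kernel: martian source 203.0.113.42 from 10.0.0.9, on dev eth0
"""

# Assumed set of addresses configured on the firewall itself.
LOCAL_ADDRS = {"203.0.113.42", "127.0.0.1"}


def parse_martians(log_text):
    """Return one dict per 'martian source' line; 'll header' lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = MARTIAN_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def classify(event, local_addrs=LOCAL_ADDRS):
    """Label the likely cause of a martian drop.

    A packet whose source is one of our own addresses arriving on a physical
    interface is our own traffic coming back from the next hop, i.e. a
    routing loop like the misconfigured router in the thread.  Anything else
    is a source for which the kernel has no return route via the receiving
    interface (the reverse-path check), which points at the peer's routing.
    """
    if event["src"] in local_addrs:
        return "loop: own address as source, returned by next hop"
    return "unroutable source for this interface"


def summarize(log_text, local_addrs=LOCAL_ADDRS):
    """Count drops per (source, destination, device, cause) for a quick triage view."""
    counts = Counter()
    for ev in parse_martians(log_text):
        counts[(ev["src"], ev["dst"], ev["dev"], classify(ev, local_addrs))] += 1
    return counts
```

Feeding `summarize()` the real syslog shows at a glance whether the martians are the firewall's own packets (fix the next hop's routing, as here) or foreign sources failing the reverse-path check on that interface.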