From 1be510f9529cb082f802408b472a77d074b394c0 Mon Sep 17 00:00:00 2001 From: Nicolas Vigier Date: Sun, 14 Apr 2013 13:46:12 +0000 Subject: Add zarb MLs html archives --- zarb-ml/mageia-discuss/20120508/007252.html | 125 ++++++++++++++++++++++++++++ 1 file changed, 125 insertions(+) create mode 100644 zarb-ml/mageia-discuss/20120508/007252.html (limited to 'zarb-ml/mageia-discuss/20120508/007252.html') diff --git a/zarb-ml/mageia-discuss/20120508/007252.html b/zarb-ml/mageia-discuss/20120508/007252.html new file mode 100644 index 000000000..38ba5d372 --- /dev/null +++ b/zarb-ml/mageia-discuss/20120508/007252.html @@ -0,0 +1,125 @@ + + + + [Mageia-discuss] Odd entry in log file + + + + + + + + + +

[Mageia-discuss] Odd entry in log file

+ imnotpc + imnotpc at Rock3d.net +
+ Tue May 8 01:52:02 CEST 2012 +

+
+ +
On 05/07/2012 04:47 PM, Maarten Vanraes wrote:
+> Op maandag 07 mei 2012 14:23:44 schreef Frank Griffin:
+>> On 05/07/2012 06:45 AM, Frank Griffin wrote:
+>>>> On 05/06/2012 09:15 PM, imnotpc wrote:
+>>>> 1) Is eth0 the interface facing the internet ?
+>>> No, this interface faces the LAN which has a 192.168.0.0/24 subnet.
+>> OK, so if eth0 has no outside internet access, you are correct in saying
+>> that something in your network is doing this.
+>>
+>>>> 2) Is 173.194.74.154 the IP address assigned (currently) to you by
+>>>> your ISP ?
+>>> No, that IP returns to qe-in-f154.1e100.net which appears to be a
+>>> server owned by Google.
+>> Yes.  I thought maybe Google was your ISP.
+>>
+>>>> 4) What does "traceroute 192.168.3.2" from the gateway give ?
+>>> [root at Cedar1 /]# traceroute 192.168.3.2
+>>> traceroute to 192.168.3.2 (192.168.3.2), 30 hops max, 60 byte packets
+>>>
+>>>   1  74-94-209-242-BusName-VA.hfc.comcastbusiness.net (74.94.209.242)
+>>>
+>>> 0.670 ms  1.372 ms  1.686 ms
+>>>
+>>>   2  * * *
+>>>
+>>> Well isn't that interesting. That Comcast IP is the address of the ISP
+>>> gateway I use. Both of my firewall/gateway boxes that are logging
+>>> martian packets are connected to similar Comcast routers. The routers
+>>> are configured in bridge mode so the router DHCP service has no effect
+>>> on my connection, but it might still be active on the router. Also
+>>> each ISP router also has a wireless interface and that could still be
+>>> active. My firewall doesn't block any private IPs coming from the
+>>> Internet interface since the ISP routers would never forward them, so
+>>> that explains how they get past the firewall.
+>> No, I think traceroute doesn't special-case internal IP addresses.  Your
+>> routing table is (correctly) set up to route traffic for anything other
+>> than your known subnets to the external internet, and that's exactly
+>> what traceroute is doing.  It's your ISP's job to discard internal
+>> address packets, not yours.
+>>
+>> But I think you're on to something with the ISP routers.  Is there some
+>> reason you don't just run the cable from the cable modem to the external
+>> NIC on the gateway PC ?  If you're willing to try that, and the martians
+>> disappear, it's these routers.
+>>
+>> Try going into configuration on these routers, and see what their DHCP
+>> servers are set up for, and whether the 192.168.3 subnet appears
+>> anywhere in there.  It's possible that one of your DHCP-using wireless
+>> clients is getting an answer to its broadcast from these guys before
+>> your internal router, and picking up a 192.168.3.2 IP address from them.
+>
+> my martians are mostly from: hosts in subnet of my public IP, or internal
+> ranges from modems, and mostly broadcasts or arp stuff.
+>
+> i think this 192.168.3.1 stuff is likely someone in your ISP subnet that is
+> doing bad natting and is trying to get out (much like you pinging 192.168.3.x
+> which is going outside your public ip, that'll get martians on someone elses
+> pc for instance
+
+Since it seems to be coming in on the LAN facing interface, wouldn't it 
+be more likely a bad configuration somewhere in my LAN? Everything seems 
+to point to my cheap Netgear wireless router even though I just 
+rechecked it and it's configured properly (to the best of my knowledge).
+
+Jeff
+
+ + + + + + + +
+

+ +
+More information about the Mageia-discuss +mailing list
+ -- cgit v1.2.1
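Review bot: the commit message is only the subject line "Add zarb MLs html archives" with no body, while the single hunk creates zarb-ml/mageia-discuss/20120508/007252.html as a 125-line file that reads as generated list-archive output (it ends with the "More information about the Mageia-discuss mailing list" footer). State in the message which tool and which source mailbox produced these pages, so the import can be regenerated and audited instead of being reviewed line by line. The added header line near the top of the hunk also carries the poster's address as "imnotpc at Rock3d.net", which is protected only by the " at " substitution. If this tree is served publicly, consider masking addresses more strongly at generation time before committing the output.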