# syslog reports martian packets

## Jimini

Hey there,

since a few days, my syslog reports many warnings like the following:

```
[2010-09-13 12:26:48] warning kern kernel [1025570.571556] martian source 10.0.0.1 from 10.0.0.2, on dev eth1
[2010-09-13 18:59:28] warning kern kernel [1049131.048421] martian source SOME EXTERNAL IP from 10.0.0.2, on dev eth1
[2010-09-15 09:08:51] warning kern kernel [1186494.285116] martian source 10.0.0.2 from 10.0.0.2, on dev eth0
[2010-09-17 18:10:35] warning kern kernel [1391797.842075] martian source MY EXTERNAL IP from 10.0.0.2, on dev eth0
```

My router 10.0.0.1 has two interfaces:

eth0 => connection to my ISP, address is fetched via DHCP

eth1 => LAN

10.0.0.2 is one of my clients.

This problem has occurred since I changed my ISP (from DSL via PPPoE to cable); now I "dial in" by fetching my external IP address via DHCP.

I suppose that this is no serious problem, but something seems to be wrong with my network configuration, so I'd like to fix it.

/etc/conf.d/net

```
config_eth0=( "dhcp" )
config_eth1=( "10.0.0.1/24" )
routes_eth1=( "default via EXTERNAL IP" )
dhcp_eth0="release nodns"
dhcp_eth1="release nodns"
```

The third line must be wrong; as far as I know, the gateway should be in the same net as the interface itself, but I don't know how to set the external IP address statically.

Any ideas or hints would be really appreciated.

Best regards,

Jimini

----------

## DONAHUE

home-router-howto says that /etc/conf.d/net needs only

> config_eth0=( "dhcp" )# to wan
> config_eth1=( "10.0.0.1 broadcast 10.0.0.255 netmask 255.255.255.0" )#to lan

the gateway for 10.0.0.0 is 10.0.0.1 so routes_eth1=( "default via EXTERNAL IP" ) seems wrong

eth1 is not using dhcp so dhcp_eth1="release nodns" seems wrong

dhcp_eth1="release nodns" just seems wrong

----------

## Jimini

Of course this entry in /etc/conf.d/net was wrong, just as you said, so I corrected it.

I also changed my iptables-script:

```
iptables -A INPUT -i $lan -p udp --dport 67 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -o $wan -d SOME_EXTERNAL_IP -p udp --dport 67 -m state --state NEW -j ACCEPT
```

I assume that this script, with the upper entry missing, was responsible for the martian packets. I came to this conclusion by generating very detailed logging output with iptables for possible spoofed packets:

```
IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:21:5d:aa:87:ae:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=0x10 PREC=0x00 TTL=128 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=308
IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:21:5d:aa:87:ae:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=0x10 PREC=0x00 TTL=128 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=308
IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:20:cf:30:9b:3a:f8:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=0x10 PREC=0x00 TTL=128 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=308
IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:20:cf:30:9b:3a:f8:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=328 TOS=0x10 PREC=0x00 TTL=128 ID=0 PROTO=UDP SPT=68 DPT=67 LEN=308
```

Now everything seems to work fine; for two days no log has contained errors or warnings about martian / spoofed packets.

Best regards,

Jimini

----------

## DONAHUE

well done.

----------

## Jimini

Thanks for your effort though :)

Best regards,

Jimini

----------

## Jimini

Damn. Again, my logfile reports martian packets:

```
[2010-09-25 01:06:39] warning kern kernel [2021562.127400] martian source MY_EXTERNAL_IP from 10.0.0.2, on dev eth0
[2010-09-25 01:06:39] warning kern kernel [2021562.127400] martian source MY_EXTERNAL_IP from 10.0.0.2, on dev eth0
[2010-09-25 01:06:39] warning kern kernel [2021562.127406] ll header: 00:27:0e:08:f1:8d:00:01:5c:31:19:40:08:00
[2010-09-25 01:06:39] warning kern kernel [2021562.127406] ll header: 00:27:0e:08:f1:8d:00:01:5c:31:19:40:08:00
[2010-09-25 01:08:26] warning kern kernel [2021668.953334] martian source MY_EXTERNAL_IP from 10.0.0.2, on dev eth0
[2010-09-25 01:08:26] warning kern kernel [2021668.953334] martian source MY_EXTERNAL_IP from 10.0.0.2, on dev eth0
[2010-09-25 01:08:26] warning kern kernel [2021668.953340] ll header: 00:27:0e:08:f1:8d:00:01:5c:31:19:40:08:00
[2010-09-25 01:08:26] warning kern kernel [2021668.953340] ll header: 00:27:0e:08:f1:8d:00:01:5c:31:19:40:08:00
[2010-09-25 01:10:26] warning kern kernel [2021788.957795] martian source MY_EXTERNAL_IP from 10.0.0.2, on dev eth0
[2010-09-25 01:10:26] warning kern kernel [2021788.957795] martian source MY_EXTERNAL_IP from 10.0.0.2, on dev eth0
[2010-09-25 01:10:26] warning kern kernel [2021788.957801] ll header: 00:27:0e:08:f1:8d:00:01:5c:31:19:40:08:00
[2010-09-25 01:10:26] warning kern kernel [2021788.957801] ll header: 00:27:0e:08:f1:8d:00:01:5c:31:19:40:08:00
[2010-09-25 01:12:26] warning kern kernel [2021908.960198] martian source MY_EXTERNAL_IP from 10.0.0.2, on dev eth0
[2010-09-25 01:12:26] warning kern kernel [2021908.960198] martian source MY_EXTERNAL_IP from 10.0.0.2, on dev eth0
[2010-09-25 01:12:26] warning kern kernel [2021908.960205] ll header: 00:27:0e:08:f1:8d:00:01:5c:31:19:40:08:00
[2010-09-25 01:12:26] warning kern kernel [2021908.960205] ll header: 00:27:0e:08:f1:8d:00:01:5c:31:19:40:08:00
[2010-09-25 03:41:53] warning kern kernel [2030876.265789] martian source 10.0.0.2 from 10.0.0.1, on dev eth0
[2010-09-25 03:41:53] warning kern kernel [2030876.265789] martian source 10.0.0.2 from 10.0.0.1, on dev eth0
[2010-09-25 03:41:53] warning kern kernel [2030876.265795] ll header: 00:27:0e:08:f1:8d:00:01:5c:31:19:40:08:00
[2010-09-25 03:41:53] warning kern kernel [2030876.265795] ll header: 00:27:0e:08:f1:8d:00:01:5c:31:19:40:08:00
```

As far as I know, the ll header contains the destination MAC address and the source MAC address. But in my network I don't have a NIC with one of these addresses. I figured out that these packets must be BitTorrent-related traffic:

```
IN=eth0 OUT= MAC=00:27:0e:08:f1:8d:00:01:5c:31:19:40:08:00 SRC=118.233.40.159 DST=MY_EXTERNAL_IP LEN=126 TOS=0x00 PREC=0x00 TTL=109 ID=15541 PROTO=UDP SPT=12716 DPT=51413 LEN=106
IN=eth0 OUT= MAC=00:27:0e:08:f1:8d:00:01:5c:31:19:40:08:00 SRC=60.8.64.78 DST=MY_EXTERNAL_IP LEN=90 TOS=0x00 PREC=0x00 TTL=108 ID=53745 PROTO=UDP SPT=41555 DPT=51413 LEN=70
IN=eth0 OUT= MAC=00:27:0e:08:f1:8d:00:01:5c:31:19:40:08:00 SRC=123.5.243.43 DST=MY_EXTERNAL_IP LEN=126 TOS=0x00 PREC=0x00 TTL=110 ID=19309 PROTO=UDP SPT=1054 DPT=51413 LEN=106
IN=eth0 OUT= MAC=00:27:0e:08:f1:8d:00:01:5c:31:19:40:08:00 SRC=114.37.17.121 DST=MY_EXTERNAL_IP LEN=326 TOS=0x00 PREC=0x00 TTL=99 ID=12999 PROTO=UDP SPT=7777 DPT=51413 LEN=306
```

But I don't understand why the header of these four packets is the same, although the source is different. Who can explain that?

Best regards,

Jimini

----------

## Jimini

Perhaps I found the reason for the martian packets: during the last few days, iptables blocked input from various IP addresses, but the MAC address was always the same:

```
[2010-09-28 00:01:50] notice [2276873.595094] [FW] DROPPED INPUT: IN=eth0 OUT= MAC=00:27:0e:08:f1:8d:00:01:5c:31:19:40:08:00 SRC=217.202.147.157 DST=MY_EXTERNAL_IP LEN=40 TOS=0x00 PREC=0x00 TTL=46 ID=7145 DF PROTO=TCP SPT=43429 DPT=40098 WINDOW=0 RES=0x00 ACK RST URGP=0
[2010-09-28 00:02:38] notice [2276921.570109] [FW] DROPPED INPUT: IN=eth0 OUT= MAC=00:27:0e:08:f1:8d:00:01:5c:31:19:40:08:00 SRC=59.98.208.27 DST=MY_EXTERNAL_IP LEN=40 TOS=0x00 PREC=0x20 TTL=45 ID=4355 PROTO=TCP SPT=51413 DPT=56728 WINDOW=0 RES=0x00 ACK RST FIN URGP=0
[2010-09-28 00:11:08] notice [2277430.993225] [FW] DROPPED INPUT: IN=eth0 OUT= MAC=00:27:0e:08:f1:8d:00:01:5c:31:19:40:08:00 SRC=151.53.234.201 DST=MY_EXTERNAL_IP LEN=64 TOS=0x00 PREC=0x00 TTL=116 ID=55318 DF PROTO=TCP SPT=14433 DPT=48344 WINDOW=65535 RES=0x00 ACK SYN URGP=0
[2010-09-28 00:11:11] notice [2277433.963360] [FW] DROPPED INPUT: IN=eth0 OUT= MAC=00:27:0e:08:f1:8d:00:01:5c:31:19:40:08:00 SRC=151.53.234.201 DST=MY_EXTERNAL_IP LEN=64 TOS=0x00 PREC=0x00 TTL=116 ID=55474 DF PROTO=TCP SPT=14433 DPT=48344 WINDOW=65535 RES=0x00 ACK SYN URGP=0
[2010-09-28 00:11:17] notice [2277439.974015] [FW] DROPPED INPUT: IN=eth0 OUT= MAC=00:27:0e:08:f1:8d:00:01:5c:31:19:40:08:00 SRC=151.53.234.201 DST=MY_EXTERNAL_IP LEN=64 TOS=0x00 PREC=0x00 TTL=116 ID=55840 DF PROTO=TCP SPT=14433 DPT=48344 WINDOW=65535 RES=0x00 ACK SYN URGP=0
[2010-09-28 00:11:19] notice [2277442.573717] [FW] DROPPED INPUT: IN=eth0 OUT= MAC=00:27:0e:08:f1:8d:00:01:5c:31:19:40:08:00 SRC=122.177.145.30 DST=MY_EXTERNAL_IP LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=46204 PROTO=TCP SPT=26098 DPT=34580 WINDOW=0 RES=0x00 ACK RST URGP=0
```

What is going on there?

Edit: I'm blocking all traffic from 00:01:5C:31:19:40 now, we'll see what happens.

Best regards,

Jimini

----------

## DONAHUE

From the RFC:

> 5.3.7 Martian Address Filtering
>
> An IP source address is invalid if it is a special IP address, as defined in 4.2.2.11 or 5.3.7, or is not a unicast address. An IP destination address is invalid if it is among those defined as illegal destinations in 4.2.3.1, or is a Class E address (except 255.255.255.255).
>
> A router SHOULD NOT forward any packet that has an invalid IP source address or a source address on network 0. A router SHOULD NOT forward, except over a loopback interface, any packet that has a source address on network 127. A router MAY have a switch that allows the network manager to disable these checks. If such a switch is provided, it MUST default to performing the checks.
>
> A router SHOULD NOT forward any packet that has an invalid IP destination address or a destination address on network 0. A router SHOULD NOT forward, except over a loopback interface, any packet that has a destination address on network 127. A router MAY have a switch that allows the network manager to disable these checks. If such a switch is provided, it MUST default to performing the checks.
>
> If a router discards a packet because of these rules, it SHOULD log at least the IP source address, the IP destination address, and, if the problem was with the source address, the physical interface on which the packet was received and the Link Layer address of the host or router from which the packet was received.

----------

## Jimini

I hope I get you right: I've been blocking these packets for some time now; I had added some "anti spoofing rules":

```
iptables -A INPUT ! -i $lan -s $intern -j DROP
iptables -A FORWARD ! -i $lan -s $intern -j DROP
iptables -A INPUT ! -i lo -s 127.0.0.1 -j DROP
iptables -A FORWARD ! -i lo -s 127.0.0.1 -j DROP
iptables -A INPUT ! -i $wan -s $extip -j DROP
iptables -A FORWARD ! -i $wan -s $extip -j DROP
```

I've also been logging this traffic before it was dropped (I hope my procedure was RFC-compliant?).

I found out that I have made a mistake with the involved MAC addresses: the target address is eth0 on my router (the interface which is connected to the outside). But what I still don't understand is the fact that the source address seems to be always the same:

```
IN=eth0 OUT= MAC=00:27:0e:08:f1:8d:00:01:5c:31:19:40:08:00 SRC=91.65.198.7 DST=MY_EXTERNAL_IP LEN=48 TOS=0x00 PREC=0x00 TTL=121 ID=21140 DF PROTO=TCP SPT=4067 DPT=2967 WINDOW=64240 RES=0x00 SYN URGP=0
IN=eth0 OUT= MAC=00:27:0e:08:f1:8d:00:01:5c:31:19:40:08:00 SRC=91.65.8.22 DST=MY_EXTERNAL_IP LEN=64 TOS=0x00 PREC=0x00 TTL=41 ID=50785 DF PROTO=TCP SPT=3223 DPT=445 WINDOW=53760 RES=0x00 SYN URGP=0
IN=eth0 OUT= MAC=00:27:0e:08:f1:8d:00:01:5c:31:19:40:08:00 SRC=175.41.139.175 DST=MY_EXTERNAL_IP LEN=44 TOS=0x00 PREC=0x00 TTL=50 ID=39294 PROTO=TCP SPT=80 DPT=49239 WINDOW=16384 RES=0x00 ACK SYN URGP=0
```

Conclusion: although the traffic has its source in different IP addresses, the source MAC address (00:27:0E:08:F1:8D) is always the same.

Yesterday, I tried to block this traffic:

```
iptables -A INPUT -m mac --mac-source 00:01:5C:31:19:40 -j DROP
```

Which at first seemed to help.

But my syslog still reported martian packets:

```
[2310921.160091] martian source 10.0.0.2 from 10.0.0.1, on dev eth0
[2310921.160091] martian source 10.0.0.2 from 10.0.0.1, on dev eth0
[2310921.160097] ll header: 00:27:0e:08:f1:8d:00:01:5c:31:19:40:08:00
[2310921.160097] ll header: 00:27:0e:08:f1:8d:00:01:5c:31:19:40:08:00
[2333192.613987] martian source 91.65.144.59 from 10.0.0.2, on dev eth0
[2333192.613987] martian source 91.65.144.59 from 10.0.0.2, on dev eth0
[2333192.613994] ll header: 00:27:0e:08:f1:8d:00:01:5c:31:19:40:08:00
[2333192.613994] ll header: 00:27:0e:08:f1:8d:00:01:5c:31:19:40:08:00
...
```

...I still don't get it.

Best regards,

Jimini
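The two questions left open in this thread (why the `MAC=` / `ll header` bytes are identical for packets from many different remote IPs, and which half of those bytes is the source) come down to how the kernel formats these lines. The 14 header bytes are the Ethernet frame header: destination MAC (6 bytes), source MAC (6 bytes), EtherType (2 bytes, `08:00` = IPv4). Every packet that arrives from the Internet is delivered by the same last-hop router on the cable segment, so its source MAC is constant no matter which remote IP sent it, while the destination MAC is the router's own eth0. The kernel message itself prints the destination address first: `martian source <dst> from <src>, on dev <if>`. The following script is an added example, not code from the thread or from any project it names; it parses both line formats, splits the header, and groups the IP sources seen behind each link-layer source so the pattern above is visible at a glance. The LAN prefix (`10.0.0.0/24`), WAN interface (`eth0`) and the sample log lines are assumptions modelled on the thread, with RFC 5737 documentation addresses standing in for `MY_EXTERNAL_IP` and the remote peers.

```python
"""Triage helper for Linux "martian source" warnings and iptables LOG lines.

Added example; not code from the thread. Assumes an Ethernet link layer and
the thread's layout: LAN 10.0.0.0/24 behind eth1, WAN (ISP via DHCP) on eth0.
"""
import ipaddress
import re
from collections import defaultdict

LAN_NET = ipaddress.ip_network("10.0.0.0/24")  # assumption taken from the thread
WAN_DEV = "eth0"                                # assumption taken from the thread

# Constructed sample log; documentation addresses stand in for the thread's
# MY_EXTERNAL_IP and the remote peers. Each martian warning is followed by an
# "ll header" dump of the raw Ethernet header, as in the thread's syslog.
SAMPLE_LOG = """\
[2010-09-25 01:06:39] warning kern kernel [2021562.127400] martian source 203.0.113.10 from 10.0.0.2, on dev eth0
[2010-09-25 01:06:39] warning kern kernel [2021562.127406] ll header: 00:27:0e:08:f1:8d:00:01:5c:31:19:40:08:00
[2010-09-25 03:41:53] warning kern kernel [2030876.265789] martian source 10.0.0.2 from 10.0.0.1, on dev eth0
[2010-09-25 03:41:53] warning kern kernel [2030876.265795] ll header: 00:27:0e:08:f1:8d:00:01:5c:31:19:40:08:00
[2010-09-28 00:01:50] notice [2276873.595094] [FW] DROPPED INPUT: IN=eth0 OUT= MAC=00:27:0e:08:f1:8d:00:01:5c:31:19:40:08:00 SRC=198.51.100.7 DST=203.0.113.10 LEN=40 PROTO=TCP SPT=43429 DPT=40098
[2010-09-28 00:02:38] notice [2276921.570109] [FW] DROPPED INPUT: IN=eth0 OUT= MAC=00:27:0e:08:f1:8d:00:01:5c:31:19:40:08:00 SRC=198.51.100.99 DST=203.0.113.10 LEN=40 PROTO=TCP SPT=51413 DPT=56728
[2010-09-28 00:05:00] notice [2276999.000000] [FW] DROPPED INPUT: IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:21:5d:aa:87:ae:08:00 SRC=0.0.0.0 DST=255.255.255.255 LEN=328 PROTO=UDP SPT=68 DPT=67
"""

# The kernel prints the DESTINATION first and the SOURCE second:
#   "martian source <daddr> from <saddr>, on dev <if>"
MARTIAN_RE = re.compile(
    r"martian source (?P<daddr>[\d.]+) from (?P<saddr>[\d.]+), on dev (?P<dev>\S+)")
# 14 Ethernet header bytes: 6 dst MAC, 6 src MAC, 2 EtherType.
LLHDR_RE = re.compile(r"ll header: (?P<hdr>(?:[0-9a-f]{2}:){13}[0-9a-f]{2})")
# The netfilter LOG target's MAC= field carries the same 14 bytes.
NFLOG_RE = re.compile(
    r"IN=(?P<dev>\S+) OUT=\S* MAC=(?P<hdr>\S+) SRC=(?P<saddr>[\d.]+) DST=(?P<daddr>[\d.]+)")


def split_mac_header(hdr):
    """Split a 14-byte Ethernet header dump into dst MAC, src MAC and EtherType."""
    octets = hdr.lower().split(":")
    if len(octets) != 14:
        raise ValueError("expected 14 header bytes, got %d" % len(octets))
    return {
        "dst_mac": ":".join(octets[0:6]),
        "src_mac": ":".join(octets[6:12]),
        "ethertype": int(octets[12] + octets[13], 16),  # 0x0800 = IPv4
    }


def parse_events(text):
    """Turn syslog text into event dicts. A martian warning absorbs the
    'll header' line after it; consecutive duplicate lines (syslog often
    records each kernel line twice, as in the thread) are skipped."""
    events, prev = [], None
    for line in text.splitlines():
        if line == prev:
            continue
        prev = line
        m = MARTIAN_RE.search(line)
        if m:
            events.append({"kind": "martian", **m.groupdict()})
            continue
        m = LLHDR_RE.search(line)
        if m and events and events[-1]["kind"] == "martian" and "src_mac" not in events[-1]:
            events[-1].update(split_mac_header(m.group("hdr")))
            continue
        m = NFLOG_RE.search(line)
        if m:
            ev = {"kind": "nflog", "dev": m.group("dev"),
                  "saddr": m.group("saddr"), "daddr": m.group("daddr")}
            ev.update(split_mac_header(m.group("hdr")))
            events.append(ev)
    return events


def classify(event, lan_net=LAN_NET, wan_dev=WAN_DEV):
    """Say why the router's reverse-path check would reject this packet's source."""
    src = ipaddress.ip_address(event["saddr"])
    if src.is_unspecified or src.is_loopback:
        # 0.0.0.0 is normal for a DHCP DISCOVER on the LAN side; 127/8 never is.
        return "unspecified_or_loopback_source"
    if event["dev"] == wan_dev and src in lan_net:
        return "lan_source_on_wan"      # LAN address entered through the ISP link
    if event["dev"] != wan_dev and src not in lan_net:
        return "foreign_source_on_lan"  # non-LAN address entered through the LAN
    return "routable"


def ips_per_source_mac(events):
    """Group IP sources by the link-layer source they arrived from. Everything
    from the Internet shares one src MAC: the last-hop router on the WAN side."""
    seen = defaultdict(set)
    for ev in events:
        if "src_mac" in ev:
            seen[ev["src_mac"]].add(ev["saddr"])
    return dict(seen)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for ev in evs:
        print("%-7s %s %s -> %s via src MAC %s: %s" % (
            ev["kind"], ev["dev"], ev["saddr"], ev["daddr"], ev.get("src_mac"), classify(ev)))
    for mac, ips in ips_per_source_mac(evs).items():
        print("%s carried %d distinct IP sources: %s" % (mac, len(ips), sorted(ips)))
```

Run against a real `/var/log/messages` by replacing `SAMPLE_LOG` with the file's contents. A source MAC that carries dozens of unrelated remote IPs is the expected signature of the upstream hop, not of one spoofing host; what deserves attention is the `lan_source_on_wan` class, where a 10.0.0.0/24 source enters through the ISP-facing interface and the kernel's reverse-path check rightly refuses it.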

----------