linux martian packets

linux martian packets

[John Ratliff]

We have a couple of internal networks that we route between, 10.9/16 and 
10.246/16. But when I try to reply to ICMP requests coming into a 10.246 
IP on the host from a machine with a 10.9 IP, I can't seem to do that. I 
see the ICMP echo request packets in tcpdump, but I can't find anything 
in iptables. It seems like they're dropped before they come into the 
filter table.

Is there a way I can prevent this so that I can respond to traffic from 
another non-publicly routable IP?

Thanks.

Re: linux martian packets

[Duncan Roe]

On Wed, Feb 07, 2018 at 02:29:52PM -0500, John Ratliff wrote:
> We have a couple of internal networks that we route between, 10.9/16 and
> 10.246/16. But when I try to reply to ICMP requests coming into a 10.246 IP
> on the host from a machine with a 10.9 IP, I can't seem to do that. I see
> the ICMP echo request packets in tcpdump, but I can't find anything in
> iptables. It seems like they're dropped before they come into the filter
> table.
>
> Is there a way I can prevent this so that I can respond to traffic from
> another non-publicly routable IP?
>
> Thanks.

Yes indeed - tcpdump gets in before any of the iptables rules so you will see
incoming packets that are subsequently dropped.

You must have an iptables rule that is dropping them, so I suggest to use watch
of iptables -L to see which rule increments its counter when you ping from 10.9.

If your chains have policy drop it's possible you won't see anything - if so
then put an explicit DROP at the end of the chain so you see the counter.

It might also be worth checking the OUTPUT chain. Or, watch the entire iptables
ruleset:

> watch 'set -x;for i in filter nat mangle raw;do iptables -t $i -L -v -n --line-numbers;done;set +x;'

(set -x enable you to see which table a chain belongs to: search up for the last
iptables command).

HTH,

Cheers ... Duncan.

Re: linux martian packets

[Rob Thomas]

> Yes indeed - tcpdump gets in before any of the iptables rules so you will see
> incoming packets that are subsequently dropped.
>
> You must have an iptables rule that is dropping them, so I suggest to use watch
> of iptables -L to see which rule increments its counter when you ping from 10.9.

It's also possible that the kernel route-path filter is dropping the
traffic if it's coming in the 'wrong' intreface.

You can check /proc/sys/net/ipv4/conf/*/rp_filter and set it to 0 and
see if that fixes it.

--Rob

Re: linux martian packets

[John Ratliff]

On 2/8/2018 1:44 AM, Rob Thomas wrote:
>> Yes indeed - tcpdump gets in before any of the iptables rules so you will see
>> incoming packets that are subsequently dropped.
>>
>> You must have an iptables rule that is dropping them, so I suggest to use watch
>> of iptables -L to see which rule increments its counter when you ping from 10.9.
> 
> It's also possible that the kernel route-path filter is dropping the
> traffic if it's coming in the 'wrong' intreface.
> 
> You can check /proc/sys/net/ipv4/conf/*/rp_filter and set it to 0 and
> see if that fixes it.
> 
> --Rob
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> 

Thanks. This was the problem. I thought I had turned this off, but I 
must have missed an interface when I did it manually. I changed 
sysctl.conf and rebooted and it started working.