Very Computer

For historical reasons, three static IP addresses which I don't in
fact use are routed by my ISP to my firewall machine.  I upgraded that
machine from 2.2.17 to 2.4.16 on Saturday.  My firewall is configured
to log packets coming to any of those addresses, and drop them.

Today, I've noticed several messages appearing in my logs similar to:

Dec 24 18:07:31 pinky kernel: host 144.232.9.154/if48 ignores redirects for 216.234.199.15 to 216.234.199.15.

(216.234.199.15 is one of the IP addresses getting routed to me).
I've seen them for all of the addresses routed to me other than my
actual firewall address, and with a variety of sites identified as
ignoring redirects.  Some of those sites don't seem to have a reverse
DNS mapping (including the one in the message above); others are
things like 0.so-1-0-0.TL2.LAX9.ALTER.NET.

Anybody know what's happening?
--
Joseph J. Pfeiffer, Jr., Ph.D.       Phone -- (505) 646-1605
Department of Computer Science       FAX   -- (505) 646-1002
New Mexico State University          http://www.cs.nmsu.edu/~pfeiffer
Southwestern NM Regional Science and Engr Fair:  http://www.nmsu.edu/~scifair

Hi!,

Quote:> For historical reasons, three static IP addresses which I don't in
> fact use are routed by my ISP to my firewall machine.  I upgraded that
> machine from 2.2.17 to 2.4.16 on Saturday.  My firewall is configured
> to log packets coming to any of those addresses, and drop them.

> Today, I've noticed several messages appearing in my logs similar to:

> Dec 24 18:07:31 pinky kernel: host 144.232.9.154/if48 ignores redirects for 216.234.199.15 to 216.234.199.15.

> (216.234.199.15 is one of the IP addresses getting routed to me).
> I've seen them for all of the addresses routed to me other than my
> actual firewall address, and with a variety of sites identified as
> ignoring redirects.  Some of those sites don't seem to have a reverse
> DNS mapping (including the one in the message above); others are
> things like 0.so-1-0-0.TL2.LAX9.ALTER.NET.

> Anybody know what's happening?

Is your machine actually configured to receive these packets and reject them
(in other words are there interfaces open for these IP addresses, or are these
packets just hitting your known IP address) ?

To me it seems to suggest that iptables is telling you that it is receiving
these IP addresses, but they aren't for your machine and hence will ignore the
packets.

See ya

Dean Thompson

--
+____________________________+____________________________________________+

| Bach. Computing (Hons)     | ICQ     - 45191180                         |
| PhD Student                | Office  - <Off-Campus>                     |
| School Comp.Sci & Soft.Eng | Phone   - +61 3 9903 2787 (Gen. Office)    |
| MONASH (Caulfield Campus)  | Fax     - +61 3 9903 1077                  |
| Melbourne, Australia       |                                            |
+----------------------------+--------------------------------------------+

The 216.234.199.14 etc. addresses have no interfaces open -- my IP
tables will spot anything coming in for them, and drop them on the
floor (unless I've got a bug I don't know about, of course!).  But
that raises the question of where the messages I'm seeing are actually
coming from -- my IP tables log messages don't use that format.  It
almost seems like the packets themselves have to have been addressed
to my firewall....  I still don't know what's going on, but that gives
me something else to look at...

Quote:> To me it seems to suggest that iptables is telling you that it is receiving
> these IP addresses, but they aren't for your machine and hence will ignore the
> packets.

Except it seems like it's the remote host getting the redirect telling
me it's ignoring it...

Quote:> See ya

Thanks
--
Joseph J. Pfeiffer, Jr., Ph.D.       Phone -- (505) 646-1605
Department of Computer Science       FAX   -- (505) 646-1002
New Mexico State University          http://www.cs.nmsu.edu/~pfeiffer
Southwestern NM Regional Science and Engr Fair:  http://www.nmsu.edu/~scifair

Hi!,

Can't say for certain, but the packets might be being dropped at the point
where the iptables module is actually interfacing with the kernel, rather than
your rules being parsed.  This would explain why your log format isn't being
followed or that your rules are not being processed.

Quote:

>> To me it seems to suggest that iptables is telling you that it is
>> receiving these IP addresses, but they aren't for your machine and hence
>> will ignore the> packets.

> Except it seems like it's the remote host getting the redirect telling
> me it's ignoring it...

It is quite possible that iptables is sending back a REJECT to the remote host
to ignore it.  One way or test to perform would be to insert a couple of
proxyarp statements on your iptables machine for the repsecitve IP addresses,
and then see whether iptables will deal with the drop internally.

See ya

Dean Thompson

--
+____________________________+____________________________________________+

| Bach. Computing (Hons)     | ICQ     - 45191180                         |
| PhD Student                | Office  - <Off-Campus>                     |
| School Comp.Sci & Soft.Eng | Phone   - +61 3 9903 2787 (Gen. Office)    |
| MONASH (Caulfield Campus)  | Fax     - +61 3 9903 1077                  |
| Melbourne, Australia       |                                            |
+----------------------------+--------------------------------------------+