martian source 255.255.255.255 from 10.64.39.106, on dev eth0

Discussion in 'Linux Networking' started by baholeoko, Mar 9, 2006.

  1. baholeoko

    baholeoko Guest

    Hello all

    So as in the topic in my /var/log/messeges i heve a lot of things like
    this one
    ----------------------------------
    martian source 255.255.255.255 from 10.64.39.106, on dev eth0
    ----------------------------------

    Im using Mandrake 10, witn 2 network cards. eth0 (provider) and eth1
    (my local nework ) . Eth0 is conected to my service provider, and i
    have my own public ip.

    I have readed lot of post but none of them explaining what is the real
    problem of this " martian source 255.255.255.255" . From time to time
    my eth0 goes down and I suspected that this information about maritian
    is a problem and i dont know how to stop it. On mandrake im runing my
    proftpd dhcpd ssh and apache and vnc.

    Any advice
     
    baholeoko, Mar 9, 2006
    #1
    1. Advertisements

  2. baholeoko

    Eric Teuber Guest

    martian sources are mostly fake ip addresses pretending an internal
    source. However it should not be unrecognized.

    Since 10.0.0.0 is a private network, make sure all traffic from these
    network coming from outside is blocked by your firewall.

    Afterwards, you can ignore these messages.

    Eric
     
    Eric Teuber, Mar 9, 2006
    #2
    1. Advertisements

  3. baholeoko

    Peter Lowrie Guest

    martian sources are mostly fake ip addresses pretending an internal
    What a load of drivel. Do this...

    echo "0" >/proc/sys/net/ipv4/conf/DEV/log_martians
     
    Peter Lowrie, Mar 10, 2006
    #3
  4. baholeoko

    Eric Teuber Guest

    This will just turn off the messages, but it will not solve the cause!

    Eric
     
    Eric Teuber, Mar 10, 2006
    #4
  5. baholeoko

    Eric Teuber Guest

    I hate replying to people who write bullshit and need more experience
    but Peter you should put a rm /var/log/messages into your crontab!

    Then you will be the most free and secure man in the world.

    Eric
     
    Eric Teuber, Mar 10, 2006
    #5
  6. baholeoko

    Eric Teuber Guest

    what do i say, Peter knows how to handle such things. Let's see what he
    is suggesting besides suppressing log messages.

    Eric
     
    Eric Teuber, Mar 10, 2006
    #6
  7. baholeoko

    baholeoko Guest

    Since 10.0.0.0 is a private network, make sure all traffic from these
    in my network eth1 there is only 192.168.... and so on.
    between my provider and my server ther is 10.0.0.... and my server
    have public ip (redirection is on the provider's server)
    so how a shoud block it
    I can in this situation?

    What else i can give to you readers to see what the problem is, im not
    so good in linux, so except messeges from /var/log where i can check
    why my interface gone down from time to time? . And again what about
    maritian, i can ignore it?
     
    baholeoko, Mar 11, 2006
    #7
  8. baholeoko

    Bit Twister Guest

    You can block using entries in /etc/shorewall/rules or in
    /etc/shorewall/blacklist, and other places using files in
    /etc/shorewall.

    You can look at the shorewall documentation.

    Click up a terminal
    locate shorewall | grep /doc | grep index
    and cut/paste something like
    /usr/share/doc/shorewall-doc-2.4.1/index.html
    into your browser.

    Yes, You can block shorewall messages by creating an entry in your
    /etc/shorewall/blacklist.

    you can use just ip address, port number, ranges......

    I'll guess 10.64.39.106 is your provider's modem for your lan.
    Try it, put
    10.64.39.106
    in /etc/shorewall/blacklist, and to load the blacklist, do a
    shorewall refresh

    Verify your network still works,
    service network restart
     
    Bit Twister, Mar 11, 2006
    #8
  9. baholeoko

    Eric Teuber Guest

    eth1 is not of interest here.
    It is quite complex to figure out, where the fake's come from. So,
    actually what you can do is blocking the 10.0.0.0 network on your eth0
    device. As i said, afterwards you can ignore martians.

    The matter of your interface going down, you need to explain a little
    closer! When does it happen? It might be a problem with your router,
    provider, your firewall box or whatever.

    If you experience it again, provide as much information as you can, such
    as last entries of /var/log/messages or the device logfile.

    Eric
     
    Eric Teuber, Mar 13, 2006
    #9
  10. baholeoko

    Peter Lowrie Guest

    Hate's a bit of a strong term isn't it?
    1st thing. You are not under attack. There's no need to DROP martian IP's
    becuase you'll spend the rest of your life just blocking them...There's
    nothing to block. Martians are simply DNS relics. As an example do a
    tcpdump -i eth0 and have alook at all the "who has, tell..." strings with
    IP numbers from here to kingdom-come.

    As for your ideas relating to messages, I detect a hint of sarcasm.
    Your /var/log dir is going to fill up over time with messages.etc.foo.gz
    files as they rollover. It's the old gz files you'd crontab.

    As to security. I think shorewall is a jerk-off and iptables is far better.
    Before iptabes was chains. Since 1992, when I started using linux, no-one
    has hacked through ssh, I've had no viruses, trojans, rootkits but it
    doesn't stop persistent hack attempts - especially from Korean
    universities. I only block the worst of them...

    -A INPUT -s 123.123.123.123/255.255.255.255 -j DROP

    for example. Obviously for internet facing connections strong passwords are
    a must.

    Hope this helps.
     
    Peter Lowrie, Mar 14, 2006
    #10
  11. baholeoko

    Eric Teuber Guest

    At first, sorry Peter for the rude reply.
    Yes, there is a lot "who has, tell..." stuff in the tcpdump output, but
    what does it have to do with the martians? These are normal DNS packets.
    Also, the "martian" packets and the related messages in the log are not
    permanent or even frequent.

    AFAIK martian sources are only logged, if there is a packet with an ip
    belonging to private networks received at the external interface. So an
    obvious step could be blocking private networks on the public interface.
    Afterwards the log messages either could be ignored ore turned off as
    you suggested.

    A while ago, i was facing this problem and the reason has been misrouted
    packages by the provider. After letting them know, the problem was gone.
    Also a spoofed packet could be the cause of a martian (if i am not
    totally wrong).
    I am also using iptables and have the same experiences as you.

    Eric
     
    Eric Teuber, Mar 14, 2006
    #11
  12. baholeoko

    Peter Lowrie Guest

    Hey Eric

    I just found another way to block those martians.

    Have a look at /etc/sysctl.conf

    You'll see the string involved, change it!
     
    Peter Lowrie, Mar 19, 2006
    #12
  13. baholeoko

    Eric Teuber Guest

    Hi Peter,

    Thanks for the hint, but i don't know what you are talking about.

    The /etc/sysctl.conf does not contain anything regarding martians (i am
    running SuSE 9.3).

    What entry did you find?

    Eric
     
    Eric Teuber, Mar 20, 2006
    #13
  14. hi i just want to link a machine running linux Ubuntu on my network using a
    4port broadband router and and also need to know how to create a dialup on
    the linux machine please help

    success
     
    Fish Printers, Mar 21, 2006
    #14
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.