iptables, broadcast from own IP in log file?

Hi *.*,

I want to drop all packets that originated from my own IP address but entered on eth0:

iptables -A INPUT -i eth0 -s 10.0.0.20/32 -j LOG --log-prefix "WEIRDO:"
iptables -A INPUT -i eth0 -s 10.0.0.20/32 -j DROP

But I do get logged packets from my own IP to the broadcast address 10.0.0.255 (samba). Does it make sense that these packets enter the INPUT chain? And originating from eth0??? Does the NIC pick up its own, just sent, broadcast packet?

This would mean there's no way of dropping spoofed broadcasts but allowing valid broadcasts... My system only has one NIC (eth0, 10.0.0.20) BTW.

Is there some trick/logical solution to do this?

Regards, Joost Leeuwesteijn

PS. I couldn't find the right answer on the Net so I thought I'd try here.

Reply to
Joost Leeuwesteijn

Let's think about this for a moment. A broadcast is supposed to go to every host on the (local) LAN, right? You sent something from 10.0.0.20 to everyone, so that means 10.0.0.0 (which _may_ be a legitimate address on some operating systems), 10.0.0.1, 10.0.0.2 ... 10.0.0.20, and so on. But wait a minute - that packet from 10.0.0.20 is going to 10.0.0.20... you're talking to yourself! So that means you should send it on the loopback interface.

A broadcast to the local net is sent out through the NIC for all of the hosts on the LAN, _and_ copied from/to the loopback interface as well. Look at the output of '/sbin/ifconfig -a' and you'll see traffic on that loopback interface. That's you, talking to yourself. Run a packet sniffer on the loopback (perhaps /usr/sbin/tcpdump -i lo) and see what addresses are in use. You _DON'T_ want to block 127.0.0.1, as that will break things mightily.

Assuming you haven't blocked pings (or set the kernel to ignore them), try using tcpdump as above, and look at the result of a

ping -c1 127.0.0.1
ping -c1 10.0.0.20

You should see something like:

[compton ~]$ /usr/sbin/tcpdump -i lo
tcpdump: listening on lo
09:01:37.260000 localhost > localhost: icmp: echo request
09:01:37.260000 localhost > localhost: icmp: echo request
09:01:37.260000 localhost > localhost: icmp: echo reply
09:01:37.260000 localhost > localhost: icmp: echo reply
09:01:57.790000 compton.phx.az.us > compton.phx.az.us: icmp: echo request
09:01:57.790000 compton.phx.az.us > compton.phx.az.us: icmp: echo request
09:01:57.790000 compton.phx.az.us > compton.phx.az.us: icmp: echo reply
09:01:57.790000 compton.phx.az.us > compton.phx.az.us: icmp: echo reply
^C
8 packets received by filter
0 packets dropped by kernel
[compton ~]$

Two copies of each - because it heard the "transmission" and the "reception". (The ^C is used to exit tcpdump.)

That's fine, but this would be slightly more on topic in the group comp.os.linux.networking, and you should identify the distribution and version (cat /etc/*release etc/*version) to nail things down a bit.

Old guy

Reply to
Moe Trin

Run a sniffer and inspect those broadcast packets. Chances are that they don't have 10.0.0.20 as their source address.

A broadcast is a broadcast is a broadcast. Filter broadcast traffic at your network perimeter.

cu

59cobalt
Reply to
Ansgar -59cobalt- Wiechers

*nod* This is a form of a bogon. Dropping bogons is usually considered a good thing.

This too is normal behavior. The broadcast is a network broadcast which means any and all hosts in a network should listen to the packet and respond accordingly. Is your host a host on your network?

No, not true.

You can easily add in MAC address filtering to your mix. Your own broadcasts will be coming from your MAC address. This means that you can identify packets you send versus packets someone else sends. However, bear in mind that it is possible to spoof the MAC address.

Grant. . . .

Reply to
Taylor, Grant
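To tie together Moe Trin's point (the host hears its own broadcast come back) and Grant's MAC-filtering suggestion, here is an added example, not code from anyone in the thread, that classifies the "WEIRDO:" LOG records the original rule produces. It assumes the IP, interface and broadcast address from the question; the MAC address 00:11:22:33:44:55 and the log lines are constructed placeholders.

```python
import re
from collections import Counter

# From the question: own address, interface and LAN broadcast.
OWN_IP, INTERFACE, LAN_BROADCAST = "10.0.0.20", "eth0", "10.0.0.255"
# Constructed placeholder for this host's own MAC address.
OWN_MAC = "00:11:22:33:44:55"

FIELD_RE = re.compile(r"(\w+)=(\S*)")

# Constructed iptables LOG records in the kernel's KEY=VALUE format.
SAMPLE_LOG = [
    # our own Samba name-service broadcast, heard back on eth0 (own MAC as source)
    "Jan  1 09:01:37 box kernel: WEIRDO:IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:11:22:33:44:55:08:00 "
    "SRC=10.0.0.20 DST=10.0.0.255 LEN=78 TTL=64 PROTO=UDP SPT=137 DPT=137",
    # same IP source and destination, but a foreign source MAC: spoofed
    "Jan  1 09:01:38 box kernel: WEIRDO:IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:de:ad:be:ef:00:01:08:00 "
    "SRC=10.0.0.20 DST=10.0.0.255 LEN=78 TTL=64 PROTO=UDP SPT=137 DPT=137",
    # unicast to ourselves claiming our IP, arriving from the wire: spoofed
    "Jan  1 09:01:39 box kernel: WEIRDO:IN=eth0 OUT= MAC=00:11:22:33:44:55:de:ad:be:ef:00:01:08:00 "
    "SRC=10.0.0.20 DST=10.0.0.20 LEN=60 TTL=64 PROTO=TCP SPT=4444 DPT=22",
    # a neighbour's ordinary broadcast (the -s 10.0.0.20 rule would not log it)
    "Jan  1 09:01:40 box kernel: WEIRDO:IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:aa:bb:cc:dd:ee:08:00 "
    "SRC=10.0.0.5 DST=10.0.0.255 LEN=78 TTL=64 PROTO=UDP SPT=137 DPT=137",
]

def parse_log_line(line):
    """Split a LOG record into its KEY=VALUE fields; bare flags such as DF are skipped."""
    return dict(FIELD_RE.findall(line))

def mac_source(fields):
    """MAC= is dst(6 bytes):src(6 bytes):ethertype(2 bytes); return the source half."""
    parts = fields.get("MAC", "").split(":")
    return ":".join(parts[6:12]) if len(parts) == 14 else None

def classify(line):
    """Own-IP packets on eth0 are either the kernel handing our broadcast back or spoofed."""
    f = parse_log_line(line)
    if f.get("IN") != INTERFACE or f.get("SRC") != OWN_IP:
        return "not-own-ip"
    if f.get("DST") == LAN_BROADCAST and mac_source(f) == OWN_MAC:
        return "own-broadcast-echo"
    return "spoofed"

def summarize(lines):
    """Count each class so the admin can see how much of the WEIRDO: log is benign."""
    return Counter(classify(line) for line in lines)

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(classify(line), "<-", line.split("kernel: ", 1)[1])
    print(dict(summarize(SAMPLE_LOG)))
```

The same distinction can be made in the firewall itself with the mac match (-m mac --mac-source) exempting the host's own MAC before the DROP rule, with the caveat Grant gives that a MAC address can be spoofed too.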

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.