  1. #1
    Just Joined!
    Join Date
    Jul 2010
    Posts
    5

    IP keeps changing between network cards


    Hi !
    Maybe you could help me with this strange situation.
    I have a small pc running fedora 8 with iptables and 2 network cards for routing/firewall and secondary DNS.
    For some time I've been alerted by the network guys that this machine was generating some alerts. The real network IP address keeps being assigned to the other interface, intended for LAN only (10.0.0.1/24).

    I've already changed the PC, installed a more recent operating system, replaced the 2 network cards and the problem persists. I have another pc running the same services (except DNS) in a very similar way and no alert logs from that one.

    So I wonder if it is some configuration issue on my startup firewall script.
    I've also installed arpwatch and I could confirm this IP and physical address issue:

    -------------------------------------
    Arpwatch output:

    hostname: my.host.name
    ip address: my.ip.address
    ethernet address: 0:4f:4e:4:66:a0
    ethernet vendor: <unknown>
    old ethernet address: 0:10:b5:9f:19:56
    old ethernet vendor: ACCTON TECHNOLOGY CORPORATION
    timestamp: Wednesday, July 7, 2010 16:22:24 +0100
    previous timestamp: Wednesday, July 7, 2010 16:22:18 +0100
    delta: 6 seconds
    ------------------------------------------------
    Network interface addresses are configured in /etc/sysconfig/network-scripts/ifcfg-eth0 and eth1
    ------------------------------------------------
    #!/bin/sh
    # Firewall initialisation

    echo "A executar rc.firewall"

    # Disable forwarding while the rules are being rebuilt
    echo 0 > /proc/sys/net/ipv4/ip_forward

    #arp overwrite
    ###-----------------------------------------------
    #echo 0 > /proc/sys/net/ipv4/ip_dynaddr

    iptables=/sbin/iptables
    LAN_IP_NET='10.0.0.0/24'
    LAN_NIC='eth1'
    WAN_IP='my.ip.here'
    WAN_NIC='eth0'

    #arp overwrite
    #FORWARD_IP='10.0.0.1' #??????????????????


    # load some modules (if needed)

    # Flush
    $iptables -F
    $iptables -t nat -F


    # Default Policies
    $iptables -P INPUT DROP
    $iptables -P FORWARD ACCEPT
    $iptables -P OUTPUT ACCEPT


    # Rules for running DNS as a server
    $iptables -A INPUT -p tcp -m tcp -s 0/0 --sport 53 -d 0/0 --dport 53 -j ACCEPT
    $iptables -A INPUT -p udp -m udp -s 0/0 --sport 53 -d 0/0 --dport 53 -j ACCEPT
    $iptables -A INPUT -p tcp -m tcp -s 0/0 --sport 1024:65535 -d 0/0 --dport 53 -j ACCEPT
    $iptables -A INPUT -p udp -m udp -s 0/0 --sport 1024:65535 -d 0/0 --dport 53 -j ACCEPT
    $iptables -A INPUT -p tcp -m tcp -s 0/0 --sport 53 -d 0/0 --dport 1024:65535 -j ACCEPT
    $iptables -A INPUT -p udp -m udp -s 0/0 --sport 53 -d 0/0 --dport 1024:65535 -j ACCEPT

    # Open ports on router for server/services
    $iptables -A INPUT -p tcp -m tcp -s xxx -d xxx --dport 22 --syn -j ACCEPT
    $iptables -A INPUT -p tcp -m tcp -s 10.0.0.252 -d xxxx --dport 22 --syn -j ACCEPT
    $iptables -A INPUT -p tcp -m tcp -s xxxxx -d xxxxx --dport 22 --syn -j ACCEPT
    $iptables -A INPUT -p tcp -m tcp -d xxxxx --dport 22 --syn -j LOG --log-prefix SSHD
    $iptables -A INPUT -p tcp -m tcp -d xxxxx --dport 22 --syn -j DROP
    $iptables -A INPUT -i lo -j ACCEPT

    # Rules for running DNS as a server (same rules as the block above, appended a second time)
    $iptables -A INPUT -p tcp -m tcp -s 0/0 --sport 53 -d 0/0 --dport 53 -j ACCEPT
    $iptables -A INPUT -p udp -m udp -s 0/0 --sport 53 -d 0/0 --dport 53 -j ACCEPT
    $iptables -A INPUT -p tcp -m tcp -s 0/0 --sport 1024:65535 -d 0/0 --dport 53 -j ACCEPT
    $iptables -A INPUT -p udp -m udp -s 0/0 --sport 1024:65535 -d 0/0 --dport 53 -j ACCEPT
    $iptables -A INPUT -p tcp -m tcp -s 0/0 --sport 53 -d 0/0 --dport 1024:65535 -j ACCEPT
    $iptables -A INPUT -p udp -m udp -s 0/0 --sport 53 -d 0/0 --dport 1024:65535 -j ACCEPT


    # STATE RELATED for router
    $iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT


    # Enable forwarding
    echo 1 > /proc/sys/net/ipv4/ip_forward
    # Disable IP spoofing (reverse path filter on every interface)
    for a in /proc/sys/net/ipv4/conf/*/rp_filter; do
        echo 1 > "$a"
    done

    ### 2/7/2010 change: arp overwrite
    #echo 1 > /proc/sys/net/ipv4/ip_dynaddr

    ### It always comes up with "weird" routing values.
    ## Remove them with:
    echo eliminar "Weird Routing"
    route del -net 169.254.0.0 netmask 255.255.0.0 dev eth1
    route del default gw 10.0.0.1
    route add default gw gw.di.ubi.pt
    echo "Routing Activo"

    echo "Fim de rc.firewall"
    echo

    --------------------------------------------------------------------

    Could someone help me out?
    And I don't know what else to do...
    Regards
    David
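    As an added example (not code from the thread), a small POSIX sh triage for arpwatch reports in the format shown above: it normalises the unpadded MACs arpwatch prints and says whether the new MAC is one of the host's own cards or a foreign device. The NIC-to-MAC mapping is an assumption, since the post does not say which card carries which address.

```shell
#!/bin/sh
# Added example (not from the thread): triage an arpwatch "changed ethernet
# address" report such as the one above. The useful question is whether the
# new MAC is one of this host's own cards (the address flapping between eth0
# and eth1, a local configuration problem) or an outside device answering for
# the address, which is the case worth escalating.

# arpwatch prints octets without zero padding (0:4f:4e:4:66:a0); ifcfg
# HWADDR and udev use the padded form. Normalise to padded lowercase.
norm_mac() {
    printf '%s\n' "$1" | tr 'A-F' 'a-f' | awk -F: '{
        for (i = 1; i <= NF; i++) {
            o = $i; if (length(o) == 1) o = "0" o
            printf "%s%s", (i > 1 ? ":" : ""), o
        }
        print ""
    }'
}

# Extract one "name: value" field from the report text on stdin.
report_field() {  # $1 = field name
    sed -n "s/^ *$1: *//p" | head -n 1
}

# $1 = report text, $2 = this host's NICs as "iface=mac" pairs.
# Prints self-flux:<iface>, foreign:<mac> or unchanged.
classify_report() {
    new=$(norm_mac "$(printf '%s\n' "$1" | report_field 'ethernet address')")
    old=$(norm_mac "$(printf '%s\n' "$1" | report_field 'old ethernet address')")
    if [ "$new" = "$old" ]; then echo unchanged; return 0; fi
    for pair in $2; do
        if [ "$(norm_mac "${pair#*=}")" = "$new" ]; then
            echo "self-flux:${pair%%=*}"; return 0
        fi
    done
    echo "foreign:$new"
}

# Constructed sample: the report from the post, reduced to its MAC fields.
REPORT='hostname: my.host.name
ip address: my.ip.address
ethernet address: 0:4f:4e:4:66:a0
old ethernet address: 0:10:b5:9f:19:56
delta: 6 seconds'
# Assumed NIC table (which MAC sits on which card is not stated in the
# thread); on the box itself take it from `ip link` or the ifcfg HWADDR lines.
OWN_NICS='eth0=00:10:b5:9f:19:56 eth1=00:4f:4e:04:66:a0'
classify_report "$REPORT" "$OWN_NICS"   # prints self-flux:eth1
```

    A self-flux result points at the host's own ARP behaviour across its two cards; a foreign result is the one to hand to the network team.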

  2. #2
    Linux Engineer rcgreen's Avatar
    Join Date
    May 2006
    Location
    the hills
    Posts
    1,134
    Yes, it is a configuration issue, probably because devices
    are dynamically discovered at boot time by plug and play.
    I can't quite remember, but I had a problem on one computer
    where eth0 and eth1 kept changing places.

    The solution is in udev, if your system uses it.

    Writing udev rules
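    The persistent naming rcgreen points to, as an added example that is not his or the thread's own code: a POSIX sh helper that builds udev rules pinning eth0/eth1 to their MACs from the HWADDR lines of the ifcfg files. The file paths, the sample MACs and which card carries which MAC are assumptions.

```shell
#!/bin/sh
# Added example, not rcgreen's or the thread's own code: pin each interface
# name to a card's MAC with a udev rule, taking the MACs from the HWADDR=
# lines that ifcfg-eth0/ifcfg-eth1 carry. This addresses eth0/eth1 swapping
# places at boot, the case rcgreen describes. Paths and sample MACs are assumed.

# Read HWADDR from one ifcfg file (drops quotes, lowercases like the kernel).
ifcfg_hwaddr() {  # $1 = path to ifcfg file
    sed -n 's/^HWADDR=//p' "$1" | tr -d '"' | tr 'A-F' 'a-f' | head -n 1
}

# One udev rule line: the NIC whose MAC is $2 gets the name $1.
udev_rule() {  # $1 = interface name, $2 = MAC
    printf 'SUBSYSTEM=="net", ACTION=="add", ATTR{address}=="%s", NAME="%s"\n' "$2" "$1"
}

# Build rules for every ifcfg-eth* in a directory. Refuse to emit a set in
# which a MAC is missing or listed twice (two names fighting over one card).
build_rules() {  # $1 = directory holding the ifcfg files
    seen=""
    for f in "$1"/ifcfg-eth*; do
        iface=${f##*/ifcfg-}
        mac=$(ifcfg_hwaddr "$f")
        if [ -z "$mac" ]; then echo "no HWADDR in $f" >&2; return 1; fi
        case " $seen " in *" $mac "*) echo "duplicate MAC $mac" >&2; return 1 ;; esac
        seen="$seen $mac"
        udev_rule "$iface" "$mac"
    done
}

# Constructed sample ifcfg files in a scratch directory (not the poster's
# real files; which MAC belongs to which card is a guess).
TMP=$(mktemp -d)
printf 'DEVICE=eth0\nHWADDR=00:10:B5:9F:19:56\nBOOTPROTO=static\n' > "$TMP/ifcfg-eth0"
printf 'DEVICE=eth1\nHWADDR="00:4f:4e:04:66:a0"\nIPADDR=10.0.0.1\n' > "$TMP/ifcfg-eth1"
build_rules "$TMP"   # on a real box redirect into /etc/udev/rules.d/70-persistent-net.rules
rm -rf "$TMP"
```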

  3. #3
    Just Joined!
    Join Date
    Jul 2010
    Posts
    5
    Quote Originally Posted by dave08
    Hi !
    Maybe you could help me with this strange situation.
    I have a small pc running fedora 8 with iptables and 2 network cards for routing/firewall and secondary DNS.
    Thanks for the reply. Maybe I was not clear enough.
    This doesn't occur at boot time but when the machine is running.
    It is not regular and it is only for a few seconds as I could notice while using ARPWATCH.
    Any ideas?
    Regards

  4. #4
    Just Joined!
    Join Date
    Jul 2010
    Posts
    5
    Quote Originally Posted by rcgreen
    Yes, it is a configuration issue, probably because devices
    are dynamically discovered at boot time by plug and play.
    I can't quite remember, but I had a problem on one computer
    where eth0 and eth1 kept changing places.

    The solution is in udev, if your system uses it.
    Thanks for the reply. Maybe I was not clear enough.
    This doesn't occur at boot time but when the machine is running.
    It is not regular and it is only for a few seconds as I could notice while using ARPWATCH.
    Any ideas?
    Regards

  5. #5
    Linux Engineer rcgreen's Avatar
    Join Date
    May 2006
    Location
    the hills
    Posts
    1,134

  6. #6
    Just Joined!
    Join Date
    Jul 2010
    Posts
    5
    Quote Originally Posted by rcgreen
    Maybe you have a hacker.
    Thanks for the reply.
    Almost certainly not. This machine serves about 20 people for "regular" use (e-mail, internet, dns...).
    Maybe configuration, but what?
    Regards
    David
