IP keeps changing between network cards
Hi!
Maybe you could help me with this strange situation.
I have a small pc running fedora 8 with iptables and 2 network cards for routing/firewall and secondary DNS.
For some time I've been alerted by the network guys that this machine was generating some alerts. The real network IP address keeps being assigned to the other interface, intended for LAN only (10.0.0.1/24).
I've already changed the PC, installed a more recent operating system, replaced the 2 network cards and the problem persists. I have another pc running the same services (except DNS) in a very similar way and no alert logs from that one.
So I wonder if it is some configuration issue on my startup firewall script.
I've also installed arpwatch and I could confirm this IP and physical address issue:
-------------------------------------
Arpwatch output:
hostname: my.host.name
ip address: my.ip.address
ethernet address: 0:4f:4e:4:66:a0
ethernet vendor: <unknown>
old ethernet address: 0:10:b5:9f:19:56
old ethernet vendor: ACCTON TECHNOLOGY CORPORATION
timestamp: Wednesday, July 7, 2010 16:22:24 +0100
previous timestamp: Wednesday, July 7, 2010 16:22:18 +0100
delta: 6 seconds
------------------------------------------------
Network interface addresses are configured in /etc/sysconfig/network-scripts/ifcfg-eth0 and eth1.
------------------------------------------------
#!/bin/sh
# Firewall initialization
echo "A executar rc.firewall"
#Disable forwarding
echo 0 > /proc/sys/net/ipv4/ip_forward
#arp overwrite
###-----------------------------------------------
#echo 0 > /proc/sys/net/ipv4/ip_dynaddr
iptables=/sbin/iptables
LAN_IP_NET='10.0.0.0/24'
LAN_NIC='eth1'
WAN_IP='my.ip.here'
WAN_NIC='eth0'
#arp overwrite
#FORWARD_IP='10.0.0.1' #??????????????????
# load some modules (if needed)
# Flush
$iptables -F
$iptables -t nat -F
#Default Policies
$iptables -P INPUT DROP
$iptables -P FORWARD ACCEPT
$iptables -P OUTPUT ACCEPT
# Rules for DNS to work as a server
$iptables -A INPUT -p tcp -m tcp -s 0/0 --sport 53 -d 0/0 --dport 53 -j ACCEPT
$iptables -A INPUT -p udp -m udp -s 0/0 --sport 53 -d 0/0 --dport 53 -j ACCEPT
$iptables -A INPUT -p tcp -m tcp -s 0/0 --sport 1024:65535 -d 0/0 --dport 53 -j ACCEPT
$iptables -A INPUT -p udp -m udp -s 0/0 --sport 1024:65535 -d 0/0 --dport 53 -j ACCEPT
$iptables -A INPUT -p tcp -m tcp -s 0/0 --sport 53 -d 0/0 --dport 1024:65535 -j ACCEPT
$iptables -A INPUT -p udp -m udp -s 0/0 --sport 53 -d 0/0 --dport 1024:65535 -j ACCEPT
# Open ports on router for server/services
$iptables -A INPUT -p tcp -m tcp -s xxx -d xxx --dport 22 --syn -j ACCEPT
$iptables -A INPUT -p tcp -m tcp -s 10.0.0.252 -d xxxx --dport 22 --syn -j ACCEPT
$iptables -A INPUT -p tcp -m tcp -s xxxxx -d xxxxx --dport 22 --syn -j ACCEPT
$iptables -A INPUT -p tcp -m tcp -d xxxxx --dport 22 --syn -j LOG --log-prefix SSHD
$iptables -A INPUT -p tcp -m tcp -d xxxxx --dport 22 --syn -j DROP
$iptables -A INPUT -i lo -j ACCEPT
# Rules for DNS to work as a server (repeat of the block above)
$iptables -A INPUT -p tcp -m tcp -s 0/0 --sport 53 -d 0/0 --dport 53 -j ACCEPT
$iptables -A INPUT -p udp -m udp -s 0/0 --sport 53 -d 0/0 --dport 53 -j ACCEPT
$iptables -A INPUT -p tcp -m tcp -s 0/0 --sport 1024:65535 -d 0/0 --dport 53 -j ACCEPT
$iptables -A INPUT -p udp -m udp -s 0/0 --sport 1024:65535 -d 0/0 --dport 53 -j ACCEPT
$iptables -A INPUT -p tcp -m tcp -s 0/0 --sport 53 -d 0/0 --dport 1024:65535 -j ACCEPT
$iptables -A INPUT -p udp -m udp -s 0/0 --sport 53 -d 0/0 --dport 1024:65535 -j ACCEPT
# STATE RELATED for router
$iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Enable forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
#Disable IP Spoofing
for a in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo 1 > $a
done
### 2/7/2010 arp overwrite change
#echo 1 > /proc/sys/net/ipv4/ip_dynaddr
### It always boots with "weird" routing values.
## Remove them with:
echo eliminar "Weird Routing"
route del -net 169.254.0.0 netmask 255.255.0.0 dev eth1
route del default gw 10.0.0.1
route add default gw gw.di.ubi.pt
echo "Routing Activo"
echo "Fim de rc.firewall"
echo
--------------------------------------------------------------------
Could someone help me out?
And I don't know what else to do...
Regards
David
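The arpwatch report above is a MAC flip-flop for one IP, which on a multi-homed Linux host is the classic symptom of the default ARP behaviour: the kernel will answer an ARP request for any local address on any interface (arp_ignore=0) and may use any local address as the sender IP in its own ARP requests (arp_announce=0), so the WAN address can show up behind the LAN card's MAC. The script below is an added example, not part of the original post or the poster's script: it summarises an arpwatch report of that shape, prints the sysctl settings that pin ARP replies and announcements to the interface that actually owns the address (arp_ignore=1, arp_announce=2), and checks whether a host already has them. The interface names eth0/eth1 follow the post; the sample report is constructed (documentation IP, MACs copied from the post), and the optional directory argument to the check is an assumption so the check can be exercised against a fake tree without root.

```shell
#!/bin/sh
# Added example: detect an arpwatch flip-flop and check/prescribe the Linux
# ARP sysctls that stop a multi-homed host answering for the wrong NIC.

# Constructed arpwatch "changed ethernet address" report in the format seen
# in the post (192.0.2.10 is a documentation address, not a real host).
SAMPLE_ARPWATCH='hostname: router.example.test
ip address: 192.0.2.10
ethernet address: 0:4f:4e:4:66:a0
ethernet vendor: <unknown>
old ethernet address: 0:10:b5:9f:19:56
old ethernet vendor: ACCTON TECHNOLOGY CORPORATION
timestamp: Wednesday, July 7, 2010 16:22:24 +0100
previous timestamp: Wednesday, July 7, 2010 16:22:18 +0100
delta: 6 seconds'

# Reduce an arpwatch report on stdin to one line: ip, old MAC, new MAC, delta.
arpwatch_summary() {
    awk -F': ' '
        /^ip address:/           { ip = $2 }
        /^ethernet address:/     { new = $2 }
        /^old ethernet address:/ { old = $2 }
        /^delta:/                { delta = $2 }
        END { if (ip != "" && old != "")
                  printf "%s moved %s -> %s after %s\n", ip, old, new, delta }'
}

# Print the settings to persist in /etc/sysctl.conf.
#   arp_ignore=1   reply only if the target IP is configured on the interface
#                  the request arrived on
#   arp_announce=2 always pick the local source IP that belongs to the
#                  interface the ARP request goes out of
arp_flux_sysctls() {
    for ifc in all eth0 eth1; do
        echo "net.ipv4.conf.$ifc.arp_ignore = 1"
        echo "net.ipv4.conf.$ifc.arp_announce = 2"
    done
}

# Return 0 when the conf tree already carries the hardened values, 1 otherwise.
# $1: base of the tree; defaults to the live /proc/sys/net/ipv4/conf
# (the parameter is an assumption added so the check can run without root).
check_arp_flux() {
    root=${1:-/proc/sys/net/ipv4/conf}
    ok=0
    for ifc in all eth0 eth1; do
        ign=$(cat "$root/$ifc/arp_ignore" 2>/dev/null || echo missing)
        ann=$(cat "$root/$ifc/arp_announce" 2>/dev/null || echo missing)
        if [ "$ign" != "1" ] || [ "$ann" != "2" ]; then
            echo "$ifc: arp_ignore=$ign arp_announce=$ann (want 1/2)"
            ok=1
        fi
    done
    return $ok
}

# Build a fake conf tree with the given values (for offline testing only).
make_fake_conf() {
    root=$1; ign=$2; ann=$3
    for ifc in all eth0 eth1; do
        mkdir -p "$root/$ifc"
        echo "$ign" > "$root/$ifc/arp_ignore"
        echo "$ann" > "$root/$ifc/arp_announce"
    done
}

printf '%s\n' "$SAMPLE_ARPWATCH" | arpwatch_summary
arp_flux_sysctls
check_arp_flux || echo "live settings are not hardened (or /proc is unavailable)"
```

On a running box the values can be applied immediately with `sysctl -w` using the lines `arp_flux_sysctls` prints, and the check rerun; arpwatch should then stop reporting the WAN address behind the eth1 MAC if ARP flux was the cause. If the flip-flops continue after that, the cause is not the host's own ARP behaviour and the switch side (both NICs in the same broadcast domain, or a second device using the address) is the next thing to look at.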