
Error message: martian source

Using policy routing, HTTP and HTTPS traffic is supposed to go out over a DSL line. All other packets are to use the leased line. We set this up as follows:
• In the firewall, all packets with port 80 and 443 are marked with 0x80
• An ip rule was added that causes the routing table DSL to be used
• In this DSL routing table, the DSL interface was entered as the default gateway.

Splitting the packets works, but the packets arriving on the DSL interface are not forwarded to the client; they are discarded on eth1. /var/log/messages contains the following error messages:

The IP address 172.20.10.134 is the address of the requesting client on the internal network
The IP address 207.46.250.101 is the address of the web server on the Internet

a-gate:~ # cd /var/log/
a-gate:/var/log # vi messages
Dec 11 12:37:01 a-gate winbindd[10707]: tdb(/var/lib/samba/winbindd_cache.tdb): rec_free_read bad magic 0x42424242 at offset=145636
Dec 11 12:37:01 a-gate winbindd[10706]: [2006/12/11 12:37:01, 0] nsswitch/winbindd_dual.c:async_reply_recv(198)
Dec 11 12:37:01 a-gate winbindd[10706]: PANIC: assert failed at nsswitch/winbindd_dual.c(198)
Dec 11 12:38:47 a-gate kernel: martian source 172.20.10.134 from 207.46.250.101, on dev eth1
Dec 11 12:38:47 a-gate kernel: ll header: 00:04:75:e3:3e:b4:00:04:0e:bd:5e:aa:08:00
Dec 11 12:38:50 a-gate kernel: martian source 172.20.10.134 from 207.46.250.101, on dev eth1
Dec 11 12:38:50 a-gate kernel: ll header: 00:04:75:e3:3e:b4:00:04:0e:bd:5e:aa:08:00
Dec 11 12:38:56 a-gate kernel: martian source 172.20.10.134 from 207.46.250.101, on dev eth1
Dec 11 12:38:56 a-gate kernel: ll header: 00:04:75:e3:3e:b4:00:04:0e:bd:5e:aa:08:00


Findings so far:

If the rule 32765: from all fwmark 0x80 lookup dsl is removed, everything works, both via DSL and via the leased line, depending on which default gateway is configured.


Configuration:


Eth0: internal interface with IP 172.20.10.34
Eth1: DSL interface to a T-Com DSL router with DHCP, IP 192.168.1.21
Eth2: leased line with IP 146.143.114.2

Routing tables and firewall rules

a-gate:~ # ip rule show
0: from all lookup local
32765: from all fwmark 0x80 lookup dsl
32766: from all lookup main
32767: from all lookup default

a-gate:~ # ip route show
192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.21
146.143.114.0/24 dev eth2 proto kernel scope link src 146.143.114.2
169.254.0.0/16 dev eth0 scope link
172.20.0.0/16 dev eth0 proto kernel scope link src 172.20.10.34
127.0.0.0/8 dev lo scope link
default via 146.143.114.254 dev eth2

a-gate:~ # ip route show table dsl
default via 192.168.1.1 dev eth1
a-gate:~ #

a-gate:~ # iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
input_int all -- anywhere anywhere
input_ext all -- anywhere anywhere
input_ext all -- anywhere anywhere
LOG all -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-IN-ILL-TARGET '
DROP all -- anywhere anywhere

Chain FORWARD (policy DROP)
target prot opt source destination
TCPMSS tcp -- anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
forward_int all -- anywhere anywhere
forward_ext all -- anywhere anywhere
forward_ext all -- anywhere anywhere
LOG all -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-FWD-ILL-ROUTING '
DROP all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state NEW,RELATED,ESTABLISHED
LOG all -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-OUT-ERROR '

Chain forward_ext (2 references)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp echo-reply
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp time-exceeded
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp parameter-problem
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp timestamp-reply
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp address-mask-reply
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp protocol-unreachable
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp redirect
ACCEPT all -- anywhere anywhere state NEW,RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere state NEW,RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
LOG all -- anywhere anywhere limit: avg 3/min burst 5 PKTTYPE = multicast LOG level warning tcp-options ip-options prefix `SFW2-FWDext-DROP-DEFLT '
DROP all -- anywhere anywhere PKTTYPE = multicast
LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-FWDext-DROP-DEFLT '
LOG icmp -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-FWDext-DROP-DEFLT '
LOG udp -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-FWDext-DROP-DEFLT '
LOG all -- anywhere anywhere limit: avg 3/min burst 5 state INVALID LOG level warning tcp-options ip-options prefix `SFW2-FWDext-DROP-DEFLT-INV '
DROP all -- anywhere anywhere

Chain forward_int (1 references)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp echo-reply
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp time-exceeded
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp parameter-problem
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp timestamp-reply
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp address-mask-reply
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp protocol-unreachable
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp redirect
ACCEPT all -- anywhere anywhere state NEW,RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere state NEW,RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
LOG all -- anywhere anywhere limit: avg 3/min burst 5 PKTTYPE = multicast LOG level warning tcp-options ip-options prefix `SFW2-FWDint-DROP-DEFLT '
DROP all -- anywhere anywhere PKTTYPE = multicast
LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-FWDint-DROP-DEFLT '
LOG icmp -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-FWDint-DROP-DEFLT '
LOG udp -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-FWDint-DROP-DEFLT '
LOG all -- anywhere anywhere limit: avg 3/min burst 5 state INVALID LOG level warning tcp-options ip-options prefix `SFW2-FWDint-DROP-DEFLT-INV '
DROP all -- anywhere anywhere

Chain input_ext (2 references)
target prot opt source destination
DROP all -- anywhere anywhere PKTTYPE = broadcast
ACCEPT icmp -- anywhere anywhere icmp source-quench
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp echo-reply
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp destination-unreachable
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp time-exceeded
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp parameter-problem
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp timestamp-reply
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp address-mask-reply
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp protocol-unreachable
ACCEPT icmp -- anywhere anywhere state RELATED,ESTABLISHED icmp redirect
reject_func tcp -- anywhere anywhere tcp dpt:ident state NEW
LOG all -- anywhere anywhere limit: avg 3/min burst 5 PKTTYPE = multicast LOG level warning tcp-options ip-options prefix `SFW2-INext-DROP-DEFLT '
DROP all -- anywhere anywhere PKTTYPE = multicast
LOG tcp -- anywhere anywhere limit: avg 3/min burst 5 tcp flags:FIN,SYN,RST,ACK/SYN LOG level warning tcp-options ip-options prefix `SFW2-INext-DROP-DEFLT '
LOG icmp -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-INext-DROP-DEFLT '
LOG udp -- anywhere anywhere limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-INext-DROP-DEFLT '
LOG all -- anywhere anywhere limit: avg 3/min burst 5 state INVALID LOG level warning tcp-options ip-options prefix `SFW2-INext-DROP-DEFLT-INV '
DROP all -- anywhere anywhere

Chain input_int (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere

Chain reject_func (1 references)
target prot opt source destination
REJECT tcp -- anywhere anywhere reject-with tcp-reset
REJECT udp -- anywhere anywhere reject-with icmp-port-unreachable
REJECT all -- anywhere anywhere reject-with icmp-proto-unreachable
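The three steps described at the top of the post (mark port 80/443, rule "fwmark 0x80 lookup dsl", default route via the DSL router) as a complete script, added here as an example and not taken from the thread. Two things are added on top of what the post configures, because they are what usually makes this setup work on a SuSEfirewall2 host: source NAT on eth1, and reverse-path filtering switched off on eth1. The second is needed because the reply in the log enters eth1 with source 207.46.250.101, and the main table routes that address via eth2; with strict rp_filter (the SUSE default) the kernel therefore rejects the packet as a "martian source", and since the reply carries no fwmark at that point the dsl rule does not change the check, so NAT alone does not silence the message. Interface names, addresses and the mark are the post's; the table id 100 (give it the name "dsl" in /etc/iproute2/rt_tables to get the post's "lookup dsl"), MASQUERADE instead of a fixed SNAT (eth1 is on DHCP) and the exclusion of the LAN prefix from marking are assumptions of this example. With DRY_RUN=1, the default, the script only prints the commands.

```shell
#!/bin/sh
# Added example, not part of the thread: fwmark-based policy routing for
# HTTP/HTTPS over the DSL uplink, plus the source NAT and rp_filter settings
# the post's configuration lacks. Interface names, addresses and the mark come
# from the post; table id 100, MASQUERADE and the LAN exclusion are assumptions.
# DRY_RUN=1 (default) only prints the commands; DRY_RUN=0 executes them (root).
set -eu

LAN_IF=eth0
LAN_NET=172.20.0.0/16      # connected route of eth0 in the post's main table
DSL_IF=eth1
DSL_GW=192.168.1.1
MARK=0x80
TABLE_ID=100               # assumed id for the table the post calls "dsl"
DRY_RUN=${DRY_RUN:-1}

# print each command; execute it only when DRY_RUN is not 1
run() {
    echo "$*"
    [ "$DRY_RUN" = 1 ] || "$@"
}

policy_routing_cmds() {
    # 1. Mark HTTP/HTTPS coming from the LAN. Every packet of the flow carries
    #    the destination port, so no CONNMARK is needed for this direction.
    #    LAN-to-LAN web traffic is excluded: the dsl table holds only a default
    #    route, so a marked packet for an internal web server would otherwise
    #    leave via the DSL router.
    run iptables -t mangle -A PREROUTING -i "$LAN_IF" ! -d "$LAN_NET" \
        -p tcp -m multiport --dports 80,443 -j MARK --set-mark "$MARK"

    # 2. Marked packets consult the dsl table before main; its only entry is
    #    the DSL router as default gateway (same as the post's table).
    run ip rule add fwmark "$MARK" lookup "$TABLE_ID" pref 32765
    run ip route replace default via "$DSL_GW" dev "$DSL_IF" table "$TABLE_ID"
    run ip route flush cache

    # 3. Rewrite the private source address on the way out of eth1. Replies
    #    then return to 192.168.1.21 and conntrack restores the client address,
    #    instead of 172.20.10.x being handed to the DSL router unchanged.
    run iptables -t nat -A POSTROUTING -o "$DSL_IF" -j MASQUERADE

    # 4. The reply still enters eth1 with the web server as source address, and
    #    the main table routes that server via eth2, so strict rp_filter on eth1
    #    rejects it as a "martian source". Replies are unmarked at that point,
    #    so the dsl rule does not help; disable the check on eth1 (or use loose
    #    mode, value 2, on kernels that offer it).
    run sysctl -w "net.ipv4.conf.$DSL_IF.rp_filter=0"
}

policy_routing_cmds
```

Run it once with the default DRY_RUN=1 and compare the printed commands against the existing ip rule / ip route output before executing them with DRY_RUN=0; the rule is added at pref 32765 so it takes the same slot as the post's rule.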
 
OK, the configuration is too complex for me to untangle it for myself right now. But two possible reasons come to mind: forwarding not enabled (actually unlikely, since it runs without the corresponding rules), or you should try it with NAT.
 
http://www.linuxforen.de/forums/showthread.php?s=&threadid=18358&highlight=martian+source
is what Google led me to; maybe it helps you?
 
Unfortunately that doesn't help me, since in my opinion the possibilities described there don't apply to my configuration. Simply suppressing the error message unfortunately doesn't help either, since the packets don't arrive at the requesting client.
 
Your routing is somehow bananas, and because the data comes from a source where nothing may come from, it must come from Mars (a nice gag from the error handling of the early days of the net).
Ignoring doesn't help, only fixing.

Investigate with Ethereal who is misbehaving.

Regards

PS: NAT is your magic word. You are passing internal, protected addresses to the outside, which have no business there, so they must be from Mars...
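Before reaching for Ethereal, the log lines in the post already say which direction is broken, provided one reads the kernel's message in the right order: the format is "martian source D from S, on dev X" with the destination printed first and the source second, so the post's lines describe packets from 207.46.250.101 to 172.20.10.134 arriving on eth1, i.e. the web server's replies addressed directly to the un-NATed LAN client. The "ll header" line that follows each one is the Ethernet header (destination MAC, source MAC, ethertype 08:00). The following small triage script, added here as an example and not part of the thread, extracts the events, counts them and classifies them by whether a private address appears on an external interface; which interfaces count as external (eth1 and eth2, from the configuration in the post) is an assumption of the example, and the sample log lines are copied from the post.

```shell
#!/bin/sh
# Added example, not part of the thread: triage "martian source" kernel messages.
# The kernel prints the DESTINATION first and the SOURCE second, so the lines
# below describe replies from 207.46.250.101 to 172.20.10.134 arriving on eth1.
# External interfaces are assumed from the post's configuration.
set -eu

EXTERNAL_IFS="eth1 eth2"

# sample lines copied from the post's /var/log/messages excerpt (winbindd line
# included as noise that the filter must ignore)
SAMPLE_LOG='Dec 11 12:37:01 a-gate winbindd[10706]: PANIC: assert failed at nsswitch/winbindd_dual.c(198)
Dec 11 12:38:47 a-gate kernel: martian source 172.20.10.134 from 207.46.250.101, on dev eth1
Dec 11 12:38:47 a-gate kernel: ll header: 00:04:75:e3:3e:b4:00:04:0e:bd:5e:aa:08:00
Dec 11 12:38:50 a-gate kernel: martian source 172.20.10.134 from 207.46.250.101, on dev eth1
Dec 11 12:38:50 a-gate kernel: ll header: 00:04:75:e3:3e:b4:00:04:0e:bd:5e:aa:08:00
Dec 11 12:38:56 a-gate kernel: martian source 172.20.10.134 from 207.46.250.101, on dev eth1
Dec 11 12:38:56 a-gate kernel: ll header: 00:04:75:e3:3e:b4:00:04:0e:bd:5e:aa:08:00'

# is_private A.B.C.D -> true if the address is in an RFC 1918 block
is_private() {
    case "$1" in
        10.*|192.168.*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    esac
    return 1
}

is_external_if() {
    for i in $EXTERNAL_IFS; do
        [ "$i" = "$1" ] && return 0
    done
    return 1
}

# martian_report: reads syslog text on stdin and prints one line per distinct
# event: "<count> <dst> <src> <dev> <verdict>"
martian_report() {
    sed -n 's/.*martian source \([0-9.]*\) from \([0-9.]*\), on dev \([a-z0-9]*\).*/\1 \2 \3/p' |
    sort | uniq -c |
    while read -r count dst src dev; do
        verdict=other
        if is_external_if "$dev" && is_private "$dst"; then
            # a reply for a LAN host reached the uplink unchanged: the outgoing
            # packets were not NATed, or the reverse path check on that
            # interface does not match the table that sent them out
            verdict=private-dst-on-external-if
        elif is_external_if "$dev" && is_private "$src"; then
            # a private source address coming in from outside: leaked or spoofed
            verdict=private-src-on-external-if
        fi
        echo "$count $dst $src $dev $verdict"
    done
}

printf '%s\n' "$SAMPLE_LOG" | martian_report
```

On a live box, feed it the real log instead of the sample: `martian_report < /var/log/messages`. A verdict of private-dst-on-external-if, as for the post's lines, points at the outbound leg (missing NAT or a reverse-path mismatch on that interface), not at the client.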
 