4

These are the outputs I see when I run dmesg

[1373335.656608] device eth0 entered promiscuous mode
[1373364.891962] device eth1 entered promiscuous mode
[1374537.599978] IPv4: martian source 10.5.0.2 from 203.115.192.116, on dev eth0
[1374562.256536] device eth1 left promiscuous mode
[1375229.342282] device eth1 entered promiscuous mode
[1376178.967446] device eth0 left promiscuous mode
[1376182.455498] device eth0 entered promiscuous mode
  • Q1) I know that martian packets have source addresses that are using non-routable IPs. This host is a Google compute instance with an ephemeral public IP. What does "martian source 10.5.0.2 from 203.115.192.116" mean?
  • Q2) Should I iptables filter these (for security's sake)?
Bon Ami
  • 883
  • 2
  • 10
  • 14

2 Answers

4

A packet arriving on an interface is considered "martian" if a hypothetical reply packet would be routed through a different interface. In your case 203.115.192.116 sent a packet to 10.5.0.2, which arrived on your eth0 interface. If 10.5.0.2 is your address, ip route get 203.115.192.116 correctly reports an interface different from eth0, and you actually intend to do such asymmetric routing, then these martian logs should be disabled like

echo 0 > /proc/sys/net/ipv4/conf/eth0/log_martians

and rp_filter must be disabled as well. Otherwise (and this seems much more probable) there is a routing problem somewhere which should be fixed. If it can't be fixed (quite possible in a hosted cloud environment), you can disable logging altogether like above or drop more selectively by iptables (the filter chain may be too late for that, though).

Ferenc Wágner
  • 5,027
  • 17
  • 25
  • `$ ip route get 203.115.192.116` returns eth0 (not asymmetric). – Bon Ami Sep 10 '18 at 00:45
  • And still you get martian reports from that IP on eth0? I'm baffled. Is 10.5.0.2 your address at least? Please include the `ll header` line following the martian report and the output of the `ip a`, `ping -c3 203.115.192.116`, `ip route get 203.115.192.116` and `ip neigh show to 203.115.192.116` commands (in this order) into your question. – Ferenc Wágner Sep 10 '18 at 11:00
3

Martian packets are when an expected local address is seen in that interface (e.g. packets local to the network with a different network of that packet).

While it is not an advised network design, it can happen that some networks have "martian" packets by design (e.g. VLANs/physical networks with several logical networks).

If you are using iptables on a server, it might not be a bad idea to filter out packets that you should not see.

Note, however, that while I would have martian logging in a pre-production setting, I would prefer not to log martians, as that usually generates a lot of logs and taxes your I/O operations.

Rui F Ribeiro
  • 55,929
  • 26
  • 146
  • 227