Re: SRC and DST

On Saturday 31 July 2004 8:42 am, dee3lmo wrote:

> Hello,
>
> I'm quite new to netfilter and I'm using iptables for a short time and till
> now I'm loving it. But I have a question about the SRC and DST addresses.
>
> I know you can filter on the source and destination addresses. On my box I
> receive a packet with the following addresses: SRC=62.234.65.26
> DST=62.234.111.0
>
> The strange thing is that both the addresses are not mine! I always thought
> that either the SRC or DST address must be the IP of my box or am I missing
> something.

Imagine the following setup:

You are sitting at home with your computer connected to your ISP.
Your ISP is running a firewall to protect you and all its customers from nasty 
things on the Internet.
You connect to a website, through your connection to the ISP.

Then the ISP's firewall system sees a packet where the source address = your 
computer; destination address = remote web server; neither of these = ISP's 
firewall.

Similarly the reply packet comes back from the web server: source address = 
remote web server; destination address = your computer; neither of these = 
firewall.

> An other strange thing is that the DST ip address is a network
> address?

How do you know that?   Just because it ends in .0?   That is not necessarily 
a rule for a network address.

For example, if you have a small 8-IP address block range from the DSL 
provider, the network address might be a.b.c.24, usable addresses a.b.c.25 to 
a.b.c.30, broadcast address a.b.c.31

Similarly a big organisation with a full Class B range might have a network 
address a.b.0.0, usable addresses a.b.0.1 to a.b.255.254, broadcast address 
a.b.255.255.   The usable range includes a.b.5.0 and a.b.100.0 for example, 
as well as a.b.5.255 and other things which might look at first glance like 
network or broadcast addresses, but aren't.

The only way to know whether an address is a network address or a broadcast 
address is to know the netmask, and that is inaccessible to all machines 
except the ones on the local destination subnet.

> Isn't this quite strange? A network address is not a computer so
> how to know where package is send to?

Once you start playing with firewalls you will see quite a lot of packets 
which can never get to a sensible destination - it's surprising what is out 
there on a network when you really start looking.

Therefore it's possible that the above address *is* a network address - but 
that doesn't stop somebody using it as the destination IP of a packet if they 
want to.

Hope this helps,

Regards,

Antony.

-- 
If at first you don't succeed, destroy all the evidence that you tried.

                                                     Please reply to the list;
                                                           please don't CC me.
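The point Antony makes about the netmask, worked through as an added example that is not part of the original thread: the same DST address 62.234.111.0 is a plain host address under one mask and a network address under another, and the /29 DSL block from the reply comes out with .24 as network and .31 as broadcast. The prefix lengths and the 10.0.0.x octets used are assumptions chosen for illustration; nobody outside the destination subnet knows the real mask.

```python
"""Classify an IPv4 address as network, broadcast or host for a given netmask.

Added example, not code from the thread. The prefix lengths (/16, /24, /29)
and the 10.0.0.x block are assumed for illustration only.
"""
import socket
import struct


def ip_to_int(addr: str) -> int:
    """Dotted-quad string -> 32-bit integer (network byte order)."""
    return struct.unpack("!I", socket.inet_aton(addr))[0]


def int_to_ip(value: int) -> str:
    """32-bit integer -> dotted-quad string."""
    return socket.inet_ntoa(struct.pack("!I", value & 0xFFFFFFFF))


def netmask(prefix_len: int) -> int:
    """Prefix length (0..32) -> 32-bit mask integer."""
    if not 0 <= prefix_len <= 32:
        raise ValueError("prefix length must be 0..32")
    return (0xFFFFFFFF << (32 - prefix_len)) & 0xFFFFFFFF


def block_bounds(addr: str, prefix_len: int) -> tuple[str, str]:
    """Network and broadcast address of the block containing addr."""
    mask = netmask(prefix_len)
    network = ip_to_int(addr) & mask
    return int_to_ip(network), int_to_ip(network | (~mask & 0xFFFFFFFF))


def classify(addr: str, prefix_len: int) -> str:
    """Return 'network', 'broadcast' or 'host' for addr inside its block.

    /31 and /32 blocks have no separate network/broadcast addresses
    (RFC 3021), so every address there is a host address.
    """
    if prefix_len >= 31:
        return "host"
    network, broadcast = block_bounds(addr, prefix_len)
    if addr == network:
        return "network"
    if addr == broadcast:
        return "broadcast"
    return "host"


if __name__ == "__main__":
    # The DST from the question: its role depends entirely on the unknown mask.
    for plen in (16, 24):
        print(f"62.234.111.0/{plen}: {classify('62.234.111.0', plen)}")
    # The 8-address DSL block from the reply (a.b.c.24 .. a.b.c.31 is a /29).
    print(block_bounds("10.0.0.27", 29))
```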
