关于linux日志中存在大量martian source 日志信息的原因分析与理解

在查看日常维护的一台Linux服务器的系统日志时，发现有大量的类似如下的信息：

 

Jan 17 00:33:34 test4 kernel: [ 2170.725322] martian source 192.168.10.255 from 192.168.10.10, on dev br1
Jan 17 00:33:34 test4 kernel: [ 2170.725328] ll header: ff:ff:ff:ff:ff:ff:00:0c:29:6f:cc:1f:08:00

在网上找到对于这类日志的英文解释

================================================================

A martian data packet is a network data packet that has an impossible source or destination IP, such as a packet that claims to have come from the broadcast address, 255.255.255.255. Another example of a martian packet would be if you received a packet from 192.168.0.1 through your networks external gateway.

IPs in the range of 192.168.* are not routable through gateways, so this situation should never happen. Usually martians are just the result of network misconfigurations or glitches of some sort, but they can be caused by deliberate mangling of the IP packet, such as when trying to hide the real origin of the packets during an attack against a server. If you see just a few martian packet messages then there probably isn't anything to worry about, but if you see lots of them then take a closer look.

Recent kernels print out the link level header of the packet along with the martian warning, and the header contains the destination and source MAC addresses. In the example below the destination MAC (for the server "aries") is 00:01:80:23:96:54, and the source MAC (the sender of the martian) is 00:e0:52:14:4d:9d. The "08:00″ at the end just indicates that this header is from an ipv4 over ethernet packet.

Apr 29 09:33:54 aries kernel: martian source 207.44.228.62 from 80.3.32.5, on dev eth0
Apr 29 09:33:42 aries kernel: ll header: 00:01:80:23:96:54:00:e0:52:14:4d:9d:08:00

If you do see lots of martians being logged, or have some other reason to suspect that the server is being attacked, a good place to look is in the Apache error log file. You may be able to find log entries for the martian IP addresses that record attack attempts.

For example, here is an error_log entry recording an attack attempt against the same server that logged the martian shown above.

[Mon Apr 28 20:26:18 2003] [error] [client 80.3.32.5] request failed: erroneouscharacters after protocol string: GET /images/Smilies%20gold%2018×18/shocked.gif(.x81cxf3×8axffxffxfdb4xd6a2×1171x94xd7xffxfbx92lxffx8dxe2×05x18Gvx8caP;"xxe1qx8cx1ax078Kx1cx0exb1×87

So don't worry too much about the martians, but be on guard lest they actually invade.

===============================================================

所谓martian source也就是impossible source，也就是linux根据路由表判断，认为不合理的，不应该出现的源地址。

常见的情况是源地址是诸如广播255.255.255.255或192.168.1.255之类的网络地址 或者不符合路由表规则的源地址（比如，我的机器配置两个网卡，eth0、eth1分别配置192.168.10.xxx和192.168.20.xxx 两个网段的IP，按理说，来自10网段的报文应该由eth0收到（因为eth0直连10网段），而来自20网段的报文则应由eth1收到（因为eth1直连20网段），而此时如果收到一个IP包，它的源地址是10网段的IP，但是却是从与20网段直连的eth1接收到的，那么linux就会认为这个包是个伪造包，也就是IP欺骗，从而产生martian source的日志信息）

我的情况就属于后者。

我的机器总共两张网卡，创建了两个网桥，两张网卡分别添加到这两个网桥，虚拟接口br0的 ip 为192.168.10.12，具体配置如下：

test4:~/Desktop # ifconfig
br0       Link encap:Ethernet  HWaddr 00:0C:29:83:22:AF 
          inet addr:192.168.10.12  Bcast:192.168.10.255  Mask:255.255.255.0
          inet6 addr: fe80::20c:29ff:fe83:22af/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:4696 errors:0 dropped:0 overruns:0 frame:0
          TX packets:53 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:562231 (549.0 Kb)  TX bytes:4850 (4.7 Kb)

br1       Link encap:Ethernet  HWaddr 00:0C:29:83:22:B9 
          inet6 addr: fe80::20c:29ff:fe83:22b9/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:4649 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:558320 (545.2 Kb)  TX bytes:468 (468.0 b)

eth0      Link encap:Ethernet  HWaddr 00:0C:29:83:22:AF 
          inet6 addr: fe80::20c:29ff:fe83:22af/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:4901 errors:0 dropped:0 overruns:0 frame:0
          TX packets:53 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:654229 (638.8 Kb)  TX bytes:4850 (4.7 Kb)

eth1      Link encap:Ethernet  HWaddr 00:0C:29:83:22:B9 
          inet6 addr: fe80::20c:29ff:fe83:22b9/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:4945 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:658360 (642.9 Kb)  TX bytes:468 (468.0 b)

 

 test4:~/Desktop # brctl show
bridge name bridge id  STP enabled interfaces
br0  8000.000c298322af no  eth0
br1  8000.000c298322b9 no  eth1

在没有配置网桥之前，我在10网段的另外一台机器ping整个10网段

ping -b 192.168.10.255

结果在我的机器（test4）上，/var/log/messages并未出现martian source的相关信息

然后分别创建br0、br1两个网桥，并分别添加eth0、eth1两个物理网卡，然后再去ping整个10网段，结果出现martian source日志信息

这说明与网桥配置有关

然后尝试shutdown 掉br1，martian source日志随之消失，说明与双网桥配置有关。

为什么双网桥会出现这个问题呢?

网桥其实就相当于一个虚拟的交换机，把物理网卡添加到网桥中相当于将其转换成为这个虚拟交换机的二层接口，这将使其失去三层的功能，也就是你不能再在它上面配IP了；但是可以给网桥创建虚拟的三层接口并配上IP，类似于交换机上vlan接口，上面的br0就是这样的虚拟的三层接口。

Linux 的网桥模型（根据自身理解画的）

 

如上所示，当我从外部网络的另一台10网段的主机（192.168.10.10）ping整个10网段时

ping -b 192.168.10.255

将发送源地址为192.168.10.10， 目标IP为192.168.10.255的icmp请求报文。

因为这是一个广播报文，其目标MAC地址为ff : ff : ff : ff : ff : ff

所以该报文将会在外部的物理交换机以及内部两个虚拟交换机br0、br1所有端口转发，

最终，两个虚拟接口br0、br1都会收的该报文。

正如上面讨论的一样，br0配的是10网段的IP，所以收到来自10网段的报文，系统是认为正常的

但br1配的是20网段的IP所以，所以收的源地址为10网段的IP，系统会认为是非法的（根据路由表确定来自10网段报文只应该在br0这个接口收到），从而产生martian source的日志报错信息。

 

解决办法：

1.shutdown 其中一个网桥接口

ifconfig br1 down

2.系统配置中取消源路由验证和防IP欺骗

在/etc/sysctl.conf文件中加入下面的配置：

#取消源路由验证#
 net.ipv4.conf.default.rp_filter = 0

# 关掉IP spoofing protection#

net.ipv4.conf.br0.arp_filter = 0

net.ipv4.conf.br1.arp_filter = 0

net.ipv4.conf.all.arp_filter = 0

#在接口上停止记录martian source日志#

net.ipv4.conf.default.log_martians=0

net.ipv4.conf.lo.log_martians=0

net.ipv4.conf.eth0.log_martians=0

net.ipv4.conf.eth1.log_martians=0

net.ipv4.conf.eth2.log_martians=0

net.ipv4.conf.eth3.log_martians=0

net.ipv4.conf.br0.log_martians=0

net.ipv4.conf.br1.log_martians=0

net.ipv4.conf.all.log_martians=0

然后使用sysctl -p 或 重启使设置生效

当然也可以直接修改当前的系统参数，使设置即刻生效

echo 0 >/proc/sys/net/ipv4/conf/eth0/log_martians
echo 0 >/proc/sys/net/ipv4/conf/br1/log_martians
echo 0 >/proc/sys/net/ipv4/conf/br2/log_martians
echo 0 >/proc/sys/net/ipv4/conf/br3/log_martians
echo 0 >/proc/sys/net/ipv4/conf/all/log_martians

这将停止martian日志写到/var/log/messages中