What is a martian source log entry

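Some time ago I wanted to put a small host behind a router to serve as the host for this blog, but no matter how I configured things I could not make the host reachable from the outside network. I pointed the domain name at the router and mapped the router's port 80 to the small host's IP. I changed the firewall settings many times and followed material found online to make SELinux allow the HTTP service. Over two days of spare time I made many attempts, and all of them ended in failure. I could not understand why the same settings worked in a virtual machine but not on a physical host. Finally, by watching the system log, I found a "martian source" record that contained an external IP and the local machine's IP. My later testing showed that every time I accessed my blog from the outside network, the host logged several of these records. So I looked it up and found snowjay's explanation on this web page. The explanation is as follows: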

A martian source is basically an invalid, non-routable IP. 192.168.1.255 cannot be someone's IP address; it's a broadcast address.

From the RFC:

5.3.7 Martian Address Filtering

An IP source address is invalid if it is a special IP address, as
defined in 4.2.2.11 or 5.3.7, or is not a unicast address.

An IP destination address is invalid if it is among those defined as
illegal destinations in 4.2.3.1, or is a Class E address (except
255.255.255.255).

A router SHOULD NOT forward any packet that has an invalid IP source
address or a source address on network 0. A router SHOULD NOT
forward, except over a loopback interface, any packet that has a
source address on network 127. A router MAY have a switch that
allows the network manager to disable these checks. If such a switch
is provided, it MUST default to performing the checks.

A router SHOULD NOT forward any packet that has an invalid IP
destination address or a destination address on network 0. A router
SHOULD NOT forward, except over a loopback interface, any packet that
has a destination address on network 127. A router MAY have a switch
that allows the network manager to disable these checks. If such a
switch is provided, it MUST default to performing the checks.

If a router discards a packet because of these rules, it SHOULD log
at least the IP source address, the IP destination address, and, if
the problem was with the source address, the physical interface on
which the packet was received and the Link Layer address of the host
or router from which the packet was received.

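Put simply, this kind of problem is mostly caused by an IP address involved in delivering the packet being unroutable; in other words, there is some IP address that cannot be reached.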

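In my own case, I found that the only IP my host might not be able to reach was that external IP. Then it occurred to me that the router was filtering the small host's MAC address. After I lifted the MAC filter for the host, everything worked normally.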

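I suppose "martian source" in the Linux log probably just means "unknown source" (it surely can't mean a source on Mars). Anyone who runs into a similar problem can refer to the English explanation above.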
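To triage the records described above, the following added example (not code from the original post or from snowjay) parses martian source log lines and applies the source-address rules from the quoted RFC text. The log line shape is assumed to be the common Linux kernel form, with the destination first and the source after "from"; the sample lines and function names are constructed for illustration.

```python
import ipaddress
import re

# Assumed line shape: "martian source <dst> from <src>, on dev <iface>".
MARTIAN_RE = re.compile(r"martian source (?P<dst>[\d.]+) from (?P<src>[\d.]+), on dev (?P<dev>\S+)")

# Constructed sample log lines (private and documentation address ranges).
SAMPLE_LOG = """\
Jan  1 10:00:01 host kernel: IPv4: martian source 192.168.1.10 from 203.0.113.7, on dev eth0
Jan  1 10:00:02 host kernel: IPv4: martian source 192.168.1.10 from 127.0.0.1, on dev eth0
Jan  1 10:00:03 host kernel: IPv4: martian source 192.168.1.10 from 0.0.0.5, on dev eth0
Jan  1 10:00:04 host kernel: IPv4: martian source 192.168.1.10 from 224.0.0.1, on dev eth0
Jan  1 10:00:05 host kernel: IPv4: martian source 192.168.1.10 from 192.168.1.255, on dev eth0
Jan  1 10:00:06 host kernel: unrelated message
"""

def classify_source(src, local_net=None):
    """Say why a source address is invalid per the quoted rules, or 'unicast'."""
    addr = ipaddress.IPv4Address(src)
    if addr in ipaddress.IPv4Network("0.0.0.0/8"):
        return "network 0"
    if addr.is_loopback:
        return "network 127"
    if addr.is_multicast:
        return "not unicast (multicast)"
    if addr in ipaddress.IPv4Network("240.0.0.0/4"):
        return "not unicast (Class E or limited broadcast)"
    if local_net and addr == ipaddress.IPv4Network(local_net).broadcast_address:
        return "broadcast address of " + local_net
    # The address itself is a valid unicast source, so the record points at
    # routing: check whether the host can reach this address on this interface.
    return "unicast"

def parse_martians(log_text, local_net=None):
    """Extract every martian source record and attach the classification."""
    records = []
    for line in log_text.splitlines():
        m = MARTIAN_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["reason"] = classify_source(rec["src"], local_net)
            records.append(rec)
    return records

if __name__ == "__main__":
    for rec in parse_martians(SAMPLE_LOG, local_net="192.168.1.0/24"):
        print(rec["dev"], rec["src"], "->", rec["dst"], ":", rec["reason"])
```

A record classified as "unicast" matches the situation in the post: the logged external address is not special in itself, so the thing to examine is reachability between the host and that address.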
