iptables overflow

lijinshi112 · 发表于 2003-9-18 10:48:19

我单位有近100个终端，通过redhat linux 8 iptables+squid上网,最近经常出现以下消息:
NET:1XXX suppressed.
Neighbour table overflow.

请教各位究竟是什么问题？QQQ!!!

lijinshi112 · 发表于 2003-9-18 11:11:17

[root@proxy0 root]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 172.16.0.0/16 anywhere
ACCEPT all -- 172.17.0.0/16 anywhere
ACCEPT all -- 172.18.0.0/16 anywhere
ACCEPT all -- 172.19.0.0/16 anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

[root@proxy0 root]# ifconfig -a
eth0 Link encap:Ethernet HWaddr 00:E0:18:BE:0B:84
      inet addr:10.10.40.6 Bcast:10.10.40.7 Mask:255.255.255.252
      UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
      RX packets:980287 errors:0 dropped:0 overruns:0 frame:0
      TX packets:2095936 errors:0 dropped:0 overruns:0 carrier:0
      collisions:0 txqueuelen:100
      RX bytes:431959448 (411.9 Mb) TX bytes:490654896 (467.9 Mb)
      Interrupt:9 Base address:0xb000

eth1 Link encap:Ethernet HWaddr 00:50:FC:3C:9A:96
      inet addr:172.19.255.254 Bcast:172.19.255.255 Mask:255.255.0.0
      UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
      RX packets:747530 errors:0 dropped:0 overruns:0 frame:0
      TX packets:98659 errors:0 dropped:0 overruns:0 carrier:0
      collisions:0 txqueuelen:100
      RX bytes:73436660 (70.0 Mb) TX bytes:21136482 (20.1 Mb)
      Interrupt:9 Base address:0xe000

eth1:0 Link encap:Ethernet HWaddr 00:50:FC:3C:9A:96
      inet addr:172.18.255.254 Bcast:172.18.255.255 Mask:255.255.0.0
      UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
      Interrupt:9 Base address:0xe000

eth2 Link encap:Ethernet HWaddr 00:00:E8:4D:25:91
      inet addr:172.16.255.254 Bcast:172.16.255.255 Mask:255.255.0.0
      UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
      RX packets:2346301 errors:0 dropped:0 overruns:0 frame:0
      TX packets:724719 errors:6 dropped:0 overruns:0 carrier:4
      collisions:0 txqueuelen:100
      RX bytes:498869731 (475.7 Mb) TX bytes:397131865 (378.7 Mb)
      Interrupt:9 Base address:0xc000

eth2:0 Link encap:Ethernet HWaddr 00:00:E8:4D:25:91
      inet addr:172.17.255.254 Bcast:172.17.255.255 Mask:255.255.0.0
      UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
      Interrupt:9 Base address:0xc000

lo Link encap

ocal Loopback
      inet addr:127.0.0.1 Mask:255.0.0.0
      UP LOOPBACK RUNNING MTU:16436 Metric:1
      RX packets:22112 errors:0 dropped:0 overruns:0 frame:0
      TX packets:22112 errors:0 dropped:0 overruns:0 carrier:0
      collisions:0 txqueuelen:0
      RX bytes:1774090 (1.6 Mb) TX bytes:1774090 (1.6 Mb)

[root@proxy0 sysconfig]# cat iptables
# Generated by iptables-save v1.2.6a on Thu Jul 10 10:53:02 2003
*nat

REROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]

OSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 172.16.0.0/255.255.0.0 -o eth0 -j SNAT --to-source 10.10.40.6
-A POSTROUTING -s 172.17.0.0/255.255.0.0 -o eth0 -j SNAT --to-source 10.10.40.6
-A POSTROUTING -s 172.18.0.0/255.255.0.0 -o eth0 -j SNAT --to-source 10.10.40.6
-A POSTROUTING -s 172.19.0.0/255.255.0.0 -o eth0 -j SNAT --to-source 10.10.40.6
COMMIT
# Completed on Thu Jul 10 10:53:02 2003
# Generated by iptables-save v1.2.6a on Thu Jul 10 10:53:02 2003
*mangle

REROUTING ACCEPT [1143:105011]
:INPUT ACCEPT [1143:105011]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1161:106319]

OSTROUTING ACCEPT [1161:106319]
COMMIT
# Completed on Thu Jul 10 10:53:02 2003
# Generated by iptables-save v1.2.6a on Thu Jul 10 10:53:02 2003
*filter
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -s 172.16.0.0/255.255.0.0 -j ACCEPT
-A FORWARD -s 172.17.0.0/255.255.0.0 -j ACCEPT
-A FORWARD -s 172.18.0.0/255.255.0.0 -j ACCEPT
-A FORWARD -s 172.19.0.0/255.255.0.0 -j ACCEPT
COMMIT
# Completed on Thu Jul 10 10:53:02 2003

dragondk · 发表于 2003-9-18 15:50:41

你的netmask太大了，你只有100台机器，用24位的netmask就可以的，否则不正常的arp会造成overflow的。我在www.linuxaid.com.cn有具体的回答，解决的方法就是使用ip/24，重新设置你的网络。

lijinshi112 · 发表于 2003-9-18 20:12:06

QQQ!!!

cx6445 · 发表于 2003-9-19 16:31:54

怎么会和netmask有关系，我更大的netmask用着还没事呢

dragondk · 发表于 2003-9-19 20:18:45

Neighbour table overflow 在正常情况下是指arp buffer overflow.arp buffer中只会缓存与接口在同一网络的mac地址, 当你的netmask不适当时,由于错误的软件或攻击会造成arp buffer中有很多未能正确解悉的地址,造成overflow.比如在双网卡的网关上,一个ip 10.0.0.1/16 一个 192.168.0.1/24.当192.168.0.x要求访问10.0.0.2-10.0.254.254的机器时,你应该可以想像有多少mac地址要缓存.如果一个攻击足够快的话,它肯定会使arp buffer overflow.你说呢.

另外不是每种linux的表现都一样,我在debian上用script实现了overflow,在我的LFS上是另一种表现.同时好象与内核中的arpd开关也有互动,有时间我会再测试一下的

cx6445 · 发表于 2003-9-20 10:42:57

那得看楼主的服务器除了这一提示有无其它不正常的表现，我不认为楼主的服务器受到攻击，否则楼主的标题就不是这个了。如果没有受到攻击，那netmask无论怎么设也不可能arp buffer overflow，况且楼主的机器的提示也没指明是arp。
　　希望dragondk兄能测试一下，把结果贴出来，谢了。

emylekao · 发表于 2003-9-20 12:15:07

改了以后楼主的问题是不是解决了呢？
希望楼主回个帖。

dragondk · 发表于 2003-9-21 18:18:42

我想攻击或是软件配置错误都是可能的,希望大家能得出一个结果来.
另:如果你的系统上有nmap程序的话,用命令 nmap -PB 172.16.0.1/16也可以看到相同的结果

dragondk · 发表于 2003-9-21 19:58:59

为什么说Neighbour table overflow与arp有关呢？我查了下kernel source，在net/ipv4/route.c ＋669L 处有这段显示Neighbour table overflow的代码。你可以看看，我认为完全可以说是由于某种原因造成的arp 表的overflow才产生了这个错误。不知你的看法？

		自动登录	找回密码
密码			注册

iptables overflow

and my eth0 &amp; iptables.conf

QQQ

and my eth0 & iptables.conf