Synopsis
I can ping and see the http config page on my cable modem at its fixed address of 192.168.100.1
from computers on the local network behind my Linux internet gateway. That gateway is the default route for machines on the network. netstat
does not indicate any route to 192.168.*
, but the gateway must be routing packets to 192.168.100.1
because I can reach the modem at that address from machines behind the gateway and from the gateway itself.
How does the gateway know to send those packets to the internet interface instead of saying that the network is unreachable? Is there some way to monitor/view/control other routes set up like this?
I'm using Shorewall to configure firewall rules by interface. Could hosts on the internet segment spoof other private addresses and cause internal packets to be routed outside? I'm thinking no since the rules are specified by interface, but I don't understand the mechanism here.
Details
ISP<=>Modem<=>Gateway<=>Lan switch
- ISP is Comcast
- Modem is a Motorola SB6121
- Gatway is a Ubuntu 12.04.1 (precise) with stock kernel 3.2.0-29-generic #46-Ubuntu SMP x86_64
- Gateway provides firewall, NAT and VPN services
traceroute
does not indicate any hops between the gateway and the modem at192.168.100.1
.- The gateway does not have an address on
192.168.*
ip neighbor show
also does not indiciate a route to any192.168.*
netstat -rn
output:
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 71.205.176.1 0.0.0.0 UG 0 0 0 eth1
10.88.8.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
10.88.9.0 0.0.0.0 255.255.255.0 U 0 0 0 eth3
10.88.10.0 10.88.10.2 255.255.255.128 UG 0 0 0 tun0
10.88.10.2 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
10.88.10.128 10.88.10.130 255.255.255.128 UG 0 0 0 tun1
10.88.10.130 0.0.0.0 255.255.255.255 UH 0 0 0 tun1
71.205.176.0 0.0.0.0 255.255.252.0 U 0 0 0 eth1
- The default gateway is provided by the ISP.
eth1
is connected to the modem's ethernet jack.eth0 10.88.8.0/24
is the wired network.eth1 10.88.9.0/24
is the wireless network.tun0,tun1 10.88.10.0/24
covers the OpenVPN TUN clients. It looks odd, but that setup is required to support Windows TUN clients. I have two to support both UDP and TCP.
You have a default route, so anything not specified in the routing table goes to the default route.
To follow up on Michael's answer:
There are also hosts out there on the internet that appear to be answering pings for RFC1918 addresses. This isn't really supposed to be happening.
I briefly had one of my VPN routers (inadvertently) not set to blackhole the 192.168/16 networks that we weren't using. The traceroutes that were coming back from those hosts were somewhere in the US Midwest and were successfully routing ICMP Ping responses back to my network.