I run two Xen/CentOS 6.5-based VMs, both hosted by the same company, but connected to different networks (basic /24s w/ a single gateway at .1) in different physical locations. I developed an iptables firewall on the first host, part of which logged and dropped traffic from the various reserved networks: 192.168.0.0/16, 127.0.0.0/8, etc. Included in this list is 224.0.0.0/4. On the first VM I rarely ever saw traffic to/from any of the reserved nets and could safely assume that it was forged and drop it without worry.
However, as soon as I installed the same set of iptables rules on the second VM, it started logging packets from 0.0.0.0 to 224.0.0.1 every couple of minutes.
Jan 6 21:44:43 server kernel: ipt (reserved): IN=eth0 OUT= MAC=01:00:5e:00:00:01:00:25:90:2f:69:a8:08:00 SRC=0.0.0.0 DST=224.0.0.1 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
tcpdump has clarified that the packets are in fact IGMPv2 multicast packets.
19:44:43.779680 IP (tos 0xc0, ttl 1, id 0, offset 0, flags [DF], proto IGMP (2), length 32, options (RA))
0.0.0.0 > all-systems.mcast.net: igmp query v2
The host's knowledge of IGMP appears to be:
    [root@server ~]# cat /proc/net/igmp
    Idx Device    : Count Querier    Group    Users Timer    Reporter
    1   lo        :     1      V3
                                    010000E0     1 0:00000000        0
    2   eth0      :     1      V3
                                    010000E0     1 0:00000000        0
BTW, the src/dst MAC addresses in the iptables log line are neither from the host's interface(s) nor the gateway's interface (at least according to arp), if that makes any difference.
Questions:
- Is this type of traffic of legitimate use to a basic server-type (non router) host?
- Should my host be seeing it on its side of the router?
- If yes, what am I missing by dropping it?
- Should I modify my rules to accept appropriate --pkt-type broadcast/multicast packets if they are otherwise well formed?
- If not, is there a way that I can notify the other end to cease delivery to my interface?
Thanks for your help.
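As an added example (not part of the original question or of the poster's rule set), here is a small Python script that parses the iptables LOG line quoted above and decides whether it carries the fingerprint of a link-local IGMPv2 general query (PROTO=2, DST=224.0.0.1, TTL=1, and a destination MAC that is the RFC 1112 multicast mapping of the group address) or whether it is the kind of reserved-source packet the "reserved" rule is meant to drop. The second log line, the reserved-network list, and the field names used in the classification are constructed for the example; the first log line is the one from the question.

```python
import ipaddress
import re
from typing import Dict, Tuple

# The kernel LOG line from the question, copied verbatim from the page.
QUESTION_LINE = (
    "Jan 6 21:44:43 server kernel: ipt (reserved): IN=eth0 OUT= "
    "MAC=01:00:5e:00:00:01:00:25:90:2f:69:a8:08:00 SRC=0.0.0.0 DST=224.0.0.1 "
    "LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2"
)

# A constructed line (not from the page): a TCP SYN with a private source
# address, the kind of packet the reserved-net rule exists to drop.
SPOOFED_LINE = (
    "Jan 6 21:50:01 server kernel: ipt (reserved): IN=eth0 OUT= "
    "MAC=00:16:3e:12:34:56:00:25:90:2f:69:a8:08:00 SRC=192.168.1.5 "
    "DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=12345 DF PROTO=6 "
    "SPT=4444 DPT=22 WINDOW=29200 SYN"
)

# Illustrative subset of the reserved/bogon networks such a rule set drops
# (assumed for the example; the question only names two of them explicitly).
RESERVED_NETS = [ipaddress.IPv4Network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "224.0.0.0/4",
)]

ALL_SYSTEMS = ipaddress.IPv4Address("224.0.0.1")
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_log_line(line: str) -> Dict[str, str]:
    """Extract KEY=VALUE fields from an iptables LOG line. Bare flags such
    as DF or SYN carry no '=' and are not captured."""
    return dict(FIELD_RE.findall(line))


def split_mac_field(mac: str) -> Tuple[str, str, str]:
    """The LOG target's MAC= field is the raw Ethernet header: destination
    MAC (6 bytes), source MAC (6 bytes), ethertype (2 bytes)."""
    octets = mac.split(":")
    if len(octets) != 14:
        raise ValueError("unexpected MAC= field: %r" % mac)
    return ":".join(octets[:6]), ":".join(octets[6:12]), "".join(octets[12:])


def multicast_mac(group: str) -> str:
    """RFC 1112 mapping of an IPv4 group to its Ethernet address:
    01:00:5e followed by the low 23 bits of the group address."""
    low23 = int(ipaddress.IPv4Address(group)) & 0x7FFFFF
    return "01:00:5e:%02x:%02x:%02x" % (
        low23 >> 16, (low23 >> 8) & 0xFF, low23 & 0xFF)


def classify(line: str) -> str:
    """Return 'igmp-general-query', 'reserved-source' or 'other'.

    The IGMP check runs before the reserved-source check on purpose: 0.0.0.0
    falls inside 0.0.0.0/8, so a rule set that tests the bogon list first
    will always drop these queries. iptables rule order works the same way."""
    f = parse_log_line(line)
    src = ipaddress.IPv4Address(f["SRC"])
    dst = ipaddress.IPv4Address(f["DST"])
    dst_mac, _src_mac, ethertype = split_mac_field(f["MAC"])
    if ethertype != "0800":          # not IPv4 at all
        return "other"
    if (
        f.get("PROTO") == "2"                    # IGMP
        and dst == ALL_SYSTEMS                   # general query target
        and f.get("TTL") == "1"                  # link-local, never forwarded
        and dst_mac == multicast_mac(str(dst))   # frame really is multicast
    ):
        return "igmp-general-query"
    if any(src in net for net in RESERVED_NETS):
        return "reserved-source"
    return "other"


if __name__ == "__main__":
    for line in (QUESTION_LINE, SPOOFED_LINE):
        fields = parse_log_line(line)
        print(fields["SRC"], "->", fields["DST"], classify(line))
```

Two things the script makes visible that the raw log line does not: the fourteen octets in MAC= are destination MAC, source MAC and ethertype, so 01:00:5e:00:00:01 is simply the multicast Ethernet address for 224.0.0.1 rather than any host's interface; and because 0.0.0.0 sits inside 0.0.0.0/8, a reserved-source DROP that precedes any multicast ACCEPT will always catch these queries. In iptables the equivalent of the classification order is an ACCEPT such as `iptables -A INPUT -i eth0 -p igmp -d 224.0.0.1 -m ttl --ttl-eq 1 -j ACCEPT` placed above the reserved-net rules (a hypothetical rule for illustration, not one from the question).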