Linux internet gateway able to route to address with no route set up

Chris Smith asked:

Synopsis

I can ping and see the http config page on my cable modem at its fixed address of 192.168.100.1 from computers on the local network behind my Linux internet gateway. That gateway is the default route for machines on the network. netstat does not indicate any route to 192.168.*, but the gateway must be routing packets to 192.168.100.1 because I can reach the modem at that address from machines behind the gateway and from the gateway itself.

How does the gateway know to send those packets to the internet interface instead of saying that the network is unreachable? Is there some way to monitor/view/control other routes set up like this?

I’m using Shorewall to configure firewall rules by interface. Could hosts on the internet segment spoof other private addresses and cause internal packets to be routed outside? I’m thinking no since the rules are specified by interface, but I don’t understand the mechanism here.

Details

  • ISP<=>Modem<=>Gateway<=>Lan switch
  • ISP is Comcast
  • Modem is a Motorola SB6121
  • Gatway is a Ubuntu 12.04.1 (precise) with stock kernel 3.2.0-29-generic #46-Ubuntu SMP x86_64
  • Gateway provides firewall, NAT and VPN services
  • traceroute does not indicate any hops between the gateway and the modem at 192.168.100.1.
  • The gateway does not have an address on 192.168.*
  • ip neighbor show also does not indiciate a route to any 192.168.*

netstat -rn output:

Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         71.205.176.1    0.0.0.0         UG        0 0          0 eth1
10.88.8.0       0.0.0.0         255.255.255.0   U         0 0          0 eth0
10.88.9.0       0.0.0.0         255.255.255.0   U         0 0          0 eth3
10.88.10.0      10.88.10.2      255.255.255.128 UG        0 0          0 tun0
10.88.10.2      0.0.0.0         255.255.255.255 UH        0 0          0 tun0
10.88.10.128    10.88.10.130    255.255.255.128 UG        0 0          0 tun1
10.88.10.130    0.0.0.0         255.255.255.255 UH        0 0          0 tun1
71.205.176.0    0.0.0.0         255.255.252.0   U         0 0          0 eth1
  • The default gateway is provided by the ISP.
  • eth1 is connected to the modem’s ethernet jack.
  • eth0 10.88.8.0/24 is the wired network.
  • eth1 10.88.9.0/24 is the wireless network.
  • tun0,tun1 10.88.10.0/24 covers the OpenVPN TUN clients. It looks odd, but that setup is required to support Windows TUN clients. I have two to support both UDP and TCP.

My answer:


You have a default route, so anything not specified in the routing table goes to the default route.


View the full question and answer on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.