I just don't understand where these packets (going out of your server) are coming from.
Okay. I will try to explain.
A switch works under a couple of main rules:
- Whenever a packet comes in:
  - Rule1: Record the source MAC and the interface it came from in a table
  - Rule2: Look up the destination MAC in the table created in Rule1:
    - Rule2A: If the destination MAC is found in the table, send the packet out that interface
    - Rule2B: If the destination MAC is NOT found in the table, flood the packet to all interfaces but the interface the packet came from
What I am seeing on my server is that I get A LOT of packets not destined for me, like:
No. Time Source Destination Protocol Length Info
1 0.000000 162.62.9.237 78.47.101.73 TCP 60 47741 → 43 [SYN] Seq=0 Win=65535 Len=0
Frame 1: 60 bytes on wire (480 bits), 60 bytes captured (480 bits)
Ethernet II, Src: JuniperN_47:b9:cb (f4:cc:55:47:b9:cb), Dst: IntelCor_0c:5f:c3 (00:1b:21:0c:5f:c3)
Internet Protocol Version 4, Src: 162.62.9.237, Dst: 78.47.101.73
Transmission Control Protocol, Src Port: 47741, Dst Port: 43, Seq: 0, Len: 0
This packet is from 162.62.9.237 (not me) to 78.47.101.73 (not me either). As I don't have access to the switch I'm connected to, I can only assume why I'm getting this packet, which is Rule2B: flood the packet. 78.47.101.73 has probably been silent for a while (or not online), meaning the switch doesn't know out of which interface its MAC address is located.
In a normal server setup this packet would have been dropped coming into my server's network card, as it is neither my MAC address (as destination) nor multicast/broadcast.
The problem here is that my server is also a switch (Linux bridge), which means I will allow all packets coming in and filter them through my firewalls (ebtables/iptables). In iptables I have a clear Proxmox rule saying: if the packet destination port is TCP/43 (WHOIS), then reject it.
REJECT is an active reply (contrary to DROP), meaning I would send the following packet:
No. Time Source Destination Protocol Length Info
2 0.000039 78.47.101.73 162.62.9.237 TCP 54 43 → 47741 [RST, ACK] Seq=1 Ack=1 Win=0 Len=0
Frame 2: 54 bytes on wire (432 bits), 54 bytes captured (432 bits)
Ethernet II, Src: IntelCor_0c:5f:c3 (00:1b:21:0c:5f:c3), Dst: JuniperN_47:b9:cb (f4:cc:55:47:b9:cb)
Internet Protocol Version 4, Src: 78.47.101.73, Dst: 162.62.9.237
Transmission Control Protocol, Src Port: 43, Dst Port: 47741, Seq: 1, Ack: 1, Len: 0
This is where it all breaks. I'm now sending out a packet that I didn't "own". This conflicts with Hetzner because of switch Rule1. Their switch will now store that the source MAC (IntelCor_0c:5f:c3 (00:1b:21:0c:5f:c3)) that I sent out is now located down the interface towards my server, thereby blackholing traffic to the "real" server connected somewhere else.
So, there are ways to combat this; I chose to drop outbound packets not from me. You could possibly also locate all rules in iptables and make sure they either a) drop silently (not sending an active reply) and/or b) only react if the packet includes your server's IP addresses inbound.
Hope this makes sense.
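To make the switch-rule explanation above concrete, here is an added example (not code from the original post) that models the three learning rules, replays the flooded SYN and the bridge's REJECT reply, and compares the resulting MAC table under REJECT, REJECT with an egress source-MAC filter, and DROP. The MACs mirror the capture in the post; the port names and the bridge's own MAC are constructed placeholders.

```python
# Added example, not code from the original post: a toy model of the switch
# learning rules described in the answer, showing how a REJECT sent from a
# Linux bridge for a flooded frame poisons the upstream MAC table, and how an
# egress filter on the bridge prevents it. Port names and BRIDGE_MAC are made up.

SERVER_MAC = "00:1b:21:0c:5f:c3"   # real owner of 78.47.101.73 (from capture)
ROUTER_MAC = "f4:cc:55:47:b9:cb"   # upstream Juniper (from capture)
BRIDGE_MAC = "02:00:00:00:00:01"   # our own NIC (constructed placeholder)

class Switch:
    """Rule1: learn src MAC per ingress port. Rule2A/2B: forward or flood."""

    def __init__(self, ports):
        self.ports = ports
        self.table = {}                                  # mac -> port

    def receive(self, ingress, src, dst):
        self.table[src] = ingress                        # Rule1
        if dst in self.table:                            # Rule2A
            return [self.table[dst]]
        return [p for p in self.ports if p != ingress]   # Rule2B: flood

def bridge_reply(frame_dst, policy, egress_filter):
    """Source MAC of what our bridge emits for a flooded frame it does not own.
    REJECT answers with a RST whose src MAC is the frame's dst MAC (as in the
    capture); DROP sends nothing; egress_filter drops non-owned src MACs."""
    if policy == "DROP":
        return None
    if egress_filter and frame_dst != BRIDGE_MAC:
        return None                                      # ebtables-style drop
    return frame_dst

def simulate(policy, egress_filter=False):
    """Return the port the switch ends up associating with SERVER_MAC."""
    sw = Switch(["uplink", "server_port", "bridge_port"])
    # SERVER_MAC has aged out of the table, so the SYN gets flooded to us too
    out_ports = sw.receive("uplink", ROUTER_MAC, SERVER_MAC)
    assert "bridge_port" in out_ports
    reply_src = bridge_reply(SERVER_MAC, policy, egress_filter)
    if reply_src is not None:
        sw.receive("bridge_port", reply_src, ROUTER_MAC)  # our RST is learned
    return sw.table.get(SERVER_MAC)

if __name__ == "__main__":
    print("REJECT, no filter:", simulate("REJECT"))        # bridge_port
    print("REJECT + filter  :", simulate("REJECT", True))  # None
    print("DROP             :", simulate("DROP"))          # None
```

Only the unfiltered REJECT case leaves the victim's MAC pointing at the bridge's port, which is exactly the blackholing the post describes.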