Linux – Is IGMP multicast traffic to a Xen VM host legitimate

Tags: firewall, igmp, iptables, linux, multicast

I run two Xen/CentOS 6.5 based VMs, both hosted by the same company, but connected to different networks (basic /24s w/ a single gateway at .1) in different physical locations. I developed an iptables firewall on the first host, part of which logged and dropped traffic from the various reserved networks: 192.168.0.0/16, 127.0.0.0/8, etc. Included in this list is 224.0.0.0/4. On the first vm I rarely ever saw traffic to/from any of the reserved nets and could safely assume that it was forged and drop it without worry.

However, as soon as I installed the same set of iptables rules on the second vm, it started logging packets from 0.0.0.0 to 224.0.0.1 every couple of minutes.

Jan  6 21:44:43 server kernel: ipt (reserved): IN=eth0 OUT= MAC=01:00:5e:00:00:01:00:25:90:2f:69:a8:08:00 SRC=0.0.0.0 DST=224.0.0.1 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2

tcpdump has clarified that the packets are in fact IGMPv2 multicast packets.

19:44:43.779680 IP (tos 0xc0, ttl 1, id 0, offset 0, flags [DF], proto IGMP (2), length 32, options (RA))
0.0.0.0 > all-systems.mcast.net: igmp query v2

The host's knowledge of IGMP appears to be:

[root@server ~]# cat /proc/net/igmp
Idx Device    : Count Querier   Group    Users Timer    Reporter
1   lo        :     1      V3
            010000E0     1 0:00000000       0
2   eth0      :     1      V3
            010000E0     1 0:00000000       0

BTW, the src/dst MAC addresses in the iptables log line are neither from the host's interface(s) nor the gateway's interface (at least according to arp), if that makes any difference.

Questions:

  1. Is this type of traffic of legitimate use to a basic server-type (non-router) host?
  2. Should my host be seeing it on its side of the router?
  3. If yes, what am I missing by dropping it?
    • Should I modify my rules to accept appropriate --pkt-type broadcast/multicast packets if they are otherwise well formed?
  4. If not, is there a way that I can notify the other end to cease delivery to my interface?

Thanks for your help.
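As an added example (not part of the question or the answer), a small Python checker that parses an iptables LOG line of the shape shown above and decides whether it looks like an ordinary IGMPv2 general query: destination inside 224.0.0.0/4, protocol 2, TTL 1, and a link-layer destination equal to the multicast MAC derived from the group address (01:00:5e plus the low 23 bits of the group, which is why the MAC in the log belongs to neither the host nor the gateway). The sample log line is constructed to match the one in the question.

```python
import ipaddress
import re

# Constructed sample, same shape as the iptables LOG entry in the question.
SAMPLE_LOG = ("Jan  6 21:44:43 server kernel: ipt (reserved): IN=eth0 OUT= "
              "MAC=01:00:5e:00:00:01:00:25:90:2f:69:a8:08:00 SRC=0.0.0.0 "
              "DST=224.0.0.1 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2")

MULTICAST_NET = ipaddress.ip_network("224.0.0.0/4")
ALL_SYSTEMS = ipaddress.ip_address("224.0.0.1")   # all-systems.mcast.net
IGMP_PROTO = "2"


def parse_log(line):
    """Turn the KEY=VALUE fields of an iptables LOG line into a dict."""
    return dict(re.findall(r"(\w+)=(\S*)", line))


def multicast_mac(group):
    """IPv4 multicast MAC: 01:00:5e followed by the low 23 bits of the group."""
    b = ipaddress.IPv4Address(group).packed
    return "01:00:5e:%02x:%02x:%02x" % (b[1] & 0x7F, b[2], b[3])


def classify(line):
    """Return a short verdict for one LOG line (strings are this example's own)."""
    f = parse_log(line)
    dst = ipaddress.ip_address(f["DST"])
    # MAC= holds dst MAC (6 bytes), src MAC (6 bytes), then the EtherType.
    dst_mac = f["MAC"][:17]
    if dst not in MULTICAST_NET:
        return "not multicast"
    if dst_mac != multicast_mac(dst):
        # Multicast IP but the frame was not addressed to the group MAC:
        # worth a closer look rather than a silent accept.
        return "multicast IP with mismatched link-layer destination"
    if f.get("PROTO") == IGMP_PROTO and f.get("TTL") == "1" and dst == ALL_SYSTEMS:
        # Link-local (TTL 1) IGMP to the all-systems group: a general query.
        # A 0.0.0.0 source is normal for a querier that has no IP address,
        # e.g. an IGMP-snooping switch.
        return "igmp general query to all-systems group"
    return "other multicast"


if __name__ == "__main__":
    print(classify(SAMPLE_LOG))
```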

Best Answer

Info about address 224.0.0.1:

    The All Hosts multicast group addresses all hosts on the same network segment.

I think it is a default multicast address; you can drop traffic from this address. For more information about default multicast addresses, see http://en.wikipedia.org/wiki/Multicast_address