Private IP getting routed over Internet

Solution 1:

What would let a private IP address get routed across servers?

If the routers between you and the destination do not have ingress/egress filters that block the private address space, then it would probably get routed following the default routes. You should strongly consider setting up rules on your external router that prohibit anything destined for a private address from leaving your network.

Lots of routers just forward all traffic, and don't do any kind of filtering at all. A private address looks just like any other address. If the router doesn't have an explicitly defined route, it sends it to its default gateway.

You have apparently managed to reach someone else with a poorly configured router.

There are also cases where a private IP can leak, and still not have those private IPs be publicly accessible. Let's say you had a simple network like this:

  • client 1 connected to router 1
  • router 1 connected to router 2
  • router 2 connected to router 3
  • router 3 connected to client 2

Let's also assume the IP addresses are all publicly routable except for the subnet between router 2 and router 3. When you run a traceroute from client 1 to client 2, you may or may not see a response from router 3. If you have good filters in place you will not see a reply; if you don't, and no other system has filters, you would see a reply. The packet returned from a traceroute will usually include the IP of the interface the trace was received on, but it will be destined for the IP of the machine that is running the traceroute. Since the destination address is valid, the packet will be delivered, even though it has a private IP as a source address.

In many ways this comes back to the points in this question about IP forgery. When there are no filters in place, and you don't care about the replies, the source address can be anything you want. Because traceroute implementations use ICMP, and ICMP is stateless, you may see IP addresses that you cannot directly reach, or may possibly even be invalid.

Solution 2:

It looks like your originating network is 192.168.28.0. Does your machine or your router know about the 172.30.138.x network? If not, it will just send it out its default route like any other network it doesn't know.

You'll either need to add an interface in the 172.30.138.x network on your originating machine or add an interface in that network on your router so that it can properly direct the traffic.
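The following is an added example that is not part of either answer above; it models the behaviour both answers describe so the three cases can be checked side by side: a packet for 172.30.138.x with no matching route falls through to the default route and leaves via the WAN (Solution 1's "poorly configured router"), an egress filter on the external interface stops it, and adding a route for 172.30.138.0/24 (Solution 2) sends it to the right interface instead. It also models Solution 1's traceroute case, where a packet with a private source address but a valid destination is delivered unless an ingress filter drops it. The routing table, the interface names lan0/wan0/dmz0 and the gateway 203.0.113.1 are all hypothetical.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# RFC 1918 space, which is what the "block anything destined for a private
# address" rule keys on. Built by hand rather than using IPv4Address.is_private,
# which also covers loopback, link-local and other ranges not meant here.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    interface: str
    gateway: Optional[str] = None  # None means directly connected


# Hypothetical table for the asker's router: the 192.168.28.0 LAN plus a default
# route out the WAN interface. Addresses and interface names are made up.
BASE_ROUTES: List[Route] = [
    Route(ipaddress.ip_network("192.168.28.0/24"), "lan0"),
    Route(ipaddress.ip_network("0.0.0.0/0"), "wan0", gateway="203.0.113.1"),
]


def with_dmz_route() -> List[Route]:
    """Solution 2: tell the router where 172.30.138.x lives (hypothetical dmz0 interface)."""
    return BASE_ROUTES + [Route(ipaddress.ip_network("172.30.138.0/24"), "dmz0")]


def is_private(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


def lookup(dst: str, routes: List[Route]) -> Optional[Route]:
    """Longest-prefix match. 0.0.0.0/0 matches everything, so it only wins when
    nothing more specific does, which is exactly why an unknown private
    destination ends up on the default route."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in routes if addr in r.prefix]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r.prefix.prefixlen)


def forward(src: str, dst: str, in_iface: str, routes: Optional[List[Route]] = None,
            egress_filter: bool = False, ingress_filter: bool = False) -> str:
    """Return what the router does with a packet: 'drop:<reason>' or 'forward via <iface> ...'."""
    routes = BASE_ROUTES if routes is None else routes
    # Ingress filter: a packet arriving from the Internet with a private source
    # address is bogus (or a leaked traceroute reply) and is not accepted.
    if ingress_filter and in_iface == "wan0" and is_private(src):
        return "drop:private-source-from-internet"
    route = lookup(dst, routes)
    if route is None:
        return "drop:no-route"
    # Egress filter: nothing destined for RFC 1918 space may leave via the WAN.
    if egress_filter and route.interface == "wan0" and is_private(dst):
        return "drop:private-destination-to-internet"
    if route.gateway:
        return f"forward via {route.interface} to {route.gateway}"
    return f"forward via {route.interface} (connected)"


if __name__ == "__main__":
    # The asker's situation: no route for 172.30.138.x, so the default route carries it out.
    print(forward("192.168.28.10", "172.30.138.5", "lan0"))
    print(forward("192.168.28.10", "172.30.138.5", "lan0", egress_filter=True))
    print(forward("192.168.28.10", "172.30.138.5", "lan0", routes=with_dmz_route(), egress_filter=True))
    # Traceroute reply from a router whose interface has a private address:
    # private source, but a valid destination, so it is delivered without filters.
    print(forward("10.0.0.1", "192.168.28.10", "wan0"))
    print(forward("10.0.0.1", "192.168.28.10", "wan0", ingress_filter=True))
```

On a real Linux router the egress rule in the model corresponds to something like `iptables -A FORWARD -o wan0 -d 10.0.0.0/8 -j DROP` (repeated for 172.16.0.0/12 and 192.168.0.0/16), and the ingress rule to the same with `-i wan0 -s <range>`; the interface name is again hypothetical. The model deliberately applies the egress check only when the chosen route leaves via wan0, so that once the 172.30.138.0/24 route exists the filter no longer interferes with legitimate internal traffic.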