I recently had a report from a self-described “major Israeli ISP” who said their customers were unable to access my blog. After initially checking for any ‘on server’ IP-based blocks (iptables) or any blocks being carried out by my ISP and coming up empty, I was somewhat out of ideas. I did however set up a tcpdump capture for their IP range and asked them to try accessing it again.
nohup tcpdump -n -w tcpdump_isp.bin net xx.xx.0.0/16 &
(tcpdump options go before the filter expression; "net" matches both source and destination so separate src/dst clauses are unnecessary, -n avoids reverse DNS lookups, and -A only affects printed output so it does nothing when writing a capture file with -w.)
Checking the capture in Wireshark after they tried again, I noticed something confusing. Their packets were reaching my server, but immediately afterwards my server was sending out an ARP request (who-has) for their address, i.e. it was treating them as machines on the local network, to which packets can be delivered directly, rather than sending the replies via the default gateway. That was obviously incorrect given that they were in Israel, and since nothing on the local segment answered the ARP, the replies never left the box.
This caused me to check the settings for a secondary IP address allocated to the server (/etc/sysconfig/network-scripts/ifcfg-eth0:0), where I discovered that I had failed to specify the “NETMASK=” line when setting it up. Without it the ifup scripts fall back to the classful default netmask for the address (255.0.0.0 for a class A address), which caused every x.*.*.* address to be treated as directly reachable on the local link: the kernel ARPed for those addresses instead of routing them to the gateway, effectively black-holing all outbound traffic to that range. Setting the netmask to “255.255.255.255”, so that the secondary address is a single host rather than a subnet, corrected the issue.
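As an added example that is not part of the original post, the following POSIX shell script reproduces the misconfiguration and checks it offline. It assumes the RHEL/CentOS ifup behaviour described above (no NETMASK line means the classful mask, as returned by ipcalc --netmask, is used) and uses constructed 10.0.0.0/8 addresses in place of the post's redacted ones; the ifcfg files it reads are generated by the script itself, not taken from a real host.

```shell
#!/bin/sh
# Added example (not from the original post): audit an ifcfg-style file for a
# missing NETMASK and show which remote addresses would wrongly be treated as
# on-link (ARPed for directly) instead of being sent via the default gateway.
# Assumption: when NETMASK is unset, the RHEL/CentOS ifup scripts fall back to
# the classful mask for the address (what `ipcalc --netmask` returns).

# classful_mask ADDR : classful default netmask for a dotted-quad IPv4 address
classful_mask() {
    first=${1%%.*}
    if   [ "$first" -lt 128 ]; then echo 255.0.0.0        # class A
    elif [ "$first" -lt 192 ]; then echo 255.255.0.0      # class B
    elif [ "$first" -lt 224 ]; then echo 255.255.255.0    # class C
    else                            echo 255.255.255.255  # class D/E: host only
    fi
}

# ip2int ADDR : dotted quad -> 32-bit integer, for masking arithmetic.
# Runs in a subshell so the IFS change does not leak out.
ip2int() (
    IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# effective_mask FILE : NETMASK from the file, or the classful fallback if absent
effective_mask() {
    ipaddr=$(sed -n 's/^IPADDR=//p' "$1" | tr -d '"')
    netmask=$(sed -n 's/^NETMASK=//p' "$1" | tr -d '"')
    if [ -n "$netmask" ]; then echo "$netmask"; else classful_mask "$ipaddr"; fi
}

# on_link LOCAL REMOTE MASK : succeed if REMOTE shares LOCAL's subnet under MASK,
# i.e. the kernel would ARP for it instead of routing it via the gateway
on_link() {
    l=$(ip2int "$1"); r=$(ip2int "$2"); m=$(ip2int "$3")
    [ $(( r & m )) -eq $(( l & m )) ]
}

# report FILE REMOTE : print the effective mask and whether REMOTE is treated as local
report() {
    mask=$(effective_mask "$1")
    local_ip=$(sed -n 's/^IPADDR=//p' "$1" | tr -d '"')
    if on_link "$local_ip" "$2" "$mask"; then
        verdict="ON-LINK (kernel ARPs for it; replies never reach the gateway)"
    else
        verdict="routed via default gateway"
    fi
    printf '%s: IPADDR=%s effective NETMASK=%s -> %s is %s\n' \
        "$1" "$local_ip" "$mask" "$2" "$verdict"
}

# Constructed sample configs (not real files): the broken one omits NETMASK
# exactly as in the post; the fixed one pins the secondary address to /32.
tmpdir=$(mktemp -d)
cat > "$tmpdir/ifcfg-eth0:0" <<'EOF'
DEVICE=eth0:0
IPADDR=10.1.2.3
ONBOOT=yes
EOF
cat > "$tmpdir/ifcfg-eth0:0.fixed" <<'EOF'
DEVICE=eth0:0
IPADDR=10.1.2.3
NETMASK=255.255.255.255
ONBOOT=yes
EOF

# 10.200.7.9 stands in for a remote customer address that shares only the
# first octet with the server's secondary IP.
report "$tmpdir/ifcfg-eth0:0"       10.200.7.9
report "$tmpdir/ifcfg-eth0:0.fixed" 10.200.7.9
rm -rf "$tmpdir"
```

On a live box the equivalent one-line check is `ip route get <remote address>`: a correct configuration prints a `via <gateway>` hop, whereas the broken one prints only `dev eth0`, meaning the kernel intends to ARP for the remote host directly, which is exactly what showed up in the Wireshark capture.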