Strange network issue

[mudmanc4]

Layout brief-

server1 has IP aaa.aaa.aaa.aaa on eth0 - drop1

 

server3 has IP bbb.bbb.bbb.bbb on eth0 drop2

 

server1 eth1 cross connects with server3 on eth1 natted via 1:1 (public IP's>>private IP subnet) set from server1 for CT's on vmbr1 of server3

 

All appears to function properly. 

 

Question:

How is IP bbb.bbb.bbb.bbb pointed to eth0 on server1, making hundreds of connection attempts through LAN/ cross connect to IP aaa.aaa.aaa.aaa on eth0 of server1 via private IP subnet. 

(they are constellix requests) that I set. They report to server2 harvested off email server (server2) as well as nagios. Which is currently not happening. 

 

There is obviously more than one thing going on in the config for eth0/drop2/server3

Though I have flushed all iptables rules on server3 and removed vmbr0 - however firewall logs within (server1) show constant attempts from IP bbb.bbb.bbb.bbb to aaa.aaa.aaa.aaa and firewall is obviously blocking them. 

 

I should be able to trace this, however considering I cannot ping/tracerout , nmap use wireshark to eth0/server3 (other than the gateway and or broadcast) because there is some redirect if I may that is pointing IP bbb.bbb.bbb.bbb through the internal network. 

 

Server3 is debian based, so where would the next place to look be for this hidden IPV4 forward ?/ redirect? mapping? I've checked /etc/host /etc/hosts  /etc/sysctl.conf /etc/resolv.conf (there is no /etc/resolve/resolv.conf) and iptables -L shows a fresh wide open route. There are no ifup/ preup statements. 

 

Hope I explained this issue well enough. I must be overlooking something simple. 

[mudmanc4]

Yea I've been looking at finding where these rules are being loaded from. I scour and find nothing. Getting rather curious.