Solved

/proc/.../ip_forward and own interfaces

Posted on 2002-05-08
Last Modified: 2008-02-26
my router has:
   kernel 2.4.18
   eth0 10.0.1.1 netmask 255.255.255.0
   eth1 10.0.2.1 netmask 255.255.255.0
   echo 0 > /proc/sys/net/ipv4/ip_forward
   netroutes (with above netmasks) for both nets

Now I can see 10.0.2.1 from any 10.0.1.x. Something I don't want, for obvious reasons :-)

How can I tell the kernel (/proc/sys/net/...) not to route its own IPs?
Even the following does not help:
  iptables -F FORWARD
  iptables -P FORWARD DROP
Question by:ahoffmann
7 Comments
 

Accepted Solution

by:
MFCRich earned 400 total points
ID: 6998821
iptables -I INPUT -i eth0 -d 10.0.2.1 -j DROP

No forwarding is involved when a packet comes in on one interface destined for another interface on the same machine.
 

Author Comment

by:ahoffmann
ID: 6999461
thanks MFCRich,
this is a workaround, I'll leave the question open to see if someone knows more about:

> No forwarding is involved when a packet comes in on one interface destined for another interface on the same machine.
 

Expert Comment

by:The--Captain
ID: 6999911
I'm not sure why you're calling it a workaround - the behaviour of the linux kernel (using iptables) has fundamentally changed from the way you expect it to work - the docs say that now packets will not traverse all three chains before being delivered locally.  Period.  Therefore, I think MFCRich's solution is the only one (or at least the most straightforward) that you're going to find.  I vote for pts for MFCRich.

I can see why the developers did this - it presumably saves a ton of time not to have to check those rules, nor invoke all the commensurate code involved with 'forwarding'.  If you had an RFC1918 LAN that accessed services on a machine in the same LAN via its additional public IP, you would appreciate the speed increase, methinks.  If you don't want this new 'feature', MFCRich's solution works quite nicely (and presumably does *not* take much more time than checking if forwarding is denied).

Cheers,
-Jon

0
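MFCRich's rule and Jon's explanation both come down to the routing decision that is made before any filter chain runs: a destination that is one of the router's own addresses goes to local delivery (INPUT), so the FORWARD policy never sees it. The Python model below is an added illustration, not code from this thread or from the kernel; it walks that decision for the router in the question and shows why "-P FORWARD DROP" misses the 10.0.1.x -> 10.0.2.1 packet while the INPUT rule catches it. The mirror rule for eth1 -> 10.0.1.1 and the ip_forward switch are assumptions added here, not something the thread spells out.

```python
# Constructed model of the router in the question: two interfaces, one address
# each. This illustrates the netfilter path; it is not the kernel's code.
LOCAL_ADDRS = {"eth0": "10.0.1.1", "eth1": "10.0.2.1"}

def hook_for(dst, local_addrs=LOCAL_ADDRS):
    """Routing decision taken before the filter chains: a packet whose
    destination is one of the host's own addresses is delivered locally
    (INPUT hook) and never traverses FORWARD, whatever its policy is."""
    return "INPUT" if dst in local_addrs.values() else "FORWARD"

def walk_chain(rules, policy, in_iface, dst):
    """Rules are (in_iface or None, dst or None, target); first match wins,
    otherwise the chain policy applies."""
    for rule_iface, rule_dst, target in rules:
        if rule_iface in (None, in_iface) and rule_dst in (None, dst):
            return target
    return policy

def verdict(ruleset, in_iface, dst, ip_forward=0):
    """Fate of a packet arriving on in_iface for dst; ruleset maps a chain
    name to (rules, policy). ip_forward models the sysctl in the question."""
    chain = hook_for(dst)
    if chain == "FORWARD" and not ip_forward:
        return "DROP"   # ip_forward=0: the stack refuses to forward at all
    rules, policy = ruleset[chain]
    return walk_chain(rules, policy, in_iface, dst)

# What the question tried: an empty FORWARD chain with policy DROP.
ASKED = {"INPUT": ([], "ACCEPT"), "FORWARD": ([], "DROP")}

# The accepted answer (iptables -I INPUT -i eth0 -d 10.0.2.1 -j DROP) plus the
# assumed mirror rule protecting eth0's address from the eth1 side.
FIXED = {"INPUT": ([("eth0", "10.0.2.1", "DROP"),
                    ("eth1", "10.0.1.1", "DROP")], "ACCEPT"),
         "FORWARD": ([], "DROP")}

def demo():
    """Verdicts for the cases discussed in the thread, keyed by description."""
    return {
        "asked: eth0 -> eth1 address": verdict(ASKED, "eth0", "10.0.2.1"),
        "fixed: eth0 -> eth1 address": verdict(FIXED, "eth0", "10.0.2.1"),
        "fixed: eth1 -> eth0 address": verdict(FIXED, "eth1", "10.0.1.1"),
        "fixed: eth0 -> its own gateway": verdict(FIXED, "eth0", "10.0.1.1"),
        "fixed: eth0 -> host behind eth1": verdict(FIXED, "eth0", "10.0.2.7"),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

Note that the hosts on 10.0.1.x still reach their own gateway address 10.0.1.1 under FIXED, so the rule only hides the far interface without cutting the LAN off from the router.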
 

Author Comment

by:ahoffmann
ID: 7000612
Jon voted for this solution. I'll agree ;-)

Jon, I thought using the packetfilter is a workaround, 'cause I was searching for a kernel-based (TCP/IP stack) solution. The netfilter is part of the 2.4 kernel, so this is a "kernel-based" solution too.

It's just curious, 'cause I've not seen other Unixes behave this way.
I'm willing to share the points if you can point me to the description of this behaviour in the Linux docs. I'm really interested in a detailed description 'cause I think this is something you *have* to know when building firewalls.
 

Expert Comment

by:The--Captain
ID: 7000888
You make a good point about this being part of netfilter - one wonders what behaviour the old ipchains module would exhibit...

You gotta gimme a bit to come up with that reference - I came across it when looking over a bunch of docs for some VPN work I was doing - I found it interesting at the time but didn't give much thought to actual integration implications until I saw your question and thought "So *that's* what they were talking about in those docs I saw".  One of the reasons I didn't vote for myself for pts is because I don't have the reference immediately handy.  Now that I think about it, it was surely in the context of VPN - someone was complaining that they could only ping the VPN server over the IPSEC tunnel, and was referred to the docs that mention that explicit forwarding would need to be turned on, since only local delivery works without it (and I'm pretty sure they were talking about that being new in 2.4).

Cheers,
-Jon

 

Author Comment

by:ahoffmann
ID: 7000947
hmm, in VPN context ..
I know what you mean: when using IPSEC (for example with FreeS/WAN, you remember me? :), you cannot ping the remote endpoint of the tunnel, but anything behind it.
This is a restriction in FreeS/WAN's implementation, not sure if i.g. for IPSEC (but I think so).
This behaviour is kind of the opposite of my question here, 'cause IPSEC restricts you to using the interface behind, while I want to avoid access to this interface behind.

But it's nice that you remember this discussion, I should have thought about it myself, 'cause I gave comments and suggestion to that question too ;-)
 

Expert Comment

by:The--Captain
ID: 7004874
I know what you're talking about wrt IPSEC, and that's not what I was talking about...  What I was talking about was the difficulty in diagnosing filter chains once the VPN is connected because the remote side can ping the VPN server's private IP and not have to endure the forwarding rulesets (sometimes causing the weird behaviour of [remote guy]: "I can ping your VPN server's private IP, but none of the other machines on that subnet...").  You'd see the same thing in any config that was setup with 2 different subnets on two different interfaces, regardless of whether there was a VPN or not...

Cheers,
-Jon

