Solved

Stopping an IP on one interface

Posted on 2004-03-26
Last Modified: 2010-03-18
Hi,

I have a Red Hat 9 computer that sits between two networks. Its IP address on one network also exists on the other network, as shown below:

+--------------+   +--------------+   +-------------+   +-------------+
|    Other     |   |              |   |   Red Hat   |   |             |
|   Computer   +---+   Network1   +---+  a.a.a.a->  +---+   Network2  +
|   a.a.a.a    |   |              |   |  <-b.b.b.b  |   |             |
+--------------+   +--------------+   +-------------+   +-------------+

The Red Hat computer keeps telling Network1 that it has a.a.a.a and so is intermittently making the other computer unavailable.

Is there any way that I can stop the Red Hat computer using/accepting a.a.a.a on Network1?

I have tried dropping packets with source a.a.a.a on the Network1 interface but it appeared to make no difference.

Thanks
Mark
0
Question by:TempleMoorHighSchool
12 Comments
 
LVL 51

Accepted Solution

by:
ahoffmann earned 25 total points
ID: 10689969
You cannot have the same IP on 2 interfaces on the same logical net segment; it fools all your ARP caches.

iptables -A INPUT -s a.a.a.a -j DROP

will drop the packets, but it does not help in your case: you need to change the IP
0
 
LVL 40

Assisted Solution

by:jlevie
jlevie earned 25 total points
ID: 10691575
I agree with ahoffmann, but I'll state it a bit differently. If a.a.a.a exists on Network1 and Network2, then Network1 & Network2 are really the same network as far as the Linux kernel's networking stack is concerned. And that means that you have two computers on the same network with the same IP. The solution is to change either Network1 or Network2 so that they aren't the same network.
0
 
LVL 3

Expert Comment

by:yhetti
ID: 11185677
I'll assume you're using a >2.6.4 or >2.4.24.  

echo "1" > /proc/sys/net/ipv4/conf/all/arp_ignore

Then

echo "1" > /proc/sys/net/ipv4/conf/eth0/arp_ignore
...
echo "1" > /proc/sys/net/ipv4/conf/ethX/arp_ignore


Linux (via RFC 1122 I think) will answer arp requests on any interface that it gets the request for.  This is allowable behavior because you really should not have a system set up like you've got it going.  I have, however, done the same thing a number of times during server switchovers and building clusters.  There's generally a more elegant way, but sometimes Quick & Dirty is good enough...

arp_ignore tells the kernel *not* to answer an arp request unless it's specifically for the interface the request was received on.  In previous kernels, it was /proc/sys/net/ipv4/conf/*/hidden

There is also a corresponding arp_filter and arp_announce. I'll let you research those : )

0
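As an added example (my own code, not yhetti's or anything from this thread), here is a small POSIX sh helper that applies the arp_ignore and arp_filter knobs per interface the way the comment above describes, but checks that each /proc entry exists first, so a kernel that does not expose the knob fails with an explicit message instead of a bare "No such file or directory". The CONF_BASE parameter is my addition: point it at a scratch directory with the same layout to dry-run without root or without touching a live box.

```shell
#!/bin/sh
# Added example, not from the thread. Sets Linux per-interface ARP sysctls
# through /proc, verifying each knob exists before writing to it.
# CONF_BASE (4th argument) defaults to the real tree; a scratch directory
# with the same IFACE/KNOB layout lets you dry-run as a normal user.

# set_arp_knob IFACE KNOB VALUE [CONF_BASE]
# Returns 0 on success, 2 if the knob file is absent (the error the original
# poster saw on 2.4.20-8), 1 if the write itself fails (e.g. not root).
set_arp_knob() {
    k_if=$1; k_name=$2; k_val=$3; k_base=${4:-/proc/sys/net/ipv4/conf}
    k_file="$k_base/$k_if/$k_name"
    if [ ! -e "$k_file" ]; then
        echo "missing: $k_file (kernel $(uname -r) does not expose $k_name)" >&2
        return 2
    fi
    echo "$k_val" > "$k_file" || return 1
}

# harden_arp CONF_BASE IFACE...
# Applies arp_ignore=1 and arp_filter=1 to "all" and to every named
# interface. Returns the number of knobs that could not be set.
harden_arp() {
    h_base=$1; shift
    h_failed=0
    for h_if in all "$@"; do
        for h_knob in arp_ignore arp_filter; do
            set_arp_knob "$h_if" "$h_knob" 1 "$h_base" || h_failed=$((h_failed + 1))
        done
    done
    return $h_failed
}

# show_arp_knobs IFACE [CONF_BASE]
# Prints the current arp_ignore/arp_filter/arp_announce values, or "absent"
# for knobs this kernel does not have, so you can see what a box supports
# before trying to change it.
show_arp_knobs() {
    s_if=$1; s_base=${2:-/proc/sys/net/ipv4/conf}
    for s_knob in arp_ignore arp_filter arp_announce; do
        if [ -r "$s_base/$s_if/$s_knob" ]; then
            printf '%s/%s = %s\n' "$s_if" "$s_knob" "$(cat "$s_base/$s_if/$s_knob")"
        else
            printf '%s/%s = absent\n' "$s_if" "$s_knob"
        fi
    done
}

# Read-only when run directly: report what the local kernel exposes for the
# interface given as $1 (defaults to eth0). Call harden_arp yourself as root.
show_arp_knobs "${1:-eth0}"
```

Run `show_arp_knobs eth0` first; if every line says "absent" the kernel predates these sysctls and, as the thread concludes, no amount of echoing into /proc will help.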

Author Comment

by:TempleMoorHighSchool
ID: 11424116
Thanks for the input.

The kernel version is 2.4.20-8

I have tried

for f in /proc/sys/net/ipv4/conf/*/hidden; do
    echo 1 > $f
done

and

echo "1" > /proc/sys/net/ipv4/conf/all/arp_ignore

but both error with "No such file or directory"

I looked again on the net and found ifconfig -arp but this seems to stop all arp requests (even on the appropriate interface).

Any ideas?
Thanks
Mark
0
 
LVL 40

Expert Comment

by:jlevie
ID: 11428706
I don't believe arp_ignore is going to help in this case. The fundamental problem is that Network1 and Network2 have the same IP block and netmask. As far as the kernel is concerned it is going to route traffic to the IP a.a.a.a (which exists on both networks) via "the route" to a.a.a.0/mask, which will be the first interface configured (typically eth0).
0
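As an added example, not jlevie's code, the route selection he describes can be reproduced against a `route -n` listing, which is also what yhetti asks for next. The table below is a constructed sample with 10.1.1.0/24 standing in for a.a.a.0/mask on both eth0 and eth1: route_lookup picks the longest matching prefix and, on a tie, the entry listed first, which is why a.a.a.a always resolves to the earlier interface; duplicate_prefixes is the check to run first, because it flags any prefix that is attached to more than one interface.

```shell
#!/bin/sh
# Added example, not from the thread. Route lookup and a duplicate-prefix
# check over "route -n" style output, in POSIX sh + awk (no gawk bitwise ops).

# Constructed sample table: the same /24 on two interfaces, as in the question.
ROUTE_TABLE='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.1.1.0        0.0.0.0         255.255.255.0   U     0      0        0 eth0
10.1.1.0        0.0.0.0         255.255.255.0   U     0      0        0 eth1
0.0.0.0         10.1.1.254      0.0.0.0         UG    0      0        0 eth0'

# route_lookup DEST_IP  (table on stdin)
# Prints the interface the kernel would use: longest prefix wins, and between
# equal prefixes the one that appears first. Exit 1 if nothing matches.
route_lookup() {
    awk -v dest="$1" '
    # ip & m for one octet of a contiguous netmask, without bitwise operators
    function masked(ip, m) { return ip - ip % (256 - m) }
    # number of set bits in one mask octet
    function bits(m,  n) { n = 0; while (m > 0) { n += m % 2; m = int(m / 2) }; return n }
    BEGIN { best = -1; iface = "" }
    $1 == "Kernel" || $1 == "Destination" { next }   # banner and header lines
    {
        split(dest, d, "."); split($1, net, "."); split($3, mask, ".")
        plen = 0; ok = 1
        for (i = 1; i <= 4; i++) {
            if (masked(d[i], mask[i]) != net[i] + 0) ok = 0
            plen += bits(mask[i])
        }
        if (ok && plen > best) { best = plen; iface = $NF }   # strict >: first entry wins ties
    }
    END { if (iface == "") { print "no route" > "/dev/stderr"; exit 1 } print iface }'
}

# duplicate_prefixes  (table on stdin)
# Prints "Destination/Genmask iface1 iface2 ..." for every prefix reachable
# through more than one interface; prints nothing when the table is sane.
duplicate_prefixes() {
    awk '
    $1 == "Kernel" || $1 == "Destination" { next }
    {
        key = $1 "/" $3
        if (!(key in n)) order[++k] = key
        if (!((key, $NF) in have)) { have[key, $NF] = 1; n[key]++; list[key] = list[key] " " $NF }
    }
    END { for (i = 1; i <= k; i++) if (n[order[i]] > 1) print order[i] list[order[i]] }'
}

# Stand-alone run over the constructed table (feed real output with: route -n | ...)
printf '%s\n' "$ROUTE_TABLE" | duplicate_prefixes
printf '%s\n' "$ROUTE_TABLE" | route_lookup 10.1.1.5
```

On a live machine, `route -n | duplicate_prefixes` printing anything at all is the configuration the thread is warning about; until that line is empty, per-interface ARP tuning is treating a symptom.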
 
LVL 3

Expert Comment

by:yhetti
ID: 11431496
These guys are right, the routing must be a fiasco.  Paste the routing table here : )

Working on the assumption you know what you're doing, try

echo "1" > /proc/sys/net/ipv4/conf/eth0/arp_filter
echo "1" > /proc/sys/net/ipv4/conf/eth1/arp_filter
echo "1" > /proc/sys/net/ipv4/conf/all/arp_filter

(I'm continuing this because I've done exactly what you've described and had a very legit. reason for doing it.)

0
 

Author Comment

by:TempleMoorHighSchool
ID: 11557850
I have tried what you are suggesting but it appears not to make a difference: if I connect to a.a.a.a from network 1, I connect to the Red Hat computer.

There is nothing added to the routing tables as the Red Hat computer will never have to contact a.a.a.a on network 1. All I need is for the Red Hat computer to not respond to requests for a.a.a.a on network 1.

Thanks all for the help, any more ideas?
Mark
0
 
LVL 3

Expert Comment

by:yhetti
ID: 11561204
Okay.. those proc entries really should have worked.  I have no idea why *none* of them are there, unless it's another of those Stupid Redhat Kernel Version things.  At this point, I would go ahead and compile a new kernel (I'm not sure how redhat responds to 2.6 series kernels.)  Give 2.6.5 a try (2.6.6 and 2.6.7 seem to be unstable in my limited experience).  Under the network filtering, there is an option for ARP filtering.  There's also a new tool out called arptables, which works more or less like IPTables.   Arptables will do what you need to do, but it's a lot more complicated of a setup than the /proc entries.  It will, however, actually work.

Wes
0
 
LVL 40

Expert Comment

by:jlevie
ID: 11578548
I really don't see how you are going to do this and have the system able to use both interfaces. The kernel knows that there is a locally attached network and it must be able to answer ARP requests for that network. In this case you are confusing things by having the same network split physically and attached to different interfaces. As far as the kernel is concerned the two separate pieces are in fact the same network.

The only rational solution would be to use two Linux boxes separated by a glue network and statically NAT IPs in the "hidden" network, if you need fixed IPs. If fixed IPs from the "hidden" network aren't needed on the "public" network you could use dynamic NAT onto a single IP in the "public" network.
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 11579179
To repeat what has already been suggested: re-read the very first comment in this thread!

If you want to do it (same IP on 2 NICs) anyway, you need to patch the kernel yourself.
0
