Stopping an IP on one interface

Posted on 2004-03-26
Last Modified: 2010-03-18
Hi,

I have a Red Hat 9 computer that sits between two networks. Its IP address on one network exists on the other network, as shown below:

+-----------+    +-----------+    +------------+    +-----------+
|   Other   |    |           |    |  Red Hat   |    |           |
| Computer  +----+ Network1  +----+ a.a.a.a->  +----+ Network2  |
|  a.a.a.a  |    |           |    | <-b.b.b.b  |    |           |
+-----------+    +-----------+    +------------+    +-----------+

The Red Hat computer keeps telling Network1 that it has a.a.a.a and so is intermittently making the other computer unavailable.

Is there any way that I can stop the Red Hat computer using/accepting a.a.a.a on Network1?

I have tried dropping packets with source a.a.a.a on the Network1 interface but it appeared to make no difference.

Thanks
Mark
Question by:TempleMoorHighSchool
Accepted Solution

by:ahoffmann earned 25 total points
ID: 10689969
You cannot have the same IP on 2 interfaces on the same logical net segment; it fools all your ARP caches.

iptables -A INPUT -s a.a.a.a -j DROP

will drop the packets, but it does not help in your case: you need to change the IP
Assisted Solution

by:jlevie earned 25 total points
ID: 10691575
I agree with ahoffmann, but I'll state it a bit differently. If a.a.a.a exists on Network1 and Network2 then Network1 & Network2 are really the same network as far as the Linux kernel's networking stack is concerned. And that means that you have two computers on the same network with the same IP. The solution is to change either Network1 or Network2 so that they aren't the same network.
Expert Comment

by:yhetti
ID: 11185677
I'll assume you're using a >2.6.4 or >2.4.24 kernel.

echo "1" > /proc/sys/net/ipv4/conf/all/arp_ignore

Then

echo "1" > /proc/sys/net/ipv4/conf/eth0/arp_ignore
...
echo "1" > /proc/sys/net/ipv4/conf/ethX/arp_ignore


Linux (via RFC 1122, I think) will answer ARP requests on any interface that it gets the request on. This is allowable behavior because you really should not have a system set up like you've got it going. I have, however, done the same thing a number of times during server switchovers and building clusters. There's generally a more elegant way, but sometimes Quick & Dirty is good enough...

arp_ignore tells the kernel *not* to answer an ARP request unless it's specifically for the interface the request was received on. In previous kernels, it was /proc/sys/net/ipv4/conf/*/hidden

There is also a corresponding arp_filter and arp_announce. I'll let you research those : )

Author Comment

by:TempleMoorHighSchool
ID: 11424116
Thanks for the input.

The kernel version is 2.4.20-8

I have tried

for f in /proc/sys/net/ipv4/conf/*/hidden; do
    echo 1 > "$f"
done

and

echo "1" > /proc/sys/net/ipv4/conf/all/arp_ignore

but both error with "No such file or directory".

I looked again on the net and found ifconfig -arp, but this seems to stop all ARP requests (even on the appropriate interface).

Any ideas?
Thanks
Mark
Expert Comment

by:jlevie
ID: 11428706
I don't believe arp_ignore is going to help in this case. The fundamental problem is that  Network1 and Network2 have the same IP block and netmask. As far as the kernel is concerned it is going to route traffic to the IP a.a.a.a (which exists on both networks) via "the route" to a.a.a.0/mask, which will be the first interface configured (typically eth0).
Expert Comment

by:yhetti
ID: 11431496
These guys are right; the routing must be a fiasco. Paste the routing table here : )

Working on the assumption you know what you're doing, try

echo "1" > /proc/sys/net/ipv4/conf/eth0/arp_filter
echo "1" > /proc/sys/net/ipv4/conf/eth1/arp_filter
echo "1" > /proc/sys/net/ipv4/conf/all/arp_filter

(I'm continuing this because I've done exactly what you've described and had a very legit. reason for doing it.)

Author Comment

by:TempleMoorHighSchool
ID: 11557850
I have tried what you are suggesting, but it appears not to make a difference: if I connect to a.a.a.a from Network1, I connect to the Red Hat computer.

There is nothing added to the routing tables as the Red Hat computer will never have to contact a.a.a.a on network 1. All I need is for the Red Hat computer to not respond to requests for a.a.a.a on network 1.

Thanks all for the help, any more ideas?
Mark
Expert Comment

by:yhetti
ID: 11561204
Okay, those proc entries really should have worked. I have no idea why *none* of them are there, unless it's another of those Stupid Red Hat Kernel Version things. At this point, I would go ahead and compile a new kernel (I'm not sure how Red Hat responds to 2.6 series kernels.) Give 2.6.5 a try (2.6.6 and 2.6.7 seem to be unstable in my limited experience). Under the network filtering, there is an option for ARP filtering. There's also a new tool out called arptables, which works more or less like iptables. Arptables will do what you need to do, but it's a much more complicated setup than the /proc entries. It will, however, actually work.

Wes
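An added example, not code from this thread or from any of the posters, that puts yhetti's two suggestions together: the arp_ignore sysctl from the earlier comment, and arptables as the fallback for a kernel that lacks it (the 2.4.20 case where the write fails with "No such file or directory"). It also makes concrete why the iptables rule in the accepted answer cannot help: ARP is not IP, so an IP-layer INPUT rule never sees the ARP request and the kernel answers it anyway. Assumptions: eth0 is the Network1 interface, 192.0.2.10 stands in for a.a.a.a, and the script is run as root with the argument `apply`; without that argument it only defines functions.

```sh
#!/bin/sh
# Added example, not code from the thread. Keep a dual-homed Linux box from
# claiming SHARED_IP on the Network1 interface while it still owns that
# address on the Network2 interface.
# Assumptions: eth0 is the Network1 interface and 192.0.2.10 stands in for
# a.a.a.a; both can be overridden from the environment.
NET1_IF="${NET1_IF:-eth0}"
SHARED_IP="${SHARED_IP:-192.0.2.10}"
CONF_ROOT="${CONF_ROOT:-/proc/sys/net/ipv4/conf}"

# set_arp_ignore DIR
# Write arp_ignore=1 into every per-interface directory below DIR ('all',
# 'default', eth0, ...). With arp_ignore=1 the kernel answers an ARP request
# only if the target address is configured on the interface the request
# arrived on, so a request for SHARED_IP coming in on eth0 gets no reply
# while the same request on eth1 still does.
# Returns 1 if any directory lacks the knob (older kernels such as 2.4.20,
# where the write fails with "No such file or directory"), so the caller
# can fall back instead of assuming it worked.
set_arp_ignore() {
    dir="$1"
    missing=0
    for ifdir in "$dir"/*/; do
        knob="${ifdir}arp_ignore"
        if [ -f "$knob" ]; then
            echo 1 > "$knob" || return 1
        else
            missing=1
        fi
    done
    [ "$missing" -eq 0 ]
}

# arptables_rules IFACE IP
# Print the arptables commands that do the same job below the IP layer:
# discard ARP requests for IP arriving on IFACE before the kernel can answer
# them, and discard anything the kernel itself sends on IFACE with IP as the
# sender (replies and the gratuitous announcements made at ifup).
arptables_rules() {
    iface="$1"
    ip="$2"
    printf 'arptables -A INPUT -i %s --opcode Request --destination-ip %s -j DROP\n' "$iface" "$ip"
    printf 'arptables -A OUTPUT -o %s --source-ip %s -j DROP\n' "$iface" "$ip"
}

# apply_arp_suppression
# Prefer the sysctl; fall back to arptables when the kernel has no
# arp_ignore. Returns 0 only if one of the two was actually applied.
apply_arp_suppression() {
    if set_arp_ignore "$CONF_ROOT" 2>/dev/null; then
        echo "arp_ignore=1 set under $CONF_ROOT"
        return 0
    fi
    echo "no usable arp_ignore under $CONF_ROOT, trying arptables" >&2
    if ! command -v arptables >/dev/null 2>&1; then
        echo "arptables not installed; nothing applied" >&2
        return 1
    fi
    arptables_rules "$NET1_IF" "$SHARED_IP" | while read -r cmd; do
        $cmd || exit 1
    done
}

# Only act when explicitly asked (as root): ./arp-suppress.sh apply
if [ "${1:-}" = "apply" ]; then
    apply_arp_suppression
fi
```

Whether it worked is checked from a host on Network1 with iputils `arping -I eth0 -c 3 192.0.2.10` (assuming that host's interface is also eth0): only the other computer's MAC should answer. arp_ignore is the knob that matches the question exactly, since it is evaluated per incoming interface and leaves the address fully usable on the Network2 side; arp_filter instead keys on the route back to the requester, which in this layout is ambiguous. The arptables fallback gets the same result by discarding the requests before the kernel sees them. Neither changes jlevie's routing point: the box's own traffic to a.a.a.x addresses still leaves by whichever interface owns "the route", which is why the question only asks for the replies to stop.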
Expert Comment

by:jlevie
ID: 11578548
I really don't see how you are going to do this and have the system able to use both interfaces. The kernel knows that there is a locally attached network and it must be able to answer ARP requests for that network. In this case you are confusing things by having the same network split physically and attached to different interfaces. As far as the kernel is concerned the two separate pieces are in fact the same network.

The only rational solution would be to use two Linux boxes separated by a glue network and statically NAT IPs in the "hidden" network, if you need fixed IPs. If fixed IPs from the "hidden" network aren't needed on the "public" network you could use dynamic NAT onto a single IP in the "public" network.
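The two-box layout jlevie suggests, as an added example that is not part of the thread and not his code: on the box joining the glue network to Network1, hidden hosts that need a fixed public address get 1:1 static NAT, and everything else from the hidden range shares one public address. Assumptions: eth0 faces Network1, 198.51.100.0/24 is the hidden range and 192.0.2.0/24 the public range (documentation prefixes), and the static map is supplied as "hidden public" lines. The functions generate iptables commands; `apply` runs them only as root.

```sh
#!/bin/sh
# Added example, not code from the thread: the two-box layout jlevie
# describes, seen from the box that joins the glue network to Network1.
# Hidden hosts that need a fixed public address get 1:1 static NAT; every
# other hidden address shares PUB_IP.
# Assumptions: eth0 faces Network1, 198.51.100.0/24 is the hidden range and
# 192.0.2.0/24 the public range (both documentation prefixes); the static
# map arrives on stdin as "hidden public" lines, '#' starting a comment.
PUB_IF="${PUB_IF:-eth0}"
HIDDEN_NET="${HIDDEN_NET:-198.51.100.0/24}"
PUB_IP="${PUB_IP:-192.0.2.1}"

# is_ipv4 ADDR: dotted-quad shape check so a typo in the map fails loudly
# instead of becoming a rule that matches nothing.
is_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# static_nat_rules < map
# For each pair emit the inbound DNAT (public -> hidden) and the outbound
# SNAT (hidden -> public). Stops at the first malformed line with status 1.
static_nat_rules() {
    while read -r hidden pub; do
        case "$hidden" in ''|'#'*) continue ;; esac
        if ! is_ipv4 "$hidden" || ! is_ipv4 "$pub"; then
            echo "static_nat_rules: bad mapping '$hidden' -> '$pub'" >&2
            return 1
        fi
        printf 'iptables -t nat -A PREROUTING -i %s -d %s -j DNAT --to-destination %s\n' "$PUB_IF" "$pub" "$hidden"
        printf 'iptables -t nat -A POSTROUTING -o %s -s %s -j SNAT --to-source %s\n' "$PUB_IF" "$hidden" "$pub"
    done
}

# dynamic_nat_rules: catch-all for the rest of the hidden range. Must be
# added after the per-host SNAT rules, since the first POSTROUTING match wins.
dynamic_nat_rules() {
    printf 'iptables -t nat -A POSTROUTING -o %s -s %s -j SNAT --to-source %s\n' "$PUB_IF" "$HIDDEN_NET" "$PUB_IP"
}

# Transit traffic never reaches the nat table unless forwarding is on.
forwarding_rules() {
    echo 'sysctl -w net.ipv4.ip_forward=1'
}

# apply_nat MAPFILE: generate everything first, then run it; root only.
apply_nat() {
    mapfile="$1"
    [ "$(id -u)" -eq 0 ] || { echo "apply_nat: must run as root" >&2; return 1; }
    static="$(static_nat_rules < "$mapfile")" || return 1
    { forwarding_rules; printf '%s\n' "$static"; dynamic_nat_rules; } |
    while read -r cmd; do
        $cmd || exit 1
    done
}

# Only act when explicitly asked: ./nat-setup.sh apply /etc/nat.map
if [ "${1:-}" = "apply" ] && [ -n "${2:-}" ]; then
    apply_nat "$2"
fi
```

Two details matter in practice. Rule order in POSTROUTING: the per-host SNAT rules go in before the range-wide one, because the first matching rule wins, and the script emits them in that order. Return traffic for a DNATed connection is rewritten by conntrack, so no reverse rule is needed, but ip_forward must be on or transit packets never reach the nat table. With the hidden network behind this box, the address a.a.a.a on Network2 never appears on Network1 at all, which removes the ARP conflict instead of suppressing it.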
Expert Comment

by:ahoffmann
ID: 11579179
To repeat what has been suggested: re-read the very first comment in this thread!

If you want to do it (same IP on 2 NICs) anyway, you need to patch the kernel yourself.