Solved

Stopping an IP on one interface

Posted on 2004-03-26
Last Modified: 2010-03-18
Hi,

I have a Red Hat 9 computer that sits between two networks. Its IP address on one network exists on the other network, as shown below:

+-----------+   +----------+   +-----------+   +----------+
|   Other   |   |          |   |  Red Hat  |   |          |
| Computer  +---+ Network1 +---+ a.a.a.a-> +---+ Network2 |
|  a.a.a.a  |   |          |   | <-b.b.b.b |   |          |
+-----------+   +----------+   +-----------+   +----------+

The Red Hat computer keeps telling Network1 that it has a.a.a.a and so is intermittently making the other computer unavailable.

Is there any way that I can stop the Red Hat computer using/accepting a.a.a.a on Network1?

I have tried dropping packets with source a.a.a.a on the Network1 interface but it appeared to make no difference.

Thanks
Mark
Question by:TempleMoorHighSchool
12 Comments
 
LVL 51

Accepted Solution

by:
ahoffmann earned 25 total points
ID: 10689969
you can not have the same IP on 2 interfaces on the same logical net segment, it fools all your arp caches

iptables -A INPUT -s a.a.a.a -j DROP

will drop the packets, but it does not help in your case: you need to change the IP
 
LVL 40

Assisted Solution

by:jlevie
jlevie earned 25 total points
ID: 10691575
I agree with ahoffman, but I'll state it bit differently. If a.a.a.a exists on Network1 and Network2 then Network1 & Network2 are really the same network as far as the Linux kernel's networking stack is concerned. And that means that you have two computers on the same network with the same IP. The solution is to change either Network1 or Network2 so that they aren't the same network.
 
LVL 3

Expert Comment

by:yhetti
ID: 11185677
I'll assume you're using a >2.6.4 or >2.4.24.  

echo "1" > /proc/sys/net/ipv4/conf/all/arp_ignore

Then

echo "1" > /proc/sys/net/ipv4/conf/eth0/arp_ignore
...
echo "1" > /proc/sys/net/ipv4/conf/ethX/arp_ignore


Linux (via RFC 1122 I think) will answer arp requests on any interface that it gets the request for.  This is allowable behavior because you really should not have a system set up like you've got it going.  I have, however, done the same thing a number of times during server switchovers and building clusters.  There's generally a more elegant way, but sometimes Quick & Dirty is good enough...

arp_ignore tells the kernel *not* to answer an arp request unless it's specifically for the interface the request was received on.  In previous kernels, it was /proc/sys/net/ipv4/conf/*/hidden

There is also a corresponding arp_filter and arp_announce. I'll let you research those : )

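To make the arp_ignore semantics concrete, here is an added model (not code from the thread) of the kernel's reply decision for the topology in the question, using constructed addresses: eth0 faces Network1 and carries b.b.b.b (10.0.0.1/24), eth1 faces Network2 and carries a.a.a.a (10.0.0.5/24), with the same block on both sides as the later comments point out. The effective value being max(conf/all, conf/<iface>) and the meaning of modes 0, 1, 2 and 8 follow the kernel's ip-sysctl documentation; modes 3 to 7 are left out.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Iface:
    """One NIC: its addresses as ip/prefix strings and its own arp_ignore value."""
    addrs: list
    arp_ignore: int = 0


@dataclass
class Host:
    ifaces: dict
    all_arp_ignore: int = 0  # /proc/sys/net/ipv4/conf/all/arp_ignore


def _has_addr(iface, ip):
    return any(ipaddress.ip_interface(a).ip == ipaddress.ip_address(ip) for a in iface.addrs)


def _in_subnet(iface, ip):
    return any(ipaddress.ip_address(ip) in ipaddress.ip_interface(a).network for a in iface.addrs)


def will_reply(host, in_iface, sender_ip, target_ip):
    """Model of the arp_ignore check for an ARP request arriving on in_iface.
    Effective mode is max(all, iface), as the kernel documents."""
    iface = host.ifaces[in_iface]
    mode = max(host.all_arp_ignore, iface.arp_ignore)
    if mode == 0:   # default: answer for any local address on any interface
        return any(_has_addr(i, target_ip) for i in host.ifaces.values())
    if mode == 1:   # answer only if the target is configured on the incoming interface
        return _has_addr(iface, target_ip)
    if mode == 2:   # as 1, and the sender must be in that interface's subnet
        return _has_addr(iface, target_ip) and _in_subnet(iface, sender_ip)
    if mode == 8:   # never answer for local addresses
        return False
    raise ValueError(f"arp_ignore={mode} not modelled here")


def thread_host():
    """Constructed stand-in for the Red Hat box in the question."""
    return Host({"eth0": Iface(["10.0.0.1/24"]), "eth1": Iface(["10.0.0.5/24"])})


if __name__ == "__main__":
    h = thread_host()
    print("default, ARP for a.a.a.a on eth0:", will_reply(h, "eth0", "10.0.0.20", "10.0.0.5"))
    h.ifaces["eth0"].arp_ignore = 1
    print("arp_ignore=1, ARP for a.a.a.a on eth0:", will_reply(h, "eth0", "10.0.0.20", "10.0.0.5"))
    print("arp_ignore=1, ARP for a.a.a.a on eth1:", will_reply(h, "eth1", "10.0.0.30", "10.0.0.5"))
```

With the default mode the box answers on eth0 for a.a.a.a, which is exactly what disturbs the other computer on Network1; with arp_ignore=1 on eth0 it stays silent there but still answers on eth1, where the address really lives.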
 

Author Comment

by:TempleMoorHighSchool
ID: 11424116
Thanks for the input.

The kernel version is 2.4.20-8

I have tried

for f in /proc/sys/net/ipv4/conf/*/hidden; do
      echo 1 > $f
done

and

echo "1" > /proc/sys/net/ipv4/conf/all/arp_ignore

but both error with "No such file or directory"

I looked again on the net and found ifconfig -arp but this seems to stop all arp requests (even on the appropriate interface).

Any ideas?
Thanks
Mark
 
LVL 40

Expert Comment

by:jlevie
ID: 11428706
I don't believe arp_ignore is going to help in this case. The fundamental problem is that  Network1 and Network2 have the same IP block and netmask. As far as the kernel is concerned it is going to route traffic to the IP a.a.a.a (which exists on both networks) via "the route" to a.a.a.0/mask, which will be the first interface configured (typically eth0).
 
LVL 3

Expert Comment

by:yhetti
ID: 11431496
These guys are right, the routing must be a fiasco.  Paste the routing table here : )

Working on the assumption you know what you're doing, try

echo "1" > /proc/sys/net/ipv4/conf/eth0/arp_filter
echo "1" > /proc/sys/net/ipv4/conf/eth1/arp_filter
echo "1" > /proc/sys/net/ipv4/conf/all/arp_filter

(I'm continuing this because I've done exactly what you've described and had a very legit. reason for doing it.)

 

Author Comment

by:TempleMoorHighSchool
ID: 11557850
I have tried what you are suggesting but it appears not to make a difference: if I connect to a.a.a.a from Network1 I connect to the Red Hat computer.

There is nothing added to the routing tables as the Red Hat computer will never have to contact a.a.a.a on network 1. All I need is for the Red Hat computer to not respond to requests for a.a.a.a on network 1.

Thanks all for the help, any more ideas?
Mark
 
LVL 3

Expert Comment

by:yhetti
ID: 11561204
Okay, those proc entries really should have worked.  I have no idea why *none* of them are there, unless it's another of those Stupid Redhat Kernel Version things.  At this point, I would go ahead and compile a new kernel (I'm not sure how redhat responds to 2.6 series kernels.)  Give 2.6.5 a try (.6.6 and .6.7 seem to be unstable in my limited experience).  Under the network filtering, there is an option for ARP filtering.  There's also a new tool out called arptables, which works more or less like IPTables.   Arptables will do what you need to do, but it's a lot more complicated of a setup than the /proc entries.  It will, however, actually work.

Wes
 
LVL 40

Expert Comment

by:jlevie
ID: 11578548
I really don't see how you are going to do this and have the system able to use both interfaces. The kernel knows that there is a locally attached network and it must be able to answer ARP requests for that network. In this case you are confusing things by having the same network split physically and attached to different interfaces. As far as the kernel is concerned the two separate pieces are in fact the same network.

The only rational solution would be to use two Linux boxes separated by a glue network and statically NAT IP's in the "hidden" network, if you need fixed IP's. If fixed IP's from the "hidden" network aren't needed on the "public "network you could use dynamic NAT onto a single IP in the "public" network.
 
LVL 51

Expert Comment

by:ahoffmann
ID: 11579179
to repeat again what has been suggested: re-read the very first comment in this thread!

If you want to do it (same IP on 2 NICs) anyway, you need to patch the kernel yourself.
