rp_filter || log_martians doesn't work as expected

From: Theodor Milkov (zimage@delbg.com)
Date: Wed Feb 07 2001 - 08:50:56 EST


Hello,

I have a simple 10BaseT network attached to a Linux router. What I want is to
prevent packets with a src address not from my net from leaving the Linux router, as
well as packets with a dst address not destined to my network from coming in.

Now I'm using ipchains to achieve this, but someone told me that rp_filter is the
Right Thing to do.

So I read a couple of HOWTOs but without success...

My setup:

 +----------------+               +----------------+
 |  Linux box A   |               |  Linux box B   |
 +----------------+               +----------------+
          | xx.xx.xx.21                    | xx.xx.xx.10
          | xx.xx.xx.17                    | xx.xx.xx.9
 +----------------+  xx.xx.xx.5   +----------------+
 | Linux router-1 | <-----------> | Linux router-2 |
 +----------------+  xx.xx.xx.6   +----------------+

And now:

root@router-1:~# for i in /proc/sys/net/ipv4/conf/*/rp_filter; do echo "0" > $i ;done

root@box-A:~# hping xx.xx.xx.10 -a 11.11.11.11
eth0 default routing interface selected (according to /proc)
HPING xx.xx.xx.10 (eth0 xx.xx.xx.10): NO FLAGS are set, 40 headers + 0 data bytes

root@router-2:~# tcpdump -i eth0 -p host 11.11.11.11 -n
tcpdump: listening on eth0
15:35:30.115521 11.11.11.11.1601 > xx.xx.xx.10.0: . win 512
15:35:30.115940 xx.xx.xx.10.0 > 11.11.11.11.1601: R 0:0(0) ack 1871414987 win 0

This is OK. Packets arriving from a network not directly connected to router-1 pass
through.

Later:

root@router-1:~# for i in /proc/sys/net/ipv4/conf/*/rp_filter; do echo "2" > $i ;done
root@router-1:~# for i in /proc/sys/net/ipv4/conf/*/log_martians; do echo "1" > $i ;done

root@box-A:~# hping xx.xx.xx.10 -a 11.11.11.11
eth0 default routing interface selected (according to /proc)
HPING xx.xx.xx.10 (eth0 xx.xx.xx.10): NO FLAGS are set, 40 headers + 0 data bytes

root@router-center:~# tcpdump -i eth0 -p host 11.11.11.11 -n
tcpdump: listening on eth0

15:45:50.282591 11.11.11.11.2602 > xx.xx.xx.10.0: . win 512
15:45:50.283046 xx.xx.xx.10.0 > 11.11.11.11.2602: R 0:0(0) ack 152194687 win 0

I think this is wrong behavior? Why do packets with source address 11.11.11.11
pass through router-1? And nothing is logged... Maybe there is something that
I need to pass at kernel compile time? Or something else that I don't know... Help! ;-)

Regards

-- 
        =- --rw------- =--=--=--=--=--=--=--=--=--=--=--=--=--=
          Theodor Milkov           Administrator IP Networks
          Davidov Electric Ltd.    Phone: +359 (2) 730158
          PGP: http://www.zimage.delbg.com/zimage.asc
        =--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=
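Added example (not part of the original post or of any kernel code): a small model of what strict reverse-path filtering (rp_filter=1) actually decides, run against a constructed routing table that mirrors the diagram above. The kernel looks up the route back to the packet's *source* address and drops the packet as a "martian" if that route does not leave through the interface the packet arrived on (or if there is no route at all). This is why the result depends entirely on router-1's routing table, and why rp_filter does nothing for the second requirement in the post (filtering by destination address), which still needs a packet filter rule. The interface names eth0/eth1 and the 198.51.100.0/24 documentation prefix standing in for the masked xx.xx.xx.* addresses are assumptions.

```python
"""Model of Linux strict reverse-path filtering (rp_filter=1).

Illustrative code only, not the kernel's fib_validate_source(). The routing
table below is constructed to match the diagram in the post, with the masked
xx.xx.xx.* prefix replaced by 198.51.100.0/24 (an assumption).
"""
import ipaddress
from typing import List, Optional, Tuple

Route = Tuple[ipaddress.IPv4Network, str]  # (destination prefix, outgoing interface)

# Constructed routing table for router-1 (interface names are assumed):
#   eth0: LAN with box A  (router-1 is .17, box A is .21)
#   eth1: link to router-2 (.5 on router-1, .6 on router-2); router-2's LAN (.9/.10)
#         and the default route are reached through it.
ROUTER1_ROUTES: List[Route] = [
    (ipaddress.ip_network("198.51.100.16/28"), "eth0"),
    (ipaddress.ip_network("198.51.100.4/30"), "eth1"),
    (ipaddress.ip_network("198.51.100.8/29"), "eth1"),
    (ipaddress.ip_network("0.0.0.0/0"), "eth1"),  # default route toward router-2
]


def lookup(routes: List[Route], addr: ipaddress.IPv4Address) -> Optional[str]:
    """Longest-prefix match: the interface a packet *to* addr would leave on."""
    best: Optional[Route] = None
    for net, dev in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None


def classify(routes: List[Route], src: str, in_dev: str) -> Tuple[str, Optional[str]]:
    """Decide as strict rp_filter would: ("accept", None) or ("drop", reason).

    The check is on the SOURCE address: the reverse path back to src must
    leave through the interface the packet arrived on.
    """
    out_dev = lookup(routes, ipaddress.ip_address(src))
    if out_dev is None:
        return ("drop", f"no route back to source {src}")
    if out_dev != in_dev:
        return ("drop", f"reverse path for {src} is {out_dev}, packet arrived on {in_dev}")
    return ("accept", None)


def strict_rp_filter(routes: List[Route], src: str, in_dev: str) -> bool:
    """True if a packet from src arriving on in_dev passes strict rp_filter."""
    return classify(routes, src, in_dev)[0] == "accept"


if __name__ == "__main__":
    # The hping test from the post: box A (on eth0) sends with spoofed source 11.11.11.11.
    cases = [
        ("198.51.100.21", "eth0"),  # box A with its real address
        ("11.11.11.11", "eth0"),    # box A spoofing an outside address
        ("198.51.100.10", "eth1"),  # box B's reply coming back from router-2
        ("198.51.100.21", "eth1"),  # outside host spoofing our own LAN
    ]
    for src, dev in cases:
        verdict, reason = classify(ROUTER1_ROUTES, src, dev)
        print(f"src={src:15} in={dev}: {verdict}" + (f" ({reason})" if reason else ""))
```

Two things worth checking on a real router before concluding rp_filter is broken: that the reverse-path lookup for the spoofed source really does resolve to a different interface (`ip route get 11.11.11.11` on current kernels), and what the kernel actually uses for the interface. The ip-sysctl documentation states that the maximum of conf/all/rp_filter and conf/<iface>/rp_filter is applied, and that the value 2 (loose mode, which only requires *some* route back to the source) was introduced in 2.6.31; kernels of the post's era treated the setting as a boolean. Note also that a model with no default route at all, as in the `classify` "no route" branch, is the case where strict mode drops the packet without any interface mismatch.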





This archive was generated by hypermail 2b29 : Wed Feb 07 2001 - 21:00:31 EST