214 lines
4.3 KiB
HTML
214 lines
4.3 KiB
HTML
<HTML
|
|
><HEAD
|
|
><TITLE
|
|
>Reverse Path Filtering</TITLE
|
|
><META
|
|
NAME="GENERATOR"
|
|
CONTENT="Modular DocBook HTML Stylesheet Version 1.7"><LINK
|
|
REL="HOME"
|
|
TITLE="Linux Advanced Routing & Traffic Control HOWTO"
|
|
HREF="index.html"><LINK
|
|
REL="UP"
|
|
TITLE="Kernel network parameters "
|
|
HREF="lartc.kernel.html"><LINK
|
|
REL="PREVIOUS"
|
|
TITLE="Kernel network parameters "
|
|
HREF="lartc.kernel.html"><LINK
|
|
REL="NEXT"
|
|
TITLE="Obscure settings"
|
|
HREF="lartc.kernel.obscure.html"></HEAD
|
|
><BODY
|
|
CLASS="SECT1"
|
|
BGCOLOR="#FFFFFF"
|
|
TEXT="#000000"
|
|
LINK="#0000FF"
|
|
VLINK="#840084"
|
|
ALINK="#0000FF"
|
|
><DIV
|
|
CLASS="NAVHEADER"
|
|
><TABLE
|
|
SUMMARY="Header navigation table"
|
|
WIDTH="100%"
|
|
BORDER="0"
|
|
CELLPADDING="0"
|
|
CELLSPACING="0"
|
|
><TR
|
|
><TH
|
|
COLSPAN="3"
|
|
ALIGN="center"
|
|
>Linux Advanced Routing & Traffic Control HOWTO</TH
|
|
></TR
|
|
><TR
|
|
><TD
|
|
WIDTH="10%"
|
|
ALIGN="left"
|
|
VALIGN="bottom"
|
|
><A
|
|
HREF="lartc.kernel.html"
|
|
ACCESSKEY="P"
|
|
>Prev</A
|
|
></TD
|
|
><TD
|
|
WIDTH="80%"
|
|
ALIGN="center"
|
|
VALIGN="bottom"
|
|
>Chapter 13. Kernel network parameters</TD
|
|
><TD
|
|
WIDTH="10%"
|
|
ALIGN="right"
|
|
VALIGN="bottom"
|
|
><A
|
|
HREF="lartc.kernel.obscure.html"
|
|
ACCESSKEY="N"
|
|
>Next</A
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
><HR
|
|
ALIGN="LEFT"
|
|
WIDTH="100%"></DIV
|
|
><DIV
|
|
CLASS="SECT1"
|
|
><H1
|
|
CLASS="SECT1"
|
|
><A
|
|
NAME="LARTC.KERNEL.RPF"
|
|
></A
|
|
>13.1. Reverse Path Filtering</H1
|
|
><P
|
|
>By default, routers route everything, even packets which 'obviously' don't
|
|
belong on your network. A common example is private IP space escaping onto
|
|
the Internet. If you have an interface with a route of 195.96.96.0/24 to it,
|
|
you do not expect packets from 212.64.94.1 to arrive there.</P
|
|
><P
|
|
>Lots of people will want to turn this feature off, so the kernel hackers
|
|
have made it easy. There are files in /proc where you can tell
|
|
the kernel to do this for you. The method is called "Reverse Path
|
|
Filtering". Basically, if the reply to this packet wouldn't go out the
|
|
interface this packet came in, then this is a bogus packet and should be
|
|
ignored.</P
|
|
><P
|
|
>The following fragment will turn this on for all current and future
|
|
interfaces.</P
|
|
><P
|
|
> <TABLE
|
|
BORDER="1"
|
|
BGCOLOR="#E0E0E0"
|
|
WIDTH="100%"
|
|
><TR
|
|
><TD
|
|
><FONT
|
|
COLOR="#000000"
|
|
><PRE
|
|
CLASS="SCREEN"
|
|
># for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
|
|
> echo 2 > $i
|
|
> done</PRE
|
|
></FONT
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
> </P
|
|
><P
|
|
>Going by the example above, if a packet arrived on the Linux router on eth1
|
|
claiming to come from the Office+ISP subnet, it would be dropped. Similarly,
|
|
if a packet came from the Office subnet, claiming to be from somewhere
|
|
outside your firewall, it would be dropped also.</P
|
|
><P
|
|
>The above is full reverse path filtering. The default is to only filter
|
|
based on IPs that are on directly connected networks. This is because the
|
|
full filtering breaks in the case of asymmetric routing (where packets come
|
|
in one way and go out another, like satellite traffic, or if you have
|
|
dynamic (bgp, ospf, rip) routes in your network. The data comes down
|
|
through the satellite dish and replies go back through normal land-lines).</P
|
|
><P
|
|
>If this exception applies to you (and you'll probably know if it does) you
|
|
can simply turn off the rp_filter on the interface where the
|
|
satellite data comes in. If you want to see if any packets are being
|
|
dropped, the log_martians file in the same directory will tell
|
|
the kernel to log them to your syslog.</P
|
|
><P
|
|
> <TABLE
|
|
BORDER="1"
|
|
BGCOLOR="#E0E0E0"
|
|
WIDTH="100%"
|
|
><TR
|
|
><TD
|
|
><FONT
|
|
COLOR="#000000"
|
|
><PRE
|
|
CLASS="SCREEN"
|
|
># echo 1 >/proc/sys/net/ipv4/conf/<interfacename>/log_martians</PRE
|
|
></FONT
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
> </P
|
|
><P
|
|
>FIXME: is setting the conf/{default,all}/* files enough? - martijn</P
|
|
></DIV
|
|
><DIV
|
|
CLASS="NAVFOOTER"
|
|
><HR
|
|
ALIGN="LEFT"
|
|
WIDTH="100%"><TABLE
|
|
SUMMARY="Footer navigation table"
|
|
WIDTH="100%"
|
|
BORDER="0"
|
|
CELLPADDING="0"
|
|
CELLSPACING="0"
|
|
><TR
|
|
><TD
|
|
WIDTH="33%"
|
|
ALIGN="left"
|
|
VALIGN="top"
|
|
><A
|
|
HREF="lartc.kernel.html"
|
|
ACCESSKEY="P"
|
|
>Prev</A
|
|
></TD
|
|
><TD
|
|
WIDTH="34%"
|
|
ALIGN="center"
|
|
VALIGN="top"
|
|
><A
|
|
HREF="index.html"
|
|
ACCESSKEY="H"
|
|
>Home</A
|
|
></TD
|
|
><TD
|
|
WIDTH="33%"
|
|
ALIGN="right"
|
|
VALIGN="top"
|
|
><A
|
|
HREF="lartc.kernel.obscure.html"
|
|
ACCESSKEY="N"
|
|
>Next</A
|
|
></TD
|
|
></TR
|
|
><TR
|
|
><TD
|
|
WIDTH="33%"
|
|
ALIGN="left"
|
|
VALIGN="top"
|
|
>Kernel network parameters</TD
|
|
><TD
|
|
WIDTH="34%"
|
|
ALIGN="center"
|
|
VALIGN="top"
|
|
><A
|
|
HREF="lartc.kernel.html"
|
|
ACCESSKEY="U"
|
|
>Up</A
|
|
></TD
|
|
><TD
|
|
WIDTH="33%"
|
|
ALIGN="right"
|
|
VALIGN="top"
|
|
>Obscure settings</TD
|
|
></TR
|
|
></TABLE
|
|
></DIV
|
|
></BODY
|
|
></HTML
|
|
> |