Hello,

I have a simple 10BaseT network attached to a Linux router. What I want is to prevent packets with a src address not from my net from leaving the Linux router, as well as packets with a dst address not destined to my network from coming in. Now I'm using ipchains to achieve this, but someone told me that rp_filter is the Right Thing to do. So I read a couple of HOWTOs, but without success...

My setup:

  +----------------+                 +----------------+
  | Linux box A    |                 | Linux box B    |
  +----------------+                 +----------------+
          | xx.xx.xx.21                     | xx.xx.xx.10
          | xx.xx.xx.17                     | xx.xx.xx.9
  +----------------+ xx.xx.xx.5      +----------------+
  | Linux router-1 | <-----------> | Linux router-2 |
  +----------------+ xx.xx.xx.6      +----------------+

And now:

  root@router-1:~# for i in /proc/sys/net/ipv4/conf/*/rp_filter; do echo "0" > $i ;done

  root@box-A:~# hping xx.xx.xx.10 -a 11.11.11.11
  eth0 default routing interface selected (according to /proc)
  HPING xx.xx.xx.10 (eth0 xx.xx.xx.10): NO FLAGS are set, 40 headers + 0 data bytes

  root@router-2:~# tcpdump -i eth0 -p host 11.11.11.11 -n
  tcpdump: listening on eth0
  15:35:30.115521 11.11.11.11.1601 > xx.xx.xx.10.0: . win 512
  15:35:30.115940 xx.xx.xx.10.0 > 11.11.11.11.1601: R 0:0(0) ack 1871414987 win 0

This is OK. Packets arriving on router-1 from a not directly connected network pass through.

Later:

  root@router-1:~# for i in /proc/sys/net/ipv4/conf/*/rp_filter; do echo "2" > $i ;done
  root@router-1:~# for i in /proc/sys/net/ipv4/conf/*/log_martians; do echo "1" > $i ;done

  root@box-A:~# hping xx.xx.xx.10 -a 11.11.11.11
  eth0 default routing interface selected (according to /proc)
  HPING xx.xx.xx.10 (eth0 xx.xx.xx.10): NO FLAGS are set, 40 headers + 0 data bytes

  root@router-center:~# tcpdump -i eth0 -p host 11.11.11.11 -n
  tcpdump: listening on eth0
  15:45:50.282591 11.11.11.11.2602 > xx.xx.xx.10.0: . win 512
  15:45:50.283046 xx.xx.xx.10.0 > 11.11.11.11.2602: R 0:0(0) ack 152194687 win 0

I think this is wrong behavior? Why do packets with source address 11.11.11.11 pass through router-1? And nothing is logged... Maybe there is something that I need to pass at kernel compile time? Or something else that I don't know... Help! ;-)

Regards
-- 
Theodor Milkov
Administrator IP Networks
Davidov Electric Ltd.
Phone: +359 (2) 730158
PGP: http://www.zimage.delbg.com/zimage.asc
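As an added illustration of what rp_filter actually tests (this is example code written for this page, not anything from the original post), the model below applies the reverse-path check to the spoofed packet described above. The routing table and the 192.0.2.x addresses are constructed stand-ins for the xx.xx.xx.* topology; the mode semantics follow the current kernel documentation, where 1 is strict (the route back to the source must leave via the ingress interface) and 2 is loose (any route back to the source, a default route included, is enough).

```python
import ipaddress

# Constructed routing table for router-1: (prefix, egress interface).
# eth0 faces box A, eth1 is the point-to-point link to router-2.
ROUTER1_ROUTES = [
    ("192.0.2.16/29", "eth0"),   # LAN with box A (router-1 is .17)
    ("192.0.2.4/30", "eth1"),    # link to router-2 (.5 <-> .6)
    ("192.0.2.8/29", "eth1"),    # box B's network, behind router-2
    ("0.0.0.0/0", "eth1"),       # default route via router-2
]
# Same table without the default route, to show the loose-mode difference.
ROUTER1_NO_DEFAULT = [r for r in ROUTER1_ROUTES if r[0] != "0.0.0.0/0"]


def lookup(routes, addr):
    """Longest-prefix match: egress interface for addr, or None if unroutable."""
    dst = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def rp_filter_verdict(routes, src, in_iface, mode):
    """Verdict for a packet with source src arriving on in_iface.

    mode 0: no reverse-path check.
    mode 1: strict; the route back to src must exit via in_iface.
    mode 2: loose; any route back to src (even the default route) passes.
    A dropped packet is what log_martians would report.
    """
    if mode == 0:
        return "accept"
    back = lookup(routes, src)
    if back is None:
        return "drop (martian: no route back to source)"
    if mode == 1 and back != in_iface:
        return f"drop (martian: reverse path is {back}, packet came in on {in_iface})"
    return "accept"


if __name__ == "__main__":
    # The post's case: box A on eth0 sends with source 11.11.11.11.
    for mode in (0, 1, 2):
        print(f"rp_filter={mode}:", rp_filter_verdict(ROUTER1_ROUTES, "11.11.11.11", "eth0", mode))
```

With a default route installed, only strict mode (1) rejects the forged source; loose mode (2) accepts it because the default route counts as a path back.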