Hi all

I seem to have an unusual problem :-)

I've got a linux box used as router (and also tunnel endpoint) with many interfaces of course. One interface is the main interface (eth0) where the DNS names point to. There are also some services running on that box, like ntpd and bind9. Bind knows a configuration option to bind to a specific interface or address. So this works more or less fine :-) ntpd doesn't know such an option and just binds to all interfaces it can see.

Let's say I have:

eth0: 10.0.0.1 (time.example.com)
tun-A: 192.168.0.1 (with the 192.168.1.0/24 net attached on the other side)

Now some client from the other side of the tunnel sends an ntp request to time.example.com (10.0.0.1). This arrives via the tunnel at the box and gets answered by ntpd, who of course sees that 192.168.0.1 is the right interface to send the reply out. The client sees the ntp answer coming from 192.168.0.1, which is not where the request was sent to (10.0.0.1), and discards that reply.

I see this happen all the time with things such as DNS (before I restricted binding), snmp and especially ntp.

I could more or less solve that for IPv4 by using SNAT to the ip of eth0 on all other interfaces and tunnels. But what would a router be nowadays without IPv6 :-) And you can't NAT IPv6!

So what I'm looking for is to prevent anything from binding to an interface (or address). To sort of define a 'routing only' interface. Or, doing it the other way round, to define only one interface (eth0) where services may bind.

I've already searched quite a bit of the kernel docs and asked the netfilter people. Apparently no solution known there.

Does somebody here know a way to achieve this?
Regards
-Benoit-
--
Benoît Panizzon, <bp@xxxxxx>
------------------------------------------------------------------------
ImproWare AG, UNIXSP & ISP          Phone: +41 61 826 93 00
Zurlindenstrasse 29                 Fax:   +41 61 826 93 01
CH-4133 Pratteln                    Net:   http://www.imp.ch/
------------------------------------------------------------------------
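The socket-level way round the problem described in the post, as an added example that is not part of the original message or of ntpd: a UDP server bound to 0.0.0.0 asks the kernel for IP_PKTINFO on every received datagram, learns which local address the request was actually sent to, and hands that address back as the source when it replies. The demo reproduces the mismatch on loopback (client sends to 127.0.0.2, the routing-chosen reply comes back from 127.0.0.1) and then the pinned reply; it assumes Linux and Python 3.3+, and the value 8 is the Linux IP_PKTINFO number used only when this Python build doesn't export the constant.

```python
import socket
import struct

# Linux's IP_PKTINFO value, used only if this Python build doesn't export it
IP_PKTINFO = getattr(socket, "IP_PKTINFO", 8)
# struct in_pktinfo: int ipi_ifindex; struct in_addr ipi_spec_dst; struct in_addr ipi_addr;
PKTINFO_FMT = "i4s4s"
PKTINFO_LEN = struct.calcsize(PKTINFO_FMT)

def reply_once(srv, pin_source):
    """Answer one datagram on a wildcard-bound UDP socket; return the local
    address it was sent to. pin_source=True replies from that address,
    False lets routing pick the source (the behaviour the post complains about)."""
    data, anc, _, peer = srv.recvmsg(1024, socket.CMSG_SPACE(PKTINFO_LEN))
    dst = None
    for level, ctype, cdata in anc:
        if level == socket.IPPROTO_IP and ctype == IP_PKTINFO:
            _ifindex, _spec_dst, dst = struct.unpack(PKTINFO_FMT, cdata[:PKTINFO_LEN])
    if pin_source:
        # on send, ipi_spec_dst is the source address to use; ifindex 0 = routing chooses
        info = struct.pack(PKTINFO_FMT, 0, dst, b"\0" * 4)
        srv.sendmsg([data], [(socket.IPPROTO_IP, IP_PKTINFO, info)], 0, peer)
    else:
        srv.sendto(data, peer)
    return socket.inet_ntoa(dst)

def exchange(pin_source):
    """Constructed loopback round trip: client 127.0.0.1 -> 127.0.0.2, server on
    0.0.0.0. Returns the source address the client saw on the reply."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    cli = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        srv.setsockopt(socket.IPPROTO_IP, IP_PKTINFO, 1)  # deliver destination info
        srv.bind(("0.0.0.0", 0))
        srv.settimeout(2)
        cli.bind(("127.0.0.1", 0))
        cli.settimeout(2)
        cli.sendto(b"time?", ("127.0.0.2", srv.getsockname()[1]))
        reply_once(srv, pin_source)
        _, (src, _) = cli.recvfrom(1024)
        return src
    finally:
        srv.close()
        cli.close()

if __name__ == "__main__":
    print("routing-chosen source:", exchange(False))  # 127.0.0.1, the client discards this
    print("pinned source:        ", exchange(True))   # 127.0.0.2, what the client expects
```

The IPv6 counterpart, which is what matters once NAT is off the table, is IPV6_RECVPKTINFO on receive and an IPV6_PKTINFO control message (struct in6_pktinfo) on send; either way it is a fix inside the daemon, not an interface property.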