> Brian F. G. Bidulock wrote:
> Bill,
> On Tue, 13 Jun 2006, Bill Davidsen wrote:
> And if you want packets with source IP a.b.c.d to go out the NIC which
> bears that IP, you better start writing source routing rules, because if
> you have multiple paths to the destination IP a path will be chosen at
> random, which best case results in using the wrong NIC and in the worst
> case having the gateway for the wrong NIC reject the packet for having a
> spoofed source IP.
> This will cause severe and mysterious problems for SCTP.
Fortunately, these days, there are 2 "stock" ways of fixing this. The
first is to use arp_ignore:
echo "3" >/proc/sys/net/ipv4/conf/all/arp_ignore
echo "2" >/proc/sys/net/ipv4/conf/all/arp_announce
The 2nd is to use arptables. Something like this (could be much
cleaner, but gets the idea across):
# make ethX advertise only its own IP
# drop inbound IP_Y arp, requests and responses
arptables -A IN -i ethX -s $IP_Y -j DROP
# Don't update caches by choosing IP_Y for a response on ethX
arptables -A OUT -i ethX -s $IP_Y -j mangle --mangle-ip-s $IP_X
# make ethY advertise only its own IP
arptables -A IN -i ethY -s $IP_X -j DROP
arptables -A OUT -i ethY -s $IP_X -j mangle --mangle-ip-s $IP_Y
--Harley
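The "source routing rules" mentioned above are policy routing: one table per NIC plus an ip rule keyed on the source address. The script below generates those commands together with the per-interface arp_ignore/arp_announce settings; it is an added example, not from the thread, and every interface name, address, gateway and table number in it is constructed.

```shell
#!/bin/sh
# Build per-NIC policy routing for a multihomed host so that a packet
# sourced from a NIC's own address always leaves through that NIC,
# regardless of which route the main table would pick.

# gen_src_rules IFACE ADDR NET/PREFIX GATEWAY TABLE
# Prints the ip(8)/sysctl(8) commands; pipe the output into sh to apply.
gen_src_rules() {
    iface=$1 addr=$2 net=$3 gw=$4 table=$5
    # Table TABLE knows only this NIC: its subnet and its own gateway.
    printf 'ip route replace %s dev %s src %s table %s\n' \
        "$net" "$iface" "$addr" "$table"
    printf 'ip route replace default via %s dev %s table %s\n' \
        "$gw" "$iface" "$table"
    # Anything sourced from ADDR consults TABLE before the main table.
    printf 'ip rule add from %s/32 lookup %s priority %s\n' \
        "$addr" "$table" "$((1000 + $table))"
    # Per-interface equivalent of the thread's sysctls: answer ARP only for
    # addresses configured on this NIC, announce only this NIC's own address.
    printf 'sysctl -w net.ipv4.conf.%s.arp_ignore=1 net.ipv4.conf.%s.arp_announce=2\n' \
        "$iface" "$iface"
}

# check_src_route ADDR: after applying the rules, prints the interface the
# kernel would use for a probe sourced from ADDR (needs a real interface).
check_src_route() {
    ip -o route get 198.51.100.1 from "$1" | sed -n 's/.* dev \([^ ]*\).*/\1/p'
}

# Constructed two-NIC example; 192.0.2.0/24 and 198.51.100.0/24 are
# documentation prefixes, table numbers 10 and 20 are arbitrary.
gen_src_rules eth0 192.0.2.10 192.0.2.0/24 192.0.2.1 10
gen_src_rules eth1 198.51.100.10 198.51.100.0/24 198.51.100.1 20
```

Apply with `sh script.sh | sh` as root, then `check_src_route 192.0.2.10` should print `eth0`.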