
Linux: Reverse path forwarding headaches

The Linux kernel has a security feature called Reverse Path Filtering (the rp_filter setting, a reverse path forwarding check) which is designed to ensure that incoming packets are valid for your network. It validates that a packet arriving via a given interface has a source IP address that is routable back through that interface. In some situations (asymmetric routing) a packet can arrive on one interface while the route back to its source leaves on a separate interface. When a packet like this shows up, Reverse Path Filtering kicks in and drops it.

The symptom is that you can see the packet arrive (via tcpdump) but nothing after that (i.e. the packet doesn't leave). The Linux IP stack drops the packet before any routing or service can act upon it. To log affected packets to syslog you can run:

echo 1 > /proc/sys/net/ipv4/conf/<interfacename>/log_martians

To disable this check completely on every interface (mode 0, no source validation) you can run the following command:

for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
    echo 0 > "$i"
done

Valid options for rp_filter are:

0 - No source validation.
1 - Strict mode as defined in RFC3704 Strict Reverse Path - Each incoming packet is tested against the FIB and if the interface is not the best reverse path the packet check will fail. By default failed packets are discarded.
2 - Loose mode as defined in RFC3704 Loose Reverse Path - Each incoming packet’s source address is also tested against the FIB and if the source address is not reachable via any interface the packet check will fail.

You can view the current settings for each interface on your box with this command:

sysctl -a | grep -E "net.ipv4.*\.rp_filter"

To make any changes permanent across a reboot, set them in /etc/sysctl.conf:

net.ipv4.conf.eth0.rp_filter = 0
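
The kernel validates sources on an interface using the higher of conf/all/rp_filter and that interface's own value, so a per-interface 0 like the line above changes nothing while "all" is still 1. The script below is an added example, not from the original post, that reports the effective mode per interface; the function names are made up for this example.

```shell
#!/bin/sh
# Added example: report the rp_filter mode the kernel actually applies.
# Effective mode = max(conf/all/rp_filter, conf/<iface>/rp_filter).

# effective_rp_filter CONF_DIR IFACE -> prints 0, 1 or 2
effective_rp_filter() {
    conf_dir=$1
    iface=$2
    all=$(cat "$conf_dir/all/rp_filter") || return 1
    own=$(cat "$conf_dir/$iface/rp_filter") || return 1
    if [ "$all" -gt "$own" ]; then
        echo "$all"
    else
        echo "$own"
    fi
}

# rp_filter_report [CONF_DIR] -> one line per real interface.
# CONF_DIR defaults to the live kernel tree; pass another directory to
# inspect a copy of it.
rp_filter_report() {
    conf_dir=${1:-/proc/sys/net/ipv4/conf}
    for path in "$conf_dir"/*/rp_filter; do
        [ -r "$path" ] || continue
        iface=$(basename "$(dirname "$path")")
        # "all" and "default" are templates, not interfaces.
        case $iface in all|default) continue ;; esac
        eff=$(effective_rp_filter "$conf_dir" "$iface") || continue
        case $eff in
            0) label="none" ;;
            1) label="strict" ;;
            2) label="loose" ;;
            *) label="unknown" ;;
        esac
        printf '%s own=%s all=%s effective=%s (%s)\n' \
            "$iface" "$(cat "$path")" "$(cat "$conf_dir/all/rp_filter")" \
            "$eff" "$label"
    done
}

rp_filter_report
```

An interface that shows own=0 but effective=1 is still dropping asymmetric traffic in strict mode.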

Keywords: route, loop, egress, ingress, alien


Linux and NAT Routing

I have a Linux box with two IP addresses on it (eth0 and eth0:0) which does NAT for the rest of my network. I want all the packets that are NATed to go out with the source address of the eth0:0 IP address. This is done with the SNAT directive in your iptables statement. In fact you can tell it to NAT the packets with ANY IP address, including IPs not on the box. None of the packets will get back to you, but it will let you configure it that way.

/sbin/iptables -t nat -A POSTROUTING --src 10.8.0.0/24 -o eth0 -j SNAT --to-source 55.66.77.88

This tells iptables to do (source) NAT for IPs on the 10.8.0.0/24 subnet, and to use the source address of 55.66.77.88. Note that this is different from the MASQUERADE option, which should be used for dynamic (DHCP/dial-up) connections where the IP address changes.
