disable local routing between eth0 and eth1 - iptables - Networking


  1. disable local routing between eth0 and eth1 - iptables

    I've a Linux PC with 2 NICs eth0 and eth1 configured with IP 10.0.0.1
    and 20.0.0.1 respectively.

                                |-------------------|
    eth0 (10.0.0.1) ------------|                   |
                                |     L2 SWITCH     |
                                |                   |
    eth1 (20.0.0.1) ------------|                   |
                                |-------------------|

    I want to disable local routing between eth0 and eth1 so that whenever
    I ping 20.0.0.1 from PC console, ICMP packets should come out of
    interface eth0 and should reach eth1 through connected switch.

    Similarly, whenever I ping 10.0.0.1 from PC console, ICMP packets
    should come out of interface eth1 and should reach eth0 through
    connected switch.

    How can I do it using iptables, if at all possible?

    Thanks in advance.

  2. Re: disable local routing between eth0 and eth1 - iptables

    Hello,

    astonishs@yahoo.com wrote:
    > I've a Linux PC with 2 NICs eth0 and eth1 configured with IP 10.0.0.1
    > and 20.0.0.1 respectively.
    >
    >                             |-------------------|
    > eth0 (10.0.0.1) ------------|                   |
    >                             |     L2 SWITCH     |
    >                             |                   |
    > eth1 (20.0.0.1) ------------|                   |
    >                             |-------------------|
    >
    > I want to disable local routing between eth0 and eth1


    There is no such "local routing between eth0 and eth1". Local routing in
    the Linux kernel involves only the loopback interface.

    > so that whenever
    > I ping 20.0.0.1 from PC console, ICMP packets should come out of
    > interface eth0 and should reach eth1 through connected switch.
    >
    > Similarly, whenever I ping 10.0.0.1 from PC console, ICMP packets
    > should come out of interface eth1 and should reach eth0 through
    > connected switch.
    >
    > How can I do it using iptables, if at all possible?


    AFAIK it is not possible to override local routing with advanced routing
    on a pristine Linux kernel, because local routing has the highest
    priority. However this may be possible with NAT, by changing the local
    destination into a non local destination on output and vice versa on input.

  3. Re: disable local routing between eth0 and eth1 - iptables

    On May 27, 5:44 am, astoni...@yahoo.com wrote:

    > I've a Linux PC with 2 NICs eth0 and eth1 configured with IP 10.0.0.1
    > and 20.0.0.1 respectively.
    >
    >                             |-------------------|
    > eth0 (10.0.0.1) ------------|                   |
    >                             |     L2 SWITCH     |
    >                             |                   |
    > eth1 (20.0.0.1) ------------|                   |
    >                             |-------------------|
    >
    > I want to disable local routing between eth0 and eth1 so that whenever
    > I ping 20.0.0.1 from PC console, ICMP packets should come out of
    > interface eth0 and should reach eth1 through connected switch.
    >
    > Similarly, whenever I ping 10.0.0.1 from PC console, ICMP packets
    > should come out of interface eth1 and should reach eth0 through
    > connected switch.
    >
    > How can I do it using iptables, if at all possible?
    >
    > Thanks in advance.


    I don't believe it's sensible or possible. Linux uses a model where IP
    addresses are assigned to machines, not to interfaces.

    DS

  4. Re: disable local routing between eth0 and eth1 - iptables

    David Schwartz wrote:
    > On May 27, 5:44 am, astoni...@yahoo.com wrote:


    > > I want to disable local routing between eth0 and eth1 so that
    > > whenever I ping 20.0.0.1 from PC console, ICMP packets should come
    > > out of interface eth0 and should reach eth1 through connected
    > > switch.


    > I don't believe it's sensible or possible. Linux uses a model where
    > IP addresses are assigned to machines, not to interfaces.


    It can be quite sensible - Linux's very broad application of the weak
    end-system model doesn't match all desires.

    IIRC actual IP forwarding _is_ disabled by default in Linux - however,
    you can check sysctl -a | grep forward to see the current setting and
    what might need/want to be changed. On most (?) distros you would
    then edit /etc/sysctl.conf to make that "stick" across reboots.

    The weak-end-system-model that Linux employs extends to ARP. As such,
    the ARP code is more than happy to send an ARP reply for any local IP
    out any interface. So, if you check your local ARP tables on the
    system from which you are sending pings you will probably find that
    the IP for the one interface is associated with the MAC (ethernet)
    address of the other.

    So, when you connect two interfaces to the same switch, even if you
    configure them in separate IP subnets, you have no idea which one will
    be given-out in the ARP replies.

    There are at least two ways to deal with the issue, you can use one,
    the other, or even both.

    If you sysctl -a | grep ignore and then set the default version of
    that sysctl to "1," on the next ifconfig's (ie after a reboot) it
    should propagate to all the interfaces. Or, if you don't want to
    bounce the system you can set the interface specific ones by hand and
    just put the default one into the sysctl.conf file.

    The other option which could deal with this issue is to use VLAN's -
    this would need to propagate through your entire broadcast domain
    (sets of switches and hosts on the same (logical) side of a router).
    You would then have in effect more than one LAN - in the context of
    the OP's diagram it would be as if eth0 and eth1 were connected to
    separate switches which were not bridged at layer two. That deals
    with the problem by avoiding eth0 seeing ARPs for the IP of eth1 and
    vice versa.

    rick jones
    --
    portable adj, code that compiles under more than one compiler
    these opinions are mine, all mine; HP might not want them anyway...
    feel free to post, OR email to rick.jones2 in hp.com but NOT BOTH...
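Added example, not part of the thread: a small Python audit of the settings Rick refers to above. It reads the sysctl tree under /proc/sys (the root directory is a parameter so the functions can be pointed at a copy of the tree), reports whether ip_forward is on, lists the interfaces whose effective arp_ignore is still 0, writes the per-interface arp_ignore values by hand as Rick suggests for the no-reboot case, and emits the lines for /etc/sysctl.conf that make the change stick. The kernel applies the larger of conf/all/arp_ignore and conf/<if>/arp_ignore to a request arriving on <if>, and arp_ignore=1 means "answer only if the target address is configured on the interface the request came in on", which is the behaviour the thread is after. The interface names in the comments and the tree layout assumed by the functions are the standard /proc/sys/net/ipv4/conf/<if>/ layout; nothing here is the kernel's own code.

```python
"""Audit and fix Linux's weak-host ARP behaviour per interface (added example).

Reads /proc/sys/net/ipv4/... directly; `root` is a parameter so the same
functions can be run against a copied tree without privileges.
"""
import os

# Entries under net/ipv4/conf/ that are not real interfaces.
PSEUDO = {"all", "default", "lo"}


def read_int(root, rel_path, default=0):
    """Read one integer sysctl value; missing/unreadable files count as `default`."""
    try:
        with open(os.path.join(root, rel_path)) as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return default


def interfaces(root="/proc/sys"):
    """Real interface names present under net/ipv4/conf (sorted, empty if no tree)."""
    try:
        names = os.listdir(os.path.join(root, "net/ipv4/conf"))
    except OSError:
        return []
    return sorted(n for n in names if n not in PSEUDO)


def effective_arp_ignore(root, ifname):
    """Value the kernel applies to ARP requests arriving on ifname: max(all, ifname)."""
    return max(read_int(root, "net/ipv4/conf/all/arp_ignore"),
               read_int(root, "net/ipv4/conf/%s/arp_ignore" % ifname))


def weak_arp_interfaces(root="/proc/sys"):
    """Interfaces that will answer ARP for an IP assigned to a *different* interface."""
    return [n for n in interfaces(root) if effective_arp_ignore(root, n) == 0]


def ip_forwarding_enabled(root="/proc/sys"):
    """True if the box is currently routing between its interfaces."""
    return read_int(root, "net/ipv4/ip_forward") == 1


def apply_arp_ignore_now(root="/proc/sys", value=1):
    """Set the per-interface values by hand (needs root on a live system).

    Returns the interfaces that were actually written; lo is left alone.
    """
    changed = []
    for n in interfaces(root):
        path = os.path.join(root, "net/ipv4/conf/%s/arp_ignore" % n)
        try:
            with open(path, "w") as f:
                f.write("%d\n" % value)
            changed.append(n)
        except OSError:
            pass  # e.g. not root, or a read-only copy of the tree
    return changed


def sysctl_conf_lines():
    """Lines for /etc/sysctl.conf: `default` covers interfaces brought up later,
    `all` covers the ones already up, and forwarding stays off."""
    return [
        "net.ipv4.ip_forward = 0",
        "net.ipv4.conf.default.arp_ignore = 1",
        "net.ipv4.conf.all.arp_ignore = 1",
    ]


if __name__ == "__main__":
    # Run as root on the two-NIC box from the thread (eth0/eth1 are hypothetical names).
    print("ip_forward enabled:", ip_forwarding_enabled())
    print("interfaces answering ARP for foreign local IPs:", weak_arp_interfaces())
    print("sysctl.conf lines:")
    print("\n".join(sysctl_conf_lines()))
```

Before applying it, compare the report with `arp -an` or `ip neigh` on a second host on the same switch: with both NICs reporting arp_ignore 0 you will usually find one MAC answering for both addresses, exactly as Rick describes.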

  5. Re: disable local routing between eth0 and eth1 - iptables

    This is all very interesting, but what does it have to do with the OP's
    request?

    Rick Jones wrote:
    >
    > The weak-end-system-model that Linux employs extends to ARP. As such,
    > the ARP code is more than happy to send an ARP reply for any local IP
    > out any interface.


    Note that this may not be true with IPv6. IPv6 replaces ARP query, which
    uses link layer broadcast, with ICMPv6 neighbour solicitation, which
    uses link layer multicast. An interface is set to listen to link layer
    multicast addresses which depend on the low order part of the IPv6
    addresses assigned to it, so it may not reply to neighbour solicitation
    for an IPv6 address assigned to another interface.

  6. Re: disable local routing between eth0 and eth1 - iptables

    Pascal Hambourg wrote:
    > This is all very interesting, but what does it have to do with the OP's
    > request?


    Perhaps I over-interpreted what was presented, but it sounded like the
    OP wanted to make sure that pings to the IP nominally associated with
    one interface were responded to on that interface. Given that IIRC IP
    forwarding is already disabled by default under "Linux" the only way I
    could see for him to see otherwise would be the business with ARP
    responses. That both interfaces were connected to the same switch and
    so the same broadcast domain convinced me further that might be at
    issue.

    rick jones

    > Rick Jones wrote:
    > > The weak-end-system-model that Linux employs extends to ARP. As
    > > such, the ARP code is more than happy to send an ARP reply for any
    > > local IP out any interface.


    > Note that this may not be true with IPv6. IPv6 replaces ARP query,
    > which uses link layer broadcast, with ICMPv6 neighbour solicitation,
    > which uses link layer multicast. An interface is set to listen to
    > link layer multicast addresses which depend on the low order part of
    > the IPv6 addresses assigned to it, so it may not reply to neighbour
    > solicitation for an IPv6 address assigned to another interface.


    Good. This behavior of ARP in Linux has been a PITA for me for longer
    than I care to recount

    rick jones
    --
    The computing industry isn't as much a game of "Follow The Leader" as
    it is one of "Ring Around the Rosy" or perhaps "Duck Duck Goose."
    - Rick Jones
    these opinions are mine, all mine; HP might not want them anyway...
    feel free to post, OR email to rick.jones2 in hp.com but NOT BOTH...

  7. Re: disable local routing between eth0 and eth1 - iptables

    Rick Jones wrote:
    > Pascal Hambourg wrote:
    >
    >>This is all very interesting, but what does it have to do with the OP's
    >>request?

    >
    > Perhaps I over-interpreted what was presented, but it sounded like the
    > OP wanted to make sure that pings to the IP nominally associated with
    > one interface were responded to on that interface.


    My understanding was that the OP wanted *locally generated* traffic sent
    to a local address to be sent through an ethernet interface and received
    back through the other ethernet interface, instead of going through the
    loopback interface.

    > Given that IIRC IP
    > forwarding is already disabled by default under "Linux"


    Even if you're right, what does IP forwarding have to do with it?
    Received traffic for any local destination is never forwarded,
    regardless of whether the weak model is in use.

    >>>The weak-end-system-model that Linux employs extends to ARP. As
    >>>such, the ARP code is more than happy to send an ARP reply for any
    >>>local IP out any interface.

    >
    >>Note that this may not be true with IPv6.

    >
    > Good. This behavior of ARP in Linux has been a PITA for me for longer
    > than I care to recount


    Actually it is getting worse with IPv6, because whether the weak model
    applies to neighbour discovery or not depends on the addresses. For
    example, if two IPv6 addresses with the same low order part are assigned
    to two different interfaces, then the two interfaces will listen to the
    same link layer multicast address and thus will reply to neighbour
    solicitation for either IPv6 address.
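Added example, not part of the thread: the solicited-node groups Pascal describes, computed in Python so the overlap he points out can be checked for a given set of addresses. Per RFC 4291 the solicited-node multicast address for A is ff02::1:ffXX:XXXX, where XX:XXXX is the low 24 bits of A, and per RFC 2464 its Ethernet group is 33:33:ff:XX:XX:XX. An interface joins one such group per address it holds and so only receives solicitations whose target shares those 24 bits; two interfaces whose addresses share them join the same group, and neighbour discovery then behaves like the weak ARP model again. The interface names and addresses in the demo and test are constructed, not taken from the thread.

```python
"""Solicited-node multicast groups for IPv6 neighbour discovery (added example)."""
import ipaddress


def solicited_node(addr):
    """ff02::1:ffXX:XXXX for the low 24 bits XX:XXXX of addr (RFC 4291)."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    # ff02 in the top 16 bits, then ::1:ff00:0 | low24 in the low 40 bits.
    return ipaddress.IPv6Address((0xFF02 << 112) | (0x1FF << 24) | low24)


def solicited_node_mac(addr):
    """Ethernet group the interface must listen on for that address (RFC 2464)."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return "33:33:ff:%02x:%02x:%02x" % (low24 >> 16, (low24 >> 8) & 0xFF, low24 & 0xFF)


def groups_by_interface(assignments):
    """{ifname: [addr, ...]} -> {ifname: set of solicited-node groups it joins}."""
    return {ifname: {solicited_node(a) for a in addrs}
            for ifname, addrs in assignments.items()}


def overlapping_interfaces(assignments):
    """Pairs of interfaces that join at least one common solicited-node group.

    Each interface in such a pair receives (and may answer) solicitations
    meant for an address that lives on the other one.
    """
    groups = groups_by_interface(assignments)
    names = sorted(groups)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if groups[a] & groups[b]]


if __name__ == "__main__":
    # Constructed example: two NICs on one switch, as in the thread, but with
    # IPv6 addresses that happen to share their low 24 bits (::1).
    assignments = {
        "eth0": ["2001:db8:1::1"],
        "eth1": ["2001:db8:2::1"],
        "eth2": ["2001:db8:3::2"],   # different low 24 bits: no overlap
    }
    for ifname, addrs in assignments.items():
        for a in addrs:
            print(ifname, a, "->", solicited_node(a), solicited_node_mac(a))
    print("interfaces sharing a solicited-node group:",
          overlapping_interfaces(assignments))
```

Run against the output of `ip -6 addr` on a multi-homed host; any pair reported by overlapping_interfaces is one where per-interface address isolation cannot be assumed, regardless of how different the prefixes look.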

  8. Re: disable local routing between eth0 and eth1 - iptables

    Pascal Hambourg wrote:
    > My understanding was that the OP wanted *locally generated* traffic
    > sent to a local address to be sent through an ethernet interface and
    > received back through the other ethernet interface, instead of going
    > through the loopback interface.


    "Emily Litella" (aka "Oh, never mind...")

    If that is what the OP wanted then I believe it cannot be done short
    of some unofficial patches that blow the routing code's mind.

    > > Given that IIRC IP forwarding is already disabled by default under
    > > "Linux"


    > Even if you're right, what does IP forwarding have to do with it ?
    > Received traffic for any local destination is never forwarded,
    > regardless of whether the weak model is in use.


    I got fixated by my ARP experience.

    > > Good. This behavior of ARP in Linux has been a PITA for me for
    > > longer than I care to recount


    > Actually it is getting worse with IPv6, because whether the weak
    > model applies to neighbour discovery or not depends on the
    > addresses. For example, if two IPv6 addresses with the same low
    > order part are assigned to two different interfaces, then the two
    > interfaces will listen to the same link layer multicast address and
    > thus will reply to neighbour solicitation for either IPv6 address.


    Well, that will be fun...

    rick jones
    --
    No need to believe in either side, or any side. There is no cause.
    There's only yourself. The belief is in your own precision. - Jobert
    these opinions are mine, all mine; HP might not want them anyway...
    feel free to post, OR email to rick.jones2 in hp.com but NOT BOTH...

  9. Re: disable local routing between eth0 and eth1 - iptables

    On May 27, 10:32 am, Rick Jones wrote:

    > > I don't believe it's sensible or possible. Linux uses a model where
    > > IP addresses are assigned to machines, not to interfaces.


    > It can be quite sensible - Linux's very broad application of the weak
    > end-system model doesn't match all desires.


    I didn't mean to imply that it's not reasonable to want a different
    model. I'm just saying that given that Linux has the model it is,
    trying to do what the OP is trying to do is really not sensible. You
    might be able to make some ugly hack to get it to work, but I know
    others have tried and given up. Linux has deep-rooted assumptions that
    this kind of thing violates.

    DS

  10. Re: disable local routing between eth0 and eth1 - iptables

    astonishs@yahoo.com wrote:
    > I've a Linux PC with 2 NICs eth0 and eth1 configured with IP 10.0.0.1
    > and 20.0.0.1 respectively.
    >
    >                             |-------------------|
    > eth0 (10.0.0.1) ------------|                   |
    >                             |     L2 SWITCH     |
    >                             |                   |
    > eth1 (20.0.0.1) ------------|                   |
    >                             |-------------------|
    >
    > I want to disable local routing between eth0 and eth1 so that whenever
    > I ping 20.0.0.1 from PC console, ICMP packets should come out of
    > interface eth0 and should reach eth1 through connected switch.
    >
    > Similarly, whenever I ping 10.0.0.1 from PC console, ICMP packets
    > should come out of interface eth1 and should reach eth0 through
    > connected switch.
    >
    > How can I do it using iptables, if at all possible?
    >
    > Thanks in advance.

    It will use the switch if you "ping -I eth0 20.0.0.1". Ping alone is
    using the loopback (127.0.0.1), since the destination is on the same
    machine.
