Linux Routing - Networking


  1. Linux Routing

    Hello,

    I have a little problem on a Linux computer that I will name L1.
    This computer has two network interfaces connected to two different
    networks:
    - eth0 : 192.168.0.1/24
    - eth1 : 192.168.1.1/24

    I don't want any routing between these two networks. So a computer
    (named C1) from the first network cannot ping a computer (named C2)
    from the other network.
    I have no iptables rules set on my L1 computer. The
    /proc/sys/net/ipv4/ip_forward parameter is set to 0.
    For the moment, everything is ok.

    My problem is that C1 is able to ping the 192.168.1.1 IP address of L1
    even if it is not in the same network. (The default gateway of C1 is
    L1).
    My goal is to hide maximum information from L1 to other computers
    (without iptables). So I would like L1 not to reply to IP packets
    destined to 192.168.1.1 if they arrive on the eth0 interface, and not
    to reply to IP packets destined to 192.168.0.1 if they arrive on
    eth1.

    I thought that the rp_filter kernel parameter
    (http://www.mjmwired.net/kernel/Documentation/networking/ip-sysctl.txt#692)
    would have helped me, but it seems to do nothing for my problem.

    I have of course two solutions to solve it :
    - The first is to set iptables rules, but I would like to do without.
    - The second is to delete default gateways of C1/C2, but these
    computers don't belong to me, so I can't.

    If you have a third solution, it would be very helpful.

    Thank you in advance !

  2. Re: Linux Routing

    Hello,

    billdangerous@gmail.com wrote:
    >
    > My problem is that C1 is able to ping the 192.168.1.1 IP address of L1
    > even if it is not in the same network. (The default gateway of C1 is
    > L1).


    That's because Linux enforces the "weak" model. It means that it treats
    local addresses the same regardless of the interface they were assigned
    to. For more detail, Wikipedia is your friend.

    > My goal is to hide maximum information from L1 to other computers
    > (without iptables). So I would like L1 not to reply to IP packets
    > destined to 192.168.1.1 if they arrive on the eth0 interface, and not
    > to reply to IP packets destined to 192.168.0.1 if they arrive on
    > eth1.
    >
    > I thought that the rp_filter kernel parameter
    > (http://www.mjmwired.net/kernel/Documentation/networking/ip-sysctl.txt#692)
    > would have helped me, but it seems to do nothing for my problem.


    Indeed. rp_filter only checks the source address is valid with respect
    to the input interface. And it is.

    > I have of course two solutions to solve it :
    > - The first is to set iptables rules, but I would like to do without.
    > - The second is to delete default gateways of C1/C2, but these
    > computers don't belong to me, so I can't.


    That would be the best solution as L1 is not a gateway.

    > If you have a third solution, it would be very helpful.


    You could use routing rules to make the subnets unreachable from each
    other. It requires the "ip" command from the iproute package.

    # make 192.168.0.0/24 unreachable from eth1
    ip rule add to 192.168.0.0/24 iif eth1 unreachable

    # make 192.168.1.0/24 unreachable from eth0
    ip rule add to 192.168.1.0/24 iif eth0 unreachable

  3. Re: Linux Routing

    Pascal Hambourg wrote:
    >
    > You could use routing rules to make the subnets unreachable from each
    > other. It requires the "ip" command from the iproute package.
    >
    > # make 192.168.0.0/24 unreachable from eth1
    > ip rule add to 192.168.0.0/24 iif eth1 unreachable
    >
    > # make 192.168.1.0/24 unreachable from eth0
    > ip rule add to 192.168.1.0/24 iif eth0 unreachable


    Note : "unreachable" will send an ICMP "destination unreachable" error
    back to the sender. If you prefer not to send any ICMP error message,
    replace "unreachable" with "blackhole".

  4. Re: Linux Routing

    Thanks a lot for all this great information!

  5. Re: Linux Routing

    billdangerous@gmail.com wrote:

    > - eth0 : 192.168.0.1/24
    > - eth1 : 192.168.1.1/24


    Is your subnet mask set to 255.255.255.0 on all devices?

    Mark.

    --
    Mark Hobley,
    393 Quinton Road West,
    Quinton, BIRMINGHAM.
    B32 1QE.

  6. Re: Linux Routing

    >
    > Is your subnet mask set to 255.255.255.0 on all devices?
    >


    Yes it is.
    More information about the host model can be found here:
    http://en.wikipedia.org/wiki/Host_model
    It seems that it is not possible to change Linux behavior into a
    strong (strict ?) model, in opposition to *BSD and other Unix like
    Solaris and HP-UX.
