
Re: enable rp_filter



Mike Mestnik wrote:

Hello, I think I could use your wisdom.

So could I, I haven't been able to find it for ages.  I think I
might have left it in a taxi or something ;-P

As far as I know, you only /have/ to turn it off if you're doing
asymmetric or policy routing.  It sounds like it should be fine
for you to leave it on for all interfaces.

Ohh, you mean this is the reason this doesn't work...

        # Non-local transparent FTP and HTTP(S) proxy.
        ip rule add fwmark 3 table 201
        ip route add default via 10.0.0.110 dev $IFACE table 201
        iptables -t mangle -A PREROUTING -i $IFACE+ -p tcp\
            --src ! 10.0.0.110 --dport 80\
            -j MARK --set-mark 3
        iptables -t mangle -A PREROUTING -i $IFACE+ -p tcp\
            --src ! 10.0.0.110 --dport 443\
            -j MARK --set-mark 3

Ohhhhh :)

OK, looking at fib_validate_source(), it looks like how rp_filter
works is just that the kernel takes the packet, reverses src & dst
addrs and interfaces, and tries to do a routing lookup.  It totally
ignores marking when building the routing key, but weirdly enough,
it does check the TOS.

So what rp_filter asks is: "if I reverse the direction of this packet,
would I have routed it out this interface?".  If not, drop.

It looks like you're routing back into your internal net, so I think
you only need rp_filter turned off on the internal interface.  You'll
be seeing replies coming in from a local source, which the kernel thinks
are supposed to be coming from the 'net.

There are other gotchas with this scenario which I'm struggling to
remember.  I think you want to disable icmp redirects on the internal
interface as well.

echo 0 > /proc/sys/net/ipv4/conf/<blah>/send_redirects

Some people don't like rp_filter because it drops more or less
'invisibly'.  When it does cause problems it causes *mysterious*
ones, followed eventually by an 'aha' moment and much beating of

You can say that again, preferably on
http://wiki.debian.net/index.cgi?Firewalls.

Heh, OK, I'll have a squiz when I get in to work.

Here is where I think I could use some help.

1. Do I have to turn it off for all interfaces?  I'm running a home
network with this box as the gateway with 3 NICs (one is not used).

Just the internal, I think.  I've been wrong before though.

2. What is the best "Debian" way of turning this off, while still having
rp_filter set for the other interfaces?

Sorry, I'm not aware of an official 'Debian' way to do this.  Maybe
someone can enlighten me.

I would just leave the default stuff there, but put:

auto <blah>
iface <blah> inet static
    pre-up echo 0 > <blahblah>/rp_filter
    pre-up echo 0 > <blahblah>/send_redirects
    ...

In /etc/network/interfaces.  That seems logical because it's related to
the interface, right?   But it might also make sense just to put it in
your firewalling script (depending on how you do things) with a comment.

Regards,

    Blair.
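As an added illustration that is not part of the thread, here is a small Python model of the reverse-path check described above: the packet's source becomes the lookup destination, the main table is consulted (the fwmark is ignored, so table 201 never helps), and the packet survives only if the result is the interface it arrived on. The interface names eth_int/eth_ext, the routing table and the web server address 203.0.113.10 are constructed for the example.

```python
import ipaddress

# Constructed main routing table for the gateway in the thread (assumed names):
# the home LAN sits on eth_int, everything else goes out eth_ext.
MAIN_TABLE = [
    ("10.0.0.0/24", "eth_int"),
    ("0.0.0.0/0", "eth_ext"),
]


def lookup(table, dst):
    """Longest-prefix match: return the output interface for dst, or None."""
    addr = ipaddress.ip_address(dst)
    best_net, best_iface = None, None
    for prefix, iface in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    return best_iface


def rp_filter_accepts(src, in_iface, rp_filter_on):
    """Model of the reverse-path check: would the main table route a reply to
    src back out through in_iface?  Marks are not part of the lookup key, so a
    fwmark-based policy table (like table 201 in the thread) is never consulted.
    rp_filter_on maps interface name -> whether the check is enabled there."""
    if not rp_filter_on.get(in_iface, True):
        return True  # check disabled on this interface, packet passes
    return lookup(MAIN_TABLE, src) == in_iface


def proxy_reply_forwarded(rp_filter_on):
    """The thread's scenario: the transparent proxy at 10.0.0.110 answers on
    behalf of web server 203.0.113.10 (a constructed address), so the reply
    arrives on eth_int carrying the web server's address as its source."""
    return rp_filter_accepts("203.0.113.10", "eth_int", rp_filter_on)


if __name__ == "__main__":
    everywhere = {"eth_int": True, "eth_ext": True}
    internal_off = {"eth_int": False, "eth_ext": True}
    print("rp_filter on all NICs, proxy reply forwarded:", proxy_reply_forwarded(everywhere))
    print("rp_filter off on eth_int, proxy reply forwarded:", proxy_reply_forwarded(internal_off))
    # Spoofed LAN address arriving from the outside is still caught on eth_ext.
    print("spoofed 10.0.0.5 from eth_ext accepted:", rp_filter_accepts("10.0.0.5", "eth_ext", internal_off))
```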