
Re: Fw: Can a daemon listen only on some interfaces?



On Mon, Dec 10, 2001 at 12:22:44PM +0000, Tim Haynes wrote:
> Plato <tom@redant.freeserve.co.uk> writes:
> 
> > > >         echo 1 > /proc/sys/net/ipv4/conf/*/rp_filter
> > > > with    echo 1 > /proc/sys/net/ipv4/conf/*/log_martians
> > > > for logging/fun purposes.
> > > 
> > > rp_filter will not help with that.
> > 
> > I thought that rp_filter was for precisely this. Doesn't it stop packets
> > which appear on interfaces with invalid IP addresses for that interface
> > from getting through?
> 
> It's a return-path filter; if flipping the src/dest IP#s wouldn't send it
> back out the same interface, it doesn't come in at all. 
> 
> So a specially routed packet from a.b.c.d -> 127.0.0.1 coming in on eth0
> becomes a             packet from 127.0.0.1 -> a.b.c.d going back out
> 
> That certainly looks wrong to me, although I'm not /sure/ it would produce
> the required interface conflict for rp_filter.
>

Hmmm.  I don't know.

In the test I ran in another part of this thread, I put a rule into my
routing table to make packets destined for 192.168.0.2 get sent via
loopback.  Then I made sshd bind to address 192.168.0.2.  Then I was able
to ssh into my box via the loopback interface by running "ssh 192.168.0.2",
even though "ssh 127.0.0.1" was refused.

All this was done while my iptables firewall was loaded and it does have
the following in it:
# Enable IP spoofing protection - turn on Source Address Verification
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
    echo 1 > $f
done
# Log Spoofed Packets, Source Routed Packets, Redirect Packets
for f in /proc/sys/net/ipv4/conf/*/log_martians; do
    echo 1 > $f
done

However, the difference is that the packets that were being sent
actually have destination address 192.168.0.2 and source address
192.168.0.2.  And this didn't cause any problem for the return path
filter.  Whereas it might if it was trying to send back packets with a
source of 127.0.0.1 and a destination of a.b.c.d.

I can't test this at present since I don't have another computer I can
network with this one for a couple of days.  But a test could be run
similar to the one I did earlier to check.

Cheers.
Mark.
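As an added illustration, not part of the original thread: a small Python model of strict rp_filter (rp_filter=1), which only asks whether the packet's source address would route back out the interface it arrived on, applied to the cases discussed above. The routing table, interface names and the 203.0.113.7 stand-in for a.b.c.d are constructed for the example; the separate "martian destination" check models the kernel rule that a loopback destination arriving on a non-loopback interface is dropped independently of rp_filter.

```python
import ipaddress
from typing import Optional

# Constructed routing table: (destination prefix, outgoing interface).
# The /32 via lo mirrors the rule Mark added for his own address.
ROUTES = [
    ("127.0.0.0/8", "lo"),
    ("192.168.0.2/32", "lo"),
    ("192.168.0.0/24", "eth0"),
    ("10.0.0.0/8", "eth1"),
    ("0.0.0.0/0", "eth0"),        # default route
]


def lookup(addr: str) -> Optional[str]:
    """Longest-prefix match: which interface would a packet to `addr` leave by?"""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, dev in ROUTES:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, dev)
    return best[1] if best else None


def rp_filter_accepts(src: str, in_dev: str) -> bool:
    """Strict reverse-path filter: the SOURCE address must route back out
    the arrival interface.  The destination address is never consulted,
    which is why a.b.c.d -> 127.0.0.1 on eth0 is not caught by rp_filter."""
    return lookup(src) == in_dev


def martian_destination(dst: str, in_dev: str) -> bool:
    """Separate kernel check (logged with log_martians=1): a loopback
    destination on anything but lo is a martian and is dropped."""
    return ipaddress.ip_address(dst).is_loopback and in_dev != "lo"


if __name__ == "__main__":
    cases = [
        ("203.0.113.7", "127.0.0.1", "eth0"),      # Tim's specially routed packet
        ("192.168.0.2", "192.168.0.2", "lo"),      # Mark's loopback ssh test
        ("10.9.8.7", "192.168.0.1", "eth0"),       # source belongs behind eth1
        ("127.0.0.1", "192.168.0.1", "eth0"),      # spoofed loopback source
    ]
    for src, dst, dev in cases:
        print(f"{src} -> {dst} on {dev}: rp_filter accepts={rp_filter_accepts(src, dev)}, "
              f"martian destination={martian_destination(dst, dev)}")
```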
