LinuxQuestions.org
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Old 10-12-2004, 03:32 AM   #1
m4dj4ck
Member
 
Registered: Aug 2004
Location: the coven
Distribution: slackies
Posts: 55

Rep: Reputation: 15
linux networking question


My server consists of 3 network cards for LAN. For your information, the settings on the 3 LAN cards are as follows:

eth0 - 192.168.21.254
eth1 - 192.168.23.254
eth2 - 192.168.25.254

Recently, one of the users (192.168.21.221) tried to ping eth0 (192.168.21.254) and it was successful. Then, he tried to ping 192.168.23.254 as well, and it returned the ping replies too. So, my question is: can we set the Linux server to prevent the user from pinging and accessing other users on a different subnet?

Thanks for your guys' time.

-m4-
 
Old 10-12-2004, 06:35 AM   #2
jschiwal
Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 654
Entering this in /etc/sysconf/network
FORWARD_IPV4=false
will turn off all forwarding.

This is carried out by this command somewhere:
echo "0" > /proc/sys/net/ipv4/ip_forward

By default, forwarding is disabled in the kernel until
echo "1" > /proc/sys/net/ipv4/ip_forward
is called by a network script.
 
Old 10-12-2004, 08:39 AM   #3
n3tw0rk
Member
 
Registered: Sep 2003
Location: Rawalpindi, Pakistan
Distribution: Slackware
Posts: 86

Rep: Reputation: 15
Quote:
entering this in /etc/sysconf/network
FORWARD_IPV4=false
Will turn off all forwarding.

This is carried out by this command somewhere:
echo "0" > /proc/sys/net/ipv4/ip_forward

By default, forwarding is disabled in the kernel until
echo "1" > /proc/sys/net/ipv4/ip_forward
is called by a network script.
That won't work! The packets that are destined to another interface on a multihomed system are not considered to be forwarded, so even if ip_forward is 0 the pings will get through.

Actually a Linux machine by default replies to ICMP echo requests even if they are not from the LAN segment directly connected to a LAN card, which is why the user on the LAN 192.168.21.0/24 is getting ICMP echo replies when he pings 192.168.23.254. If you want to disable all incoming ICMP traffic then do the following as root

iptables -I INPUT -p ICMP -j DROP

The above will drop all ICMP packets destined to this machine on any interface.

A much more convenient way is to just allow the user to ping the server address on his LAN. For example, if you want the users on 192.168.21.0/24 to be able to ping only the server address 192.168.21.254, then do the following

iptables -I INPUT -p ICMP -s 192.168.21.0/24 -d 0.0.0.0/0 -j DROP
iptables -I INPUT -p ICMP -s 192.168.21.0/24 -d 192.168.21.0/24 -j ACCEPT

I hope that helps!
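An added example, not from anyone in the thread: it generalises n3tw0rk's two rules to all three LAN cards from post #1 (the LAN table below is constructed from those addresses), adds an ingress-interface match, and predicts the verdict the rules give for the original poster's ping test.

```shell
#!/bin/sh
# Constructed from post #1: interface, gateway address on that card, subnet.
LAN_TABLE="eth0 192.168.21.254 192.168.21.0/24
eth1 192.168.23.254 192.168.23.0/24
eth2 192.168.25.254 192.168.25.0/24"

# Print (do not run) one ACCEPT/DROP pair per LAN card. -A appends, so the
# rules match top to bottom: ICMP from the subnet to its own gateway address
# is accepted, ICMP from that subnet to any other address this box owns is
# dropped. -i ties each rule to the card the subnet is physically on, so a
# packet claiming a 192.168.21.x source cannot use the rule from another card.
gen_icmp_rules() {
    printf '%s\n' "$LAN_TABLE" | while read -r iface gw subnet; do
        [ -n "$iface" ] || continue
        echo "iptables -A INPUT -i $iface -p icmp -s $subnet -d $gw -j ACCEPT"
        echo "iptables -A INPUT -i $iface -p icmp -s $subnet -j DROP"
    done
}

# Predict the verdict for an ICMP packet arriving on $1 from $2 to $3 under
# the rules above. Only /24 subnets are handled, matching the table.
icmp_verdict() {
    verdict=$(printf '%s\n' "$LAN_TABLE" | while read -r i gw subnet; do
        [ "$i" = "$1" ] && [ "$subnet" = "${2%.*}.0/24" ] || continue
        if [ "$3" = "$gw" ]; then echo ACCEPT; else echo DROP; fi
        break
    done)
    # No rule matched: the INPUT chain's default policy decides (ACCEPT assumed).
    echo "${verdict:-ACCEPT}"
}

# Forwarding state from post #2. It does not change whether the box answers
# pings to its own addresses; switching it off would break masquerading.
forward_state() {
    f=/proc/sys/net/ipv4/ip_forward
    if [ -r "$f" ]; then cat "$f"; else echo unknown; fi
}

gen_icmp_rules
echo "ip_forward=$(forward_state)"
echo "21.221 -> 23.254 on eth0: $(icmp_verdict eth0 192.168.21.221 192.168.23.254)"
echo "21.221 -> 21.254 on eth0: $(icmp_verdict eth0 192.168.21.221 192.168.21.254)"
```

Pipe the printed rules into a root shell to apply them, then repeat the ping test with tcpdump on each card to confirm which interface sees the request.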
 
Old 10-12-2004, 04:37 PM   #4
jschiwal
Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 654
Quote:
That won't work! The packets that are destined to another interface on a multihomed system are not considered to be forwarded, so even if ip_forward is 0 the pings will get through.
Are you certain that you aren't thinking about a host with multiple IP's on the same interface?

Perhaps some experimentation by m4dj4ck is in order.
 
Old 10-13-2004, 03:21 AM   #5
m4dj4ck
Member
 
Registered: Aug 2004
Location: the coven
Distribution: slackies
Posts: 55

Original Poster
Rep: Reputation: 15
Alright... sorry for some missing information. This system actually is a Linux gateway with eth0 (192.168.120.2) facing the Internet, and eth1, eth2 and eth3 are for LAN. As expected, this box is running the shorewall firewall with, of course, masquerading on it. So, if I were to disable it with FORWARD_IPv4=FALSE, will it disable all the IP forwarding activities including masquerading??
 
Old 10-13-2004, 09:09 AM   #6
n3tw0rk
Member
 
Registered: Sep 2003
Location: Rawalpindi, Pakistan
Distribution: Slackware
Posts: 86

Rep: Reputation: 15
yes, that will disable the forwarding activities including masquerading.
 
Old 10-13-2004, 09:21 AM   #7
scowles
Member
 
Registered: Sep 2004
Location: Texas, USA
Distribution: Fedora
Posts: 620

Rep: Reputation: 31
Quote:
So, if I were to disable it with FORWARD_IPv4=FALSE, will it disable all the IP forwarding activities including masquerading??
Yes

FWIW: n3tw0rk correctly addressed your problem and offered the only viable solution that I'm aware of. In short, you are trying to ping an interface of a multi-homed system, not a host on the other side of that interface; thus the TCP/IP stack is technically not forwarding, i.e. transmitting out the other interface. If you are still confused, run tcpdump on all interfaces, then issue your ping test and take notice of which interfaces receive/transmit traffic during your test.

Since you are using shorewall, you could easily add a rule that does not allow ping traffic (or any traffic for that matter) from zone->fw, just zone->internet. Which, BTW, is basically the same solution n3tw0rk pointed out in his reply. You would just be using shorewall to configure the appropriate iptables rules based on the zones you have defined.
 
  

