Linux - Networking (LinuxQuestions.org): This forum is for any issue related to networks or networking. Routing, network cards, OSI, etc. Anything is fair game.
Recently, one of the users (192.168.21.221) tried to ping eth0 (192.168.21.254) and it was successful. Then he tried to ping 192.168.23.254 as well, and that returned ping replies too. So, my question is: can we set the Linux server to stop the user from pinging and accessing other users on a different subnet?
Entering this in /etc/sysconfig/network:
will turn off all forwarding.
This is carried out by this command somewhere:
echo "0" > /proc/sys/net/ipv4/ip_forward
By default, forwarding is disabled in the kernel until
echo "1" > /proc/sys/net/ipv4/ip_forward
is called by a network script.
That won't work! The packets that are destined to another interface on a multihomed system are not considered to be forwarded, so even if ip_forward is 0 the pings will get through.
Actually, a Linux machine by default replies to ICMP echo requests even if they are not from the LAN segment directly connected to a LAN card, which is why the user on the LAN 192.168.21.0/24 is getting ICMP echo replies when he pings 192.168.23.254. If you want to disable all incoming ICMP traffic, then do the following as root:
iptables -I INPUT -p ICMP -j DROP
The above will drop all ICMP packets destined to this machine on any interface.
A much more convenient way is to just allow the user to ping the server address on his LAN. For example, if you want the users on 192.168.21.0/24 to be able to ping only the server address 192.168.21.254, then do the following:
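The point n3tw0rk makes above is that echo requests addressed to any of the box's own interface addresses are delivered locally through the INPUT chain, never through FORWARD, so ip_forward=0 does not touch them and an INPUT rule is what restricts them. The following script is an added example written for this thread, not a command from the original post: it assumes the LAN on eth1 is 192.168.21.0/24 with gateway address 192.168.21.254 (from the thread), and the function name restrict_ping, the DRY_RUN switch and the IPT variable are this example's own. With DRY_RUN=1 (the default) it prints the iptables commands instead of running them.

```shell
#!/bin/sh
# Added example: allow a LAN segment to ping only the gateway address on its own
# interface, and drop its echo requests to the gateway's other interface addresses.
# DRY_RUN=1 prints the iptables commands; DRY_RUN=0 applies them (needs root).

: "${DRY_RUN:=1}"
IPT="${IPT:-iptables}"

# ipt: print or run one iptables command depending on DRY_RUN
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

# restrict_ping IFACE NET ADDR
# Both rules live in INPUT: packets whose destination is any local interface
# address are delivered locally, so FORWARD (and ip_forward) never see them.
# INPUT is evaluated top to bottom, so the ACCEPT for the LAN's own gateway
# address must precede the DROP for everything else from that LAN.
# Traffic to Internet hosts still goes through FORWARD, so masquerading is
# not affected by these rules.
restrict_ping() {
    iface=$1
    net=$2
    addr=$3
    # 1. echo requests from the LAN to the gateway address on that LAN: allow
    ipt -A INPUT -i "$iface" -s "$net" -d "$addr" -p icmp --icmp-type echo-request -j ACCEPT
    # 2. echo requests from the same LAN to any other local address: drop
    ipt -A INPUT -i "$iface" -s "$net" -p icmp --icmp-type echo-request -j DROP
}

# Layout from the thread (constructed values for the other LANs would follow
# the same pattern, e.g. restrict_ping eth2 192.168.22.0/24 192.168.22.254).
restrict_ping eth1 192.168.21.0/24 192.168.21.254
```

Run it once per LAN interface; because each call appends an ACCEPT for that LAN's own gateway address before its DROP, a user on 192.168.21.0/24 can still ping 192.168.21.254 but no longer gets replies from 192.168.23.254, while pings to hosts beyond the gateway are unaffected.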
Alright... sorry for some missing information. This system actually is a Linux gateway with eth0 (192.168.120.2) facing the Internet, and eth1, eth2 and eth3 are for the LANs. As expected, this box is running the shorewall firewall with, of course, masquerading on it. So, if I were to set FORWARD_IPv4=FALSE, will it disable all the IP forwarding activities, including masquerading?
Quote: So, if I were to set FORWARD_IPv4=FALSE, will it disable all the IP forwarding activities, including masquerading?
FWIW: n3tw0rk correctly addressed your problem and offered the only viable solution that I'm aware of. In short, you are trying to ping an interface of a multi-homed system, not a host on the other side of that interface; thus the TCP/IP stack is technically not forwarding, i.e., transmitting out the other interface. If you are still confused, run tcpdump on all interfaces, then issue your ping test and take notice of which interfaces receive/transmit traffic during your test.
Since you are using shorewall, you could easily add a rule that does not allow ping traffic (or any traffic, for that matter) from zone->fw, just zone->internet. Which, BTW, is basically the same solution n3tw0rk pointed out in his reply. You would just be using shorewall to configure the appropriate iptables rules based on the zones you have defined.