Network stack accepting packets coming in on the wrong interface
I have two vlan interfaces:

eth0.256 - 192.168.1.10 / 255.255.255.0
eth0.257 - 10.0.0.10 / 255.255.0.0

The problem I'm having is that packets coming in on the eth0.256 interface with a destination IP address of 10.0.0.10 end up getting accepted by the kernel and processed in the network stack. This is highly undesirable and I would like those packets dropped instead. I'm using Kernel version 3.10.17.

Any help or hints would be appreciated. Thanks /Otto
Hello and welcome to LQ.
I hope I am right on this. Iptables should allow you to drop the two. They are in fact on the same physical nic. In a sense all traffic is consuming resources.
Hi there! Thanks for your feedback, unfortunately I'm not that well-versed in iptables. Could you give me a hint on what the rule might look like?
To me it's shocking that Linux is behaving like this as it violates the whole VLAN principle. Not exactly a virtual LAN if packets can cross between them.
I'll agree that the concept of virtual is being abused sort of here. In a traditional sense a vlan ought to isolate all traffic and is generally used on switches. It might also be used in the phrasing of tunnels like vpn.
In a way your situation is more like a virtual ip address on a physical nic as opposed to a virtual private lan. Iptables is a kind of old implementation of traffic control. There are thousands of books and web pages on it and all of them are confusing as heck in my opinion. I don't use it enough to tell you how to do it directly. If you want you might look at firewall builder for an easy program. Might consider a new post on how to write iptables to block traffic on this config also. Someone here will for sure know how to make it. And I am only about 90% sure on this. :) I am assuming that you don't have a switch vlan tagging or 802.1q so that is mostly why this config is failing. http://www.cyberciti.biz/tips/howto-...work-vlan.html And it may be that you can't fully fix this with ipconfig and you'll have to use the ip command instead.
So I'm not the only one confused by iptables then, good ;)
Thanks a lot for your feedback, I'll do some snooping around online and I'll post my results here if I have any luck. /Otto
Thanks for the update.
I'm pretty sure on my answer but if it fails and the world gets destroyed... oops. :)
The IP addresses may be bound to different interfaces, but they still represent the same host. Sending a packet to one address via an interface bound to a different address will indeed work, and so it should. It's not a Linux-specific issue, it's TCP/IP working as designed.
To stop this from working, you'll have to filter the packets with iptables. You can use the "-i" interface match to filter packets entering via a specific interface:

    iptables -t filter -A INPUT -i eth0.256 -d 10.0.0.10/32 -j DROP
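The rule above covers one direction only; the mirror case (a packet arriving on eth0.257 addressed to 192.168.1.10) needs the same treatment. The following added example (not from the thread) generates the full set of cross-interface DROP rules from the two interface/address pairs in the question and applies them idempotently, so re-running it does not duplicate rules.

```shell
#!/bin/sh
# Added example: build INPUT rules that drop packets arriving on one VLAN
# interface but addressed to another interface's IP. Mapping below is the
# constructed "interface address" list taken from the question.
IFACES="eth0.256 192.168.1.10
eth0.257 10.0.0.10"

# Emit one iptables command per (interface, foreign address) pair.
gen_rules() {
    printf '%s\n' "$IFACES" | while read -r ifc addr; do
        printf '%s\n' "$IFACES" | while read -r other_ifc other_addr; do
            # An address belonging to this interface is legitimate traffic.
            [ "$ifc" = "$other_ifc" ] && continue
            echo "iptables -t filter -A INPUT -i $ifc -d $other_addr/32 -j DROP"
        done
    done
}

# Apply each rule only if it is not already present (-C checks for a match).
# Requires root; run gen_rules alone first to review what will be added.
apply_rules() {
    gen_rules | while read -r cmd; do
        check=$(printf '%s' "$cmd" | sed 's/ -A / -C /')
        if $check 2>/dev/null; then
            echo "already present: $cmd"
        else
            $cmd
        fi
    done
}

# Uncomment to apply; afterwards "iptables -L INPUT -v -n" shows per-rule
# packet counters, which confirms whether cross-interface traffic is arriving.
# apply_rules
gen_rules
```

Because the rules are appended with -A, they take effect only if no earlier INPUT rule (for example a blanket ACCEPT for ESTABLISHED connections) matches first; insert with -I instead if the existing chain already accepts such traffic.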