LinuxQuestions.org

Linux - Networking: Network stack accepting packets coming in on the wrong interface (https://www.linuxquestions.org/questions/linux-networking-3/network-stack-accepting-packets-coming-in-on-the-wrong-interface-4175572436/)

o2blom 02-16-2016 07:09 PM

Network stack accepting packets coming in on the wrong interface
 
I have two vlan interfaces

eth0.256 - 192.168.1.10 / 255.255.255.0
eth0.257 - 10.0.0.10 / 255.255.0.0

The problem I'm having is that packets coming in on the eth0.256 interface with a destination IP address of 10.0.0.10 end up getting accepted by the kernel and processed in the network stack.

This is highly undesirable and I would like those packets dropped instead.

I'm using Kernel version 3.10.17.

Any help or hints would be appreciated

Thanks

/Otto

jefro 02-16-2016 08:32 PM

Hello and welcome to LQ.

I hope I am right on this. Iptables should allow you to drop the two. They are in fact on the same physical nic. In a sense all traffic is consuming resources.

o2blom 02-17-2016 12:51 PM

Hi there! Thanks for your feedback; unfortunately I'm not that well-versed in iptables. Could you give me a hint on what the rule might look like?

To me it's shocking that Linux is behaving like this, as it violates the whole VLAN principle. Not exactly a virtual LAN if packets can cross between them.

jefro 02-17-2016 03:14 PM

I'll agree that the concept of "virtual" is sort of being abused here. In a traditional sense a VLAN ought to isolate all traffic and is generally used on switches. It might also be used in the phrasing of tunnels like VPNs.

In a way your situation is more like a virtual ip address on a physical nic as opposed to a virtual private lan.

Iptables is a kind of old implementation of traffic control. There are thousands of books and web pages on it and all of them are confusing as heck in my opinion. I don't use it enough to tell you how to do it directly. If you want you might look at firewall builder for an easy program.

Might consider a new post on how to write iptables to block traffic on this config also. Someone here will for sure know how to make it.

And I am only about 90% sure on this. :)

I am assuming that you don't have switch VLAN tagging or 802.1Q, so that is mostly why this config is failing. http://www.cyberciti.biz/tips/howto-...work-vlan.html

And it may be that you can't fully fix this with ipconfig and you'll have to use the ip command instead.

o2blom 02-17-2016 03:18 PM

So I'm not the only one confused by iptables then, good ;)

Thanks a lot for your feedback. I'll do some snooping around online and I'll post my results here if I have any luck.

/Otto

jefro 02-19-2016 04:10 PM

Thanks for the update.

I'm pretty sure on my answer, but if it fails and the world gets destroyed... oops. :)

Ser Olmy 02-19-2016 05:37 PM

The IP addresses may be bound to different interfaces, but they still represent the same host. Sending a packet to one address via an interface bound to a different address will indeed work, and so it should. It's not a Linux-specific issue, it's TCP/IP working as designed.

To stop this from working, you'll have to filter the packets with iptables. You can use the "-i" interface match to filter packets entering via a specific interface:
Code:

iptables -t filter -A INPUT -i eth0.256 -d 10.0.0.10/32 -j DROP
iptables -t filter -A INPUT -i eth0.257 -d 192.168.1.10/32 -j DROP

Note how you'll have to use the INPUT chain rather than the FORWARD chain, as no routing is involved in delivering packets to a different IP address on the same system. For the same reason, disabling routing will not prevent packets entering interface X from reaching an IP address bound to interface Y.
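The behaviour Ser Olmy describes is the "weak host model" of RFC 1122: a local address is reachable through any interface. The two rules above cover exactly the two interfaces in the question; the script below, an added example and not code from the thread, generalises them for any number of addresses. It reads `ip -4 -o addr show` (a constructed sample of that output for eth0.256 and eth0.257 is embedded so it runs offline), pins every global IPv4 address to its own interface, and emits the iptables commands into a dedicated chain so they can be regenerated without duplicates. The chain name IFBIND and the `--live`/`--apply` flags are this script's own choices.

```shell
#!/bin/sh
# Added example, not from the thread: drop in INPUT any packet whose
# destination is one of our addresses but which arrived on an interface
# other than the one that address is configured on.
# Rules go into a dedicated chain (name IFBIND is our own choice) so the
# script can be rerun: the chain is flushed and refilled each time.

CHAIN=IFBIND

# bindings_from_ip: read `ip -4 -o addr show` output on stdin, print
# "iface address" pairs. Host-scope (loopback) addresses are skipped.
bindings_from_ip() {
    awk '$3 == "inet" && $0 !~ /scope host/ { split($4, a, "/"); print $2, a[1] }'
}

# gen_rules: read "iface address" pairs on stdin, print iptables commands.
gen_rules() {
    echo "iptables -t filter -N $CHAIN 2>/dev/null || iptables -t filter -F $CHAIN"
    # Packets the host sends to its own addresses arrive on lo, never on the
    # VLAN interface, so lo must be exempted or local connections break.
    echo "iptables -t filter -A $CHAIN -i lo -j RETURN"
    while read -r iface addr; do
        [ -n "$iface" ] && [ -n "$addr" ] || continue
        # Anything for $addr that did not enter via $iface is dropped.
        echo "iptables -t filter -A $CHAIN ! -i $iface -d $addr/32 -j DROP"
    done
    # Hook the chain at the top of INPUT, ahead of any broad ACCEPT rules;
    # the -C check keeps a second run from adding a duplicate jump.
    echo "iptables -t filter -C INPUT -j $CHAIN 2>/dev/null || iptables -t filter -I INPUT 1 -j $CHAIN"
}

# Constructed sample of `ip -4 -o addr show` for the two VLAN
# sub-interfaces in the question (plus lo), so the script runs offline.
SAMPLE_IP_OUTPUT='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: eth0.256    inet 192.168.1.10/24 brd 192.168.1.255 scope global eth0.256\       valid_lft forever preferred_lft forever
3: eth0.257    inet 10.0.0.10/16 brd 10.0.255.255 scope global eth0.257\       valid_lft forever preferred_lft forever'

# rules_for_host: print rules for this machine (--live, needs iproute2)
# or, by default, for the constructed sample above.
rules_for_host() {
    if [ "${1:-}" = "--live" ] && command -v ip >/dev/null 2>&1; then
        ip -4 -o addr show | bindings_from_ip | gen_rules
    else
        printf '%s\n' "$SAMPLE_IP_OUTPUT" | bindings_from_ip | gen_rules
    fi
}

case "${1:-}" in
    --apply) rules_for_host --live | sh -e ;;   # execute on the real host (root)
    *)       rules_for_host "$@" ;;             # just print the commands
esac
```

Run it with no arguments to review the generated commands, `--live` to generate them from the host's real addresses, and `--apply` (as root) to execute them. To check that it works, send traffic from the 192.168.1.0/24 VLAN to 10.0.0.10 and watch the counters with `iptables -t filter -L IFBIND -v -n`. Two caveats: this filters IP only, so the kernel will still answer ARP for 10.0.0.10 on eth0.256 unless you also set `sysctl -w net.ipv4.conf.all.arp_ignore=1` (reply only when the target address is configured on the receiving interface); and on a 3.10 kernel iptables is the right tool, since nftables only arrived in 3.13.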

