rp_filter won't work with iproute2
Hi,
I'm having a hard time getting rp_filter to work with multiple routing tables.
I have two internet connections; one is for all traffic. The other internet connection is only for anything going out on port 2600. I'm using this port to make OpenVPN connections. I see the traffic with tcpdump -i eth1, and I get replies back from the computer I am trying to connect to, but the connection won't establish until I set rp_filter to 0, which I would like on, so it checks to make sure any packets coming in from eth1 are not spoofed with my private IP addresses on eth0.
eth1 is the university connection, which is very insecure.
eth0 is my private network (this is also where my second connection is located).
These are the configs I have set:
#ip rule
0: from all lookup local
32764: from all fwmark 0x4 lookup 4
32765: from all fwmark 0x4 lookup main unreachable
32766: from all lookup main
32767: from all lookup default
#ip route list
172.26.16.0/24 dev eth1 proto kernel scope link src 172.26.16.172
192.168.216.0/24 dev br0 proto kernel scope link src 192.168.216.201
172.26.0.0/16 via 172.26.16.1 dev eth1
127.0.0.0/8 dev lo scope link
default via 192.168.216.200 dev br0
#ip route list table 4
172.26.16.0/24 dev eth1 proto kernel scope link src 172.26.16.172
172.26.0.0/16 via 172.26.16.1 dev eth1
127.0.0.0/8 dev lo scope link
default via 172.26.16.1 dev eth1
#iptables -vnL -t mangle
Chain PREROUTING (policy ACCEPT 26449 packets, 1875K bytes)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 unclean
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID
145 11401 DROP all -- eth1 * 0.0.0.0/0 !172.26.0.0/16
0 0 DROP all -- eth1 * 192.168.0.0/16 0.0.0.0/0
Chain INPUT (policy ACCEPT 26326 packets, 1863K bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 12 packets, 776 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 27445 packets, 2115K bytes)
pkts bytes target prot opt in out source destination
1639 208K MARK udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:2600 MARK set 0x4
Chain POSTROUTING (policy ACCEPT 27457 packets, 2116K bytes)
pkts bytes target prot opt in out source destination
#iptables -vnL -t filter
Chain INPUT (policy ACCEPT 26422 packets, 1871K bytes)
pkts bytes target prot opt in out source destination
0 0 DROP all -- !lo * 127.0.0.1 0.0.0.0/0
0 0 DROP all -- !lo * 0.0.0.0/0 127.0.0.1
Chain FORWARD (policy ACCEPT 12 packets, 776 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 27565 packets, 2127K bytes)
pkts bytes target prot opt in out source destination
#iptables -vnL -t nat
Chain PREROUTING (policy ACCEPT 6175 packets, 327K bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 3442 packets, 140K bytes)
pkts bytes target prot opt in out source destination
18 1701 SNAT all -- * eth1 0.0.0.0/0 0.0.0.0/0 to:172.26.16.172
Chain OUTPUT (policy ACCEPT 3455 packets, 142K bytes)
pkts bytes target prot opt in out source destination
Please let me know if you guys need any more info. If anyone has any suggestions to secure this more, please let me know. One of my concerns was that anyone on eth1 could set me as their default gateway and access my network through that with ip_forward on. The 3rd PREROUTING rule in mangle seems to take care of that. I haven't been able to test my firewall by sending a packet with a spoofed source address yet, so I don't know if it blocks that.
Thanks,
MarleyGPN
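The lookup the poster is fighting, as an added example that is not part of the original post: a small Python model of `ip rule` / `ip route` selection and the strict reverse-path check, fed with the exact tables from the post. Strict rp_filter routes the packet's source address as if it were a destination, using the packet's own destination as the flow source, and accepts only if that route leaves via the interface the packet arrived on. The reply from the VPN peer arrives on eth1 with no fwmark (the MARK rule is in OUTPUT and only affects locally generated packets), so the reverse lookup falls through to the main table, picks the default via br0, and the packet is dropped. The VPN peer address 203.0.113.10 and the LAN host 192.168.216.50 are constructed for the example; the `from 172.26.16.172 table 4` rule and the pinned LAN route in table 4 are the suggested fix, not something the post contains.

```python
"""Model of Linux strict reverse-path filtering (rp_filter=1) under policy routing.
Added example: a simplified simulation of `ip rule` / `ip route` lookup, not kernel code."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

IPv4 = ipaddress.IPv4Address
Net = ipaddress.IPv4Network


@dataclass(frozen=True)
class Route:
    prefix: Net
    dev: str
    via: Optional[str] = None  # next hop; None for an on-link route


@dataclass(frozen=True)
class Rule:
    table: str
    src: Optional[Net] = None     # `from` selector
    fwmark: Optional[int] = None  # `fwmark` selector


def lookup_table(table, dst):
    """Longest-prefix match inside one routing table; None if nothing matches."""
    best = None
    for r in table:
        if dst in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def route_lookup(rules, tables, dst, src=None, fwmark=0):
    """Walk the rules in priority order and stop at the first table holding a route."""
    for rule in rules:
        if rule.src is not None and (src is None or src not in rule.src):
            continue
        if rule.fwmark is not None and rule.fwmark != fwmark:
            continue
        hit = lookup_table(tables[rule.table], dst)
        if hit is not None:
            return hit
    return None


def strict_rpf_accepts(rules, tables, in_dev, pkt_src, pkt_dst):
    """Strict rp_filter: route pkt_src as a destination with pkt_dst as the flow
    source (this is what the kernel's fib_validate_source does) and accept only
    if the route's device is the ingress device. The reverse lookup runs with no
    fwmark: incoming replies are unmarked, and by default the kernel ignores the
    mark in this check anyway (net.ipv4.conf.<if>.src_valid_mark = 0)."""
    back = route_lookup(rules, tables, dst=pkt_src, src=pkt_dst, fwmark=0)
    return back is not None and back.dev == in_dev


def N(s):
    return Net(s)


# The post's `ip route list` (main) and `ip route list table 4`, verbatim.
TABLES = {
    "main": [
        Route(N("172.26.16.0/24"), "eth1"),
        Route(N("192.168.216.0/24"), "br0"),
        Route(N("172.26.0.0/16"), "eth1", "172.26.16.1"),
        Route(N("127.0.0.0/8"), "lo"),
        Route(N("0.0.0.0/0"), "br0", "192.168.216.200"),
    ],
    "4": [
        Route(N("172.26.16.0/24"), "eth1"),
        Route(N("172.26.0.0/16"), "eth1", "172.26.16.1"),
        Route(N("127.0.0.0/8"), "lo"),
        Route(N("0.0.0.0/0"), "eth1", "172.26.16.1"),
    ],
}

# The post's `ip rule` without the local table (no local routes matter here).
RULES_AS_POSTED = [Rule("4", fwmark=0x4), Rule("main")]

# Suggested fix (assumption, not from the post): a source-based rule ahead of main,
# i.e. `ip rule add from 172.26.16.172 table 4 priority 32763`.
RULES_FIXED = [Rule("4", src=N("172.26.16.172/32")), Rule("4", fwmark=0x4), Rule("main")]

ETH1_ADDR = IPv4("172.26.16.172")
VPN_SERVER = IPv4("203.0.113.10")   # constructed stand-in for the OpenVPN peer
LAN_HOST = IPv4("192.168.216.50")   # constructed address from the private LAN


def vpn_reply_passes(rules, tables=TABLES):
    """Reply from the VPN peer to the eth1 address, arriving on eth1."""
    return strict_rpf_accepts(rules, tables, "eth1", VPN_SERVER, ETH1_ADDR)


def lan_spoof_passes(rules, tables=TABLES):
    """Packet arriving on eth1 that spoofs a LAN source, addressed to the eth1 address."""
    return strict_rpf_accepts(rules, tables, "eth1", LAN_HOST, ETH1_ADDR)


# Caveat: table 4 has only a default via eth1, so once the `from` rule sends the
# reverse lookup there, a spoofed LAN source also "routes back" via eth1. Pinning
# the LAN prefix in table 4 (`ip route add 192.168.216.0/24 dev br0 table 4`,
# an assumption of this example) restores the rejection.
TABLES_FIXED = {**TABLES, "4": TABLES["4"] + [Route(N("192.168.216.0/24"), "br0")]}

if __name__ == "__main__":
    print("VPN reply, rules as posted:", vpn_reply_passes(RULES_AS_POSTED))         # False
    print("VPN reply, with from-rule:", vpn_reply_passes(RULES_FIXED))              # True
    print("LAN spoof, rules as posted:", lan_spoof_passes(RULES_AS_POSTED))         # False
    print("LAN spoof, with from-rule:", lan_spoof_passes(RULES_FIXED))              # True
    print("LAN spoof, from-rule + pinned LAN route:", lan_spoof_passes(RULES_FIXED, TABLES_FIXED))  # False
```

The model shows why rp_filter=0 "fixes" the problem and what the alternatives cost. Setting rp_filter=2 (loose mode, available on kernels that support it) would also let the reply through, but loose mode only checks that the source is reachable via some interface, so it would no longer reject the LAN-spoofed packet either. The `from` rule keeps strict mode, but without a route for the LAN prefix in table 4 it opens the same hole for packets addressed to 172.26.16.172; the mangle PREROUTING rule dropping 192.168.0.0/16 sources on eth1 still catches those, but the routing tables should not depend on it.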