Markus you are absolutely right! Thanks a lot for the suggestion! Now everything is more clear to me...
What I thought it was a problem actually is the default behavior to reply to ARP requests in case of server with multiple interfaces in the same network!
This is also confirmed by the some tests I have made which I report below.
First of all I set up a test client in the same subnet where the server is. I did that to be able to capture the ARP traffic (in particular the ARP replies from the server) running tcpdump from the client.
So my testing configuration is:
Server
interface name: eth0
MAC: 00:50:56:9f:5c:7a
IP: xxx.xxx.xxx.216
interface name: eth1
MAC: 00:50:56:9f:10:55
IP: xxx.xxx.xxx.217
interface name: eth2
MAC: 00:50:56:9f:5b:43
IP: xxx.xxx.xxx.218
interface name: eth3
MAC: 00:50:56:9f:5e:f0
IP: xxx.xxx.xxx.219
Client
interface name: eth0
MAC: 00:50:56:9f:74:cf
IP: xxx.xxx.xxx.222
With the server in the original configuration I just run on the client first the command
and then (using another terminal) I tried to ping xxx.xxx.xxx.216. This is the output tcpdump captured:
Code:
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
08:54:22.741072 ARP, Request who-has xxx.xxx.xxx.216 tell xxx.xxx.xxx.222, length 28
08:54:22.741570 ARP, Reply xxx.xxx.xxx.216 is-at 00:50:56:9f:10:55 (oui Unknown), length 46
08:54:22.741588 ARP, Reply xxx.xxx.xxx.216 is-at 00:50:56:9f:5b:43 (oui Unknown), length 46
08:54:22.741590 ARP, Reply xxx.xxx.xxx.216 is-at 00:50:56:9f:5c:7a (oui Unknown), length 46
08:54:22.741632 ARP, Reply xxx.xxx.xxx.216 is-at 00:50:56:9f:5e:f0 (oui Unknown), length 46
So independently from which interface is actual associated to xxx.xxx.xxx.216,
ALL the four interfaces replied to the ARP request from the client. I suppose the client just get the first one (in this case eth1) to encapsulate the ethernet packet. Probably this is done because most of the applications don't care about the information reported in the layer 2 ethernet frame and so in most of case where there are multiple interfaces in the same subnet on the same server it doesn't really matter which is the actual interface used to communicate. Anyway applications like iptables, if configured properly, can detect that (as it happens in my case
).
Finally I tried the commands suggested by Markus (with some slight modifications). So on the server I executed:
Code:
# sysctl -w net.ipv4.conf.all.arp_ignore=1
# sysctl -w net.ipv4.conf.all.arp_announce=2
I captured again the ARP traffic from the client (after having cleared the ARP cache on the client) and this is what I got:
Code:
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
09:02:37.890895 ARP, Request who-has xxx.xxx.xxx.216 tell xxx.xxx.xxx.222, length 28
09:02:37.891353 ARP, Reply xxx.xxx.xxx.216 is-at 00:50:56:9f:5c:7a (oui Unknown), length 46
As you can see this time only eth0 replies and the other 3 interfaces are silent!
I think the sysctl reported above definitely fix my iptable problem!
Thanks everybody for the help and support!
Just a little hint: you could use arping (also part of the iputils package) instead of ping+tcpdump
