LinuxQuestions.org

Thread: linux networking question (https://www.linuxquestions.org/questions/linux-networking-3/linux-networking-question-241631/)

m4dj4ck 10-12-2004 03:32 AM

linux networking question
 
My server consists of 3 network cards for LAN. For your information, the settings on the 3 LAN cards are as follows:

eth0 - 192.168.21.254
eth1 - 192.168.23.254
eth2 - 192.168.25.254

Recently, one of the users (192.168.21.221) tried to ping eth0 (192.168.21.254) and it was successful. Then he tried to ping 192.168.23.254 as well, and that returned ping replies too. So, my question is: can we set the Linux server to stop the user from pinging and accessing other users on a different subnet?

Thanks for your guys' time.

-m4-

jschiwal 10-12-2004 06:35 AM

entering this in /etc/sysconf/network
FORWARD_IPV4=false
Will turn off all forwarding.

This is carried out by this command somewhere:
echo "0" > /proc/sys/net/ipv4/ip_forward

By default, forwarding is disabled in the kernel until
echo "1" > /proc/sys/net/ipv4/ip_forward
is called by a network script.

n3tw0rk 10-12-2004 08:39 AM

Quote:

entering this in /etc/sysconf/network
FORWARD_IPV4=false
Will turn off all forwarding.

This is carried out by this command somewhere:
echo "0" > /proc/sys/net/ipv4/ip_forward

By default, forwarding is disabled in the kernel until
echo "1" > /proc/sys/net/ipv4/ip_forward
is called by a network script.

That won't work! The packets that are destined to another interface on a multihomed system are not considered to be forwarded, so even if ip_forward is 0 the pings will get through.

Actually a Linux machine by default replies to ICMP echo requests even if they are not from the LAN segment directly connected to a LAN card, which is why the user on the LAN 192.168.21.0/24 is getting ICMP echo replies when he pings 192.168.23.254. If you want to disable all incoming ICMP traffic then do the following as root

iptables -I INPUT -p ICMP -j DROP

The above will drop all ICMP packets destined to this machine on any interface.

A much more convenient way is to just allow the user to ping the server address on his LAN. For example, if you want the users on 192.168.21.0/24 to be able to ping only the server address 192.168.21.254, then do the following

iptables -I INPUT -p ICMP -s 192.168.21.0/24 -d 0.0.0.0/0 -j DROP
iptables -I INPUT -p ICMP -s 192.168.21.0/24 -d 192.168.21.0/24 -j ACCEPT

I hope that helps!
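The two rules above cover one LAN segment. The following POSIX sh script is an added example, not something posted in this thread: it generalizes the same idea to all three LAN segments from the original question (192.168.21.254, 192.168.23.254 and 192.168.25.254), printing the iptables commands so they can be reviewed before being run, and only applying them when invoked with the argument `apply` as root. It narrows the ACCEPT rule to the server's own address on that segment rather than the whole /24; the host's interface names are irrelevant to INPUT matching, so they appear only as comments.

```sh
#!/bin/sh
# Added example (not from the thread): per-LAN ICMP rules for a multihomed host.
# Hosts on each LAN may ping only the server address that sits on their own
# segment; ICMP from that LAN to any other local address is dropped.
# Addresses below are the ones given in the question (constructed table).

# Format: "<subnet> <server address on that subnet>", one LAN per line.
LANS="192.168.21.0/24 192.168.21.254
192.168.23.0/24 192.168.23.254
192.168.25.0/24 192.168.25.254"

# icmp_rules_for NET ADDR: emit the two rules for one LAN segment.
# Both rules use -I (insert at top), so the DROP is emitted first and the
# ACCEPT second; once applied, the ACCEPT ends up above the DROP in INPUT,
# which is exactly the ordering the post above relies on.
icmp_rules_for() {
    net=$1
    addr=$2
    echo "iptables -I INPUT -p icmp -s $net -j DROP"
    echo "iptables -I INPUT -p icmp -s $net -d $addr -j ACCEPT"
}

# gen_icmp_rules: print the commands for every LAN in $LANS, without running them.
# Rules are matched on source subnet, so the relative order between LANs
# does not matter; only the ACCEPT-above-DROP order within a LAN does.
gen_icmp_rules() {
    printf '%s\n' "$LANS" | while read -r net addr; do
        if [ -n "$net" ]; then
            icmp_rules_for "$net" "$addr"
        fi
    done
}

# Default action is to show the rules; "apply" pipes them into sh (needs root).
case "${1:-show}" in
    apply) gen_icmp_rules | sh ;;
    *)     gen_icmp_rules ;;
esac
```

Run it with no arguments first and compare the output against `iptables -L INPUT -n --line-numbers` after applying, to confirm each ACCEPT sits above its DROP. Note that this only restricts ICMP; a user on 192.168.21.0/24 could still reach TCP or UDP services bound to 192.168.23.254, so the same source/destination pattern would need to be repeated for those protocols (or applied with `-p all`) if the goal is to block all access rather than just ping.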

jschiwal 10-12-2004 04:37 PM

Quote:

That won't work! The packets that are destined to another interface on a multihomed system are not considered to be forwarded, so even if ip_forward is 0 the pings will get through.

Are you certain that you aren't thinking about a host with multiple IP's on the same interface?

Perhaps some experimentation by m4dj4ck is in order.

m4dj4ck 10-13-2004 03:21 AM

Alright... sorry for some missing information. This system actually is a Linux gateway with eth0 (192.168.120.2) facing the Internet, and eth1, eth2 and eth3 are for LAN. As expected, this box is running the shorewall firewall with, of course, masquerading on it. So, if I were to set FORWARD_IPv4=FALSE, will it disable all the IP forwarding activities, including masquerading??

n3tw0rk 10-13-2004 09:09 AM

Yes, that will disable the forwarding activities, including masquerading.

scowles 10-13-2004 09:21 AM

Quote:

So, if I were to set FORWARD_IPv4=FALSE, will it disable all the IP forwarding activities, including masquerading??

Yes

FWIW: n3tw0rk correctly addressed your problem and offered the only viable solution that I'm aware of. In short, you are trying to ping an interface of a multi-homed system, not a host on the other side of that interface; thus the TCP/IP stack is technically not forwarding, i.e., transmitting out the other interface. If you are still confused, run tcpdump on all interfaces, then issue your ping test and take notice of which interfaces receive/transmit traffic during your test.

Since you are using shorewall, you could easily add a rule that does not allow ping traffic (or any traffic, for that matter) from zone->fw, just zone->internet. Which, BTW, is basically the same solution n3tw0rk pointed out in his reply. You would just be using shorewall to configure the appropriate iptables rules based on the zones you have defined.
