LinuxQuestions.org
Old 02-16-2016, 08:09 PM   #1
o2blom
LQ Newbie
 
Registered: Feb 2016
Posts: 3

Rep: Reputation: Disabled
Network stack accepting packets coming in on the wrong interface


I have two vlan interfaces

eth0.256 - 192.168.1.10 / 255.255.255.0
eth0.257 - 10.0.0.10 / 255.255.0.0

The problem I'm having is that packets coming in on the eth0.256 interface with a destination IP address of 10.0.0.10 end up getting accepted by the kernel and processed in the network stack.

This is highly undesirable and I would like those packets dropped instead.

I'm using Kernel version 3.10.17.

Any help or hints would be appreciated

Thanks

/Otto
 
Old 02-16-2016, 09:32 PM   #2
jefro
Moderator
 
Registered: Mar 2008
Posts: 20,583

Rep: Reputation: 3303
Hello and welcome to LQ.

I hope I am right on this. Iptables should allow you to drop the two. They are in fact on the same physical nic. In a sense all traffic is consuming resources.
 
Old 02-17-2016, 01:51 PM   #3
o2blom
LQ Newbie
 
Registered: Feb 2016
Posts: 3

Original Poster
Rep: Reputation: Disabled
Hi there! Thanks for your feedback, unfortunately I'm not that well-versed in iptables. Could you give me a hint on what the rule might look like?

To me it's shocking that Linux is behaving like this as it violates the whole VLAN principle. Not exactly a virtual LAN if packets can cross between them.
 
Old 02-17-2016, 04:14 PM   #4
jefro
Moderator
 
Registered: Mar 2008
Posts: 20,583

Rep: Reputation: 3303
I'll agree that the concept of virtual is being abused sort of here. In a traditional sense a vlan ought to isolate all traffic and is generally used on switches. It might also be used in the phrasing of tunnels like vpn.

In a way your situation is more like a virtual ip address on a physical nic as opposed to a virtual private lan.

Iptables is a kind of old implementation of traffic control. There are thousands of books and web pages on it and all of them are confusing as heck in my opinion. I don't use it enough to tell you how to do it directly. If you want you might look at firewall builder for an easy program.

Might consider a new post on how to write iptables to block traffic on this config also. Someone here will for sure know how to make it.

And I am only about 90% sure on this.

I am assuming that you don't have a switch vlan tagging or 802.1q so that is mostly why this config is failing. http://www.cyberciti.biz/tips/howto-...work-vlan.html

And it may be that you can't fully fix this with ipconfig and you'll have to use the ip command instead.

Last edited by jefro; 02-17-2016 at 04:23 PM.
 
Old 02-17-2016, 04:18 PM   #5
o2blom
LQ Newbie
 
Registered: Feb 2016
Posts: 3

Original Poster
Rep: Reputation: Disabled
So I'm not the only one confused by iptables then, good

Thanks a lot for your feedback, I'll do some snooping around online and I'll post my results here if I have any luck

/Otto
 
Old 02-19-2016, 05:10 PM   #6
jefro
Moderator
 
Registered: Mar 2008
Posts: 20,583

Rep: Reputation: 3303
Thanks for the update.

I'm pretty sure on my answer but if it fails and the world gets destroyed... oops.
 
Old 02-19-2016, 06:37 PM   #7
Ser Olmy
Senior Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 2,890

Rep: Reputation: Disabled
The IP addresses may be bound to different interfaces, but they still represent the same host. Sending a packet to one address via an interface bound to a different address will indeed work, and so it should. It's not a Linux-specific issue, it's TCP/IP working as designed.

To stop this from working, you'll have to filter the packets with iptables. You can use the "-i" interface match to filter packets entering via a specific interface:
Code:
iptables -t filter -A INPUT -i eth0.256 -d 10.0.0.10/32 -j DROP
iptables -t filter -A INPUT -i eth0.257 -d 192.168.1.10/32 -j DROP
Note how you'll have to use the INPUT chain rather than the FORWARD chain, as no routing is involved in delivering packets to a different IP address on the same system. For the same reason, disabling routing will not prevent packets entering interface X from reaching an IP address bound to interface Y.
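A small added model (my example, not code from the thread) of why the packet is accepted and what the INPUT rules above change. It builds the rules of post #7 from a table of interface bindings, generalised to any number of interfaces, and walks the INPUT chain for sample packets; the two bindings are the ones from the question.

```python
import ipaddress

# Constructed from the thread: two 802.1Q sub-interfaces on one NIC.
BINDINGS = {
    "eth0.256": ipaddress.ip_interface("192.168.1.10/24"),
    "eth0.257": ipaddress.ip_interface("10.0.0.10/16"),
}

def is_local(dst, bindings=BINDINGS):
    """Weak host model: a destination matching ANY locally bound address is
    delivered locally, whichever interface it arrived on. This is the
    behaviour the original poster saw on eth0.256 for 10.0.0.10."""
    dst = ipaddress.ip_address(dst)
    return any(dst == b.ip for b in bindings.values())

def drop_rules(bindings=BINDINGS):
    """Generate the INPUT rules from post #7, generalised to N interfaces:
    on each interface, drop packets addressed to an IP bound elsewhere."""
    rules = []
    for iface in bindings:
        for other, b in bindings.items():
            if other != iface:
                rules.append(
                    f"iptables -t filter -A INPUT -i {iface} -d {b.ip}/32 -j DROP")
    return rules

def input_verdict(ingress, dst, rules, bindings=BINDINGS):
    """Model the packet path: a non-local destination never reaches INPUT
    (it goes to FORWARD), which is why routing is not the lever here.
    A local one walks INPUT; the first matching rule wins, and the chain's
    default policy (ACCEPT, assumed here) applies when nothing matches."""
    if not is_local(dst, bindings):
        return "FORWARD"
    dst = ipaddress.ip_address(dst)
    for rule in rules:
        tok = rule.split()
        iface = tok[tok.index("-i") + 1]
        net = ipaddress.ip_network(tok[tok.index("-d") + 1])
        if iface == ingress and dst in net:
            return tok[tok.index("-j") + 1]
    return "ACCEPT"

if __name__ == "__main__":
    for r in drop_rules():
        print(r)
    print(input_verdict("eth0.256", "10.0.0.10", drop_rules()))  # DROP
```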
 
  

