How can iptables distinguish between packets coming in from one route versus another?
If packets are coming in through different interfaces eth1 and eth2, iptables can distinguish them with something like
-i eth1
If they are coming in through the same interface eth1 but from different servers at 10.0.0.2 and 10.0.0.3, they can be distinguished with something like
-s 10.0.0.2/32
What if packets originate from unknown IPs and subnets and pass through different gateways, and all that you know is the IP of each of the gateways, 192.168.1.1 and 192.168.1.2, and that all packets come in through eth1?
All packets sent over the internet or any network for that matter have a source and destination address. With this information every device knows how to send the packet on to its final destination.
But we do not know the source IP, and it can be the same source IP sending packets on both paths. How can we write an iptables command line at the receiving end that distinguishes one path from another, for example to drop packets from one path? If there were two NICs at the receiving end, one for each path, we'd write -i eth1. But there is only one.
Ahhh, same server (source), different routes. If they are coming in from a different immediate upstream router, you could use the source MAC. Otherwise, you might be able to distinguish the routes by the remaining TTL when the packets are received. That's going to be hard to implement and probably unreliable, but I don't know of any other way that the same packets arriving by different routes would differ.
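The two approaches in the reply above (source MAC of the last-hop gateway, and remaining TTL) as an added, runnable example; this is not code from the thread or from any of its posters. It assumes the gateway MACs are placeholders (00:11:22:33:44:01 for 192.168.1.1, 00:11:22:33:44:02 for 192.168.1.2, both hypothetical) and that the ingress interface is eth1 as in the question. The rules are emitted as text first so they can be reviewed, and only loaded when run as root with `--apply`.

```shell
#!/bin/sh
# Added example, not from the LQ thread: tell two upstream gateways apart on
# the same NIC using the link-layer source address, with a TTL-based fallback.
#
# Assumed placeholders (not from the original post):
#   IFACE   - the single ingress interface (eth1 in the thread)
#   GW1_MAC - MAC of the 192.168.1.1 gateway, as shown by 'ip neigh'
#   GW2_MAC - MAC of the 192.168.1.2 gateway, as shown by 'ip neigh'
IFACE="${IFACE:-eth1}"
GW1_MAC="${GW1_MAC:-00:11:22:33:44:01}"   # hypothetical MAC of 192.168.1.1
GW2_MAC="${GW2_MAC:-00:11:22:33:44:02}"   # hypothetical MAC of 192.168.1.2

# Emit the iptables commands, one per line, without running them.
build_rules() {
    # The 'mac' match looks at the frame's source MAC, which is rewritten at
    # every hop: on the receiving host it is the MAC of the last router, not
    # of the original sender, so it identifies the path even when the IP
    # source is unknown or identical on both paths. The match is only valid
    # in INPUT, FORWARD and PREROUTING, where the L2 header is still present.
    echo "iptables -A INPUT -i $IFACE -m mac --mac-source $GW2_MAC -j DROP"
    echo "iptables -A INPUT -i $IFACE -m mac --mac-source $GW1_MAC -j ACCEPT"
    # TTL fallback: if path 2 is exactly one hop longer than path 1, a packet
    # that left its sender with TTL 64 arrives with 63 via path 1 and 62 via
    # path 2. The sender controls the initial TTL and the hop count can
    # change with routing, so only LOG on it rather than DROP.
    echo "iptables -A INPUT -i $IFACE -m ttl --ttl-eq 62 -j LOG --log-prefix \"via-gw2? \""
}

# Resolve a gateway's MAC from the neighbour table. ARP must already be
# populated (for example by pinging the gateway) for this to print anything.
gateway_mac() {
    ip neigh show "$1" 2>/dev/null |
        awk '{ for (i = 1; i < NF; i++) if ($i == "lladdr") { print $(i + 1); exit } }'
}

# Load the rules for real only when iptables is present and we are root;
# otherwise print them as a dry run so the script is safe to run anywhere.
apply_rules() {
    if command -v iptables >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
        build_rules | sh -e
    else
        build_rules
    fi
}

if [ "${1:-}" = "--apply" ]; then
    apply_rules
fi
```

Typical use: `GW1_MAC=$(gateway_mac 192.168.1.1)` after sourcing the script, then `./gw-rules.sh --apply` as root. Note the caveat the reply already gives: the MAC only identifies the immediate upstream router, so if both gateways sit behind the same router on the far side of eth1 the frames will carry that router's MAC and the rules cannot separate the paths; a MAC can also be spoofed by anything on the local segment.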
Not sure I understand your question 100%. What exactly are you trying to accomplish? Are you trying to block traffic from an unknown source or are you trying to only allow certain traffic from an unknown source?
Looks like buying a NIC is the best option. It's kinda complicated and open-ended what I am trying to accomplish (related to load balancing and smartphones) and I wouldn't be good at explaining it.
A second NIC might not be the best option. Whatever you plan on doing on the second NIC you should be able to do on the first one too. It all comes down to what you are trying to accomplish.