系统:Centos6

影响:

路径:/etc/sysctl.conf

rp_filter – INTEGER

0 – No source validation.
1 – Strict mode as defined in RFC3704 Strict Reverse Path Each incoming packet is tested against the FIB and if theinterface is not the best reverse path the packet check will fail.By default failed packets are discarded.
2 – Loose mode as defined in RFC3704 Loose Reverse Path Each incoming packet’s source address is also tested against theFIB and if the source address is not reachable via any interface the packet check will fail.Current recommended practice in RFC3704 is to enable strictmode to prevent IP spoofing from DDos attacks. If using asymmetricrouting or other complicated routing, then loose mode is recommended.

The max value from conf/{all,interface}/rp_filter is used when doing source validation on the {interface}.

Default value is 0. Note that some distributions enable it in startup scripts.
—–

Red Hat are (correctly) setting rp_filter to 1, strictmode.  In this case a packet coming in eth0 willhave its source address routed out on the same interface that itcame in on (because that’s the default route). However, a packet coming in on eth1 will have it source addressrouted out on a different interface to the one it came in on and itwill be discarded.  Silently.

This is basically asymmetric routing and is quite possibly not whatyou want anyway (it messes up TCP flow control) so there are twoways to fix this: stick with asymmetric routing and permit it orfix the asymmetric routing.

The first one is easiest: in /etc/sysctl.conf change rp_filter=1 torp_filter=2).  You’ll need to load that andrestart the network.  It’s probably easiest toreboot 🙂 to be sure.  I suspect that it was notrestarting enough things that prevented this change from workingbefore.

The second one may be simple as simple as adding those routes thatshould go out on eth1 to the routing table or running some routingdaemon.  It depends on your network topology,basically.  This would be the preferred solutionif it’s practicable.

 

reverse-pathfiltering,反向过滤技术,系统在接收到一个IP包后,检查该IP是不是合乎要求,不合要求的IP包会被系统丢弃。该技术就称为rpfilter。怎么样的包才算不合要求呢?例如,用户在A网口上收到一个IP包,检查其IP为B。然后考查:对于B这个IP,在发送时应该用哪个网口,“如果在不应该接收到该包的网口上接收到该IP包,则认为该IP包是hacker行为”。

 

解决方法:

系统配置文件
1. /etc/sysctl.conf
把 net.ipv4.conf.all.rp_filter和net.ipv4.conf.default.rp_filter设为0即可
net.ipv4.conf.default.rp_filter = 0
net.ipv4.conf.all.rp_filter = 0

net.ipv4.conf.eth0.rp_filter = 0
net.ipv4.conf.eth1.rp_filter = 0

net.ipv4.conf.lo.rp_filter = 0

系统启动后,会自动加载这个配置文件,内核会使用这个变量

2. 命令行
显示一个内核变量 sysctl net.ipv4.conf.all.rp_filter
设置一个内核变量 sysctl -w net.ipv4.conf.all.rp_filter=0
设置完后,会更新内核(实时的内存)中的变量的值,但不会修改sysctl.conf的值

3. 使用/proc文件系统
查看 cat /proc/sys/net/ipv4/conf/all/rp_filter
设置 echo “0”>/proc/sys/net/ipv4/conf/all/rp_filter

sysctl常用命令

sysctl -a 查看所有参数

sysctl -p 加载配置文件

发表评论

电子邮件地址不会被公开。 必填项已用*标注