disable local routing between eth0 and eth1 - iptables

I've a Linux PC with 2 NICs eth0 and eth1 configured with IP 10.0.0.1
and 20.0.0.1 respectively.

|-------------------|
eth0 (10.0.0.1) ------------| |
| L2 SWITCH |
| |
eth1 (20.0.0.1) ------------| |
|-------------------|

I want to disable local routing between eth0 and eth1 so that whenever
I ping 20.0.0.1 from PC console, ICMP packets should come out of
interface eth0 and should reach eth1 through connected switch.

Similarly, whenever I ping 10.0.0.1 from PC console, ICMP packets
should come out of interface eth1 and should reach eth0 through
connected switch.

How can I do it using iptables, if at all possible?

Thanks in advance.

Hello,

(E-Mail Removed) a écrit :
> I've a Linux PC with 2 NICs eth0 and eth1 configured with IP 10.0.0.1
> and 20.0.0.1 respectively.
>
> |-------------------|
> eth0 (10.0.0.1) ------------| |
> | L2 SWITCH |
> | |
> eth1 (20.0.0.1) ------------| |
> |-------------------|
>
> I want to disable local routing between eth0 and eth1

There is no such "local routing between eth0 and eth1". Local routing in
the Linux kernel involves only the loopback interface.

> so that whenever
> I ping 20.0.0.1 from PC console, ICMP packets should come out of
> interface eth0 and should reach eth1 through connected switch.
>
> Similarly, whenever I ping 10.0.0.1 from PC console, ICMP packets
> should come out of interface eth1 and should reach eth0 through
> connected switch.
>
> How can I do it using iptables, if at all possible?

AFAIK it is not possible to override local routing with advanced routing
on a pristine Linux kernel, because local routing has the highest
priority. However this may be possible with NAT, by changing the local
destination into a non local destination on output and vice versa on input.

On May 27, 5:44*am, astoni...@yahoo.com wrote:

> I've a Linux PC with 2 NICs eth0 and eth1 configured with IP 10.0.0.1
> and 20.0.0.1 respectively.
>
> * * * * * * * * * * * * * * * * * |-------------------|
> eth0 (10.0.0.1) ------------| * * * * * * * * * |
> * * * * * * * * * * * * * * * * * | L2 SWITCH |
> * * * * * * * * * * * * * * * * * | * * * * * * * * * |
> eth1 (20.0.0.1) ------------| * * * * * * * * * |
> * * * * * * * * * * * * * * * * * |-------------------|
>
> I want to disable local routing between eth0 and eth1 so that whenever
> I ping 20.0.0.1 from PC console, ICMP packets should come out of
> interface eth0 and should reach eth1 through connected switch.
>
> Similarly, whenever I ping 10.0.0.1 from PC console, ICMP packets
> should come out of interface eth1 and should reach eth0 through
> connected switch.
>
> How can I do it using iptables, if at all possible?
>
> Thanks in advance.

I don't believe it's sensible or possible. Linux uses a model where IP
addresses are assigned to machines, not to interfaces.

DS

David Schwartz <(E-Mail Removed)> wrote:
> On May 27, 5:44?am, astoni...@yahoo.com wrote:

> > I want to disable local routing between eth0 and eth1 so that
> > whenever I ping 20.0.0.1 from PC console, ICMP packets should come
> > out of interface eth0 and should reach eth1 through connected
> > switch.

> I don't believe it's sensible or possible. Linux uses a model where
> IP addresses are assigned to machines, not to interfaces.

It can be quite sensible - Linux's very braod application of the weak
end-system-model doesn't match all desires.

IIRC actual IP forwarding _is_ disabled by default in Linux - however,
you can check sysctl -a | grep forward to see the current setting and
what might need/want to be changed. On most (?) distros you would
then edit /etc/sysctl.conf to make that "stick" across reboots.

The weak-end-system-model that Linux employs extends to ARP. As such,
the ARP code is more than happy to send an ARP reply for any local IP
out any interface. So, if you check your local ARP tables on the
system from which you are sending pings you will probably find that
the IP for the one interface is associated with the MAC (ethernet)
address of the other.

So, when you connect two interfaces to the same switch, even if you
configure them in separate IP subnets, you have no idea which one will
be given-out in the ARP replies.

There are at least two ways to deal with the issue, you can use one,
the other, or even both.

If you sysctl -a | grep ignore and then set the default version of
that sysctl to "1," on the next ifconfig's (ie after a reboot) it
should propagate to all the interfaces. Or, if you don't want to
bounce the system you can set the interface specific ones by hand and
just put the default one into the sysctl.conf file.

The other option which could deal with this issue is to use VLAN's -
this would need to propagate through your entire broadcast domain
(sets of switches and hosts on the same (logical) side of a router).
You would then have in effect more than one LAN - in the context of
the OP's diagram it would be as if eth0 and eth1 were connected to
separate switches which were not bridged at layer two. That deals
with the problem by avoiding eth0 seeing ARPs for the IP of eth1 and
vice versa.

rick jones
--
portable adj, code that compiles under more than one compiler
these opinions are mine, all mine; HP might not want them anyway...
feel free to post, OR email to rick.jones2 in hp.com but NOT BOTH...

This is all very interesting, but what does it have to do with the OP's
request ?

Rick Jones a écrit :
>
> The weak-end-system-model that Linux employs extends to ARP. As such,
> the ARP code is more than happy to send an ARP reply for any local IP
> out any interface.

Note that this may not be true with IPv6. IPv6 replaces ARP query, which
uses link layer broadcast, with ICMPv6 neighbour solicitation, which
uses link layer multicast. An interface is set to listen to link layer
multicast addresses which depend on the low order part of the IPv6
addresses assigned to it, so it may not reply to neighbour solicitation
for an IPv6 address assigned to another interface.

Pascal Hambourg <boite-a-(E-Mail Removed)> wrote:
> This is all very interesting, but what does it have to do with the OP's
> request ?

Perhaps I over-interpreted what was presented, but it sounded like the
OP wanted to make sure that pings to the IP nominally associated with
one interface were responded to on that interface. Given that IIRC IP
forwarding is already disabled by default under "Linux" the only way I
could see for him to see otherwise would be the business with ARP
responses. That both interfaces were connected to the same switch and
so the same broadcast domain convinced me further that might be at
issue.

rick jones

> Rick Jones a ?crit :
> > The weak-end-system-model that Linux employs extends to ARP. As
> > such, the ARP code is more than happy to send an ARP reply for any
> > local IP out any interface.

> Note that this may not be true with IPv6. IPv6 replaces ARP query,
> which uses link layer broadcast, with ICMPv6 neighbour solicitation,
> which uses link layer multicast. An interface is set to listen to
> link layer multicast addresses which depend on the low order part of
> the IPv6 addresses assigned to it, so it may not reply to neighbour
> solicitation for an IPv6 address assigned to another interface.

Good. This behavior of ARP in Linux has been a PITA for me for longer
than I care to recount

rick jones
--
The computing industry isn't as much a game of "Follow The Leader" as
it is one of "Ring Around the Rosy" or perhaps "Duck Duck Goose."
- Rick Jones
these opinions are mine, all mine; HP might not want them anyway...
feel free to post, OR email to rick.jones2 in hp.com but NOT BOTH...

Rick Jones a écrit :
> Pascal Hambourg <boite-a-(E-Mail Removed)> wrote:
>
>>This is all very interesting, but what does it have to do with the OP's
>>request ?
>
> Perhaps I over-interpreted what was presented, but it sounded like the
> OP wanted to make sure that pings to the IP nominally associated with
> one interface were responded to on that interface.

My understanding was that the OP wanted *locally generated* traffic sent
to a local address to be sent through an ethernet interface and received
back through the other ethernet interface, instead of going through the
loopback interface.

> Given that IIRC IP
> forwarding is already disabled by default under "Linux"

Even if you're right, what does IP forwarding have to do with it ?
Received traffic for any local destination is never forwarded,
regardless of whether the weak model is in use.

>>>The weak-end-system-model that Linux employs extends to ARP. As
>>>such, the ARP code is more than happy to send an ARP reply for any
>>>local IP out any interface.
>
>>Note that this may not be true with IPv6.
>
> Good. This behavior of ARP in Linux has been a PITA for me for longer
> than I care to recount

Actually it is getting worse with IPv6, because whether the weak model
applies to neighbour discovery or not depends on the addresses. For
example, if two IPv6 addresses with the same low order part are assigned
to two different interfaces, then the two interfaces will listen to the
same link layer multicast address and thus will reply to neighbour
solicitation for either IPv6 address.

Pascal Hambourg <boite-a-(E-Mail Removed)> wrote:
> My understanding was that the OP wanted *locally generated* traffic
> sent to a local address to be sent through an ethernet interface and
> received back through the other ethernet interface, instead of going
> through the loopback interface.

"Emily Litella" (aka "Oh, never mind..."

If that is what the OP wanted then I believe it cannot be done short
of some unofficial patches that blow the routing code's mind.

> > Given that IIRC IP forwarding is already disabled by default under
> > "Linux"

> Even if you're right, what does IP forwarding have to do with it ?
> Received traffic for any local destination is never forwarded,
> regardless of whether the weak model is in use.

I got fixated by my ARP experience.

> > Good. This behavior of ARP in Linux has been a PITA for me for
> > longer than I care to recount

> Actually it is getting worse with IPv6, because whether the weak
> model applies to neighbour discovery or not depends on the
> addresses. For example, if two IPv6 addresses with the same low
> order part are assigned to two different interfaces, then the two
> interfaces will listen to the same link layer multicast address and
> thus will reply to neighbour solicitation for either IPv6 address.

Well, that will be fun...

rick jones
--
No need to believe in either side, or any side. There is no cause.
There's only yourself. The belief is in your own precision. - Jobert
these opinions are mine, all mine; HP might not want them anyway...
feel free to post, OR email to rick.jones2 in hp.com but NOT BOTH...

On May 27, 10:32*am, Rick Jones <rick.jon...@hp.com> wrote:

> > I don't believe it's sensible or possible. Linux uses a model where
> > IP addresses are assigned to machines, not to interfaces.

> It can be quite sensible - Linux's very braod application of the weak
> end-system-model doesn't match all desires.

I didn't mean to imply that it's not reasonable to want a different
model. I'm just saying that given that Linux has the model it is,
trying to do what the OP is trying to do is really not sensible. You
might be able to make some ugly hack to get it to work, but I know
others have tried and given up. Linux has deep-rooted assumptions that
this kind of thing violates.

DS

(E-Mail Removed) wrote:
> I've a Linux PC with 2 NICs eth0 and eth1 configured with IP 10.0.0.1
> and 20.0.0.1 respectively.
>
> |-------------------|
> eth0 (10.0.0.1) ------------| |
> | L2 SWITCH |
> | |
> eth1 (20.0.0.1) ------------| |
> |-------------------|
>
> I want to disable local routing between eth0 and eth1 so that whenever
> I ping 20.0.0.1 from PC console, ICMP packets should come out of
> interface eth0 and should reach eth1 through connected switch.
>
> Similarly, whenever I ping 10.0.0.1 from PC console, ICMP packets
> should come out of interface eth1 and should reach eth0 through
> connected switch.
>
> How can I do it using iptables, if at all possible?
>
> Thanks in advance.
It will use the switch if you "ping -I eth0 20.0.0.1". Ping alone is
using the loopback (127.0.0.1), since the destination is on the same
machine.