Linux Routing


Posted by billdangerous@gmail.com on 09-11-2008, 09:58 AM

Hello,

I have a little problem on a Linux computer that I will name L1.
This computer has two network interfaces connected to two different
networks:
- eth0 : 192.168.0.1/24
- eth1 : 192.168.1.1/24

I don't want any routing between these two networks. So a computer
(named C1) from the first network cannot ping a computer (named C2)
from the other network.
I have no iptables rules set on my L1 computer. The
/proc/sys/net/ipv4/ip_forward parameter is set to 0.
For the moment, everything is ok.

My problem is that C1 is able to ping the 192.168.1.1 IP address of L1
even if it is not in the same network. (The default gateway of C1 is
L1).
My goal is to hide as much information about L1 as possible from other
computers (without iptables). So I would like L1 not to reply to IP
packets destined to 192.168.1.1 if they arrive on the eth0 interface,
and L1 not to reply to IP packets destined to 192.168.0.1 if they
arrive on eth1.

I thought that the rp_filter kernel parameter
(http://www.mjmwired.net/kernel/Documentation/networking/ip-sysctl.txt#692)
would have helped me, but it seems to do nothing for my problem.

I have of course two solutions to solve it:
- The first is to set iptables rules, but I would like to do without.
- The second is to delete the default gateways of C1/C2, but these
computers don't belong to me, so I can't.

If you have a third solution, it would be very helpful.

Thank you in advance!

Posted by Pascal Hambourg on 09-11-2008, 10:25 AM

Hello,

(E-Mail Removed) wrote:
>
> My problem is that C1 is able to ping the 192.168.1.1 IP address of L1
> even if it is not in the same network. (The default gateway of C1 is
> L1).

That's because Linux enforces the "weak" model. It means that it treats
local addresses the same regardless of the interface they were assigned
to. For more detail, Wikipedia is your friend.

> My goal is to hide as much information about L1 as possible from other
> computers (without iptables). So I would like L1 not to reply to IP
> packets destined to 192.168.1.1 if they arrive on the eth0 interface,
> and L1 not to reply to IP packets destined to 192.168.0.1 if they
> arrive on eth1.
>
> I thought that the rp_filter kernel parameter
> (http://www.mjmwired.net/kernel/Documentation/networking/ip-sysctl.txt#692)
> would have helped me, but it seems to do nothing for my problem.

Indeed. rp_filter only checks that the source address is valid with respect
to the input interface. And it is.

> I have of course two solutions to solve it:
> - The first is to set iptables rules, but I would like to do without.
> - The second is to delete the default gateways of C1/C2, but these
> computers don't belong to me, so I can't.

That would be the best solution as L1 is not a gateway.

> If you have a third solution, it would be very helpful.

You could use routing rules to make the subnets unreachable from each
other. It requires the "ip" command from the iproute package.

# make 192.168.0.0/24 unreachable from eth1
ip rule add to 192.168.0.0/24 iif eth1 unreachable

# make 192.168.1.0/24 unreachable from eth0
ip rule add to 192.168.1.0/24 iif eth0 unreachable

Posted by Pascal Hambourg on 09-11-2008, 10:42 AM

Pascal Hambourg wrote:
>
> You could use routing rules to make the subnets unreachable from each
> other. It requires the "ip" command from the iproute package.
>
> # make 192.168.0.0/24 unreachable from eth1
> ip rule add to 192.168.0.0/24 iif eth1 unreachable
>
> # make 192.168.1.0/24 unreachable from eth0
> ip rule add to 192.168.1.0/24 iif eth0 unreachable

Note: "unreachable" will send an ICMP "destination unreachable" error
back to the sender. If you prefer not to send any ICMP error message,
replace "unreachable" with "blackhole".
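The following script is an added example that illustrates the `ip rule` recipe from the 10:25 reply and the unreachable/blackhole choice from the 10:42 reply; it is not code posted by either participant. It uses the interface names and prefixes from the original post, assumes the `ip` command from iproute2 and root privileges for the apply step, and treats 192.168.0.50 as an assumed address for C1. One point the recipe leaves implicit: `ip rule add` without `pref` lands the rule at 32765 with the default rule set, which is after the `local` table lookup at pref 0, so a packet for 192.168.1.1 arriving on eth0 is still delivered locally before the unreachable rule is consulted. The script therefore re-homes the local lookup at pref 1 and installs the blocking rules at pref 0, which is what the original poster's goal (no reply to the other interface's address) requires, and it includes a check on `ip rule show` output that detects the wrong ordering.

```shell
#!/bin/sh
# Added example (not from the thread): isolate two directly attached subnets
# on a dual-homed Linux host with policy routing, including replies to the
# host's own address on the other interface. Interface names and prefixes
# are those from the post; C1's address 192.168.0.50 is an assumption.
set -eu

IF0=eth0; NET0=192.168.0.0/24
IF1=eth1; NET1=192.168.1.0/24

# $1: rule action, "unreachable" (ICMP error back to the sender, the default)
# or "blackhole" (silent drop). Needs root and the real interfaces.
# Rules go at pref 0, ahead of the 'local' table lookup: a rule added
# without 'pref' lands at 32765, after 'local', so 192.168.1.1 arriving
# on eth0 would still be delivered and answered.
apply_isolation() {
    action=${1:-unreachable}
    # Re-home the 'local' lookup at pref 1, then retire the original at pref 0.
    ip -4 rule add pref 1 lookup local
    ip -4 rule del pref 0 lookup local
    # Packets entering eth0 for the eth1 subnet (incl. 192.168.1.1), and vice versa.
    ip -4 rule add pref 0 to "$NET1" iif "$IF0" "$action"
    ip -4 rule add pref 0 to "$NET0" iif "$IF1" "$action"
}

# Pure check on 'ip -4 rule show' output passed as $1, so it can be run
# offline on saved output. Succeeds only if, for both directions, a blocking
# rule for the (iif, destination subnet) pair exists and is listed before
# the 'lookup local' rule.
rules_isolate_subnets() {
    out=$1
    local_line=$(printf '%s\n' "$out" | grep -n 'lookup local' | head -n1 | cut -d: -f1)
    [ -n "$local_line" ] || return 1
    for pair in "$IF0 $NET1" "$IF1 $NET0"; do
        set -- $pair    # $1 = input interface, $2 = destination subnet
        block_line=$(printf '%s\n' "$out" | grep -nF "to $2 iif $1 " \
            | grep -E 'unreachable|blackhole|prohibit' | head -n1 | cut -d: -f1)
        [ -n "$block_line" ] && [ "$block_line" -lt "$local_line" ] || return 1
    done
    return 0
}

# Live check (root): rule ordering is right, and a route lookup for a packet
# from C1 (assumed 192.168.0.50) entering eth0 for L1's eth1 address fails
# ("No route to host" with unreachable, an error as well with blackhole).
verify_live() {
    rules_isolate_subnets "$(ip -4 rule show)" || return 1
    if ip route get 192.168.1.1 from 192.168.0.50 iif "$IF0" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Usage (as root): sh isolate.sh apply [unreachable|blackhole]
case "${1:-}" in
    apply) apply_isolation "${2:-unreachable}" && verify_live && echo "subnets isolated" ;;
esac
```

The rules are not persistent; re-run the apply step from your network setup scripts on boot. `rules_isolate_subnets` accepts `prohibit` as well, which answers with an administratively-prohibited ICMP error instead of host-unreachable.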

Posted by billdangerous@gmail.com on 09-11-2008, 12:08 PM

Thanks a lot for all this great information!

Posted by Mark Hobley on 09-11-2008, 01:07 PM

(E-Mail Removed) wrote:

> - eth0 : 192.168.0.1/24
> - eth1 : 192.168.1.1/24
Is your subnet mask set to 255.255.255.0 on all devices?

Mark.

--
Mark Hobley,
393 Quinton Road West,
Quinton, BIRMINGHAM.
B32 1QE.

Posted by billdangerous@gmail.com on 09-11-2008, 01:53 PM

> Is your subnet mask set to 255.255.255.0 on all devices?

Yes it is.
More information about host models can be found here:
http://en.wikipedia.org/wiki/Host_model
It seems that it is not possible to change the Linux behavior into a
strong (strict?) model, as opposed to *BSD and other Unixes like
Solaris and HP-UX.