physical vs. logical network interfaces

 
 
stf
02-09-2008, 02:28 PM
Hello

I have the following configuration:

(1) A router (R), that has 2 physical network interfaces: eth0 and eth1.
eth0 is connected to my ISP and receives IPv4 address via DHCP, eth1 is
a local network interface with static IPv4 address.

This router is a normal PC computer with GNU/Linux on it (Fedora).

(2) Rest of my local network (N) (only 1 computer currently).

I noticed, that if I connect from within the network (N) to the router
(R) using its public IPv4 address (the one received from ISP on eth0)
then the following happens on router (R):

(a) the packets are seen as if coming on interface eth0; I think so,
because POP3 service is then unreachable, while when using Router's eth1
static IPv4 address everything works fine; so I think they must be
firewalled out.

(b) tcpdump detects the packets on physical interface eth1, NOT eth0.

So, it seems that packets coming on physical eth1 are "on the way"
assigned to "logical eth0" and then get firewalled. On tcpdump level
they are on "eth1", while on iptables level it is already "eth0".

The questions are:

(Q1) Where can I find more information about this distinction between
physical and logical network interfaces in GNU/Linux?

(Q2) Where does this "on the way" logical interface assignment happen?

(Q3) Is it possible for an attacker to send IPv4 packets to Router's
eth0, spoofing IPv4 source address so that it looks like coming from the
local network (N), and this way make those packets assigned to logical
eth1 and get through?

Thanks.

Stanislaw
 
Pascal Hambourg
02-09-2008, 02:40 PM
Hello,

stf wrote:
>
> I have the following configuration:
>
> (1) A router (R), that has 2 physical network interfaces: eth0 and eth1.
> eth0 is connected to my ISP and receives IPv4 address via DHCP, eth1 is
> a local network interface with static IPv4 address.
>
> This router is a normal PC computer with GNU/Linux on it (Fedora).
>
> (2) Rest of my local network (N) (only 1 computer currently).
>
> I noticed, that if I connect from within the network (N) to the router
> (R) using its public IPv4 address (the one received from ISP on eth0)
> then the following happens on router (R):
>
> (a) the packets are seen as if coming on interface eth0; I think so,


No, they're not.

> because POP3 service is then unreachable, while when using Router's eth1
> static IPv4 address everything works fine; so I think they must be
> firewalled out.


This does not mean that packets are "seen as if coming on interface
eth0". It could be just that the POP3 service only listens on the static
LAN address, or the firewall drops incoming traffic for the WAN address
received on the LAN interface, or drops outgoing traffic on the LAN
interface with the WAN source address, etc. etc. It all depends on the
ruleset.

> (b) tcpdump detects the packets on physical interface eth1, NOT eth0.


Of course it does.

> So, it seems that packets coming on physical eth1 are "on the way"
> assigned to "logical eth0"


No.

> and then get firewalled.


Maybe.

> (Q1) Where can I find more information about this distinction between
> physical and logical network interfaces in GNU/Linux?


There are no such "logical vs. physical interfaces". There are just
network interfaces.

> (Q3) Is it possible for an attacker to send IPv4 packets to Router's
> eth0, spoofing IPv4 source address so that it looks like coming from the
> local network (N), and this way make those packets assigned to logical
> eth1


There is no such "logical eth1".

> and get through?


Yes, but proper kernel settings (rp_filter) or source address checking
in iptables rules should prevent it.
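
The reply above names rp_filter as the kernel setting that stops LAN-sourced packets arriving on eth0 (Q3). The following is an added example, not part of the original thread: a shell audit that reports the effective rp_filter mode per interface. The function names and the CONF_ROOT variable are made up for this example.

```shell
#!/bin/sh
# Added example: audit reverse-path filtering (rp_filter) per interface.
# For a packet received on <iface> the kernel applies the larger of
# conf/all/rp_filter and conf/<iface>/rp_filter:
#   0 = off, 1 = strict (route back to the source must use <iface>),
#   2 = loose (source only has to be reachable through some interface).
# Only strict mode drops a packet that claims a LAN source but arrives on
# the WAN interface, because the LAN is still reachable (via eth1).

# Location of the IPv4 per-interface sysctls; override to audit a copy.
CONF_ROOT="${CONF_ROOT:-/proc/sys/net/ipv4/conf}"

# effective_rp_filter IFACE -> prints the mode the kernel actually applies
effective_rp_filter() {
    iface="$1"
    all=$(cat "$CONF_ROOT/all/rp_filter" 2>/dev/null) || all=0
    own=$(cat "$CONF_ROOT/$iface/rp_filter" 2>/dev/null) || return 1
    if [ "$all" -gt "$own" ]; then echo "$all"; else echo "$own"; fi
}

# audit_rp_filter -> one "<iface> <mode>" line per interface;
# returns non-zero if any interface is not in strict mode
audit_rp_filter() {
    rc=0
    for dir in "$CONF_ROOT"/*/; do
        iface=$(basename "$dir")
        case "$iface" in all|default|lo) continue ;; esac
        mode=$(effective_rp_filter "$iface") || continue
        case "$mode" in
            1) echo "$iface strict" ;;
            2) echo "$iface loose"; rc=1 ;;
            *) echo "$iface off"; rc=1 ;;
        esac
    done
    return $rc
}

# Run the audit only when asked, so the file can also be sourced.
if [ "${1:-}" = "--audit" ]; then
    audit_rp_filter
fi
```

Strict mode can be set with `sysctl -w net.ipv4.conf.all.rp_filter=1`; because the kernel takes the maximum, a per-interface value of 0 does not weaken it.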
 
Unruh
02-09-2008, 03:48 PM
stf <(E-Mail Removed)> writes:

>Hello


>I have the following configuration:


>(1) A router (R), that has 2 physical network interfaces: eth0 and eth1.
>eth0 is connected to my ISP and receives IPv4 address via DHCP, eth1 is
>a local network interface with static IPv4 address.


>This router is a normal PC computer with GNU/Linux on it (Fedora).


>(2) Rest of my local network (N) (only 1 computer currently).


>I noticed, that if I connect from within the network (N) to the router
>(R) using its public IPv4 address (the one received from ISP on eth0)
>then the following happens on router (R):


Unless you set it up that way, that is NOT its address on the internal
network, so your system will have no way to connect. Why do you want to do
that? Just give your "router" its own static address (10.0.0.1) on eth1,
and use it as the gateway with IP masquerading (using the firewall
software). Make sure you enable IP forwarding on that machine.



>(a) the packets are seen as if coming on interface eth0; I think so,
>because POP3 service is then unreachable, while when using Router's eth1
>static IPv4 address everything works fine; so I think they must be
>firewalled out.


So use what works. That is how it is supposed to work.


>(b) tcpdump detects the packets on physical interface eth1, NOT eth0.


>So, it seems that packets coming on physical eth1 are "on the way"
>assigned to "logical eth0" and then get firewalled. On tcpdump level
>they are on "eth1", while on iptables level it is already "eth0".


Sure. The packet gets delivered to the router. The router looks at the
address and recognizes it as its own address on eth0, so delivers it to
itself.


>The questions are:


>(Q1) Where can I find more information about this distinction between
>physical and logical network interfaces in GNU/Linux?


There is none. You have the wrong concept.
a) IP addresses are not machine addresses, they are addresses for that
machine on a specific connection. A single machine can have 10000 addresses
if it has 10000 connections.
b) The software is smart enough to recognize its own address and thus
delivers the packet to itself without going onto the wire.



>(Q2) Where does this "on the way" logical interface assignment happen?


No idea what this means.


>(Q3) Is it possible for an attacker to send IPv4 packets to Router's
>eth0, spoofing IPv4 source address so that it looks like coming from the
>local network (N), and this way make those packets assigned to logical
>eth1 and get through?


Get through where? They are addressed to that machine. That is their
destination. When your system tries to answer it will answer to those
addresses which are internal addresses.


>Thanks.


>Stanislaw

 
Pascal Hambourg
02-09-2008, 04:14 PM
stf wrote:
>
> On tcpdump level
> they are on "eth1", while on iptables level it is already "eth0".


Oops I skipped this part, replying now.
Both tcpdump and netfilter/iptables see the packets coming from the
interface they actually come from, i.e. eth1.

The iptables ruleset may contain rules filtering source|destination
addresses that don't match the outgoing|incoming interface, such as:

iptables -A INPUT -i eth1 ! -d "$eth1_addr" -j DROP
iptables -A OUTPUT -o eth1 ! -s "$eth1_addr" -j DROP
 