disable local routing between eth0 and eth1 - iptables

Discussion in 'Linux Networking' started by astonishs, May 27, 2008.

  1. astonishs (Guest)

    I have a Linux PC with 2 NICs, eth0 and eth1, configured with IP
    and respectively.

    eth0 ( ------------| |
    | L2 SWITCH |
    | |
    eth1 ( ------------| |

    I want to disable local routing between eth0 and eth1 so that whenever
    I ping from PC console, ICMP packets should come out of
    interface eth0 and should reach eth1 through connected switch.

    Similarly, whenever I ping from PC console, ICMP packets
    should come out of interface eth1 and should reach eth0 through
    connected switch.

    How can I do it using iptables, if at all possible?

    Thanks in advance.
    astonishs, May 27, 2008

  2. Hello,

    wrote:
    There is no such "local routing between eth0 and eth1". Local routing in
    the Linux kernel involves only the loopback interface.
    AFAIK it is not possible to override local routing with advanced routing
    on a pristine Linux kernel, because local routing has the highest
    priority. However this may be possible with NAT, by changing the local
    destination into a non local destination on output and vice versa on input.
    Pascal Hambourg, May 27, 2008

  3. I don't believe it's sensible or possible. Linux uses a model where IP
    addresses are assigned to machines, not to interfaces.

    David Schwartz, May 27, 2008
  4. Rick Jones (Guest)

    It can be quite sensible - Linux's very broad application of the weak
    end-system model doesn't match all desires.

    IIRC actual IP forwarding _is_ disabled by default in Linux - however,
    you can check sysctl -a | grep forward to see the current setting and
    what might need/want to be changed. On most (?) distros you would
    then edit /etc/sysctl.conf to make that "stick" across reboots.

    The weak-end-system-model that Linux employs extends to ARP. As such,
    the ARP code is more than happy to send an ARP reply for any local IP
    out any interface. So, if you check your local ARP tables on the
    system from which you are sending pings you will probably find that
    the IP for the one interface is associated with the MAC (ethernet)
    address of the other.

    So, when you connect two interfaces to the same switch, even if you
    configure them in separate IP subnets, you have no idea which one will
    be given-out in the ARP replies.

    There are at least two ways to deal with the issue, you can use one,
    the other, or even both.

    If you sysctl -a | grep ignore and then set the default version of
    that sysctl to "1", on the next ifconfigs (i.e. after a reboot) it
    should propagate to all the interfaces. Or, if you don't want to
    bounce the system, you can set the interface-specific ones by hand and
    just put the default one into the sysctl.conf file.

    The other option which could deal with this issue is to use VLANs -
    this would need to propagate through your entire broadcast domain
    (sets of switches and hosts on the same (logical) side of a router).
    You would then have in effect more than one LAN - in the context of
    the OP's diagram it would be as if eth0 and eth1 were connected to
    separate switches which were not bridged at layer two. That deals
    with the problem by avoiding eth0 seeing ARPs for the IP of eth1 and
    vice versa.

    rick jones
    Rick Jones, May 27, 2008
  5. This is all very interesting, but what does it have to do with the OP's
    request ?

    Rick Jones wrote:
    Note that this may not be true with IPv6. IPv6 replaces ARP query, which
    uses link layer broadcast, with ICMPv6 neighbour solicitation, which
    uses link layer multicast. An interface is set to listen to link layer
    multicast addresses which depend on the low order part of the IPv6
    addresses assigned to it, so it may not reply to neighbour solicitation
    for an IPv6 address assigned to another interface.
    Pascal Hambourg, May 27, 2008
  6. Rick Jones (Guest)

    Perhaps I over-interpreted what was presented, but it sounded like the
    OP wanted to make sure that pings to the IP nominally associated with
    one interface were responded to on that interface. Given that IIRC IP
    forwarding is already disabled by default under "Linux" the only way I
    could see for him to see otherwise would be the business with ARP
    responses. That both interfaces were connected to the same switch and
    so the same broadcast domain convinced me further that might be at

    rick jones
    Good. This behavior of ARP in Linux has been a PITA for me for longer
    than I care to recount :)

    rick jones
    The computing industry isn't as much a game of "Follow The Leader" as
    it is one of "Ring Around the Rosy" or perhaps "Duck Duck Goose."
    - Rick Jones
    these opinions are mine, all mine; HP might not want them anyway... :)
    feel free to post, OR email to rick.jones2 in hp.com but NOT BOTH...
    Rick Jones, May 27, 2008
  7. Rick Jones wrote:
    My understanding was that the OP wanted *locally generated* traffic sent
    to a local address to be sent through an ethernet interface and received
    back through the other ethernet interface, instead of going through the
    loopback interface.
    Even if you're right, what does IP forwarding have to do with it ?
    Received traffic for any local destination is never forwarded,
    regardless of whether the weak model is in use.
    Actually it is getting worse with IPv6, because whether the weak model
    applies to neighbour discovery or not depends on the addresses. For
    example, if two IPv6 addresses with the same low order part are assigned
    to two different interfaces, then the two interfaces will listen to the
    same link layer multicast address and thus will reply to neighbour
    solicitation for either IPv6 address.
    Pascal Hambourg, May 28, 2008
  8. Rick Jones (Guest)

    "Emily Litella" (aka "Oh, never mind..." :)

    If that is what the OP wanted then I believe it cannot be done short
    of some unofficial patches that blow the routing code's mind.
    I got fixated by my ARP experience.
    Well, that will be fun...

    rick jones
    Rick Jones, May 28, 2008
  9. I didn't mean to imply that it's not reasonable to want a different
    model. I'm just saying that given that Linux has the model it is,
    trying to do what the OP is trying to do is really not sensible. You
    might be able to make some ugly hack to get it to work, but I know
    others have tried and given up. Linux has deep-rooted assumptions that
    this kind of thing violates.

    David Schwartz, May 28, 2008
  10. Joe Beasley (Guest)

    It will use the switch if you "ping -I eth0". Ping alone is
    using the loopback (, since the destination is on the same
    Joe Beasley, May 28, 2008
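The following script is an added example and is not code from any poster in this thread. It puts together the checks Rick Jones describes in post 4 (the ip_forward and arp_ignore sysctls, made persistent through a sysctl file) and the "ping -I eth0" from Joe Beasley's post 10, and adds a check with "ip route get" that shows what Pascal Hambourg means by local routing over lo. The interface names eth0 and eth1 are taken from the original post; the addresses 192.0.2.1 (eth0) and 198.51.100.1 (eth1) are constructed placeholders from the documentation ranges; /etc/sysctl.d is assumed to be read at boot (use /etc/sysctl.conf as the thread says if your distro only has that). The accept_local and rp_filter settings in the last step are not mentioned in the thread: they exist on kernels newer than this 2008 discussion and are needed there because the echo request arrives on eth1 carrying one of the host's own addresses as source.

```shell
#!/bin/sh
# Added example for the settings discussed in this thread; not code from any
# of the posters. eth0/eth1 come from the original post; 192.0.2.1 (eth0) and
# 198.51.100.1 (eth1) are constructed placeholder addresses; /etc/sysctl.d is
# assumed to be loaded at boot.
set -u

# Render the sysctl lines that make each NIC answer ARP only for addresses
# configured on the NIC the request arrived on (arp_ignore=1). "all" and
# "default" are included so interfaces brought up later inherit the setting.
arp_ignore_conf() {
    printf 'net.ipv4.conf.all.arp_ignore = 1\n'
    printf 'net.ipv4.conf.default.arp_ignore = 1\n'
    for ifc in "$@"; do
        printf 'net.ipv4.conf.%s.arp_ignore = 1\n' "$ifc"
    done
}

# Outgoing device named in one line of "ip route get <addr>" output.
# Local addresses show "dev lo": that is the local delivery the OP wants to avoid.
route_dev() {
    _dev=""
    set -- $1
    while [ $# -gt 1 ]; do
        if [ "$1" = dev ]; then _dev=$2; break; fi
        shift
    done
    echo "$_dev"
}

# True when the kernel will deliver a packet for this route line over lo,
# i.e. it never reaches the switch no matter what iptables rules are loaded.
route_is_local() {
    case "$1" in local\ *) return 0 ;; esac
    [ "$(route_dev "$1")" = lo ]
}

main() {
    addr0=$1   # address configured on eth0
    addr1=$2   # address configured on eth1

    # 1. The forwarding check from post 4 (0 = off, the usual default).
    #    Forwarding is unrelated to the OP's problem, but it is worth knowing.
    sysctl net.ipv4.ip_forward

    # 2. Show that a plain ping to either local address is routed over lo.
    for a in "$addr0" "$addr1"; do
        line=$(ip route get "$a" | head -n 1)
        if route_is_local "$line"; then
            echo "$a: local route, delivered over lo"
        else
            echo "$a: leaves via $(route_dev "$line")"
        fi
    done

    # 3. Persist and apply arp_ignore=1 for both NICs (needs root).
    arp_ignore_conf eth0 eth1 > /etc/sysctl.d/50-arp-ignore.conf
    sysctl -p /etc/sysctl.d/50-arp-ignore.conf

    # 4. Put the echo request on the wire by binding to eth0 (post 10's
    #    "ping -I eth0"). Not from the thread: on kernels that have it,
    #    accept_local=1 is needed on eth1 because the request arrives there
    #    with one of the host's own addresses as source and is otherwise
    #    dropped as a martian; strict rp_filter drops it for the same reason
    #    (the route back to the source address is lo, not eth1).
    sysctl -w net.ipv4.conf.eth1.accept_local=1
    sysctl -w net.ipv4.conf.all.rp_filter=0 net.ipv4.conf.eth1.rp_filter=0
    ping -c 3 -I eth0 "$addr1"
}

# Run only when asked, so the functions can be sourced and checked without root.
case "${1-}" in
    --apply) main "${2:-192.0.2.1}" "${3:-198.51.100.1}" ;;
esac
```

Run it as root with `sh thisscript.sh --apply <eth0 address> <eth1 address>`. Expect step 2 to print "local route, delivered over lo" for both addresses whatever the iptables configuration, which is the point made in posts 2 and 7. Step 4 gets the request itself across the switch; the echo reply is still addressed to a local address and therefore goes back over lo, so only one direction of the exchange ever leaves the host.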
