physical vs. logical network interfaces

Discussion in 'Linux Networking' started by stf, Feb 9, 2008.

  1. stf

    stf Guest

    Hello

    I have the following configuration:

    (1) A router (R), that has 2 physical network interfaces: eth0 and eth1.
    eth0 is connected to my ISP and receives IPv4 address via DHCP, eth1 is
    a local network interface with static IPv4 address.

    This router is a normal PC computer with GNU/Linux on it (Fedora).

    (2) Rest of my local network (N) (only 1 computer currently).

    I noticed that if I connect from within the network (N) to the router
    (R) using its public IPv4 address (the one received from the ISP on eth0),
    then the following happens on router (R):

    (a) the packets are seen as if coming on interface eth0; I think so,
    because POP3 service is then unreachable, while when using Router's eth1
    static IPv4 address everything works fine; so I think they must be
    firewalled out.

    (b) tcpdump detects the packets on physical interface eth1, NOT eth0.

    So, it seems that packets coming on physical eth1 are "on the way"
    assigned to "logical eth0" and then get firewalled. On tcpdump level
    they are on "eth1", while on iptables level it is already "eth0".

    The questions are:

    (Q1) Where can I find more information about this distinction between
    physical and logical network interfaces in GNU/Linux?

    (Q2) Where does this "on the way" logical interface assignment happen?

    (Q3) Is it possible for an attacker to send IPv4 packets to Router's
    eth0, spoofing the IPv4 source address so that it looks like it is coming
    from the local network (N), and this way make those packets assigned to
    logical eth1 and get through?

    Thanks.

    Stanislaw
     
    stf, Feb 9, 2008
    #1

  2. Hello,

    stf wrote:
    No, they're not.
    This does not mean that packets are "seen as if coming on interface
    eth0". It could be just that the POP3 service only listens on the static
    LAN address, or the firewall drops incoming traffic for the WAN address
    received on the LAN interface, or drops outgoing traffic on the LAN
    interface with the WAN source address, etc. etc. It all depends on the
    ruleset.
    Of course it does.
    There are not such "logical vs. physical interfaces". There are just
    network interfaces.
    There is no such "logical eth1".
    Yes, but proper kernel settings (rp_filter) or source address checking
    in iptables rules should prevent it.
     
    Pascal Hambourg, Feb 9, 2008
    #2

  3. Unruh

    Unruh Guest

    Unless you set it up that way, that is NOT its address on the internal
    network, so your system will have no way to connect. Why do you want to do
    that? Just give your "router" its own static address (10.0.0.1) on eth1,
    and use it as the gateway with IP masquerading (using the firewall
    software). Make sure you enable IP forwarding on that machine.


    So use what works. That is how it is supposed to work.

    Sure. The packet gets delivered to the router. The router looks at the
    address and recognizes it as its own address on eth0, so delivers it to
    itself.

    There is none. You have the wrong concept.
    a) IP addresses are not machine addresses; they are addresses for that
    machine on a specific connection. A single machine can have 10000 addresses
    if it has 10000 connections.
    b) The software is smart enough to recognize its own address and thus
    delivers the packet to itself without going onto the wire.


    No idea what this means.

    Get through where? They are addresses to that machine. That is their
    destination. When your system tries to answer it will answer to those
    addresses which are internal addresses.
     
    Unruh, Feb 9, 2008
    #3
  4. stf wrote:
    Oops I skipped this part, replying now.
    Both tcpdump and netfilter/iptables see the packets coming from the
    interface they actually come from, i.e. eth1.

    The iptables ruleset may contain rules filtering source|destination
    addresses that don't match the outgoing|incoming interface, such as:

    # drop anything entering eth1 that is not addressed to eth1's own address
    iptables -A INPUT -i eth1 ! -d $eth1_addr -j DROP
    # drop anything leaving eth1 whose source is not eth1's own address
    iptables -A OUTPUT -o eth1 ! -s $eth1_addr -j DROP
     
    Pascal Hambourg, Feb 9, 2008
    #4
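Pascal's two replies (#2 and #4) name the two mechanisms that decide what happens to such a packet on R: the kernel's reverse-path filter (rp_filter) and interface/address consistency rules in iptables. The Python model below is an added example written for this thread, not code from any of the posters. The topology, the addresses (203.0.113.0/24 standing in for the WAN, 192.168.1.0/24 for the LAN) and the rule names are constructed, and the routing lookup is a simplified longest-prefix match standing in for the kernel's FIB. It shows why the OP's LAN-to-WAN-address connection can fail on the INPUT or the OUTPUT side even though the packet genuinely arrives on eth1, and why a packet with a spoofed LAN source arriving on eth0 (Q3) is dropped by strict rp_filter before any iptables rule is consulted.

```python
import ipaddress

# Constructed example topology for router R (not from the thread):
# eth0 = WAN side, eth1 = LAN side. Addresses use RFC 5737 / RFC 1918 ranges.
ADDRS = {"eth0": "203.0.113.5", "eth1": "192.168.1.1"}
ROUTES = [
    ("0.0.0.0/0", "eth0"),        # default route towards the ISP
    ("203.0.113.0/24", "eth0"),   # directly connected WAN subnet
    ("192.168.1.0/24", "eth1"),   # directly connected LAN subnet
]


def route_iface(dst: str) -> str:
    """Longest-prefix match over ROUTES: the interface R would use to reach dst."""
    ip = ipaddress.ip_address(dst)
    best_net, best_iface = None, None
    for prefix, iface in ROUTES:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    return best_iface


def rp_filter_ok(in_iface: str, src: str) -> bool:
    """Strict reverse-path check (net.ipv4.conf.<if>.rp_filter = 1): accept only
    if the route back to the packet's source leaves via the arrival interface."""
    return route_iface(src) == in_iface


def input_rule(in_iface: str, dst: str) -> str:
    """Model of Pascal's rule: iptables -A INPUT -i eth1 ! -d $eth1_addr -j DROP"""
    if in_iface == "eth1" and dst != ADDRS["eth1"]:
        return "DROP"
    return "ACCEPT"


def output_rule(out_iface: str, src: str) -> str:
    """Model of Pascal's rule: iptables -A OUTPUT -o eth1 ! -s $eth1_addr -j DROP"""
    if out_iface == "eth1" and src != ADDRS["eth1"]:
        return "DROP"
    return "ACCEPT"


def inbound_verdict(in_iface: str, src: str, dst: str) -> str:
    """Fate of a packet arriving on in_iface from src to dst: rp_filter runs in the
    routing code before netfilter's INPUT chain sees the packet."""
    if not rp_filter_ok(in_iface, src):
        return "DROP (rp_filter)"
    if input_rule(in_iface, dst) == "DROP":
        return "DROP (INPUT rule)"
    return "ACCEPT"


def reply_verdict(src: str, dst: str) -> str:
    """The reply to an accepted packet swaps the addresses: it leaves towards src
    carrying dst as its own source, so the OUTPUT rule sees (route_iface(src), dst).
    This is the second failure mode Pascal mentions in #2."""
    out_iface = route_iface(src)
    if output_rule(out_iface, dst) == "DROP":
        return "DROP (OUTPUT rule)"
    return "ACCEPT via " + out_iface


if __name__ == "__main__":
    lan_host, wan_peer = "192.168.1.50", "198.51.100.7"   # constructed hosts
    cases = [
        ("LAN host -> WAN address, arrives on eth1 (the OP's case)", "eth1", lan_host, ADDRS["eth0"]),
        ("LAN host -> LAN address, arrives on eth1 (what works)",    "eth1", lan_host, ADDRS["eth1"]),
        ("spoofed LAN source arriving on eth0 (Q3)",                  "eth0", lan_host, ADDRS["eth0"]),
        ("ordinary WAN peer arriving on eth0",                        "eth0", wan_peer, ADDRS["eth0"]),
    ]
    for label, iface, src, dst in cases:
        print(f"{label}: {inbound_verdict(iface, src, dst)}")
    print("reply to the OP's case if INPUT had allowed it:",
          reply_verdict(lan_host, ADDRS["eth0"]))
```

Nothing in the model assigns a "logical" interface: every decision is made from the real arrival interface plus the routing table, which is Pascal's point. On a real Fedora box the equivalent setting is `sysctl net.ipv4.conf.all.rp_filter`, where 1 is the strict mode modelled here and 2 is the loose mode that only requires the source to be reachable via some interface, so loose mode would not give the Q3 protection shown above.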
