Linux-Bulgaria.ORG

lug-bg: rp_filter || log_martians


  • Subject: lug-bg: rp_filter || log_martians
  • From: zimage@xxxxxxxxx (Theodor Milkov)
  • Date: Mon, 12 Feb 2001 12:16:13 +0200



Hello,

I asked this question recently on linux-net, but it remained unanswered.
Hopefully some of you who do not read linux-net have experience with this task.
The situation is as follows:

 +----------------+
 | Linux box  A   |
 +----------------+
          | xx.xx.xx.21
          |
          | xx.xx.xx.17
 +----------------+ xx.xx.xx.5          +----------------+
 | Linux router-1 | <-----------------> | Linux router-2 |
 +----------------+          xx.xx.xx.6 +----------------+

To begin with, rp_filter is 0 and is not expected to filter packets coming from
the wrong interface.

root@router-1:~# for i in /proc/sys/net/ipv4/conf/*/rp_filter; do echo "0" > $i ;done

root@router-2:~# hping xx.xx.xx.21 --icmp -a xx.xx.xx.19 -c 3

root@box-a:~# tcpdump -p icmp
tcpdump: listening on eth0
22:40:15.458399 xx.xx.xx.19 > xx.xx.xx.21: icmp: echo request
22:40:16.455486 xx.xx.xx.19 > xx.xx.xx.21: icmp: echo request
22:40:17.455806 xx.xx.xx.19 > xx.xx.xx.21: icmp: echo request

So far so good... it is not enabled and it does not work. Exactly as planned ;-)

root@router-1:~# for i in /proc/sys/net/ipv4/conf/*/rp_filter; do echo "1" > $i ;done
root@router-1:~# for i in /proc/sys/net/ipv4/conf/*/log_martians; do echo "1" > $i ;done

root@router-2:~# hping xx.xx.xx.21 --icmp -a xx.xx.xx.19 -c 3

root@box-a:~# tcpdump -p icmp
tcpdump: listening on eth0
22:44:52.515555 xx.xx.xx.19 > xx.xx.xx.21: icmp: echo request
22:44:53.509648 xx.xx.xx.19 > xx.xx.xx.21: icmp: echo request
22:44:54.509775 xx.xx.xx.19 > xx.xx.xx.21: icmp: echo request

Here, however, rp_filter is already 1, but it still does not work... ;/
Maybe we need to flush the routing cache?

root@router-1:~# ip route flush cache

root@router-2:~# hping xx.xx.xx.21 --icmp -a xx.xx.xx.19 -c 3

root@box-a:~# tcpdump -p icmp
tcpdump: listening on eth0

And it worked. However, the filtered packets are supposed to be logged to syslog.
Except they are not. I tried with kernels 2.2.17 and 2.2.18, as well as with
different versions of iproute2 and syslogd/klogd. The result, unfortunately, was
the same. Can anyone comment on this?

Regards


-- 
        =- --rw------- =--=--=--=--=--=--=--=--=--=--=--=--=--=
          Theodor Milkov           Administrator IP Networks
          Davidov Electric Ltd.    Phone: +359 (2) 730158
          PGP: http://www.xx.xx.xx.21/zimage.asc
        =--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=--=


==================================================================
A mail-list of Linux Users Group - Bulgaria (bulgarian linuxers)
Unsubscribing WORKS !!! : Majordomo@xxxxxxxxxxxxxxxxxx UNSUBSCRIBE LUG-BG
http://www.linux-bulgaria.org/ Hosted by Internet Group Ltd. - Stara Zagora
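
An added example, not part of the original message: a shell check that reports, per interface, the effective rp_filter and log_martians state after combining the `all` and per-interface values the way the current kernel ip-sysctl documentation describes (the 2.2 kernels in the message may combine them differently). The `make_sample` tree and its interface names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the post): effective rp_filter / log_martians per interface.
# Rule from the current kernel ip-sysctl documentation (2.2 kernels may differ):
#   rp_filter    = max(conf/all, conf/<iface>)   0 = off, 1 = strict, 2 = loose
#   log_martians = conf/all OR conf/<iface>

read_flag() {   # print the value in a sysctl file, or 0 when it is absent
    if [ -r "$1" ]; then cat "$1"; else echo 0; fi
}

audit_rpf() {   # $1: conf directory; defaults to the live /proc tree
    root="${1:-/proc/sys/net/ipv4/conf}"
    all_rp=$(read_flag "$root/all/rp_filter")
    all_lm=$(read_flag "$root/all/log_martians")
    for dir in "$root"/*/; do
        [ -d "$dir" ] || continue
        iface=$(basename "$dir")
        case "$iface" in all|default) continue ;; esac
        rp=$(read_flag "$dir/rp_filter")
        lm=$(read_flag "$dir/log_martians")
        if [ "$all_rp" -gt "$rp" ]; then rp=$all_rp; fi
        if [ "$all_lm" -ne 0 ]; then lm=1; fi
        if [ "$rp" -eq 0 ]; then state="no reverse-path check"
        elif [ "$lm" -eq 0 ]; then state="drops silent"
        else state="drops logged"
        fi
        printf '%s rp_filter=%s log_martians=%s (%s)\n' "$iface" "$rp" "$lm" "$state"
    done
    return 0
}

make_sample() {   # constructed tree; interface names are hypothetical
    d=$(mktemp -d)
    for i in all default eth0 eth1 eth2; do mkdir -p "$d/$i"; done
    echo 0 > "$d/all/rp_filter";  echo 0 > "$d/all/log_martians"
    echo 1 > "$d/eth0/rp_filter"; echo 1 > "$d/eth0/log_martians"
    echo 1 > "$d/eth1/rp_filter"; echo 0 > "$d/eth1/log_martians"
    echo 0 > "$d/eth2/rp_filter"; echo 0 > "$d/eth2/log_martians"
    echo "$d"
}

sample=$(make_sample)
audit_rpf "$sample"
rm -rf "$sample"
```

Called with no argument, `audit_rpf` reads the live `/proc/sys/net/ipv4/conf` tree.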



 


Mailing list messages are © Copyright their authors.