* icmp redirect
@ 2002-07-10 17:11 Jan Humme
  2002-07-10 17:39 ` Ramin Alidousti
  2002-07-10 17:46 ` Antony Stone
  0 siblings, 2 replies; 8+ messages in thread
From: Jan Humme @ 2002-07-10 17:11 UTC (permalink / raw)
  To: netfilter

I am developing an application that will eventually run on a PC with two 
ethernet cards; unfortunately the development PC that I use has only one 
ethernet card (eth0) and no available slots (except for one that I need for 
another purpose).

Doesn't matter, during the development I can have both applications use eth0 
instead, if I can only stop the icmp redirect messages that the kernel sends 
back to the source, whenever it finds out that it is forwarding a packet via 
the same eth0 interface on which it came in.

Of course, I can choke the icmp redirect message using iptables, but is there 
a better (proper) way, to prevent the message from being generated?

Jan Humme.



* Re: icmp redirect
  2002-07-10 17:11 icmp redirect Jan Humme
@ 2002-07-10 17:39 ` Ramin Alidousti
  2002-07-10 17:48   ` Jan Humme
  2002-07-10 17:46 ` Antony Stone
  1 sibling, 1 reply; 8+ messages in thread
From: Ramin Alidousti @ 2002-07-10 17:39 UTC (permalink / raw)
  To: Jan Humme; +Cc: netfilter

On Wed, Jul 10, 2002 at 07:11:21PM +0200, Jan Humme wrote:

> I am developing an application that will eventually run on a PC with two 
> ethernet cards; unfortunately the development PC that I use has only one 
> ethernet card (eth0) and no available slots (except for one that I need for 
> another purpose).
> 
> Doesn't matter, during the development I can have both applications use eth0 
> instead, if I can only stop the icmp redirect messages that the kernel sends 
> back to the source, whenever it finds out that it is forwarding a packet via 
> the same eth0 interface on which it came in.
> 
> Of course, I can choke the icmp redirect message using iptables, but is there 
> a better (proper) way, to prevent the message from being generated?

On the sending host:
# for f in /proc/sys/net/ipv4/conf/*/send_redirects; do echo 0 > "$f"; done

On the receiving host:
# for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do echo 0 > "$f"; done

should do it.

Ramin

> 
> Jan Humme.
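
Ramin's loop over every directory under /proc/sys/net/ipv4/conf matters more
than it looks. The kernel combines conf/all with conf/<interface>, and for
send_redirects it is a logical OR (for accept_redirects it is an AND only while
forwarding is on for that interface, otherwise an OR), so zeroing conf/all alone
leaves an interface that was enabled individually still sending or accepting
redirects. The script below is an added example, not code from the thread: it
parses `sysctl -a` style text (the sample is constructed, interface names and
values are made up), reports which interfaces still effectively send or accept
redirects using the combination rules as I read them in
Documentation/networking/ip-sysctl.rst, and renders a /etc/sysctl.d fragment that
covers all, default and each named interface, the persistent counterpart of the
echo loop.

```python
"""Audit ICMP redirect sysctls the way the kernel combines them.

Added example, not code from the thread. Input is `sysctl -a` style text;
the sample at the bottom is constructed. Combination rules are my reading of
Documentation/networking/ip-sysctl.rst for conf/{all,<if>}/*.
"""
import re
from typing import Dict, List, Tuple

# sysctl prints '/' in place of '.' inside interface names, so [^.]+ suffices.
LINE_RE = re.compile(r"^net\.ipv4\.conf\.([^.]+)\.(\w+)\s*=\s*(\d+)\s*$")

# Knobs where the interface is effectively ON if conf/all OR conf/<if> is on.
OR_KEYS = ("send_redirects", "secure_redirects", "shared_media")


def parse_sysctl(text: str) -> Dict[str, Dict[str, int]]:
    """Return {iface: {key: value}} for every net.ipv4.conf.* line."""
    conf: Dict[str, Dict[str, int]] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            iface, key, val = m.groups()
            conf.setdefault(iface, {})[key] = int(val)
    return conf


def effective(conf: Dict[str, Dict[str, int]], iface: str, key: str) -> int:
    """Value the kernel actually uses for `key` on `iface`.

    accept_redirects: all AND <if> when forwarding is on for that interface,
    all OR <if> when it is off. send/secure_redirects, shared_media: all OR <if>.
    Anything else: the per-interface value.
    """
    a = conf.get("all", {}).get(key, 0)
    i = conf.get(iface, {}).get(key, 0)
    if key == "accept_redirects":
        forwarding = conf.get(iface, {}).get("forwarding", 0)
        return int(bool(a and i)) if forwarding else int(bool(a or i))
    if key in OR_KEYS:
        return int(bool(a or i))
    return i


def audit(text: str) -> List[Tuple[str, str]]:
    """(iface, key) pairs where redirects are still effectively sent/accepted."""
    conf = parse_sysctl(text)
    findings = []
    for iface in conf:
        if iface in ("all", "default"):     # templates, not real interfaces
            continue
        for key in ("send_redirects", "accept_redirects"):
            if effective(conf, iface, key):
                findings.append((iface, key))
    return sorted(findings)


def sysctl_d_fragment(ifaces: List[str]) -> str:
    """Persistent equivalent of the echo loop over conf/*: all, default and
    every named interface get both knobs set to 0."""
    lines = [f"net.ipv4.conf.{iface}.{key} = 0"
             for iface in ["all", "default", *ifaces]
             for key in ("send_redirects", "accept_redirects")]
    return "\n".join(lines) + "\n"


# Constructed: conf/all was zeroed, but eth0 had been enabled individually and
# eth1 (forwarding off) still accepts because the rule there is OR.
SAMPLE = """\
net.ipv4.conf.all.forwarding = 1
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.eth0.forwarding = 1
net.ipv4.conf.eth0.send_redirects = 1
net.ipv4.conf.eth0.accept_redirects = 1
net.ipv4.conf.eth1.forwarding = 0
net.ipv4.conf.eth1.send_redirects = 0
net.ipv4.conf.eth1.accept_redirects = 1
"""

if __name__ == "__main__":
    for iface, key in audit(SAMPLE):
        print(f"{iface}: {key} still effectively enabled")
    print(sysctl_d_fragment(["eth0", "eth1"]), end="")
```

Run against real output with `sysctl -a 2>/dev/null | python3 audit.py`-style
piping once `SAMPLE` is replaced by `sys.stdin.read()`; on the constructed
sample it flags eth0 for send_redirects and eth1 for accept_redirects even
though conf/all is already 0 for both.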



* Re: icmp redirect
  2002-07-10 17:11 icmp redirect Jan Humme
  2002-07-10 17:39 ` Ramin Alidousti
@ 2002-07-10 17:46 ` Antony Stone
  2002-07-10 18:31   ` Jan Humme
  1 sibling, 1 reply; 8+ messages in thread
From: Antony Stone @ 2002-07-10 17:46 UTC (permalink / raw)
  To: netfilter

On Wednesday 10 July 2002 6:11 pm, Jan Humme wrote:

> I am developing an application that will eventually run on a PC with two
> ethernet cards; unfortunately the development PC that I use has only one
> ethernet card (eth0) and no available slots (except for one that I need for
> another purpose).
>
> Doesn't matter, during the development I can have both applications use
> eth0 instead, if I can only stop the icmp redirect messages that the kernel
> sends back to the source, whenever it finds out that it is forwarding a
> packet via the same eth0 interface on which it came in.
>
> Of course, I can choke the icmp redirect message using iptables, but is
> there a better (proper) way, to prevent the message from being generated?

Does it help if you put two addresses onto eth0 from different subnets (eg 
192.168.0.1 and 172.16.0.1) so that icmp redirect is no longer appropriate 
(because this is used only between machines on a single subnet) ?

Then your other machines which are talking to it can pretend that one address 
is eth0 and the other address is eth1.

 

Antony.



* Re: icmp redirect
  2002-07-10 17:39 ` Ramin Alidousti
@ 2002-07-10 17:48   ` Jan Humme
  0 siblings, 0 replies; 8+ messages in thread
From: Jan Humme @ 2002-07-10 17:48 UTC (permalink / raw)
  To: Ramin Alidousti, Jan Humme; +Cc: netfilter

On Wednesday 10 July 2002 19:39, Ramin Alidousti wrote:
> On Wed, Jul 10, 2002 at 07:11:21PM +0200, Jan Humme wrote:
> > I am developing an application that will eventually run on a PC with two
> > ethernet cards; unfortunately the development PC that I use has only one
> > ethernet card (eth0) and no available slots (except for one that I need
> > for another purpose).
> >
> > Doesn't matter, during the development I can have both applications use
> > eth0 instead, if I can only stop the icmp redirect messages that the
> > kernel sends back to the source, whenever it finds out that it is
> > forwarding a packet via the same eth0 interface on which it came in.
> >
> > Of course, I can choke the icmp redirect message using iptables, but is
> > there a better (proper) way, to prevent the message from being generated?
>
> On the sending host:
> # for f in /proc/sys/net/ipv4/conf/*/send_redirects; do echo 0 > "$f"; done
>
> On the receiving host:
> # for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do echo 0 > "$f"; done
>
> should do it.

Thanks a lot; I knew there was an elegant way :-) !

Jan Humme.



* Re: icmp redirect
  2002-07-10 17:46 ` Antony Stone
@ 2002-07-10 18:31   ` Jan Humme
  0 siblings, 0 replies; 8+ messages in thread
From: Jan Humme @ 2002-07-10 18:31 UTC (permalink / raw)
  To: Antony Stone, netfilter

On Wednesday 10 July 2002 19:46, Antony Stone wrote:
> On Wednesday 10 July 2002 6:11 pm, Jan Humme wrote:
> > I am developing an application that will eventually run on a PC with two
> > ethernet cards; unfortunately the development PC that I use has only one
> > ethernet card (eth0) and no available slots (except for one that I need
> > for another purpose).
> >
> > Doesn't matter, during the development I can have both applications use
> > eth0 instead, if I can only stop the icmp redirect messages that the
> > kernel sends back to the source, whenever it finds out that it is
> > forwarding a packet via the same eth0 interface on which it came in.
> >
> > Of course, I can choke the icmp redirect message using iptables, but is
> > there a better (proper) way, to prevent the message from being generated?
>
> Does it help if you put two addresses onto eth0 from different subnets (eg
> 192.168.0.1 and 172.16.0.1) so that icmp redirect is no longer appropriate
> (because this is used only between machines on a single subnet) ?


That is exactly what I am doing, and lo-and-behold! tcpdump reveals an 
icmp-redirect message.

=> 192.168.255.254: my firewall/internet gateway
=> 192.168.0.1 (eth0) alias 1.2.3.254 (eth0:0) my development machine, using 
192.168.255.254 as the gateway
=> 1.2.3.4 my Windoze test machine, using 1.2.3.254 as its gateway

So when the Windoze machine tries to ping, say 194.134.32.32, it forwards the 
packet to 1.2.3.254, who forwards it back onto the same eth0 towards 
192.168.255.254.

Also, an icmp-redirect message is sent back to the Windoze-machine, telling 
it to forward those packets straight to 192.168.255.254 from now on.


> Then your other machines which are talking to it can pretend that one
> address is eth0 and the other address is eth1.

I wouldn't know how to tell this to my test Windoze box.

Jan Humme.



* Re: ICMP Redirect
  2006-05-07  7:19 ICMP Redirect R. Rajasekaran
@ 2006-05-09 12:25 ` Cedric Blancher
  0 siblings, 0 replies; 8+ messages in thread
From: Cedric Blancher @ 2006-05-09 12:25 UTC (permalink / raw)
  To: R. Rajasekaran; +Cc: netfilter

On Sunday 07 May 2006 at 00:19 -0700, R. Rajasekaran wrote:
> IP of H1   = 10.0.0.1
> IP of H2   = 10.0.0.2
[...]
> >From 10.0.0.2: icmp_seq=1 Redirect Host (New nexthop:
> 10.0.0.3)
[...]
> The above behaviour is of Linux functionality.
> Here the redirect uses the next-hop address as
> 10.0.0.3.  What is the reason of it ?

Because your network setting is just wrong. The smallest network mask
you can set on this type of link is /30, i.e. 10.0.0.0/30. Then you
have:

	10.0.0.0 as network address
	10.0.0.3 as broadcast address
	10.0.0.1 and 10.0.0.2 as host addresses

If you send a packet from H1 to H2 destined to 10.0.0.3, H2 will
complain because he's not the best router for H1 to reach 10.0.0.3. As
described by the network mask, H1 should reach 10.0.0.3 directly on link,
without using H2 as a router, thus you get an ICMP Redirect.

This is still true if the network mask is wider than /30, because then
10.0.0.3 will be a host address belonging to H1 and H2's local link. Then
there's no reason for H1 to go through H2 to reach it, and you get an
ICMP redirect again.

Set your network as 10.0.0.0/30 and try to ping 10.0.0.5 instead. BTW,
there's nothing related to Netfilter in this behaviour.


-- 
http://sid.rstack.org/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
>> Hi! I'm your friendly neighbourhood signature virus.
>> Copy me to your signature file and help me spread!
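
Jan's earlier report (a redirect although 1.2.3.4 and 192.168.255.254 are in
different subnets) and the "New nexthop: 10.0.0.3" that Cedric explains above
both follow from one decision in the Linux forwarding path. The model below is an
added example, my reading of __mkroute_input() and rt_nexthop() in
net/ipv4/route.c, not anything posted in the thread: a redirect is generated when
the packet leaves on the interface it arrived on, the source is directly connected
on that interface, send_redirects is on, and either shared_media (kernel default 1)
is on or source and gateway share a subnet on that interface; the advertised next
hop is the route's gateway, or the destination itself when the destination is
on-link. The /16 on Jan's 192.168.0.1, the /24 on H2 and the interface names are
assumptions. The shared_media default is what defeats Antony's two-subnet idea.

```python
"""When does a Linux router send an ICMP Redirect, and with which next hop?

Added example: a model of __mkroute_input()/rt_nexthop() in net/ipv4/route.c
as I read them, not code from the thread. Addresses come from the thread;
masks and interface names are assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Iface:
    name: str
    addrs: List[str]             # "addr/prefix"; several entries = aliases (eth0:0)
    send_redirects: bool = True  # conf/{all,<if>}/send_redirects
    shared_media: bool = True    # conf/{all,<if>}/shared_media, kernel default 1

    def onlink(self, *hosts: str) -> bool:
        """inet_addr_onlink(): all hosts fall in one subnet of this device."""
        for a in self.addrs:
            net = ipaddress.ip_interface(a).network
            if all(ipaddress.ip_address(h) in net for h in hosts):
                return True
        return False


@dataclass
class Route:
    prefix: str
    dev: str
    gw: Optional[str] = None     # None: directly connected


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match over a static table."""
    ip = ipaddress.ip_address(dst)
    best, best_len = None, -1
    for r in table:
        net = ipaddress.ip_network(r.prefix)
        if ip in net and net.prefixlen > best_len:
            best, best_len = r, net.prefixlen
    return best


def redirect_for(ifaces: Dict[str, Iface], table: List[Route],
                 in_dev: str, src: str, dst: str) -> Optional[str]:
    """Next hop a Redirect Host (type 5, code 1) would advertise, or None."""
    out, back = lookup(table, dst), lookup(table, src)
    if out is None or back is None:
        return None
    # Same device in and out, and the source is directly connected on it
    # (the fib_validate_source() result that __mkroute_input tests).
    if out.dev != in_dev or back.dev != in_dev or back.gw is not None:
        return None
    dev = ifaces[in_dev]
    if not dev.send_redirects:
        return None
    # RFC 1620 shared_media short-circuits the "same subnet" test, and it is
    # on by default: that is why two subnets on one NIC still get a redirect.
    if not (dev.shared_media or (out.gw is not None and dev.onlink(src, out.gw))):
        return None
    # rt_nexthop(): the route's gateway, else the destination itself.
    return out.gw if out.gw is not None else dst


# Jan's box: both subnets on eth0, default route via the firewall (masks assumed).
JAN_IFACES = {"eth0": Iface("eth0", ["192.168.0.1/16", "1.2.3.254/24"])}
JAN_TABLE = [Route("192.168.0.0/16", "eth0"), Route("1.2.3.0/24", "eth0"),
             Route("0.0.0.0/0", "eth0", gw="192.168.255.254")]
# H2 from the 2006 post with a mask wider than /30 (10.0.0.0/24 assumed).
H2_IFACES = {"eth0": Iface("eth0", ["10.0.0.2/24"])}
H2_TABLE = [Route("10.0.0.0/24", "eth0")]


def scenarios() -> Dict[str, Optional[str]]:
    no_shared = {"eth0": Iface("eth0", ["192.168.0.1/16", "1.2.3.254/24"],
                               shared_media=False)}
    return {
        "jan_default": redirect_for(JAN_IFACES, JAN_TABLE, "eth0", "1.2.3.4", "194.134.32.32"),
        "jan_shared_media_off": redirect_for(no_shared, JAN_TABLE, "eth0", "1.2.3.4", "194.134.32.32"),
        "h2_ping_10.0.0.3": redirect_for(H2_IFACES, H2_TABLE, "eth0", "10.0.0.1", "10.0.0.3"),
        "h2_slash30_ping_10.0.0.5": redirect_for({"eth0": Iface("eth0", ["10.0.0.2/30"])},
                                                 [Route("10.0.0.0/30", "eth0")],
                                                 "eth0", "10.0.0.1", "10.0.0.5"),
    }


if __name__ == "__main__":
    for name, hop in scenarios().items():
        print(f"{name}: {'no redirect' if hop is None else 'Redirect Host, new nexthop ' + hop}")
```

The model reproduces the thread: Jan's forwarded ping draws a redirect to
192.168.255.254 with the default shared_media=1 and none with it off, H2
redirects H1 to 10.0.0.3 itself because that address is on-link, and with a /30
and a ping to 10.0.0.5 there is no route through H2 at all. The model ignores the
broadcast case (10.0.0.3 on a /30), which the kernel delivers locally rather than
forwards.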



* ICMP Redirect
@ 2006-05-07  7:19 R. Rajasekaran
  2006-05-09 12:25 ` Cedric Blancher
  0 siblings, 1 reply; 8+ messages in thread
From: R. Rajasekaran @ 2006-05-07  7:19 UTC (permalink / raw)
  To: netfilter


Kindly help me in understanding the observation from the
following experiment:



 --------         --------
 |      |         |      |
 |  H1  |---------|  H2  |
 |      |         |      |
 --------         --------

H1 and H2 are two Linux hosts.

IP of H1   = 10.0.0.1
MAC of H1  = 00:00:00:00:00:01


IP of H2   = 10.0.0.2
MAC of H2  = 00:00:00:00:00:02

Now I did the following configurations.

1) In host H1
-------------
I added a static arp entry in the arp cache of the
host H1
as  arp -s 10.0.0.3 00:00:00:00:00:02.

(ie) the mac address for 10.0.0.3 as H2's mac address.


2) In host H2
-------------
Enabled IP forwarding.


Then from host H1, I pinged 10.0.0.3.
Here I found that the ICMP request from host H1 reaches host H2,
and host H2 sends the following ICMP redirect messages.

From 10.0.0.2: icmp_seq=1 Redirect Host (New nexthop: 10.0.0.3)
From 10.0.0.2: icmp_seq=2 Redirect Host (New nexthop: 10.0.0.3)
From 10.0.0.2: icmp_seq=3 Redirect Host (New nexthop: 10.0.0.3)

The above behaviour is Linux functionality.
Here the redirect uses 10.0.0.3 as the next-hop address. What is the
reason for it?
It seems confusing because the ping was sent just to that address.

- R. Rajasekaran.




* ICMP REDIRECT
@ 2005-03-18 15:29 vardhaman.m
  0 siblings, 0 replies; 8+ messages in thread
From: vardhaman.m @ 2005-03-18 15:29 UTC (permalink / raw)
  To: netfilter

Hello All,
The malformed (not having a complete payload; generated by
utilities like hping and send-ip) ICMP redirect packets are getting
dropped after the PREROUTING chain of the mangle table. I want these ICMP
REDIRECT (icmp type 5) packets to traverse as far as the filter table
even though they do not have a connection tracking entry.
I want to know where in the netfilter code I have to put NF_ACCEPT for this to happen.
I am using the 2.4.26 kernel.

Can anybody throw light on this?

Thanks in advance.
Vardhaman M
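
What "complete payload" means for a redirect: connection tracking can only
relate an ICMP error to a flow if the quoted datagram carries the full inner IPv4
header plus the first 8 bytes of the transport header, enough to build the inner
tuple; anything shorter cannot be classified as RELATED. The parser below is an
added example, not code from the thread or from netfilter. The packets it decodes
are constructed inline (addresses borrowed from Jan's setup earlier on the page):
a well-formed redirect quoting a DNS query, one quoting only the inner IP header,
and a bare 8-byte redirect of the kind a packet generator emits when given no
payload.

```python
"""Parse ICMP Redirect messages and say whether the quoted datagram is
complete enough for connection tracking. Added example; all packets are
constructed here, none are captures from the thread."""
import struct
from typing import Any, Dict

ICMP_REDIRECT = 5
IPPROTO_TCP, IPPROTO_UDP = 6, 17


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones-complement checksum; returns 0 over a valid message."""
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal IPv4 header (no options) + payload, header checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, bytes(map(int, src.split("."))),
                      bytes(map(int, dst.split("."))))
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    return hdr + payload


def build_redirect(gateway: str, quoted: bytes, code: int = 1) -> bytes:
    """ICMP Redirect (type 5); code 1 = redirect for host. `quoted` is
    whatever the sender copied from the offending datagram (may be empty)."""
    msg = struct.pack("!BBH4s", ICMP_REDIRECT, code, 0,
                      bytes(map(int, gateway.split(".")))) + quoted
    return msg[:2] + struct.pack("!H", inet_checksum(msg)) + msg[4:]


def parse_redirect(icmp: bytes) -> Dict[str, Any]:
    """Decode a redirect. 'trackable' is True only if the quoted datagram has
    a full IPv4 header plus 8 bytes of transport header, which is what
    conntrack needs to build the inner tuple and treat the error as RELATED."""
    if len(icmp) < 8:
        raise ValueError("ICMP header truncated")
    typ, code, _, gw = struct.unpack("!BBH4s", icmp[:8])
    if typ != ICMP_REDIRECT:
        raise ValueError("not an ICMP redirect (type %d)" % typ)
    out: Dict[str, Any] = {
        "code": code,
        "gateway": ".".join(map(str, gw)),
        "checksum_ok": inet_checksum(icmp) == 0,
        "quoted_len": len(icmp) - 8,
        "inner": None,
        "trackable": False,
    }
    inner = icmp[8:]
    if len(inner) < 20:
        return out                       # no inner header at all
    ver_ihl, proto = inner[0], inner[9]
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(inner) < ihl + 8:
        return out                       # header claims more than is present
    src, dst = inner[12:16], inner[16:20]
    l4 = inner[ihl:ihl + 8]
    ports = struct.unpack("!HH", l4[:4]) if proto in (IPPROTO_TCP, IPPROTO_UDP) else (None, None)
    out["inner"] = {"src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
                    "proto": proto, "sport": ports[0], "dport": ports[1]}
    out["trackable"] = True
    return out


# Constructed samples. UDP header (sport 40000, dport 53) + a stub DNS query.
UDP_DNS = struct.pack("!HHHH", 40000, 53, 20, 0) + b"\x12\x34\x01\x00" + b"\0" * 8
ORIGINAL = build_ipv4("1.2.3.4", "194.134.32.32", IPPROTO_UDP, UDP_DNS)
GOOD = build_redirect("192.168.255.254", ORIGINAL[:28])   # IP header + 8 bytes
TRUNC = build_redirect("192.168.255.254", ORIGINAL[:20])  # IP header only
BARE = build_redirect("192.168.255.254", b"")              # generator default

if __name__ == "__main__":
    for name, pkt in (("good", GOOD), ("trunc", TRUNC), ("bare", BARE)):
        print(name, parse_redirect(pkt))
```

On kernels that have the raw table, exempting these packets from tracking
(`iptables -t raw -A PREROUTING -p icmp --icmp-type redirect -j NOTRACK`) lets
them reach the filter table as UNTRACKED instead of INVALID, which is the
usual way to get a generator's bare redirects past a state-based ruleset
without touching netfilter code.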


