* icmp redirect
@ 2002-07-10 17:11 Jan Humme
2002-07-10 17:39 ` Ramin Alidousti
2002-07-10 17:46 ` Antony Stone
0 siblings, 2 replies; 8+ messages in thread
From: Jan Humme @ 2002-07-10 17:11 UTC (permalink / raw)
To: netfilter
I am developing an application that will eventually run on a PC with two
ethernet cards; unfortunately the development PC that I use has only one
ethernet card (eth0) and no available slots (except for one that I need for
another purpose).
Doesn't matter, during the development I can have both applications use eth0
instead, if I can only stop the icmp redirect messages that the kernel sends
back to the source, whenever it finds out that it is forwarding a packet via
the same eth0 interface on which it came in.
Of course, I can choke the icmp redirect message using iptables, but is there
a better (proper) way, to prevent the message from being generated?
Jan Humme.
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: icmp redirect
2002-07-10 17:11 icmp redirect Jan Humme
@ 2002-07-10 17:39 ` Ramin Alidousti
2002-07-10 17:48 ` Jan Humme
2002-07-10 17:46 ` Antony Stone
1 sibling, 1 reply; 8+ messages in thread
From: Ramin Alidousti @ 2002-07-10 17:39 UTC (permalink / raw)
To: Jan Humme; +Cc: netfilter
On Wed, Jul 10, 2002 at 07:11:21PM +0200, Jan Humme wrote:
> I am developing an application that will eventually run on a PC with two
> ethernet cards; unfortunately the development PC that I use has only one
> ethernet card (eth0) and no available slots (except for one that I need for
> another purpose).
>
> Doesn't matter, during the development I can have both applications use eth0
> instead, if I can only stop the icmp redirect messages that the kernel sends
> back to the source, whenever it finds out that it is forwarding a packet via
> the same eth0 interface on which it came in.
>
> Of course, I can choke the icmp redirect message using iptables, but is there
> a better (proper) way, to prevent the message from being generated?
On the sending host:
# echo 0 > /proc/sys/net/ipv4/conf/*/send_redirects
On the receiving host:
# echo 0 > /proc/sys/net/ipv4/conf/*/accept_redirects
should do it.
Ramin
>
> Jan Humme.
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: icmp redirect
2002-07-10 17:39 ` Ramin Alidousti
@ 2002-07-10 17:48 ` Jan Humme
0 siblings, 0 replies; 8+ messages in thread
From: Jan Humme @ 2002-07-10 17:48 UTC (permalink / raw)
To: Ramin Alidousti, Jan Humme; +Cc: netfilter
On Wednesday 10 July 2002 19:39, Ramin Alidousti wrote:
> On Wed, Jul 10, 2002 at 07:11:21PM +0200, Jan Humme wrote:
> > I am developing an application that will eventually run on a PC with two
> > ethernet cards; unfortunately the development PC that I use has only one
> > ethernet card (eth0) and no available slots (except for one that I need
> > for another purpose).
> >
> > Doesn't matter, during the development I can have both applications use
> > eth0 instead, if I can only stop the icmp redirect messages that the
> > kernel sends back to the source, whenever it finds out that it is
> > forwarding a packet via the same eth0 interface on which it came in.
> >
> > Of course, I can choke the icmp redirect message using iptables, but is
> > there a better (proper) way, to prevent the message from being generated?
>
> On the sending host:
> # echo 0 > /proc/sys/net/ipv4/conf/*/send_redirects
>
> On the receiving host:
> # echo 0 > /proc/sys/net/ipv4/conf/*/accept_redirects
>
> should do it.
Thanks a lot; I knew there was an elegant way :-) !
Jan Humme.
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: icmp redirect
2002-07-10 17:11 icmp redirect Jan Humme
2002-07-10 17:39 ` Ramin Alidousti
@ 2002-07-10 17:46 ` Antony Stone
2002-07-10 18:31 ` Jan Humme
1 sibling, 1 reply; 8+ messages in thread
From: Antony Stone @ 2002-07-10 17:46 UTC (permalink / raw)
To: netfilter
On Wednesday 10 July 2002 6:11 pm, Jan Humme wrote:
> I am developing an application that will eventually run on a PC with two
> ethernet cards; unfortunately the development PC that I use has only one
> ethernet card (eth0) and no available slots (except for one that I need for
> another purpose).
>
> Doesn't matter, during the development I can have both applications use
> eth0 instead, if I can only stop the icmp redirect messages that the kernel
> sends back to the source, whenever it finds out that it is forwarding a
> packet via the same eth0 interface on which it came in.
>
> Of course, I can choke the icmp redirect message using iptables, but is
> there a better (proper) way, to prevent the message from being generated?
Does it help if you put two addresses onto eth0 from different subnets (eg
192.168.0.1 and 172.16.0.1) so that icmp redirect is no longer appropriate
(because this is used only between machines on a single subnet) ?
Then your other machines which are talking to it can pretend that one address
is eth0 and the other address is eth1.
Antony.
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: icmp redirect
2002-07-10 17:46 ` Antony Stone
@ 2002-07-10 18:31 ` Jan Humme
0 siblings, 0 replies; 8+ messages in thread
From: Jan Humme @ 2002-07-10 18:31 UTC (permalink / raw)
To: Antony Stone, netfilter
On Wednesday 10 July 2002 19:46, Antony Stone wrote:
> On Wednesday 10 July 2002 6:11 pm, Jan Humme wrote:
> > I am developing an application that will eventually run on a PC with two
> > ethernet cards; unfortunately the development PC that I use has only one
> > ethernet card (eth0) and no available slots (except for one that I need
> > for another purpose).
> >
> > Doesn't matter, during the development I can have both applications use
> > eth0 instead, if I can only stop the icmp redirect messages that the
> > kernel sends back to the source, whenever it finds out that it is
> > forwarding a packet via the same eth0 interface on which it came in.
> >
> > Of course, I can choke the icmp redirect message using iptables, but is
> > there a better (proper) way, to prevent the message from being generated?
>
> Does it help if you put two addresses onto eth0 from different subnets (eg
> 192.168.0.1 and 172.16.0.1) so that icmp redirect is no longer appropriate
> (because this is used only between machines on a single subnet) ?
That is exactly what I am doing, and lo-and-behold! tcpdump reveals an
icmp-redirect message.
=> 192.168.255.254: my firewall/internet gateway
=> 192.168.0.1 (eth0) alias 1.2.3.254 (eth0:0) my development machine, using
192.168.255.254 as the gateway
=> 1.2.3.4 my Windoze test machine, using 1.2.3.254 as its gateway
So when the Windoze machine tries to ping, say 194.134.32.32, it forwards the
packet to 1.2.3.254, who forwards it back onto the same eth0 towards
192.168.255.254.
Also, an icmp-redirect message is sent back to the Windoze-machine, telling
it to forward those packets straight to 192.168.255.254 from now on.
> Then your other machines which are talking to it can pretend that one
> address is eth0 and the other address is eth1.
I wouldn't know how to tell this to my test Windoze box.
Jan Humme.
^ permalink raw reply [flat|nested] 8+ messages in thread
* ICMP REDIRECT
@ 2005-03-18 15:29 vardhaman.m
0 siblings, 0 replies; 8+ messages in thread
From: vardhaman.m @ 2005-03-18 15:29 UTC (permalink / raw)
To: netfilter
Hello All,
The manformated ( not having complete pay load, which are generated by
utilities like hping and send-ip) ICMP redirect packets are getting
droped after PREROUTING chain of mangle table. I want these ICMP
REDIRECT ( icmp type 5 ) packets to be traversed till filter table
even though it does not have connection tracking entry.
I want where all I have to put NF_ACCEPT in netfilter code for this to happen.
I am using 2.4.26 kernel.
Can anybody through light on this.
Thanks in advance.
Vardhaman M
^ permalink raw reply [flat|nested] 8+ messages in thread
* ICMP Redirect
@ 2006-05-07 7:19 R. Rajasekaran
2006-05-09 12:25 ` Cedric Blancher
0 siblings, 1 reply; 8+ messages in thread
From: R. Rajasekaran @ 2006-05-07 7:19 UTC (permalink / raw)
To: netfilter
Kindly help me in understanding the observation of
following experiment :-
-------- --------
| | | |
| H1 |---------| H2 |
| | | |
-------- --------
H1 and H2 are two Linux host.
IP of H1 = 10.0.0.1
MAC of H1 = 00:00:00:00:00:01
IP of H2 = 10.0.0.2
MAC of H2 = 00:00:00:00:00:02
Now I did the following configurations.
1) In host H1
-------------
I added a static arp entry in the arp cache of the
host H1
as arp -s 10.0.0.3 00:00:00:00:00:02.
(ie) the mac address for 10.0.0.3 as H2's mac address.
2) In host H2
-------------
Enabled IP forwarding.
Then from host H1, I made a ping 10.0.0.3.
Here I found that ICMP request from host H1 reaches
host H2,
and host H2 sends the following as ICMP redirect
messages.
From 10.0.0.2: icmp_seq=1 Redirect Host (New nexthop:
10.0.0.3)
From 10.0.0.2: icmp_seq=2 Redirect Host (New nexthop:
10.0.0.3)
From 10.0.0.2: icmp_seq=3 Redirect Host (New nexthop:
10.0.0.3)
The above behaviour is of Linux functionality.
Here the redirect uses the next-hop address as
10.0.0.3. What is the reason of it ?
It seems confusing because the ping was send just to
that address.
- R. Rajasekaran.
__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: ICMP Redirect
2006-05-07 7:19 ICMP Redirect R. Rajasekaran
@ 2006-05-09 12:25 ` Cedric Blancher
0 siblings, 0 replies; 8+ messages in thread
From: Cedric Blancher @ 2006-05-09 12:25 UTC (permalink / raw)
To: R. Rajasekaran; +Cc: netfilter
Le dimanche 07 mai 2006 à 00:19 -0700, R. Rajasekaran a écrit :
> IP of H1 = 10.0.0.1
> IP of H2 = 10.0.0.2
[...]
> >From 10.0.0.2: icmp_seq=1 Redirect Host (New nexthop:
> 10.0.0.3)
[...]
> The above behaviour is of Linux functionality.
> Here the redirect uses the next-hop address as
> 10.0.0.3. What is the reason of it ?
Because your network setting is just wrong. The smallest network mask
you can set on this type of link is /30, i.e. 10.0.0.0/30. Then you
have :
10.0.0.0 as network address
10.0.0.3 as broadcast address
10.0.0.1 and 10.0.0.2 as host addresses
If you send a packet from H1 to H2 destined to 10.0.0.3, H2 will
complain because he's not the best router for H1 to reach 10.0.0.3. As
describe by network mask, H1 should reach 10.0.0.3 directly on link,
without using H2 as a router, thus you gety an ICMP Redirect.
This is still true if network mask is wider than /30, because then,
10.0.0.3 will be a host address belonging to H1 and H2 local link. Then
there's not reason for H1 to go through H2 to reach it, and you get an
ICMP redirect again.
Set your network as 10.0.0.0/30 and try to ping 10.0.0.5 instead. BTW,
there's nothing related to Netfilter in this behaviour.
--
http://sid.rstack.org/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
>> Hi! I'm your friendly neighbourhood signature virus.
>> Copy me to your signature file and help me spread!
^ permalink raw reply [flat|nested] 8+ messages in thread
end of thread, other threads:[~2006-05-09 12:25 UTC | newest]
Thread overview: 8+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2002-07-10 17:11 icmp redirect Jan Humme
2002-07-10 17:39 ` Ramin Alidousti
2002-07-10 17:48 ` Jan Humme
2002-07-10 17:46 ` Antony Stone
2002-07-10 18:31 ` Jan Humme
2005-03-18 15:29 ICMP REDIRECT vardhaman.m
2006-05-07 7:19 ICMP Redirect R. Rajasekaran
2006-05-09 12:25 ` Cedric Blancher
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.