Cyber Asylum
Dve IP adresy z rovnakej podsiete na dvoch fyzických rozhraniach
Blog - GNU/Linux
Napísal Jaroslav Petráš   
Utorok, 09 November 2010 23:10
Pred nedávnou dobou mi dali zo serverovne na známosť že moja mašina robí na sieti bordel. Na ARP ping vraj odpovedalo z jednej IP adresy viac fyz. rozhraní. Pomyslel som si že to predsa nie je možné. Po bližšej analýze som zistil že to tak skutočne je. Server má celkom tri RJ45 porty. Jeden pre vzdialenú správu (ten už ďalej nespomeniem, keďže nie je podstatný) a dve nezávislé sieťové rozhrania. Nastaviť každému rozhraniu vlastnú pevnú IP adresu z prideleného rozsahu nestačí ako som sa stihol presvedčiť pri riešení tohto problému. 

Celý problém bol spôsobený prednastavenými hodnotami v sieťovom IPv4 stacku. Oprava teda spočívala v nastavení:
  
net.ipv4.conf.eth0.arp_filter = 1
net.ipv4.conf.eth1.arp_filter = 1
net.ipv4.conf.eth0.arp_ignore = 1
net.ipv4.conf.eth1.arp_ignore = 1
net.ipv4.conf.eth0.arp_announce = 1
net.ipv4.conf.eth1.arp_announce = 1
v súbore /etc/sysctl.conf (platí pre Debian GNU/Linux)
Nastavenia načítame pomocou # sysctl -p  
Následne je nutné nakonfigurované sieťové rozhrania reštartovať.

Z dokumentácie:

arp_filter
  • 0 - (default) The kernel can respond to ARP requests with addresses from other interfaces. This may seem wrong but it usually makes sense, because it increases the chance of successful communication. IP addresses are owned by the complete host on Linux, not by particular interfaces. Only for more complex setups like load-balancing, does this behaviour cause problems.
  • 1 - Allows you to have multiple network interfaces on the same subnet, and have the ARPs for each interface be answered based on whether or not the kernel would route a packet from the ARP'd IP out that interface (therefore you must use source based routing for this to work). In other words it allows control of which cards (usually 1) will respond to an ARP request.

arp_ignore
Define different modes for sending replies in response to received ARP requests that resolve local target IP addresses:
  • 0 - (default) reply for any local target IP address, configured on any interface
  • 1 - reply only if the target IP address is local address configured on the incoming interface
  • 2 - reply only if the target IP address is local address configured on the incoming interface and both with the sender's IP address are part from same subnet on this interface
  • 3 - do not reply for local addresses configured with scope host, only resolutions for global and link addresses are replied
  • 4 - 7 - reserved
  • 8 - do not reply for all local addresses

The max value from conf/{all,interface}/arp_ignore is used when ARP request is received on the {interface}.

arp_announce
Define different restriction levels for announcing the local source IP address from IP packets in ARP requests sent on interface:

  • 0 - (default) Use any local address, configured on any interface.
  • 1 - Try to avoid local addresses that are not in the target's subnet for this interface. This mode is useful when target hosts reachable via this interface require the source IP address in ARP requests to be part of their logical network configured on the receiving interface. When we generate the request we will check all our subnets that include the target IP and will preserve the source address if it is from such subnet. If there is no such subnet we select source address according to the rules for level 2.
  • 2 - Always use the best local address for this target. In this mode we ignore the source address in the IP packet and try to select local address that we prefer for talks with the target host. Such local address is selected by looking for primary IP addresses on all our subnets on the outgoing interface that include the target IP address. If no suitable local address is found we select the first local address we have on the outgoing interface or on all other interfaces, with the hope we will receive reply for our request and even sometimes no matter the source IP address we announce.

The max value from conf/{all,interface}/arp_announce is used.

Increasing the restriction level gives more chance for receiving answer from the resolved target while decreasing the level announces more valid sender's information.


Zdroj: http://www.linuxinsight.com/proc_sys_net_ipv4_conf_eth0.html

Po prečítaní úryvkov z dokumentácie teda vidíme že systém implicitne posiela odpoveď cez akékoľvek rozhranie ktoré je k dispozícii a je na rovnakej podsieti.

Keďže sa nám toto správanie podarilo pozmeniť nastavením uvedeným vyššie, ďalším krokom bude vytvorenie vlastnej smerovacej tabuľky pre každé rozhranie (eth0, eth1). Postupovať môžeme napríklad takto:
/etc/network/interfaces 
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
allow-hotplug eth0
iface eth0 inet static
address    192.168.1.100
netmask    255.255.255.0
hwaddress ether xx:xx:xx:xx:xx:xx
post-up /usr/local/bin/add-route-i1

allow-hotplug eth1
iface eth1 inet static
address    192.168.1.200
netmask    255.255.255.0
hwaddress ether xx:xx:xx:xx:xx:xx
post-up /usr/local/bin/add-route-i2
Kde obsah skriptu /usr/local/bin/add-route-i1 je: 
#! /bin/bash
 
    if ! /bin/ip "route" "add" "default" "via" "192.168.1.1" "src" "192.168.1.100" "dev" "eth0" "table" "i1"; then
        exit 1
    fi
 
    if ! /bin/ip "rule" "add" "from" "192.168.1.100" "table" "i1"; then
        exit 2
    fi
 
    if ! /usr/local/bin/add-route-default; then
        exit 3
    fi
 
    exit 0
 
a /usr/local/bin/add-route-i2 
#! /bin/bash
 
    if ! /bin/ip "route" "add" "default" "via" "192.168.1.1" "src" "192.168.1.200" "dev" "eth1" "table" "i2"; then
        exit 1
    fi
 
    if ! /bin/ip "rule" "add" "from" "192.168.1.200" "table" "i2"; then
        exit 2
    fi
 
    exit 0
 
Pritom platí že 192.168.1.1 je adresa brány, 192.168.1.100 je adresa eth0 a 192.168.1.200 je adresa eth1.
V add-route-i1 sa spúšťa aj/usr/local/bin/add-route-default ktorého obsah je: 
#! /bin/bash
 
    if ! /bin/ip "route" "add" "default" "via" "192.168.1.1"; then
        exit 1
    fi
 
    exit 0
 
Nakonfigurované rozhrania stačí už len reštartovať a je hotovo.
Posledná úprava Streda, 12 Január 2011 21:02
 
Services - IT Outsourcing
 

Jaroslav Petráš


asfethan

Narodený v roku 1988

moje profesie
 - programátor
 - GNU/Linux SysAdmin
 - Web developer
 - správca IT

moje záľuby
 - korčulovanie
 - squash
 - spoločenské akcie
 - hudba
 - autá
 - práca s IT

e-mail
   asfethan@cyberasylum.eu

jabber
   asfethan@cyberasylum.eu

Moja plocha


desktop screenshot

 - Debian GNU/Linux OS
 - XMonad
 - GNOME 3
 - gvim
 - xterm
 - dzen2
 - stalonetray
 - sysinfo-dzen2-php

Teamspeak 3 server


ts.niekde.sk
ts.cyberasylum.eu
  • free to use
  • for new permanent channels, informations or abuse reports please use e-mail address below

e-mail
   ts@cyberasylum.eu