Actually, rp_filter is set in both cases:
# sysctl net/ipv4/conf/default/rp_filter
net.ipv4.conf.default.rp_filter = 1
Resetting it to 0 on the RHEL6 box didn't seem to make any difference.
Thanks,
Peter
[email protected] wrote:
Have you looked at /etc/sysctl.conf
net.ipv4.conf.default.rp_filter
rp_filter - BOOLEAN
1 - do source validation by reversed path, as specified in RFC1812
Recommended option for single homed hosts and stub network
routers. Could cause troubles for complicated (not loop free)
networks running a slow unreliable protocol (sort of RIP),
or using static routes.
0 - No source validation.
conf/all/rp_filter must also be set to TRUE to do source validation
on the interface
Default value is 0. Note that some distributions enable it
in startup scripts.
I believe RHEL5 defaults to 0, but check if it's set by default now.
Nathan Anderson
Automation Systems Group
UPS
502.247.1268
-----Original Message-----
From: [email protected] [mailto:rhelv6-list-
[email protected]] On Behalf Of Peter Ruprecht
Sent: Friday, January 14, 2011 1:01 PM
To: [email protected]
Subject: [rhelv6-list] routing/interface question
Hi everyone,
I think I'm seeing a difference in behavior between RHEL 5 and 6 on how
packets get routed between different subnets on different network
interfaces. Say I have a dual-homed host, with each interface connected
to a different physical class C subnet. The routing table looks like:
# netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
128.138.140.0   0.0.0.0         255.255.255.0   U         0 0          0 eth1
128.138.107.0   0.0.0.0         255.255.255.0   U         0 0          0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 eth1
0.0.0.0         128.138.107.1   0.0.0.0         UG        0 0          0 eth0
In RHEL5, if I ping the host's 128.138.140.X address from a machine on
the 128.138.107. subnet, I can use tcpdump to see the icmp request
coming in on eth1, and the reply going out on eth0. The host is not
doing forwarding; that is, there's a 0 in /proc/sys/net/ipv4/ip_forward.
Now, with what I think is exactly the same setup on a RHEL 6 host, I can
see the incoming icmp packet on eth1, but there's no reply at all, on
any interface. Similarly for an incoming ssh request, for example. If
I ping the host's 128.138.140.X address from a machine on the
128.138.140. subnet, then I see both the request and reply as expected
on eth1. And if I ping the host's 128.138.107.X address from a machine
on the 128.138.107. subnet, then I see both the request and reply as
expected on eth0. iptables is not running.
Does anyone know if there's a way to get RHEL 6 to give me the behavior
I'm used to with RHEL 5? That is, how can I ping the interface on the
"other" subnet and actually get a reply?
Thanks,
Peter Ruprecht
_______________________________________________
rhelv6-list mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/rhelv6-list
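
The "source validation by reversed path" check quoted in the thread, applied to the routing table from the original post. This is an added example, not part of the thread and not kernel code: it is a simplified model of the check, and the host numbers (.10) are constructed because the posts only give 128.138.107.X and 128.138.140.X.

```python
import ipaddress

# Routing table from the post (netstat -rn): (destination, gateway, interface).
ROUTES = [
    ("128.138.140.0/24", None, "eth1"),
    ("128.138.107.0/24", None, "eth0"),
    ("169.254.0.0/16", None, "eth0"),
    ("169.254.0.0/16", None, "eth1"),
    ("0.0.0.0/0", "128.138.107.1", "eth0"),
]


def reverse_path_ifaces(src, routes=ROUTES):
    """Interfaces of the most specific route(s) leading back to src."""
    addr = ipaddress.ip_address(src)
    matches = [(ipaddress.ip_network(dest), iface)
               for dest, _gw, iface in routes
               if addr in ipaddress.ip_network(dest)]
    if not matches:
        return set()
    best = max(net.prefixlen for net, _ in matches)
    # Simplification: equal-length ties count every tied interface as valid.
    return {iface for net, iface in matches if net.prefixlen == best}


def accepted(src, in_iface, rp_filter, routes=ROUTES):
    """Model of the quoted setting: 0 = no source validation,
    1 = accept only if the route back to src leaves via in_iface."""
    if rp_filter == 0:
        return True
    return in_iface in reverse_path_ifaces(src, routes)


if __name__ == "__main__":
    # Constructed scenarios matching the three pings described in the post.
    scenarios = [
        ("128.138.107.10", "eth1"),  # 107 subnet host -> 140.X address
        ("128.138.140.10", "eth1"),  # 140 subnet host -> 140.X address
        ("128.138.107.10", "eth0"),  # 107 subnet host -> 107.X address
    ]
    for src, iface in scenarios:
        for mode in (0, 1):
            verdict = "accept" if accepted(src, iface, mode) else "drop"
            print(f"src={src} in={iface} rp_filter={mode}: {verdict}")
```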