Network exceptions caused by rp_filter

The background of the problem is as follows:

1, the company intranet to a computer room public network does not pass (Ping,traceroute,curl are not)

2, in a computer room this public network machine to the company intranet also does not pass (Ping,traceroute,curl are not)

3, but a room this public network which machine can pass through the gateway network, and external network environment can also access a computer room public network IP, only the company intranet to these different IP.

4, the company intranet to several other computer room of the public network is no problem

Company intranet to a computer room public network traceroute Result:

$ traceroute x.x.x.x
Traceroute to x.x.x.x (x.x.x.x), hops max, byte packets
1 * * *
2 10.x.253.1 (10.x.253.1) 7.092 ms 7.388 ms 7.384 ms
3 10.x.2.2 (10.x.2.2) 7.372 ms 7.615 ms 8.347 ms
4 10.x.1.2 (10.x.1.2) 7.595 ms 8.335 ms 8.331 ms
5 192.x.168.254 (192.x.168.254) 8.879 ms 9.325 ms 10.077 ms
6 * * *
......

30 * * *

Company intranet to other computer room public network normal traceroute result:

$ traceroute xx.xx.xx.xx
Traceroute toxx.xx.xx.xx (xx.xx.xx.xx), hops max, byte packets
1 * * *
2 10.x.253.1 (10.x.253.1) 7.092 ms 7.388 ms 7.384 ms
3 10.x.2.2 (10.x.2.2) 7.372 ms 7.615 ms 8.347 ms
4 10.x.1.2 (10.x.1.2) 7.595 ms 8.335 ms 8.331 ms

5 * * *

6 111.111.111.111 (111.111.111.111) 8.879 ms 9.325 ms 10.077 ms
7 * * *

8 xx.xx.xx.xx

Problem Analysis Solution steps: (After discovering this problem, feeling and strange, although not affect the service, but Curiosity is driven to make the problem clear)

One, the analysis of a computer room machine routing, all normal no abnormalities found

Second, I tested a room and other computer room between the network, outside the network to a computer room is normal. The first suspect is that the company intranet is limited, because see traceroute results, the packet has not yet out of the company intranet. So, and the company IT department to troubleshoot, found that there are no restrictions

Third, then, doubt the company room has the relevant restrictions. So, I looked for the network group, the result is still no limit

Four, after the exclusion of external factors, it may be suspected that the system has a problem. And, through a computer room outside the network machine grab bag can catch the company intranet delivery of the Traceroute package, just a room machine does not reply to the packet, it is more certain that the system itself is a problem. With the powerful Google found rp_filter This parameter caused this problem, because we have a room machine this parameter is 1.

The role of the Rp_filter parameter:

rp_filter - integer0 - no source validation.1 - strict mode  as defined in rfc3704 strict reverse path    each  incoming packet is tested against the fib and if the  Interface    is not the best reverse path the packet  check will fail.    by default failed packets are  discarded.2 - Loose mode as defined in RFC3704 Loose  Reverse path    each incoming packet ' S source address is  also tested against the fib    and if the source  address is not reachable via any interface    the  packet check will fail. CuRrent recommended practice in rfc3704 is to enable strict modeto  prevent IP spoofing from DDos attacks. If using asymmetric  Routingor other complicated routing, then loose mode is recommended. the max value from conf/{all,interface}/rp_filter is usedwhen doing  Source validation on the {interface}. Default value is 0. note that some distributions enable itin  startup scripts.

The function of 1 is: the packet from which network port comes in from which gateway out, if not match discards.

Conclusion:

The request packet from the company intranet to a computer room machine enters from the public network card, and the reply packet flows from the intranet network card of a computer room machine according to the routing rules of the machine. The rp_filter of a computer room machine is 1, which causes the packet to be discarded by the system. While the Rp_filter parameter is 0 by default and is adjusted to 1 for historical reasons, we re-adjust all of the managed machines to default values to solve similar problems.

This article is from the "Good" blog, please be sure to keep this source http://leejia.blog.51cto.com/4356849/1758405

Network exceptions caused by rp_filter