Source IP selection for passive responses and actively initiated connections when a single machine has multiple IP addresses

Source: Internet
Author: User
Tags: iptables

http://zhangxugg-163-com.iteye.com/blog/1669810


If a host has several IP addresses bound, the mechanism for selecting the source IP address differs between the two cases: passively responding to a connection and actively initiating one.

When the host receives an external packet and sends a response, the source address of the response is simply the address the client sent to. This is easy to understand: if a client sends a request to the host's 1.1.2.3:80, the source IP address of the host's response packet must be 1.1.2.3.

The question is how the source IP address is selected when the host itself initiates a request. Most of us have little insight into this problem; to get to the bottom of it I spent a lot of time consulting various materials, and the conclusions are as follows:

When a host creates an IP packet, selecting the correct source IP address is critical, because only a correct source address allows the receiver to reply correctly. If the source address is wrong, no reply from the remote host can be received.

Linux 2.2 and later selects the source IP address using the following three mechanisms:

1. An application can explicitly specify the source IP address with the bind(2) system call, or per call with sendmsg(2) through the IP_PKTINFO ancillary data object. In this case the kernel only checks whether the source IP address is valid for this host; if it is not, the call fails with an error.

2. If the application does not specify a source IP address, the routing table entry that the packet matches determines the source IP address, provided that entry carries one; it is set with the src parameter of the ip route command. If the matching route has no src attribute, the primary IP address is used.

3. Otherwise the kernel searches the IP addresses attached to the interface the route points to. For IPv6 it selects the first available address. For IPv4 it tries to select a source IP in the same subnet as the target IP; if the target IP is in none of the host's own subnets, it falls back to the preceding rule (the primary IP address).

Reference articles:

http://linux-ip.net/gl/ip-cref/node155.html

http://serverfault.com/questions/12285/when-ip-aliasing-how-does-the-os-determine-which-ip-address-will-be-used-as-sour

By default, if a Linux network interface has several IP addresses in different subnets and the packet's destination lies in one of those subnets, the address in that subnet is used as the source. If eth0 has the two addresses 192.168.1.12/24 and 10.1.1.1/8, a packet to the 10.0.0.0 subnet will use 10.1.1.1 as its source address. You can of course use the src attribute of ip route to specify the source address explicitly.

If several of the bound IP addresses are in the same subnet, the primary IP address is used (the first IP on the eth0 interface, for example), or you can use iptables to rewrite the source address of the packet, for example:

iptables -t nat -I POSTROUTING -o eth0 -d 1.2.3.4/0 -s 192.168.100.1 -j SNAT --to-source 192.168.100.2

Having finished the analysis of the principle and the method, let us demonstrate with an actual example.

The Linux host has the following IP addresses bound (gateway 192.168.0.1):
eth0 192.168.0.250/24, eth0:1 192.168.0.22/24, eth0:2 192.168.0.23/24

Alternatively, the ip addr add command can bind multiple IPs without creating sub-interfaces.

In this case, 192.168.0.250 becomes the default primary IP.

Objective: when this host initiates a new connection, the source IP address should be 192.168.0.22 rather than the default 192.168.0.250.

Method: modify the src attribute of the routing table entries.
1. View the system's IP addresses and routing table (the commands typed are shown after the prompt):
[root@localhost ~]# ip addr

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet 192.168.100.250/32 scope global lo
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether f4:6d:04:76:ca:98 brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.250/24 brd 192.168.0.255 scope global eth0
    inet 172.16.25.1/24 scope global eth0
    inet 192.168.0.22/24 scope global secondary eth0
    inet 192.168.0.23/24 scope global secondary eth0

Note that 192.168.0.250 is marked global (it is the primary address), while the other addresses in the same 192.168.0.0/24 subnet are marked secondary.

[root@localhost ~]# ip route
192.168.0.0/24 dev eth0 proto kernel scope link src 192.168.0.250
172.16.25.0/24 dev eth0 proto kernel scope link src 172.16.25.1
169.254.0.0/16 dev eth0 scope link
default via 192.168.0.1 dev eth0

From the output above you can see that the route to the directly connected subnet uses the primary IP address as its source. The default route does not specify a source IP (in practice it uses the primary IP in the same subnet as the gateway).

Modify the routing table so that the system uses the specified IP (192.168.0.22) as the source:
[root@localhost ~]# ip route change default dev eth0 src 192.168.0.22
[root@localhost ~]# ip route change 192.168.0.0/24 dev eth0 src 192.168.0.22

Note that ip route change replaces the whole route with the attributes given, so the first command, written without via 192.168.0.1, leaves the default route with no gateway (the output below shows it as an on-link route); include via 192.168.0.1 in the command if the gateway must be kept.

[root@localhost ~]# ip route
192.168.0.0/24 dev eth0 scope link src 192.168.0.22
172.16.25.0/24 dev eth0 proto kernel scope link src 172.16.25.1
169.254.0.0/16 dev eth0 scope link
default dev eth0 scope link src 192.168.0.22

The final output shows that the change has taken effect; then use another host to verify it in practice. If you have any doubts, please contact zhangxugg@163.com.
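To make the three selection mechanisms and the effect of the src attribute concrete, here is an added example (it is not code from the original article) that models them in Python over the walkthrough host's addresses and routing tables. The interface list, both routing tables and the destination addresses are constructed input; the "after" table keeps the gateway (via 192.168.0.1) on the default route, and mechanism 3 is modelled as "prefer an address in the subnet of the on-link target, else the primary address", as the text describes.

```python
# Added example (not from the original article): a small model of the three
# source-address selection mechanisms described above, using the host's own
# addresses and routing tables from the walkthrough as constructed input.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Iface:
    name: str
    addrs: List[str]  # first entry is the primary address, the rest are secondary

    def interfaces(self):
        return [ipaddress.ip_interface(a) for a in self.addrs]


@dataclass
class Route:
    prefix: str                 # "0.0.0.0/0" is the default route
    dev: str
    via: Optional[str] = None   # gateway, if any
    src: Optional[str] = None   # the "src" attribute set with "ip route ... src X"


def lookup_route(routes: List[Route], dst: str) -> Route:
    """Longest-prefix match over the table, as the kernel FIB lookup does."""
    d = ipaddress.ip_address(dst)
    best = None
    for r in routes:
        net = ipaddress.ip_network(r.prefix)
        if d in net and (best is None or net.prefixlen > ipaddress.ip_network(best.prefix).prefixlen):
            best = r
    if best is None:
        raise LookupError("no route to " + dst)
    return best


def select_source(ifaces: List[Iface], routes: List[Route], dst: str,
                  explicit: Optional[str] = None) -> str:
    """Return the source address a packet to dst would carry.

    explicit models mechanism 1 (bind(2) / IP_PKTINFO): the kernel only checks
    that the address is local and otherwise fails with EADDRNOTAVAIL.
    """
    local = {str(a.ip) for i in ifaces for a in i.interfaces()}
    if explicit is not None:
        if explicit not in local:
            raise ValueError("EADDRNOTAVAIL: %s is not a local address" % explicit)
        return explicit
    route = lookup_route(routes, dst)
    if route.src:                       # mechanism 2: src attribute on the route
        return route.src
    iface = next(i for i in ifaces if i.name == route.dev)
    # mechanism 3 (IPv4): prefer an address in the same subnet as the on-link
    # target, which is the gateway for a "via" route and dst otherwise; the
    # primary address is listed first, so it wins over secondaries in that subnet
    target = ipaddress.ip_address(route.via) if route.via else ipaddress.ip_address(dst)
    for a in iface.interfaces():
        if target in a.network:
            return str(a.ip)
    return str(iface.interfaces()[0].ip)   # nothing in common: fall back to the primary


# Constructed input mirroring the walkthrough host (eth0 only; lo is omitted).
IFACES = [Iface("eth0", ["192.168.0.250/24", "172.16.25.1/24",
                         "192.168.0.22/24", "192.168.0.23/24"])]
ROUTES_BEFORE = [
    Route("192.168.0.0/24", "eth0", src="192.168.0.250"),
    Route("172.16.25.0/24", "eth0", src="172.16.25.1"),
    Route("169.254.0.0/16", "eth0"),                          # link-local, no src
    Route("0.0.0.0/0", "eth0", via="192.168.0.1"),            # no src attribute
]
ROUTES_AFTER = [
    Route("192.168.0.0/24", "eth0", src="192.168.0.22"),
    Route("172.16.25.0/24", "eth0", src="172.16.25.1"),
    Route("169.254.0.0/16", "eth0"),
    Route("0.0.0.0/0", "eth0", via="192.168.0.1", src="192.168.0.22"),
]


def main():
    for table, label in ((ROUTES_BEFORE, "before"), (ROUTES_AFTER, "after")):
        for dst in ("192.0.2.10", "192.168.0.77", "172.16.25.9", "169.254.1.1"):
            print(label, dst, "->", select_source(IFACES, table, dst))


if __name__ == "__main__":
    main()
```

Running it prints the source chosen for each destination before and after the src attribute is set: the default and connected routes move from 192.168.0.250 to 192.168.0.22, the 172.16.25.0/24 route keeps its own src, and the link-local route, which has no src and no address in common with the target, falls back to the primary address.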

There is another way to modify the source IP address, using iptables:

iptables -t nat -I POSTROUTING -o eth0 -d 0.0.0.0/0 -s 192.168.0.250 -j SNAT --to-source 192.168.0.22

In testing this also works, but modifying the routing table is clearly the better way.



PREROUTING and POSTROUTING are also frequently used on NAT gateways for network address translation, following these rules:

PREROUTING does destination address translation (DNAT): it rewrites the public IP that outside hosts connect to into your internal IP, so that they can reach servers behind your firewall.

POSTROUTING does source address translation (SNAT): it rewrites the internal, firewall-protected IP address into your local public address so that internal hosts can reach the Internet. SNAT rewrites the source address of the packet.
Example: change the source IP address of all packets from 192.168.1.0/24 to 1.2.3.4:
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j SNAT --to-source 1.2.3.4


DNAT: for providing WWW, FTP and other services to the outside.
Example: change the destination IP address of all packets from 192.168.1.0/24 arriving on eth1 for port 65533 to 1.2.3.4 (--dport requires a protocol match, so -p tcp is added):
iptables -t nat -A PREROUTING -s 192.168.1.0/24 -i eth1 -p tcp --dport 65533 -j DNAT --to-destination 1.2.3.4




Modify the source IP in the nat table:
iptables -t nat -I POSTROUTING -d 81.201.0.0/16 -p udp --sport 5060 -j SNAT --to-source 165.254.88.10

List nat table rules:
iptables -L -t nat

Flush nat table rules:
iptables --flush -t nat
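The following added example (not code from the original article, and not an iptables implementation) models what the nat table does with the SNAT and DNAT rules shown above: PREROUTING rewrites the destination before routing, POSTROUTING rewrites the source after it, the first matching rule in a chain wins, -I puts a rule at the head while -A appends, and the connection-tracking entry created by the first packet translates the reply back without any rule. The internal host, the remote hosts (203.0.113.5, 198.51.100.7) and the ports are constructed.

```python
# Added example (not from the original article): a model of how the nat table's
# PREROUTING (DNAT) and POSTROUTING (SNAT) chains rewrite a packet, and how the
# connection-tracking entry created by the first packet translates the reply
# back. Rules and addresses are the ones from the examples above; hosts and
# ports are constructed.
import ipaddress
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    in_if: str = ""
    out_if: str = ""


@dataclass
class Rule:
    target: str                   # "SNAT" or "DNAT"
    to: str                       # --to-source / --to-destination
    src: Optional[str] = None     # -s
    dst: Optional[str] = None     # -d
    proto: Optional[str] = None   # -p
    sport: Optional[int] = None   # --sport
    dport: Optional[int] = None   # --dport
    in_if: Optional[str] = None   # -i (meaningful in PREROUTING)
    out_if: Optional[str] = None  # -o (meaningful in POSTROUTING)

    def matches(self, p: Packet) -> bool:
        def in_net(ip: str, prefix: Optional[str]) -> bool:
            return prefix is None or ipaddress.ip_address(ip) in ipaddress.ip_network(prefix, strict=False)
        return (in_net(p.src, self.src) and in_net(p.dst, self.dst)
                and (self.proto is None or p.proto == self.proto)
                and (self.sport is None or p.sport == self.sport)
                and (self.dport is None or p.dport == self.dport)
                and (self.in_if is None or p.in_if == self.in_if)
                and (self.out_if is None or p.out_if == self.out_if))


class NatTable:
    def __init__(self) -> None:
        self.chains: Dict[str, List[Rule]] = {"PREROUTING": [], "POSTROUTING": []}
        # key: 5-tuple of the reply direction after NAT -> packet as originally sent
        self.conntrack: Dict[Tuple, Packet] = {}

    def append(self, chain: str, rule: Rule) -> None:   # iptables -A
        self.chains[chain].append(rule)

    def insert(self, chain: str, rule: Rule) -> None:   # iptables -I (head of chain)
        self.chains[chain].insert(0, rule)

    def flush(self) -> None:                            # iptables -t nat --flush
        for rules in self.chains.values():
            rules.clear()

    def forward(self, p: Packet) -> Packet:
        """First packet of a connection: PREROUTING runs before the routing
        decision (DNAT), POSTROUTING after it (SNAT); first match in a chain wins."""
        original = p
        for r in self.chains["PREROUTING"]:
            if r.target == "DNAT" and r.matches(p):
                p = replace(p, dst=r.to)
                break
        for r in self.chains["POSTROUTING"]:
            if r.target == "SNAT" and r.matches(p):
                p = replace(p, src=r.to)
                break
        self.conntrack[(p.dst, p.dport, p.src, p.sport, p.proto)] = original
        return p

    def reply(self, p: Packet) -> Packet:
        """Reply packet: no rule is consulted, the conntrack entry undoes both NATs."""
        original = self.conntrack[(p.src, p.sport, p.dst, p.dport, p.proto)]
        return replace(p, src=original.dst, dst=original.src)


def gateway_from_article() -> NatTable:
    """The SNAT and DNAT rules shown above, loaded into the model."""
    nat = NatTable()
    nat.append("POSTROUTING", Rule("SNAT", "1.2.3.4", src="192.168.1.0/24", out_if="eth0"))
    nat.append("PREROUTING", Rule("DNAT", "1.2.3.4", src="192.168.1.0/24", in_if="eth1",
                                  proto="tcp", dport=65533))
    return nat


if __name__ == "__main__":
    nat = gateway_from_article()
    out = nat.forward(Packet("192.168.1.10", "203.0.113.5", "tcp", 40000, 80, "eth1", "eth0"))
    print("outbound after NAT:", out)
    print("reply un-NATed:", nat.reply(Packet("203.0.113.5", "1.2.3.4", "tcp", 80, 40000, "eth0")))
```

The reply path is the part worth noticing: once the first packet has created the conntrack entry, the reply to 1.2.3.4 is delivered to 192.168.1.10 without any rule matching it, which is also why a rule added or flushed later does not affect connections already established.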


