the rp_filter of Linux kernel parameters
introduction of Rp_filter parametersThe Rp_filter parameter is used to control whether the system turns on the checksum of the packet source address. First look at the description in the Linux kernel document documentation/networking/ip-sysctl.txt: Rp_filter-integer
0-no source Validation.
1-strict mode as defined in RFC3704 Strict Reverse Path
Each incoming packet is tested against the FIB and if the interface
is not the best reverse path the packet check'll fail.
By default failed packets are discarded.
2-loose mode as defined in RFC3704 Loose Reverse Path
Each incoming packet ' s source address is also tested against the FIB
And if the source is not reachable via any interface
The packet check would fail.
Current recommended practice in RFC3704 be to enable strict mode
To prevent IP spoofing from DDos attacks. If Using Asymmetric routing
or other complicated routing, then loose the mode is recommended.
The max value from Conf/{all,interface}/rp_filter is used
When doing source validation on the {interface}.
Default value is 0. Note This some distributions enable it in startup scripts. That is, the Rp_filter parameter has three values, 0, 1, 2, meaning: 0: Do not open the source address check. 1: Turn on strict reverse path calibration. For each incoming packet, verify that its reverse path is the best path. If the reverse path is not the optimal path, the packet is discarded directly. 2: Open the loose reverse path checksum. For each incoming packet, verify that its source address is up to, that is, whether the reverse path is accessible (through any network port), and if the reverse path is different, discard the packet directly.
Two, rp_filter parameter example Assume that the machine has 2 network ports: eth0:192.168.1.100 eth1:200.153.1.122 Packet Source ip:10.75.153.98, the purpose ip:200.153.1.122 system routing table configuration is: [root@localhost ~]# route -n kernel ip routing table destination gateway genmask flags metric ref use iface default 192.168.1.234 0.0.0.0 UG 0 0 &n bsp; 0 eth0 192.168.120.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0 10.75.153.98 0.0.0.0 255.255.255.0 u &nbSp; 0 0 0 eth0 system RP The _filter parameter is configured as: [Root@localhost ~]# sysctl-a | grep rp_filter net.ipv4.conf.all.rp_filter=1 net.ipv4.conf.default.rp_filter=1 as shown above, packets are sent to the ETH1 network card, if Rp_ is turned on Filter parameter and configured to 1, the reverse path of the packet is strictly validated. From the routing table can be seen, the return of the response to the packet from the ETH0 network card, that is, the request packet into the network card and response data packets are not the same network card, this time the system will judge that the reverse path is not the best path, and directly discard the request packet. (The business process also does not receive the request packet) solution: 1. Modify the routing table so that the response packet is eth1 out, that is, the network card that the request data is packet into and the network card that the response data packet is the same network card. 2. Close the Rp_filter parameter. (Note that all and default parameters are to be changed) 1) modify the/etc/sysctl.conf file, and then sysctl-p flushed to memory. 2 Use sysctl-w Direct write memory: sysctl-w net.ipv4.conf.all.rp_filter=0 3) Modify/proc File system: echo "0" >/proc/sys/net/ipv4/conf /all/rp_filter
third, the function of opening rp_filter parameters1. Reduce DDoS attack check packet reverse path, if the reverse path is not appropriate, then drop packets directly, avoid excessive invalid connection consumption system resources. 2. To prevent the IP Spoofing check packet reverse path, if the client forged source IP address of the reverse path is not in the routing table, or the reverse path is not the best path, then directly discard packets, will not respond to fake IP clients.
Ps: Two common means of illegal attack:1. DDoS attack (distribute deny service) distributed Denial-of-service attack. By constructing a large number of useless packets to the target service to launch the request, occupy the target service host a large number of resources, but also may cause network congestion, and thus affect the normal user access. 2. IP spoofing (IP spoofing) IP spoofing refers to a client through the forgery of source IP, impersonating another client and the target service to communicate, so as to achieve some unspeakable secret.
Source: https://www.cnblogs.com/lipengxiang2009/p/7446388.html
Add:
https://my.oschina.net/7shell/blog/308887
Company business needs, a server, dual network card, the need to access both the extranet and intranet. In the setup process, colleagues reflect the original use of the intranet address (192.168.1.100) in the setting of the external network address changed bad, as long as the outside network that network card can be normal access to the intranet.
In fact, because you set up the intranet, and then set the external network, in the network after the gateway set up, because there is no default gateway, resulting in intranet IP will also take the gateway of the extranet, it is certainly not possible. All we have to do is let the intranet go through its own network card.
Intranet network card: eth0 192.168.1.100 Gateway: 192.168.1.100
External Network network card: eth1 119.222.222.222 Gateway: 119.222.222.1
First set the default gateway so that all IP packets are forwarded by default via 119.222.222.1:
Route add default GW 119.222.222.1
Then, separate for the intranet set forwarding special case, all 192.168 start, all go eth0
Route add-net 192.168.0.0 netmask 255.255.0.0 Dev eth0
The best route to add is to boot up
Vi/etc/rc.local
Another: the command to delete the default gateway is as follows:
Route del Default