Linux kernel rp_filter settings (Reverse path filtering)

Author: Sarath Pillai
Reverse Path Filtering in Linux

The main function of a router is to route packets from one place to another. A Linux machine can be used as a router on your network and, if configured correctly, will route a substantial amount of traffic without any issues.

Due to the increasing amount of malicious and attack traffic on the internet, it has become necessary to take some extra care while configuring routes on a Linux machine or on physical routers.

One of the major problems that internet security people are dealing with today is spoofing.

 

 

What is IP address spoofing?

IP spoofing is a method attackers use to put a forged source address in their attack traffic. This means they can send an IP packet carrying any source IP address they wish.

Most of the time, an attacker uses spoofing for the following reasons:

  1. To conduct a DDoS attack, where he does not want the response from the target machine to reach him
  2. To compromise source-based authentication

Spoofing can be controlled to a certain extent (although not fully) by using reverse path filtering.

 

What is reverse path filtering?

Reverse path filtering is a mechanism adopted by the Linux kernel, as well as by most networking devices, to check whether the source address of a received packet is routable.

In other words, when a machine with reverse path filtering enabled receives a packet, it first checks whether the source of the received packet is reachable through the interface the packet came in on.

  • If it is routable through the interface on which it arrived, the machine will accept the packet.
  • If it is not routable through the interface on which it arrived, the machine will drop the packet.

The latest Red Hat machines give you one more option, which is more liberal in terms of accepting traffic.

  • If the received packet's source address is routable through any of the interfaces on the machine, the machine will accept the packet.
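
The accept/drop rules above, modelled as an added example that is not part of the original article. The routing table, addresses and function names are constructed for illustration, the mode numbers follow the rp_filter values 0, 1 and 2, and the model is simplified: it ignores multipath routes and the kernel's other source checks.

```shell
#!/bin/sh
# Added example: the reverse path decision modelled on a constructed routing table.
# One route per line, "prefix/len interface". Addresses and names are made up.
ROUTES='10.0.0.0/8 eth1
192.168.1.0/24 eth0
0.0.0.0/0 eth0'

# Print the interface of the longest-prefix route covering address $1,
# or nothing when no route covers it.
route_iface() {
    printf '%s\n' "$ROUTES" | awk -v ip="$1" '
        function num(a,  o) {
            split(a, o, ".")
            return ((o[1] * 256 + o[2]) * 256 + o[3]) * 256 + o[4]
        }
        BEGIN { best = -1 }
        {
            split($1, p, "/")
            size = 2 ^ (32 - p[2])
            # Two addresses share a prefix when they fall in the same aligned block.
            if (int(num(ip) / size) == int(num(p[1]) / size) && p[2] + 0 > best) {
                best = p[2] + 0
                out = $2
            }
        }
        END { if (out != "") print out }'
}

# rp_check MODE SRC IN_IFACE prints "accept" or "drop".
# MODE is the rp_filter number: 0 = off, 1 = strict, 2 = loose.
rp_check() {
    back=$(route_iface "$2")
    case "$1" in
        0) echo accept ;;
        1) if [ "$back" = "$3" ]; then echo accept; else echo drop; fi ;;
        2) if [ -n "$back" ]; then echo accept; else echo drop; fi ;;
        *) echo "unknown mode" ;;
    esac
}

# Source 10.1.2.3 belongs behind eth1 but shows up on eth0.
rp_check 1 10.1.2.3 eth0   # strict
rp_check 2 10.1.2.3 eth0   # loose
```

With a default route in the table, loose mode accepts almost any source address, which is why it filters far less than strict mode.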

 

Reverse Path Filter (rp_filter) settings in Red Hat 5/CentOS 5 machines

 

On Linux machines, reverse path filtering is handled by sysctl, like many other kernel settings.

The current value on your machine can be found with the following method.

[root@localhost ~]# cat /proc/sys/net/ipv4/conf/default/rp_filter
1
[root@localhost ~]#

 

Let's understand the boolean values for rp_filter first, then go ahead with the configuration.

1 indicates that the kernel will do source validation by confirming the reverse path.

0 indicates no source validation.

The previously shown output of /proc/sys/net/ipv4/conf/default/rp_filter indicates the default value of reverse path filtering for any new interface.

You can also enable reverse path filtering only on your desired interface, because each interface has its own rp_filter file.

[root@localhost ~]# cd /proc/sys/net/ipv4/conf/
[root@localhost conf]# ll
total 0
dr-xr-xr-x 2 root root 0 Feb 28 05:12 all
dr-xr-xr-x 2 root root 0 Feb 28 05:12 default
dr-xr-xr-x 2 root root 0 Feb 28 05:12 eth0
dr-xr-xr-x 2 root root 0 Feb 28 05:12 lo

 

All the folders in the above output contain the file rp_filter. I recommend enabling it by modifying the file /proc/sys/net/ipv4/conf/all/rp_filter if you want reverse path filtering applied very strictly. This can be done by simply redirecting your desired boolean value (1 or 0) to the desired file.

[root@localhost conf]# echo 1 >  /proc/sys/net/ipv4/conf/all/rp_filter
[root@localhost conf]#

Now restart your network for the new configuration to take effect.

 

However, editing files inside /proc directly is not good practice. Use the sysctl command instead, and add the same setting to the sysctl.conf file so that it survives a reboot.

[root@localhost conf]#  sysctl -w "net.ipv4.conf.all.rp_filter=1"
net.ipv4.conf.all.rp_filter = 1

Replace "all" with default, eth0, or any interface name of your choice.

 

Reverse Path Filter (rp_filter) settings in Red Hat 6/CentOS 6 machines

 

As previously mentioned, there is one more option, which is to validate the source of received packets against all the interfaces on the machine.

In other words, if the source address is routable with any of the routes on any of the interfaces, then the packet is accepted. This is called loose mode reverse path filtering.

The numeric value to enable this mode of rp_filter in Red Hat Linux 6 is 2.

For example, you can simply set the value to 2 as shown below to enable this mode.

 

[root@localhost conf]# echo 2 >  /proc/sys/net/ipv4/conf/all/rp_filter
[root@localhost conf]#

The rest of the settings related to rp_filter in Red Hat Enterprise Linux 6 are the same as in Red Hat 5.
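
An added example (not part of the original article) that audits the settings discussed above on a running machine. It goes beyond the text in one respect: on kernels that accept the loose value 2, the kernel's ip-sysctl documentation states that the larger of the all and per-interface values is used for source validation, so the script reports that effective value. The function names and the CONF_DIR and SYSCTL_CONF variables are assumptions of this example.

```shell
#!/bin/sh
# Added example: report the rp_filter mode in force on each interface.
# CONF_DIR and SYSCTL_CONF can be pointed at a test tree (assumed variable names).
CONF_DIR="${CONF_DIR:-/proc/sys/net/ipv4/conf}"
SYSCTL_CONF="${SYSCTL_CONF:-/etc/sysctl.conf}"

# Value applied on interface $1: the larger of all/rp_filter and <iface>/rp_filter.
effective_rp_filter() {
    all=$(cat "$CONF_DIR/all/rp_filter")
    own=$(cat "$CONF_DIR/$1/rp_filter")
    if [ "$all" -gt "$own" ]; then echo "$all"; else echo "$own"; fi
}

# Map the numeric value to the mode names used in the article.
rp_mode() {
    case "$1" in
        0) echo off ;;
        1) echo strict ;;
        2) echo loose ;;
        *) echo unknown ;;
    esac
}

# Value sysctl.conf holds for interface $1, or "unset". The last matching
# line is reported because later lines override earlier ones when applied.
persisted_rp_filter() {
    v=$(sed -n "s/^[[:space:]]*net\.ipv4\.conf\.$1\.rp_filter[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p" \
        "$SYSCTL_CONF" 2>/dev/null | tail -n 1)
    echo "${v:-unset}"
}

# One line per interface: name, effective mode, and a note when the runtime
# value of the interface differs from the one sysctl.conf restores at boot.
audit_rp_filter() {
    for d in "$CONF_DIR"/*/; do
        iface=$(basename "$d")
        case "$iface" in all|default) continue ;; esac
        own=$(cat "$d/rp_filter")
        saved=$(persisted_rp_filter "$iface")
        note=""
        if [ "$saved" != "unset" ] && [ "$saved" != "$own" ]; then
            note=" (runtime $own, sysctl.conf $saved)"
        fi
        echo "$iface $(rp_mode "$(effective_rp_filter "$iface")")$note"
    done
}
```

Call audit_rp_filter with neither variable set to check the live system; an interface reported as off or loose on an exposed network is the one to review.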


Comments

Thanks for the really helpful information.

It helped me use rp_filter for all my exposed interfaces without touching anything for my loopback interface.

Excellent! Clear, simple, perfect.

Thanks for this explanation.

The way the content is narrated is highly appreciable.
