[Linux] Reverse Path Filtering

I am writing a little article about rp_filter because I recently had a problem that bothered me for several days.

In principle, the main functionality of a router is to route packets from one interface to another. Linux can be used as a router that will route large amounts of traffic without any issues, if configured correctly. The number of malicious attacks on the web has increased in recent years, and it has become necessary to take some extra care when configuring static routes on a Linux host (and on physical routers too). One of the major threats that security specialists deal with today is IP spoofing.

IP spoofing is often used when attackers perform DDoS attacks because they do not want to receive the responses to their requests. Spoofing can be controlled to a certain extent (though not fully) by using reverse path filtering.

Principles of rp_filtering

Reverse path filtering is a mechanism present in the Linux kernel, as well as in most networking devices out there, to check whether a received packet's source address is routable.

In other words, when a Linux host with reverse path filtering enabled receives a packet, it first checks whether the source of the received packet is reachable through the interface it came in on. An important point to remember is that this mechanism is specific to each interface. On a Linux host, this parameter can be enabled or disabled using the /proc/sys files.

  • If the source is routable through the interface the packet came in on, the machine accepts the packet
  • If the source is not routable through the interface the packet came in on, the machine drops the packet

In recent Linux kernels, a new option is available:

  • If the received packet’s source address is routable through any of the interfaces on the machine, the machine will accept the packet.

Configuration

On Linux, rp_filtering is enabled by default for all interfaces. Even if you create static interfaces in /etc/network/interfaces, this option will be active. In the directory /proc/sys/net/ipv4/conf, there is a subdirectory for each network interface available on the host.

# fl0at-0xff@ubuntu: ls /proc/sys/net/ipv4/conf
total 0
all default eth0 lo

In each of these folders there is a file named rp_filter which holds a value of 0 or 1. Normally, it contains the value “1”. If you want to disable it, simply write a “0” to it like this:

# fl0at-0xff@ubuntu: echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter

Then restart the networking service to apply this change:

# fl0at-0xff@ubuntu: /etc/init.d/networking restart

Note: You can also try writing a “2” to the file. If the option is available, the packet will be accepted if it is routable through ANY of the interfaces.
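A practical check to go with the configuration above, added here as an example and not part of the original article: the kernel applies the maximum of conf/all/rp_filter and conf/<interface>/rp_filter, so writing 0 to eth0 alone has no effect while conf/all/rp_filter is still 1. The script reports the mode each interface actually ends up with; the directory argument exists only so it can be pointed at a constructed copy of the /proc tree.

```shell
#!/bin/sh
# Added example (not from the original article): report the rp_filter mode
# the kernel actually enforces per interface. The kernel uses
# max(conf/all/rp_filter, conf/<iface>/rp_filter), so a per-interface "0"
# is overridden as long as conf/all/rp_filter is "1".
# The conf directory defaults to the live /proc tree; a test can pass a
# constructed directory with the same layout instead.

rp_mode_name() {
    case "$1" in
        0) echo "disabled" ;;
        1) echo "strict (same interface only)" ;;
        2) echo "loose (any interface)" ;;
        *) echo "unknown ($1)" ;;
    esac
}

# Effective rp_filter value for one interface: max(all, iface).
rp_filter_effective() {
    cdir=$1
    ifn=$2
    all_val=$(cat "$cdir/all/rp_filter")
    if_val=$(cat "$cdir/$ifn/rp_filter")
    if [ "$all_val" -gt "$if_val" ]; then
        echo "$all_val"
    else
        echo "$if_val"
    fi
}

# One line per real interface; "all" and "default" are not interfaces.
rp_filter_audit() {
    conf_dir=${1:-/proc/sys/net/ipv4/conf}
    for dir in "$conf_dir"/*; do
        iface=$(basename "$dir")
        case "$iface" in all|default) continue ;; esac
        eff=$(rp_filter_effective "$conf_dir" "$iface")
        printf '%-8s all=%s iface=%s effective=%s -> %s\n' "$iface" \
            "$(cat "$conf_dir/all/rp_filter")" "$(cat "$dir/rp_filter")" \
            "$eff" "$(rp_mode_name "$eff")"
    done
}
```

Run `rp_filter_audit` with no argument to inspect the live host; a line such as `eth0 all=1 iface=0 effective=1` shows the case where the per-interface write did not take effect.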
