Linux Reverse Path Filtering (IPv4)

By default routers “route” everything, even packets which ‘obviously’ don’t belong on your network. A common example is private IP space escaping onto the Internet.
Lots of people want to turn this behaviour off; the method is called “Reverse Path Filtering”.
Basically, if the reply to a packet wouldn’t go out the interface the packet came in on, the packet is bogus and should be ignored.

The following fragment will turn this on for all current and future interfaces.

# rp_filter values: 0 = no check, 1 = strict (full reverse path check), 2 = loose
for i in /proc/sys/net/ipv4/conf/*/rp_filter ; do
  echo 1 > $i
done

Going by the example above, if a packet came from a “private network”, claiming to be from somewhere outside your firewall (in other words, coming from a “public network”), it would be dropped.

This is full reverse path filtering. The default is to only filter based on IPs that are on directly connected networks.
This is because the full filtering breaks in the case of asymmetric routing, where packets come in one way and go out another (for example if you are using dynamic routing protocols in your network).

If this exception applies to you, you can simply turn off rp_filter on the interface where the asymmetric traffic comes in.
If you want to see whether any packets are being dropped, setting the log_martians file in the same directory to 1 tells the kernel to log them to your syslog.

echo 1 > /proc/sys/net/ipv4/conf/<interfacename>/log_martians

The same settings can also be applied to all interfaces with sysctl, by setting:

net.ipv4.conf.all.rp_filter=1

Note that the kernel uses the higher of the “all” value and the per-interface value, so once “all” is set to 1 you can no longer turn the filter off on an individual interface; leave “all” at 0 and set the per-interface files if you need exceptions.

And for Martian Logging:

net.ipv4.conf.all.log_martians = 1
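The procedure above, combined into one script as an added example (not code from the original post): strict filtering and martian logging everywhere, exceptions for interfaces with asymmetric routing, and a helper that reports the value the kernel will actually use. CONF_ROOT is an assumed override so the functions can be exercised against a scratch directory instead of the live /proc tree.

```shell
#!/bin/sh
# Added example, not part of the original post.
# CONF_ROOT is an assumption: it lets the script run against a copy of the
# sysctl layout; by default it points at the real IPv4 per-interface tree.
CONF_ROOT="${CONF_ROOT:-/proc/sys/net/ipv4/conf}"

# Kernel semantics: rp_filter 0 = no check, 1 = strict, 2 = loose; the
# effective value for an interface is max(all, iface).  log_martians is
# enabled for an interface if either all or iface is set to 1.

# apply_rp_filter MODE [EXEMPT_IFACE ...]
# Sets MODE on "default" (future interfaces) and on every existing interface
# except the exempt ones, which get 0 so asymmetric traffic is not dropped.
# "all" is forced to 0, otherwise max(all, iface) would undo every exemption.
# Martian logging is switched on on every interface.
apply_rp_filter() {
    mode="$1"; shift
    for dir in "$CONF_ROOT"/*/; do
        iface=$(basename "$dir")
        value="$mode"
        if [ "$iface" = "all" ]; then
            value=0
        fi
        for exempt in "$@"; do
            if [ "$iface" = "$exempt" ]; then
                value=0
            fi
        done
        echo "$value" > "$dir/rp_filter"
        echo 1 > "$dir/log_martians"
    done
}

# effective_rp_filter IFACE -> prints the value the kernel uses for IFACE
effective_rp_filter() {
    all=$(cat "$CONF_ROOT/all/rp_filter")
    iface=$(cat "$CONF_ROOT/$1/rp_filter")
    if [ "$all" -gt "$iface" ]; then
        echo "$all"
    else
        echo "$iface"
    fi
}
```

Run as root with no CONF_ROOT set, e.g. `apply_rp_filter 1 eth1` to keep eth1 unfiltered, then `effective_rp_filter eth0` to confirm what is in force.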
