I have a dual port ethernet NIC and let's say I have connected 2 ports in a loop and assigned the following IPs to the 2 ethernet interfaces:
eth2 -> 192.168.2.1
eth3 -> 192.168.3.1
I want to send traffic from 1 port to another over the physical network, e.g. ping 192.168.3.1 from 192.168.2.1. However, the TCP/IP stack in the Linux kernel recognizes that these two addresses are local and instead sends the traffic to the loopback adapter, so the traffic never hits the physical network.
The closest I have to a solution is Anastasov's send-to-self patch, which unfortunately, has been discontinued since kernel 3.6 so it won't work on Ubuntu 13.10 (kernel 3.11) for me. I've tried finding rewriting the patch for 3.11, but I can't seem to locate these in the Ubuntu distro:
include/linux/inetdevice.h
net/ipv4/devinet.c
net/ipv4/fib_frontend.c
net/ipv4/route.c
Documentation/networking/ip-sysctl.txt
Is there a way I can get the send-to-self patch to work, or an alternative?
You can use network namespaces for this purpose.
As ip-netns's manpage says:
A network namespace is logically another copy of the network stack,
with its own routes, firewall rules, and network devices.
Following is just a copy of this answer:
Create a network namespace and move one of interfaces into it:
ip netns add test
ip link set eth1 netns test
Start a shell in the new namespace:
ip netns exec test bash
Then proceed as if you had two machines. When finished exit the shell and delete the namespace:
ip netns del test
you can try configuring route table, by running "ip" command:
ip route add to unicast 192.168.3.1 dev eth2
ip route add to unicast 192.168.2.1 dev eth3
new route would be added into route table, and it should be able to take effect before egress routing lookup hit the host-local route between "192.168.3.1" and "192.168.2.1", therefore, the traffic should be sent through physical interface "eth2" and "eth3", instead of loopback "lo"
Never tried myself, but should work.
Related
I have two NICs.
On eth1 IP is 10.135.28.86/16.
On eth IP is 135.251.8.43/24.
My routing table is like below:
135.251.8.0/24 dev eth1 proto kernel scope link src 135.251.8.43
10.135.0.0/16 dev eth0 proto kernel scope link src 10.135.28.86
169.254.0.0/16 dev eth0 scope link metric 1002
169.254.0.0/16 dev eth1 scope link metric 1003
10.0.0.0/8 via 10.135.0.1 dev eth0
default via 135.251.8.1 dev eth1
Now if I ping 10.135.28.86 from 10.34.7.103, it's OK, while if I ping 135.251.8.43 from 10.34.7.10, it fails.
And if I ping my public IP 135.251.8.43 from 135.252.11.7, it's OK, if I ping 10.135.28.86, it fails.
However, on my other machines which have exactly the same subnet and gateway configured, I can ping both IP either from 10.34.7.103 or 135.252.11.7.
Any ideas on this?
I used tcpdump to capture icmp packet on other machines and found that echo request come in eth0 and echo reply out from eth1.
but on this machine no echo reply were captured.
When you ping from your other machines with IP's in both networks the machine uses the interface on the same network to send the packet (so private-to-private and public-to-public, since they are on directly connected subnets). That is why it reaches, they are on the same subnet.
I see 2 scenarios.
1.
The machine which only has IP on your private network (10.34.7.10) probobly sends its ping to dgw (IP?) which then forwards it to 135.251.8.43 (eth0).
But since the source adress (10.34.7.10) is on a network directly connected to it's other interface (eth1) the answer will be sent back there. I would say you have a flawed network architecture.
The machine 10.34.7.10 has a static route for 135.251.8.43 to 10.135.28.86, but your machine has not bridged the 2 networks.
I have to make a STUN server in OpenSIPs, and it says that I need to bind 2 IP addresses.
http://www.opensips.org/About/News0042
A STUN server uses 2 ips and 2 ports to create 4 sockets on which to listen or respond.
STUN requires 2 routable ip addresses
How can I enable two public IP addresses into one Linux server? I've searched all website, and failed to find the answer.
Several options.
Option 1.
You likely just need to use ifconfig from the command line to start
You can assign an additional static IP address to your NIC via the command line. Type ifconfig to get the name of your default adapter. It's typically "eth0". Then do add a secondary address to this adapter, the command is something like the following:
sudo ifconfig eth0:1 inet up netmask 255.255.255.0 192.168.1.55
Where 255.255.255.0 is the netmask of my 8-bit subnet and 192.16.1.55 is an existing IP address that no other device on my subnet is already using.
Option 2.
After you get your server up and running with Option 1, you likely need to find a way to get the IP address assigned by "ifconfig" to persist after a reboot. You could likely stick an ifconfig statement into one of your rc.init files. But most Linux skus have a formal way of configuring an interface with another /etc file. But this step varies between different flavors of Linux. On Ubuntu, this is all defined in the /etc/network/interfaces file. Add these three lines to the bottom of your existing file:
iface eth0:1 inet static
address 192.168.1.55
netmask 255.255.255.0
Option 3 (shameless plug)
Switch to Stuntman ( www.stunprotocol.org ) as your STUN server. Its default mode only requires one IP address to be present on the box. Most client usages of the STUN protocol don't require the second IP address unless to do NAT classification and behavior tests.
Am using Cent OS 6.2 (64bit), I have 4 NIC interface, in that am trying to connect two NIC with different subnet,
em1 with 10.30.2.x series
em4 with 10.30.4.x series
Also I added route with /sbin/route add -net 10.30.4.0 netmask 255.255.255.0 dev em4
When I make the network device up "ifup em4" am not able to ping both the interfaces.
There is no IPtables running and selinux also disabled.
The same setup is working in one more DELL server, in that server reverse IP and IP forwarding is not enabled, even then its working.
Reverse IP & IP Forwarding
cat /proc/sys/net/ipv4/conf/em2/rp_filter
1
cat /proc/sys/net/ipv4/ip_forward
0
Any comments would be appreciated.
Thanks in advance.
If you are sure that ip addresses are actually setted on the interfaces, everything should work out, i would suggest to check network equipment on the way.
easiest way to test this is to use tcpdump -i any icmp and see if you actually receive the packets, this will also show you if your pong is going on the wrong interface.
hope that helps
I am writing a test script to exercise processor boards for a burn-in cycle during manufacturing. I would like to use netcat to transfer files from one process, out one Ethernet port and back into another Ethernet port to a receiving process. It looks like netcat would be an easy tool to use for this.
The problem is that if I set up the ethernet ports with IP addresses on separate IP sub nets and attempt to transfer data from one to the other, the kernel's protocol stack detects an internal route and although the data transfer completes as expected, it does NOT go out over the wire. The packets are routed internally.
That's great for network optimization but it foils the test I want to do.
Is there easy way to make this work? Is there a trick with iptables that would work? Or maybe things you can do to the route table?
I use network name spaces to do this sort of thing. With each of the adapters in a different namespace the data traffic definitely goes through the wire instead of reflecting in the network stack. The separate namespaces also prevent reverse packet filters and such from getting in the way.
So presume eth0 and eth1, wiht iperf3 as the reflecting agent (ping server or whatever). [DISCLAIMER:text from memory, all typos are typos, YMMV]
ip netns add target
ip link set dev eth1 up netns target
ip netns exec target ip address add dev eth1 xxx.xxx.xxx.xxx/y
ip netns exec target iperf3 --server
So now you've created the namespace "target", moved one of your adapters into that namespace. Set its IP address. And finally run your application in the that target namespace.
You can now run any (compatible) program in the native namespace, and if it references the xxx.xxx.xxx.xxx IP address (which clearly must be reachable with some route) will result in on-wire traffic that, with a proper loop-back path, will find the adapter within the other namespace as if it were a different computer all together.
Once finished, you kill the daemon server and delete the namespace by name and then the namespace members revert and you are back to vanilla.
killall iperf3
ip netns delete target
This also works with "virtual functions" of a single interface, but that example requires teasing out one or more virtual functions --- e.g. SR-IOV type adapters -- and handing out local mac addresses. So I haven't done that enough to have a sample code tidbit ready.
Internal routing is preferred because in the default routing behaviour you have all the internal routes marked as scope link in the local table. Check this out with:
ip rule show
ip route show table local
If your kernel supports multiple routing tables you can simply alter the local table to achieve your goal. You don't need iptables.
Let's say 192.168.1.1 is your target ip address and eth0 is the interface where you want to send your packets out to the wire.
ip route add 192.168.1.1/32 dev eth0 table local
I have two machines each with two valid network interfaces, an Ethernet interface eth0 and a tun/tap interface gr0. The goal is to start a TCP connection on machine A using interface gr0 but then have the responses (ACKs, etc) from machine B come back over the Ethernet interface, eth0. So, machine A sends out a SYN on gr0 and machine B receives the SYN on its own gr0 but then sends its SYN/ACK back through eth0. The tun/tap device is a GNU Radio wireless link and we just want the responses to come through the Ethernet.
What's the easiest way to accomplish this? I need to research more on TCP/IP, but I was initially thinking that source-spoofing outgoing packets would tell the receiver to respond to the spoofed address (which should get routed to eth0). This would involve routing the IPs from the tun/tap interfaces through gr0 and leave the other traffic to eth0.
We are using Linux and a Python solution would be preferable.
Thanks for looking!
You could add an additional address to the lo interface on each system and use these new addresses as the TCP connection endpoints. You can then use static routes to direct which path each machine takes to get to the other machine's lo address.
For example:
Machine A:
ip addr add 1.1.1.1/32 dev lo
ip route add 2.2.2.2/32 dev eth0 via <eth0 default gateway>
Machine B:
ip addr add 2.2.2.2/32 dev lo
ip route add 1.1.1.1/32 dev gr0
Then bind to 1.1.1.1 on machine A and connect to 2.2.2.2.
You may be interested in enabling logging of martian packets net.ipv4.conf.all.log_martians, and disable reverse path filtering net.ipv4.conf.<interface>.rp_filter on the affected interfaces.
This sysctl vars are accesible via the sysctl utility and/or the /proc filesystem.