Red Hat Bugzilla – Bug 50166
default /etc/sysctl.conf leaves machine open to ip spoofing contrary to comment
Last modified: 2014-03-16 22:22:08 EDT
Description of Problem:
The default /etc/sysctl.conf as distributed with RedHat 7.1 leaves the
machine open to IP spoofing attacks but lulls the user into a false sense
that it does not. In particular the file contains these lines:
# Enables source route verification
net.ipv4.conf.all.rp_filter = 1
However, this doesn't really have any effect at the time the sysctl.conf is
processed since the interfaces have not been brought up yet. To be
effective, in addition to the above rule, you also need
net.ipv4.conf.default.rp_filter = 1
Basically, the system behaves exactly as configured, but the comment makes
you think you have more protection than you actually do based on the order
in which things are evaluated, etc.
Steps to Reproduce:
Configure three machines as follows:
box1 eth0: a.a.a.2
router eth0: a.a.a.1
router eth1: b.b.b.1
box2 eth1: b.b.b.2
On router, no ipchains/iptables settings are needed. IP forwarding should
be enabled (by setting sys.net.ipv4.ip_forward = 1 or by directly
manipulating the file in /proc)
Run tcpdump -n icmp on all three machines.
ifconfig eth0:0 b.b.b.2 up
ping b.b.b.1 -I b.b.b.2
box1 shows echo requests from b.b.b.1 to b.b.b.2
router shows echo requests from b.b.b.1 to b.b.b.2 coming in through eth0
and echo replies from b.b.b.2 to b.b.b.1 going out through eth1.
box2 shows echo replies from b.b.b.2 to b.b.b.1
Of course, the ping doesn't work, but the point is that the router accepts
packets with b source addresses on eth0.
/proc/sys/net/ipv4/conf/eth0/rp_filter and /proc/sys/net/ipv4/conf/eth1/rp_filter
are both 0 on the router.
Well, the above is actually what is expected given the configuration, but
the comment leads you to believe that you are protected.
Once you enable rp_filter, you get the message
From b.b.b.2: Destination Host Unreachable
which is what you would expect.
Put
sys.net.ipv4.conf.default.rp_filter = 1
in /etc/sysctl.conf and reboot. Then the above ping setup fails and the
only icmp packets you see are those generated on box1. box2 sees nothing,
and router drops the packets. You can verify by setting
/proc/sys/net/ipv4/conf/eth0/log_martians to 1 and checking
Note that when changing these dynamically, it may be necessary to run
ip route flush cache
to have the changes take effect. It took me a while to realize this. I
finally found mention of it in the email@example.com mailing list.
Rebooting is not necessary to effect the change, but the reason for doing
this and rebooting is to make sure that the proper protections are enabled
immediately after the machine boots and that filtering is not disabled at
any time during the boot process. Doing a continuous ping from box1
through a reboot cycle of the router does in fact show that with
default.rp_filter = 1 and all.rp_filter = 1, there is no opening for an IP
Note: I accidentally typed sys.net.ipv4...
in some places in the above. Sorry about that. It should always be
net.ipv4.... -- I assume the person to whom this bug will be assigned will be
familiar enough with /proc/sys, sysctl, etc. to understand my bug report even if
there are a couple of typos, though I apologize for that. If this seems not to
hold up, let me know -- I have definitely performed the exact experiment I
described with my real ip addresses instead of a.a.a and b.b.b....
Will be fixed in 6.13-1 - thanks!
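Added example, not part of the report above and not Red Hat's sysctl.conf or kernel code: a POSIX sh script that models the ordering problem the report describes and audits a router for it. It assumes a constructed /proc tree built in a scratch directory, in which an interface that comes up after sysctl.conf has been read gets its conf/<iface>/rp_filter cloned from conf/default (the behaviour the report observed); the rpf_* function names and the --demo flag are the example's own. On a live router, rpf_audit /proc reads the real values.

```shell
#!/bin/sh
# Added example (not from the bug report): audit rp_filter per interface and
# model why "all.rp_filter = 1" alone does not protect a router.
# The first argument of each function is a tree root; /proc on a real host,
# a constructed scratch tree in the demo and the test.

# Print one rp_filter value, or "missing" if the entry does not exist.
rpf_get() {               # rpf_get <root> <conf-entry>, e.g. rpf_get /proc eth0
    f="$1/sys/net/ipv4/conf/$2/rp_filter"
    if [ -r "$f" ]; then cat "$f"; else echo missing; fi
}

# Model of an interface appearing AFTER /etc/sysctl.conf was processed:
# the kernel creates conf/<iface> as a copy of conf/default, so whatever
# conf/all says, the new interface starts with default's value. This is a
# model for the fake tree, not the kernel itself (assumption stated in lead-in).
rpf_fake_ifup() {         # rpf_fake_ifup <root> <iface>
    d="$1/sys/net/ipv4/conf"
    mkdir -p "$d/$2"
    cp "$d/default/rp_filter" "$d/$2/rp_filter"
}

# Constructed router from the report: sysctl.conf set all=1 (as shipped),
# default is left at the given value, then eth0 and eth1 come up.
rpf_make_fake_router() {  # rpf_make_fake_router <root> <default-value>
    d="$1/sys/net/ipv4/conf"
    mkdir -p "$d/all" "$d/default" "$d/lo"
    echo 1    > "$d/all/rp_filter"
    echo "$2" > "$d/default/rp_filter"
    echo 0    > "$d/lo/rp_filter"
    rpf_fake_ifup "$1" eth0
    rpf_fake_ifup "$1" eth1
}

# Audit: list every conf entry; return 1 if any real interface (not all,
# default or lo) has rp_filter=0, whatever conf/all says. That is exactly the
# state the report found on the router.
rpf_audit() {             # rpf_audit <root>   (root defaults to /proc)
    root="${1:-/proc}"
    bad=0
    for dir in "$root"/sys/net/ipv4/conf/*/; do
        name=$(basename "$dir")
        v=$(rpf_get "$root" "$name")
        echo "$name rp_filter=$v"
        case "$name" in all|default|lo) continue ;; esac
        [ "$v" = "0" ] && bad=1
    done
    return $bad
}

# The sysctl.conf lines that make the protection survive interface bring-up.
rpf_sysctl_fix() {
    cat <<'EOF'
# Enables source route verification, also on interfaces brought up
# after sysctl.conf has been processed
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
EOF
}

if [ "${1:-}" = "--demo" ]; then
    t=$(mktemp -d)
    echo "== as shipped: all=1, default=0 =="
    rpf_make_fake_router "$t/shipped" 0
    rpf_audit "$t/shipped" || echo "OPEN: interfaces are not filtering"
    echo "== with default.rp_filter=1 =="
    rpf_make_fake_router "$t/fixed" 1
    rpf_audit "$t/fixed" && echo "OK: every interface is filtering"
    echo "== sysctl.conf lines =="
    rpf_sysctl_fix
    rm -rf "$t"
fi
```

Run it with --demo to see both audits side by side; on a router, source the file and call rpf_audit /proc. When the values are changed by hand rather than at boot, the ip route flush cache step from the report still applies before re-testing with ping.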