Forwarding between two interfaces on Ubuntu or Linux wasn’t working

I ran into an issue recently where I was using Linux as a router and forwarding wasn’t working between two interfaces. I could see packets entering eth0, but they weren’t forwarding out eth1. The routing table was fine and IP forwarding was enabled. I couldn’t even ping by sourcing a packet from eth0 destined for eth1 – both locally connected interfaces.

My basic topology is below. Essentially, I was forwarding packets through Linux with no return route – basically “direct server return” kind of a setup where traffic flowed in asynchronous paths. In the topology below, breakingpoint is a 3064 switch with a default router to the MX240 with a default route str-ubuntuddos-02 with a default route out a second interface in a different VRF back to MX240, etc. Default routes pointing in one direction through the entire topology. IXIA (traffic generator) client sourced traffic connected to breakingpoint2 and received traffic on an interface connected to breakingpoint1.

So, why wasn’t it working?  RPF (reverse path filtering) was enabled. As soon as I turned it off, packets were forwarding normally.

RPF is a kernel setting to prevent IP spoofing. Its basic function is to ensure that there is a path back to a source address on the Interface it arrived on. So, because I had to route facing on the return path, RPF dropped those packets and never forwarded.

RPF can be enabled or disabled using the kernel proc setting /proc/sys/net/ipv4/conf/all/rp_filter

cat /proc/sys/net/ipv4/conf/all/rp_filter

echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter

For me, there were several proc settings under /proc/sys/net/ipv4/conf/*/rp_filter — a default, an all and one for each interface. I had to change them all.topology

Leave a Reply

eight + = 15