Red Hat Training

A Red Hat training course is available for Red Hat Enterprise Linux

2.2.11. Reverse Path Forwarding

Reverse Path Forwarding is used to prevent packets that arrived via one interface from leaving via a different interface. When outgoing routes and incoming routes are different, it is sometimes referred to as asymmetric routing. Routers often route packets this way, but most hosts should not need to do this. Exceptions are such applications that involve sending traffic out over one link and receiving traffic over another link from a different service provider. For example, using leased lines in combination with xDSL or satellite links with 3G modems. If such a scenario is applicable to you, then turning off reverse path forwarding on the incoming interface is necessary. In short, unless you know that it is required, it is best enabled as it prevents users spoofing IP addresses from local subnets and reduces the opportunity for DDoS attacks.

Note

Red Hat Enterprise Linux 6 (unlike Red Hat Enterprise Linux 5) defaults to using Strict Reverse Path Forwarding. Red Hat Enterprise Linux 6 follows the Strict Reverse Path recommendation from RFC 3704, Ingress Filtering for Multihomed Networks. This currently only applies to IPv4 in Red Hat Enterprise Linux 6.

Warning

If forwarding is enabled, then Reverse Path Forwarding should only be disabled if there are other means for source-address validation (such as iptables rules for example).
rp_filter
Reverse Path Forwarding is enabled by means of the rp_filter directive. The rp_filter option is used to direct the kernel to select from one of three modes.
It takes the following form when setting the default behavior:
~]# /sbin/sysctl -w net.ipv4.conf.default.rp_filter=INTEGER
where INTEGER is one of the following:
  • 0 — No source validation.
  • 1 — Strict mode as defined in RFC 3704.
  • 2 — Loose mode as defined in RFC 3704.
The setting can be overridden per network interface using net.ipv4.interface.rp_filter. To make these settings persistent across reboot, modify the /etc/sysctl.conf file.

2.2.11.1. Additional Resources

The following are resources that explain more about Reverse Path Forwarding.
  • Installed Documentation
    usr/share/doc/kernel-doc-version/Documentation/networking/ip-sysctl.txt — This file contains a complete list of files and options available in the /proc/sys/net/ipv4/ directory.
  • Useful Websites
    https://access.redhat.com/knowledge/solutions/53031 — The Red Hat Knowledgebase article about rp_filter.
    See RFC 3704 for an explanation of Ingress Filtering for Multihomed Networks.