2.2.11. Reverse Path Forwarding
Reverse Path Forwarding is used to prevent packets that arrived via one interface from leaving via a different interface. When outgoing routes and incoming routes are different, it is sometimes referred to as asymmetric routing. Routers often route packets this way, but most hosts should not need to do this. Exceptions are such applications that involve sending traffic out over one link and receiving traffic over another link from a different service provider. For example, using leased lines in combination with xDSL or satellite links with 3G modems. If such a scenario is applicable to you, then turning off reverse path forwarding on the incoming interface is necessary. In short, unless you know that it is required, it is best enabled as it prevents users spoofing
IPaddresses from local subnets and reduces the opportunity for DDoS attacks.
Red Hat Enterprise Linux 6 (unlike Red Hat Enterprise Linux 5) defaults to using Strict Reverse Path Forwarding. Red Hat Enterprise Linux 6 follows the Strict Reverse Path recommendation from RFC 3704, Ingress Filtering for Multihomed Networks. This currently only applies to
IPv4in Red Hat Enterprise Linux 6.
If forwarding is enabled, then Reverse Path Forwarding should only be disabled if there are other means for source-address validation (such as iptables rules for example).
- Reverse Path Forwarding is enabled by means of the
rp_filteroption is used to direct the kernel to select from one of three modes.It takes the following form when setting the default behavior:
~]# /sbin/sysctl -w net.ipv4.conf.default.rp_filter=INTEGERwhere INTEGER is one of the following:
The setting can be overridden per network interface using
0— No source validation.
1— Strict mode as defined in RFC 3704.
2— Loose mode as defined in RFC 3704.
net.ipv4.interface.rp_filter. To make these settings persistent across reboot, modify the
22.214.171.124. Additional Resources
The following are resources that explain more about Reverse Path Forwarding.
- Installed Documentation
usr/share/doc/kernel-doc-version/Documentation/networking/ip-sysctl.txt— This file contains a complete list of files and options available in the
- Useful Websiteshttps://access.redhat.com/knowledge/solutions/53031 — The Red Hat Knowledgebase article about
rp_filter.See RFC 3704 for an explanation of Ingress Filtering for Multihomed Networks.