Forwarding ICMP over a server without redirects

Problem:

I need to test network characteristics like RTT in a network, for example by using ICMP pings.

This question is special since I want to force every packet over a server that needs to work like a router but is not allowed to propose redirects. But exactly this is not possible; instead, I always lose the connections between hosts.

The network was set up (in "ip route" / routing tables) to first pass all packets to a server (IP: 10.0.0.4), which then sends them back to the gateway (IP: 10.0.0.1). From the gateway, they are routed to the correct host (IP: 10.0.0.5 – 10.0.0.255).

In the future, this scenario will enable a server to alter all packets in the network.

To simplify the scenario, only two hosts are set up (10.0.0.5 and .6). The hosts are then configured with the following routing table (shown for 10.0.0.5):

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         10.0.0.1        0.0.0.0         UG    0      0        0 ens3
10.0.0.0        *               255.255.255.0   U     0      0        0 ens3
host-10-0-0-6.o host-10-0-0-4.o 255.255.255.255 UGH   0      0        0 ens3

For the server 10.0.0.4 the routing table is as follows:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         10.0.0.1        0.0.0.0         UG    0      0        0 ens3
10.0.0.0        *               255.255.255.0   U     0      0        0 ens3

The iptables rules are completely empty at this point on all devices. Further, to allow IP forwarding, the server was configured with /proc/sys/net/ipv4/ip_forward=1.

With this setting I can easily ping between the two hosts; the output is as follows (for host 10.0.0.6):

# ping 10.0.0.5
PING 10.0.0.5 (10.0.0.5) 56(84) bytes of data.
From 10.0.0.4: icmp_seq=1 Redirect Host(New nexthop: 10.0.0.5)
64 bytes from 10.0.0.5: icmp_seq=2 ttl=64 time=0.441 ms
64 bytes from 10.0.0.5: icmp_seq=3 ttl=64 time=0.405 ms

The problem is the ICMP redirect that the server immediately sends. Because of this, the ping packets no longer pass through the server.

I have tried many things, including altering the iptables rules to drop redirects and changing the sysctl.conf file to set net.ipv4.conf.all.accept_redirects = 0 and net.ipv4.conf.all.send_redirects = 0 (and likewise for the interface, …conf.ens3…).

The problem is, every time I disable redirects, the ping is no longer possible at all (100% packet loss).

How can I make this (supposedly) simple scenario work, meaning: how can I route all packets over a server and back every time?

Solution:

You need to prevent BOTH the server and the router from SENDING icmp redirects to the source host.

If it is a Cisco router, "no ip redirects" will do that.

On the server, it depends on your Linux flavor; this link has info for all the flavors and various ways to disable ICMP redirects in Linux:
http://www.itsyourip.com/Security/how-to-disable-icmp-redirects-in-linux-for-security-redhatdebianubuntususe-tested/comment-page-1/
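As an added example (not part of the question or the answer above), the following POSIX shell check works out the effective redirect settings the way the Linux kernel combines conf/all with conf/&lt;interface&gt;, which is why setting only one of the two is not enough; it assumes the sysctl tree lives under /proc/sys and that the interface is ens3 as in the question, and it goes a step beyond the answer by also covering accept_redirects on the hosts.

```shell
#!/bin/sh
# Added example, not from the original post: report the EFFECTIVE ICMP-redirect
# settings for an interface the way the Linux kernel combines them
# (Documentation/networking/ip-sysctl.rst), so you can verify that the
# forwarding server (10.0.0.4, interface ens3) really stopped sending redirects.
#   send_redirects   is ON if conf/all OR conf/<iface> is 1  (so BOTH must be 0)
#   accept_redirects with forwarding on : ON only if conf/all AND conf/<iface> are 1
#   accept_redirects with forwarding off: ON if conf/all OR conf/<iface> is 1
# ROOT is normally /proc/sys; a test can point it at a constructed directory tree.

# read_sysctl ROOT RELPATH: print the value, or 0 if the file does not exist
read_sysctl() {
    if [ -r "$1/$2" ]; then cat "$1/$2"; else echo 0; fi
}

# effective_send_redirects ROOT IFACE: prints 1 if the kernel would send redirects
effective_send_redirects() {
    all=$(read_sysctl "$1" net/ipv4/conf/all/send_redirects)
    dev=$(read_sysctl "$1" "net/ipv4/conf/$2/send_redirects")
    if [ "$all" = 1 ] || [ "$dev" = 1 ]; then echo 1; else echo 0; fi
}

# effective_accept_redirects ROOT IFACE: prints 1 if the kernel would honour redirects
effective_accept_redirects() {
    all=$(read_sysctl "$1" net/ipv4/conf/all/accept_redirects)
    dev=$(read_sysctl "$1" "net/ipv4/conf/$2/accept_redirects")
    fwd=$(read_sysctl "$1" "net/ipv4/conf/$2/forwarding")
    if [ "$fwd" = 1 ]; then
        if [ "$all" = 1 ] && [ "$dev" = 1 ]; then echo 1; else echo 0; fi
    else
        if [ "$all" = 1 ] || [ "$dev" = 1 ]; then echo 1; else echo 0; fi
    fi
}

# check_iface ROOT IFACE: one-line verdict for a box that forwards traffic
check_iface() {
    if [ "$(effective_send_redirects "$1" "$2")" = 1 ]; then
        echo "$2: still sends ICMP redirects (set send_redirects=0 in conf/all AND conf/$2)"
        return 1
    fi
    echo "$2: does not send ICMP redirects"
}

# Stand-alone run: inspect the live kernel tree (override with SYSCTL_ROOT / IFACE)
check_iface "${SYSCTL_ROOT:-/proc/sys}" "${IFACE:-ens3}" || :
```

Run it on the server as `IFACE=ens3 sh check.sh` after applying the sysctl changes; the same functions, pointed at the hosts, tell you whether 10.0.0.5 and 10.0.0.6 would still honour a redirect.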
