[Gllug] Linux Source Address selection

Walter Stanish walter.stanish at saffrondigital.com
Mon Oct 18 10:54:03 UTC 2010


> I'm wondering if there is any way in Linux to deprecate IPv4 addresses so
> that they are never used as the source address of an outbound connection?

I could be missing something as I'm well sleepy (just flew in from the US and
have barely slept a wink!), but I think the following is the normal approach...

Some daemons allow you to set the source address preference in their
configuration file.  Behind the scenes, this makes OS-level bind() calls
to bind the socket to a specific IP, see:
 http://www.opengroup.org/onlinepubs/009695399/functions/bind.html

For those daemons, you are then typically set for limiting both outgoing and
incoming communications to that particular IP or group of IPs.  (Note: some
will allow you to specify using an interface name, eg: 'eth0', rather than an
explicit IP address.  This can be useful if you have dynamic, eg: DHCP-based
IP address assignments.)

Regarding other cases, many daemons tend to default as follows:
 - listen to all IP addresses
 - outgoing packets wind up being sent from the source IP address of the
   interface with the most specific / lowest metric route to the destination.
   For this case, see: 'man route' (traditional) or 'man iproute2' (newer)

I think the above is a roughly accurate summary of the defaults these days.
(Though the kernel-level route preferencing is probably awfully complex
by the time you cover all the potential specifics... asymmetric routes,
IPv4 + IPv6 concurrent routing, probably many other forms of less
frequently used weirdness...)

== Wacky ideas ==
Regarding your request to specifically blacklist a source IP, I guess
you would have to somehow prevent any process from binding sockets
to that IP.  Likely in practice simply not setting any outgoing routes
with that IP as the default would be effective enough (eg: make the IP
in question an alias of the 'preferred' outgoing IP on that interface,
so eth0 = 192.168.0.<ok> and eth0:1 = 192.168.0.<not-for-outbound>)

Perhaps some more specific blocking could be achieved using
LXC/cgroups/network namespaces to cut all access to a device,
though I'm not 100% fresh on how this works right now - this part
of the kernel is under pretty heavy development.
===============

Hope that helps. I'm not an expert in this area - just trying to assist -
so please take all advice with a grain of salt :)

- Walter
-- 
Gllug mailing list  -  Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug
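The two mechanisms the reply describes (a daemon pinning its source with bind(), and the kernel otherwise choosing a source from the outgoing route) can be checked directly from userspace. The following is an added example, not code from the original post or from any of the daemons mentioned: a UDP connect() sends no packet but does perform the route lookup and source-address selection, so getsockname() afterwards shows what the kernel would use, which is the programmatic twin of `ip route get <dst>` and its `src` field. The audit_sources() helper and the 192.0.2.x / 198.51.100.x addresses (RFC 5737 documentation space) are constructed for the example.

```python
"""Check which IPv4 source address the Linux kernel selects for a destination,
and pin it with bind() the way daemons with a "bind address" option do.

Added example; nothing here is from the original post. Assumptions: IPv4 only,
and that a UDP connect() is purely local (true on Linux: no datagram is sent,
only route lookup plus source selection, which getsockname() then reveals).
"""
import socket


def kernel_selected_source(dst, port=53):
    """Source IP the kernel would use to reach dst. Raises OSError if no route."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.connect((dst, port))      # UDP: route lookup only, nothing on the wire
        return s.getsockname()[0]


def bound_source(local_ip, dst, port=53):
    """What a daemon's 'bind address' setting does under the hood: bind() first,
    then connect(). The kernel then uses local_ip instead of its own preference."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind((local_ip, 0))       # port 0: the kernel assigns an ephemeral port
        s.connect((dst, port))
        return s.getsockname()[0]


def audit_sources(forbidden, destinations):
    """Return {dst: src} for each destination whose kernel-selected source is one
    of the addresses that must never appear as a source (the "deprecated"
    addresses from the question). Destinations with no route are skipped."""
    forbidden = set(forbidden)
    leaks = {}
    for dst in destinations:
        try:
            src = kernel_selected_source(dst)
        except OSError:             # e.g. "Network is unreachable"
            continue
        if src in forbidden:
            leaks[dst] = src
    return leaks


if __name__ == "__main__":
    # Constructed inputs: 192.0.2.99 stands in for the alias address that must
    # not be used outbound; 198.51.100.1 is a non-routable stand-in for "the
    # internet" (both RFC 5737 documentation ranges).
    forbidden = ["192.0.2.99"]
    targets = ["127.0.0.1", "198.51.100.1"]
    for dst in targets:
        try:
            print(dst, "->", kernel_selected_source(dst))
        except OSError as e:
            print(dst, "-> no route:", e)
    print("leaks:", audit_sources(forbidden, targets))
    print("pinned:", bound_source("127.0.0.1", "127.0.0.1"))
```

Run audit_sources() before and after changing the host configuration. For daemons with no bind option, the two kernel-level knobs are the ones the reply hints at: give the route a preferred source (`ip route change default via <gw> dev eth0 src <ok-address>`, which sets the `src` field you see in `ip route get`), or make sure the unwanted address is added after the primary one in the same subnet so `ip addr show` flags it `secondary`; Linux does not pick secondary addresses as a source unless a socket binds to them explicitly. Neither stops a process that bind()s to the address itself, which is why bound_source() is shown alongside.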