Reverse Path Filtering (RPF): Linux and many other OSes and routers implement a security feature called Reverse Path Filtering (RPF); on Linux it is controlled by the rp_filter sysctl parameter (e.g., /proc/sys/net/ipv4/conf/all/rp_filter).
Purpose: RPF prevents IP spoofing and helps mitigate certain types of attacks. It works by checking whether an incoming packet's source IP address would be routed back out the same interface it arrived on; packets that fail the check are dropped.
Set rp_filter value persistently
To set the rp_filter value persistently on a Debian system (or most Linux systems), you’ll use the sysctl utility and its configuration files.
Create a new sysctl configuration file:
Use your preferred text editor (like nano or vim) to create a new file in /etc/sysctl.d/. A descriptive name is good, e.g., 99-rpfilter.conf. The 99- prefix ensures it’s loaded after other default configurations.
sudo nano /etc/sysctl.d/99-rpfilter.conf
Add the rp_filter settings to the file:
Inside the file, add the following lines. You can set it globally for all interfaces, or specifically for default (which applies to new interfaces), or for individual interfaces like eth0 and eth1. Setting it for all or default is usually sufficient unless you have a specific per-interface need.
Option A: Set for all interfaces (most common)
net.ipv4.conf.all.rp_filter = 2
net.ipv4.conf.default.rp_filter = 2
(Replace 2 with 0 or 1 if you want a different mode: 0 disables the check, 1 is strict mode, where the route back to the source must leave via the interface the packet arrived on, and 2 is loose mode, where the source only needs to be reachable via some interface)
Option B: Set for specific interfaces (if you only want eth1 to be loose, but eth0 strict)
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.eth1.rp_filter = 2
# Interfaces created later inherit the default value
net.ipv4.conf.default.rp_filter = 1
# Keep all at 1 (strict); the kernel uses the higher of all and the per-interface value, so eth1's 2 still applies
net.ipv4.conf.all.rp_filter = 1
(sysctl configuration files only treat lines beginning with # as comments, so keep comments on their own lines rather than after a value)
Note: all is a global setting that the kernel combines with every interface's own value, while default is only the value copied to interfaces that are created after it is set. For rp_filter the kernel uses the higher of the all value and the per-interface value, so setting all to 2 forces loose mode on every interface regardless of its own setting. For most cases, setting all and default to your desired value (e.g., 2) is the simplest approach.
Save the file and exit the editor. (In nano, Ctrl+O, Enter, Ctrl+X).
Apply the changes:
To make the changes active immediately without rebooting, run:
sudo sysctl --system
This command tells sysctl to load all configuration files in /etc/sysctl.d/ and /etc/sysctl.conf.
Verify the changes:
Check the current rp_filter value for your interfaces:
cat /proc/sys/net/ipv4/conf/eth0/rp_filter
cat /proc/sys/net/ipv4/conf/eth1/rp_filter
cat /proc/sys/net/ipv4/conf/default/rp_filter
cat /proc/sys/net/ipv4/conf/all/rp_filter
The output should reflect the value you set (e.g., 2, 1, or 0); remember that the mode actually enforced on an interface is the higher of its own value and the all value. Because the file lives in /etc/sysctl.d/, these settings also persist across reboots.
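The steps above, gathered into one script as an added example (this is not from the original page). It renders the 99-rpfilter.conf fragment, optionally applies it with sysctl --system, and then audits the rp_filter mode actually enforced per interface, using the kernel rule that the higher of conf/all and conf/<interface> wins. The conf root is a parameter so the audit can run against a constructed copy of /proc/sys/net/ipv4/conf without root; the interface names eth0 and eth1 are just the page's examples, and the "apply" branch assumes sudo and a Linux host.

```shell
#!/bin/sh
# Added example: render, apply and audit rp_filter settings.
# Assumptions: Linux sysctl layout under /proc/sys/net/ipv4/conf, sudo available
# for the "apply" branch. Everything else runs offline on a constructed directory.

# Print a sysctl fragment: "all" and "default" get $1 (0 = off, 1 = strict,
# 2 = loose); $2/$3 optionally name one interface and its own value.
render_rpfilter_conf() {
    mode="$1"; iface="$2"; iface_mode="$3"
    printf '# Reverse path filtering: 0 = off, 1 = strict, 2 = loose\n'
    printf 'net.ipv4.conf.all.rp_filter = %s\n' "$mode"
    printf 'net.ipv4.conf.default.rp_filter = %s\n' "$mode"
    if [ -n "$iface" ]; then
        # Comments must sit on their own line, never after the value.
        printf '# per-interface override for %s\n' "$iface"
        printf 'net.ipv4.conf.%s.rp_filter = %s\n' "$iface" "$iface_mode"
    fi
}

# Effective mode for interface $1: the higher of all and the per-interface value
# (kernel ip-sysctl documentation). $2 overrides the conf root for testing.
effective_rp_filter() {
    conf_root="${2:-/proc/sys/net/ipv4/conf}"
    all_val=$(cat "$conf_root/all/rp_filter")
    if_val=$(cat "$conf_root/$1/rp_filter")
    if [ "$all_val" -gt "$if_val" ]; then echo "$all_val"; else echo "$if_val"; fi
}

mode_name() {
    case "$1" in 0) echo off;; 1) echo strict;; 2) echo loose;; *) echo unknown;; esac
}

# Print one line per real interface; return 1 if any interface ends up with
# rp_filter off, which is the misconfiguration a defender wants to catch.
audit_rp_filter() {
    conf_root="${1:-/proc/sys/net/ipv4/conf}"
    rc=0
    for d in "$conf_root"/*/; do
        iface=$(basename "$d")
        case "$iface" in all|default) continue;; esac
        eff=$(effective_rp_filter "$iface" "$conf_root")
        printf '%-10s rp_filter=%s (%s)\n' "$iface" "$eff" "$(mode_name "$eff")"
        [ "$eff" -eq 0 ] && rc=1
    done
    return $rc
}

# Constructed stand-in for /proc/sys/net/ipv4/conf (not real kernel state):
# the page's Option B, strict globally with eth1 loose, plus lo left at 0.
make_fake_conf() {
    root="$1"
    for i in all default lo eth0 eth1; do mkdir -p "$root/$i"; done
    echo 1 > "$root/all/rp_filter"
    echo 1 > "$root/default/rp_filter"
    echo 0 > "$root/lo/rp_filter"
    echo 1 > "$root/eth0/rp_filter"
    echo 2 > "$root/eth1/rp_filter"
}

if [ "${1:-}" = "apply" ]; then
    # Live run (needs root): write the fragment, load it, audit the kernel.
    render_rpfilter_conf 1 eth1 2 | sudo tee /etc/sysctl.d/99-rpfilter.conf >/dev/null
    sudo sysctl --system >/dev/null
    audit_rp_filter
else
    # Offline demonstration on the constructed directory.
    tmp=$(mktemp -d)
    make_fake_conf "$tmp"
    audit_rp_filter "$tmp"
    rm -rf "$tmp"
fi
```

Run it with no arguments to see the audit against the constructed directory (lo reports strict even though its own file says 0, because all is 1), or with "apply" on a real host to write and load the fragment. The audit's non-zero exit on any interface with the check off makes it usable as a compliance probe.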