6

tcpdump showed me there are some ICMP-redirect in my network (KVM virtual-machines, bridged network). I decided to take a closer look on them and how my system behaves and how it looks. I found it doesn't work as it should:

Let say I'm on 1.1.1.1 and I ping 2.2.2.2:

# ping 2.2.2.2
PING 2.2.2.2 (2.2.2.2) 56(84) bytes of data.
64 bytes from 2.2.2.2: icmp_seq=1 ttl=63 time=0.569 ms
From 4.4.4.4: icmp_seq=2 Redirect Host(New nexthop: 3.3.3.3)
64 bytes from 2.2.2.2: icmp_seq=2 ttl=63 time=0.690 ms
From 4.4.4.4: icmp_seq=3 Redirect Host(New nexthop: 3.3.3.3)

as you can see I get multiple redirects to 3.3.3.3 which looks fine but for some reason my host (1.1.1.1) ignores it.

# sysctl -a|grep accept_redirects
net.ipv4.conf.all.accept_redirects = 1
net.ipv4.conf.default.accept_redirects = 1
net.ipv4.conf.eth0.accept_redirects = 1
net.ipv4.conf.lo.accept_redirects = 1

and there is no entry for that new route in ip route list and ip route list cache is empty.

Kernel version is:

# uname -a
Linux foo.bar 3.16.0-4-amd64 #1 SMP Debian 3.16.7-ckt20-1+deb8u3 (2016-01-17) x86_64 GNU/Linux

Changing /proc/sys/net/ipv4/conf/*/accept_redirects values 0|1, networking restart or even reboot didn't worked.

I wish to accept ICMP redirects - any ideas ?

UPDATE:

# ip -d route

unicast default via 4.4.4.4 dev eth0  proto boot  scope global 
unicast 1.1.1.0/24 dev eth0  proto kernel  scope link  src 1.1.1.1
unicast 4.4.4.4 dev eth0  proto boot  scope link
pawel7318
  • 1,940
  • 3
  • 16
  • 15

2 Answers2

4

ICMP redirects are sent to define a better route/gateway to a destination.

As you have to have an IP address in the same network as the gateway/exit for a route, the route will only be inserted in the routing table if all the following conditions are true:

  • accept_redirects is set to 1
  • the machine in question has an interface with an address that belongs to the network of the gateway
  • it does not have an IP address in the same network as the destination route.

otherwise the route will be discarded.

I would not accept blindly redirects as there known security implications with spoofed ICMP redirects. ICMP redirects may also mask transient network malfunctions, or network design mistakes.

What are ICMP redirects and should they be blocked?

Community
  • 1
Rui F Ribeiro
  • 55,929
  • 26
  • 146
  • 227
  • 1
    `and the machine in question has an interface with an address that belongs to the network` - that is the reason why it ignored it ! – pawel7318 Mar 08 '16 at 18:08
3

To add to Rui F Ribeiro's answer:

You may also have to disable secure_redirects, as that defaults to 1 now and rejects redirect destinations that aren't already one of the existing gateways.

Alternatively, if you can add the destination IP as a second default gateway for the same interface, perhaps with a lower metric, that should work too. If someone knows how to do that, please comment.

Pierre.Vriens
  • 1,088
  • 21
  • 13
  • 16
petiepooo
  • 131
  • 2
  • Technically your answer to the question is correct, +1. I do however prefer to fix the underlying network problem (lack of route, router down, other problems rather than enabling ICMP redirects) – Rui F Ribeiro Sep 05 '18 at 17:42
  • Good point Rui. Where I ran into this is when I had a host placed on a subnet connecting a core router to the firewall. The default gateway was set to the core router, but that was redirecting all internet bound traffic to the firewall. The correct fix would be to put the host on a different subnet, but by then we had other things relying on it being at that location. So I worked around it by setting the default gateway to the firewall and adding a static route for internal traffic. – petiepooo Sep 07 '18 at 01:13