Routing can be disabled by putting the following setting in /etc/sysctl.conf or a file in /etc/sysctl.d/

net.ipv4.ip_forward=0

It can also be disabled directly by issuing as root the command

echo 0 > /proc/sys/net/ipv4/ip_forward

It is also possible to do this in the bootloader on the kernel command line (see https://unix.stackexchange.com/a/593688/44864) with

sysctl.net.ipv4.ip_forward=0

My problem is that a bad actor that gains access can just as easily enable it again. I was disappointed that the kernel command-line argument can be overridden (tested on 5.10).

Am I right that probably the only way is to build my own kernel without ip routing compiled in or as a module with it being blacklisted?

If I'm right, which module(s) need to be disabled? Looking at my laptop's /boot/config, likely candidates are CONFIG_IP_ADVANCED_ROUTER, CONFIG_IP_ROUTE_MULTIPATH, CONFIG_IP_ROUTE_VERBOSE and CONFIG_IP_ROUTE_CLASSID.

Thanks for any help and insight.

JdeHaan
    If a bad actor can re-enable routing, then they can also enable a proxy process even if routing is fully disabled. In other words, once compromised, it matters little. – Bib Oct 30 '22 at 10:23
  • @Bib : I think that is a valid argument. On the other hand: it's easier to spot an alien process than a system that suddenly starts routing. Just dotting the i's and crossing the t's on a network. After all, part of security is preventing 'bad things' from being able to happen at all. – JdeHaan Oct 30 '22 at 10:43
  • Why exactly do you have the Linux system on two networks? Typically you wouldn’t want two networks on a server unless one has a different mtu – James Risner Oct 30 '22 at 11:58
  • @JamesRisner, why not? you could have e.g. an HTTPS server that accesses an SQL server, with the latter in some internal network. Or any other such arrangement. – ilkkachu Oct 30 '22 at 12:20
  • Well, I guess I should have phrased it differently. There are cases where having two networks is beneficial. The OP didn't advise us of their motivation for having two networks. I would solve that use with a firewall to place the Linux server on a VLAN and allow traffic from that VLAN to another VLAN with the SQL server. More control, less worry about the web server being compromised (yes, there is still bad stuff that a bad actor could do.) – James Risner Oct 30 '22 at 12:24
  • @JdeHaan what is your use case for two networks? One is Internet? The other is an SQL server? or what? – James Risner Oct 30 '22 at 12:24
  • @ilkkachu - Anyone who uses that scenario ROUTE to the SQL server should be shot. The webserver process talking to an sql server is **not** routing. – tink Oct 30 '22 at 22:52
  • @tink, no-one said it was called routing. – ilkkachu Oct 31 '22 at 01:43
  • @ilkkachu I must have misread the topic, then: `How to make it impossible to enable routing ...` – tink Oct 31 '22 at 02:07
  • @James Risner : the use case is a multi service (dozens) on hundreds of servers in a high load (nnnGBit/s) high DOS risk environment. A DOS typically blocked (part of) the control plane as well. The choice was made to rebuild with a separate management network. – JdeHaan Oct 31 '22 at 07:02
  • @tink, that's not inconsistent with the scenario I described not being routing. – ilkkachu Oct 31 '22 at 07:50

1 Answer

I believe the only way to block changes is to install a grsecurity kernel.

A quick start guide is here.

I’ll fill this out more tonight with steps.

James Risner