http://kb.linuxvirtualserver.org/api.php?action=feedcontributions&feedformat=atom&user=R1ck 2026-05-16T23:18:52Z User contributions MediaWiki 1.26.2 http://kb.linuxvirtualserver.org/wiki?title=Using_arptables_to_disable_ARP&diff=4312 2007-07-11T15:10:15Z

<p>R1ck: </p> <hr /> <div>== arptables ==<br /> <br /> Arptables is used to set up, maintain, and inspect the tables of [[ARP]]<br /> packet filter rules in the Linux kernel. Several different tables may<br /> be defined. Each table contains a number of built-in chains and may<br /> also contain user-defined chains.<br /> <br /> Each chain is a list of rules which can match a set of packets. Each<br /> rule specifies what to do with a packet that matches. This is called a<br /> 'target', which may be a jump to a user-defined chain in the same table.<br /> <br /> See &quot;man arptables&quot; for more information.<br /> <br /> The ARP filter is available at both the Linux kernel 2.4 and 2.6.<br /> <br /> == Disable ARP for VIP ==<br /> <br /> Basically, we have the following commands to disable [[ARP]] for [[VIP]] at real servers.<br /> arptables -F<br /> arptables -A IN -d $VIP -j DROP<br /> arptables -A OUT -s $VIP -j mangle --mangle-ip-s $RIP<br /> Where '''$VIP''' is the virtual IP address and '''$RIP''' is the IP address of the interface connected to VIP network at real server.<br /> <br /> * The first command is to flush the arp packet filtering table.<br /> * The second command is to drop the incoming ARP request for VIP at real server.<br /> * The third command is to mangle the source ip of outgoing ARP request from $VIP to $RIP, because when the real server sends response packet with source $VIP to client, it may send ARP request with source $VIP for the router or a host in the VIP network, we have to mangle its source ip from $VIP to $RIP, otherwise the ARP request would not succeed and no response could be sent to client.<br /> <br /> The other note is that the arptables rules must be setup before the $VIP address is brought up at logical interface, such as alias or dummy interface.<br /> <br /> == Linux Distributions ==<br /> <br /> === RHEL 3/CentOS 3 ===<br /> <br /> If arptables is not available at installed OS system, run the following command to install the arptables package:<br /> yum install arptables_jf<br /> It will install the version arptables_jf-0.0.7-0.3E.<br /> <br /> === RHEL 4/CentOS 4 ===<br /> <br /> If arptables is not available at installed OS system, run the following command to install the arptables package:<br /> yum install arptables_jf<br /> It will install the version arptables_jf-0.0.8-2.<br /> <br /> === Debian Etch/4.0 ===<br /> arptables can be found in the 'arptables' package. You can install it with:<br /> apt-get install arptables<br /> <br /> Currently this installs version v0.0.3.<br /> <br /> [[Category:ARP Issue]]</div>

R1ck