Using arptables to disable ARP

From LVSKB
Revision as of 03:01, 10 September 2006 by Wensong (Talk | contribs)


arptables

Arptables is used to set up, maintain, and inspect the tables of ARP packet filter rules in the Linux kernel. Several different tables may be defined. Each table contains a number of built-in chains and may also contain user-defined chains.

Each chain is a list of rules which can match a set of packets. Each rule specifies what to do with a packet that matches. This is called a 'target', which may be a jump to a user-defined chain in the same table.

See "man arptables" for more information.

The ARP packet filter is available in both the Linux 2.4 and 2.6 kernels.

Disable ARP for VIP

The following commands disable ARP for the VIP on each real server:

# flush any existing ARP filter rules
arptables -F
# drop incoming ARP requests that ask for the VIP
arptables -A IN -d "$VIP" -j DROP
# rewrite the sender IP of outgoing ARP packets from the VIP to the RIP
arptables -A OUT -s "$VIP" -j mangle --mangle-ip-s "$RIP"

Here $VIP is the virtual IP address and $RIP is the IP address of the real server's interface on the VIP network.

The second command drops incoming ARP requests for the VIP at the real server. Linux otherwise answers ARP for any address configured on the host, on any interface, so without this rule the router (or a client on the VIP network) could learn the real server's MAC address for the VIP instead of the director's. The third command rewrites the sender IP of outgoing ARP packets from $VIP to $RIP. When the real server sends a response packet to a client with source address $VIP, it may first have to ARP for the router or for a host on the VIP network, and the kernel would issue that request with sender IP $VIP. Such a request would advertise $VIP as belonging to the real server, and the reply to it would carry $VIP as its target address and be discarded by the second rule, so the ARP lookup would never complete and no response could be sent to the client. Rewriting the sender IP to $RIP avoids both problems.

Note also that the arptables rules must be set up before the $VIP address is brought up on a logical interface (an alias or a dummy interface). Otherwise there is a window in which the real server answers ARP requests for $VIP, and a router or client that resolves the address during that window caches the real server's MAC address instead of the director's.
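The procedure above, ordered so that the rules are in place before the VIP is configured, as an added example script. It is not code from the LVSKB page or from the LVS project; it assumes the iproute2 `ip` command, a dummy interface named dummy0 (the name is a parameter), root privileges when actually applied, and a hypothetical DRY_RUN environment variable that only prints the commands so the ordering can be checked on a machine without arptables. The addresses used in comments are RFC 5737 documentation addresses chosen for illustration.

```sh
#!/bin/sh
# Added example (not from the LVSKB page): bring up an LVS-DR real server's
# VIP only after the arptables rules that hide it are installed.

# Return 0 if $1 is a well-formed dotted-quad IPv4 address, 1 otherwise.
valid_ipv4() {
    ip="$1"
    case "$ip" in
        *[!0-9.]*|""|.*|*.|*..*) return 1 ;;   # non-digits, empty or bad dots
    esac
    old_ifs=$IFS; IFS=.
    set -- $ip                                # split into octets
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet; do
        [ -n "$octet" ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the three arptables commands for VIP $1 and RIP $2, one per line,
# in the order in which they must run (flush, drop requests, mangle sender).
arp_rules() {
    vip="$1" rip="$2"
    printf '%s\n' \
        "arptables -F" \
        "arptables -A IN -d $vip -j DROP" \
        "arptables -A OUT -s $vip -j mangle --mangle-ip-s $rip"
}

# Run a command, or just echo it when DRY_RUN=1 (hypothetical knob).
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# Install the ARP rules, then add VIP $1 (with RIP $2) to dummy device $3.
# Returns 2 on a malformed address, 1 if a rule fails to install.
setup_vip() {
    vip="$1" rip="$2" dev="${3:-dummy0}"
    valid_ipv4 "$vip" || { echo "bad VIP: $vip" >&2; return 2; }
    valid_ipv4 "$rip" || { echo "bad RIP: $rip" >&2; return 2; }
    # Rules first: each line is a command, word-splitting it is intended.
    arp_rules "$vip" "$rip" | while IFS= read -r cmd; do
        run $cmd || exit 1
    done || return 1
    # Only now is it safe to configure the address: from this point the
    # kernel answers ARP for $vip, and the rules above filter that.
    run ip link add "$dev" type dummy 2>/dev/null || true   # may already exist
    run ip link set "$dev" up
    run ip addr add "$vip/32" dev "$dev"
}

# Usage (as root): ./lvs-dr-vip.sh 192.0.2.10 192.0.2.21 dummy0
# Preview only:    DRY_RUN=1 ./lvs-dr-vip.sh 192.0.2.10 192.0.2.21 dummy0
if [ "$#" -ge 2 ]; then
    setup_vip "$@"
fi
```

Running the script with DRY_RUN=1 prints six lines: the three arptables commands followed by the three ip commands, which makes the required ordering visible before anything is touched. The address validation matters because an empty or malformed $VIP would turn `arptables -A IN -d "" -j DROP` into a rule that does not match what was intended.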

Linux Distributions

RHEL 3/CentOS 3

RHEL 4/CentOS 4

Red Hat 9