Using arptables to disable ARP

From LVSKB
Revision as of 15:10, 11 July 2007 by R1ck (Talk | contribs)


arptables

Arptables is used to set up, maintain, and inspect the tables of ARP packet filter rules in the Linux kernel. Several different tables may be defined. Each table contains a number of built-in chains and may also contain user-defined chains.

Each chain is a list of rules which can match a set of packets. Each rule specifies what to do with a packet that matches. This is called a 'target', which may be a jump to a user-defined chain in the same table.

See "man arptables" for more information.

The ARP filter is available in both the Linux 2.4 and 2.6 kernels.

Disable ARP for VIP

The following commands disable ARP for the VIP on the real servers:

arptables -F
arptables -A IN -d $VIP -j DROP
arptables -A OUT -s $VIP -j mangle --mangle-ip-s $RIP

Here $VIP is the virtual IP address and $RIP is the IP address of the real server's interface on the VIP network.

  • The first command flushes the ARP packet filtering table.
  • The second command drops incoming ARP requests for $VIP at the real server.
  • The third command rewrites the source IP of outgoing ARP requests from $VIP to $RIP. When the real server sends a response packet with source $VIP to a client, it may first have to send an ARP request with source $VIP for the router or for a host on the VIP network; that request's source IP must be rewritten from $VIP to $RIP, otherwise the ARP request would not succeed and no response could be sent to the client.

Note also that the arptables rules must be set up before the $VIP address is brought up on a logical interface, such as an alias or dummy interface.
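The following script is an added example, not code from the LVSKB page or from the arptables project. It generates the three rules above for a given $VIP and $RIP, sanity-checks both addresses, and only then brings the VIP up on a dummy interface, so the ordering requirement in the note above is enforced rather than left to the operator. The chain names IN and OUT follow the page's arptables_jf syntax; upstream arptables names the same chains INPUT and OUTPUT, so a "flavor" argument selects one. The interface name dummy0 and the sample addresses are assumptions.

```shell
#!/bin/sh
# Added example (not from the LVSKB page or the arptables project).
# Builds, and with "apply" installs, the arptables rules that stop an LVS real
# server from answering ARP for the VIP; the VIP is configured only afterwards.
#
# Assumption: chain names are IN/OUT for arptables_jf (as on the page) and
# INPUT/OUTPUT for upstream arptables; both provide -j mangle --mangle-ip-s.

# Plain IPv4 check so a typo cannot produce a rule that matches nothing.
is_ipv4() {
  echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  for o in $(echo "$1" | tr . ' '); do
    [ "$o" -le 255 ] || return 1
  done
}

# Print the rule set for VIP/RIP. Third argument: jf (default) or upstream.
arp_rules() {
  vip=$1 rip=$2 flavor=${3:-jf}
  is_ipv4 "$vip" && is_ipv4 "$rip" || { echo "bad address: $vip / $rip" >&2; return 1; }
  case $flavor in
    jf)       in_chain=IN;    out_chain=OUT ;;
    upstream) in_chain=INPUT; out_chain=OUTPUT ;;
    *) echo "unknown arptables flavor: $flavor" >&2; return 1 ;;
  esac
  printf 'arptables -F\n'
  printf 'arptables -A %s -d %s -j DROP\n' "$in_chain" "$vip"
  printf 'arptables -A %s -s %s -j mangle --mangle-ip-s %s\n' "$out_chain" "$vip" "$rip"
}

# Install the rules, then add the VIP to a dummy interface (assumed: dummy0).
apply_rules() {
  vip=$1 rip=$2 flavor=${3:-jf} dev=${4:-dummy0}
  # Refuse to continue if the VIP is already configured: rules must come first,
  # otherwise the server may already have answered ARP for the VIP.
  if ip -o addr show 2>/dev/null | grep -q " $vip/"; then
    echo "$vip is already up; remove it, install the rules, then re-add it" >&2
    return 1
  fi
  rules=$(arp_rules "$vip" "$rip" "$flavor") || return 1
  printf '%s\n' "$rules" | sh -e || return 1
  ip link add "$dev" type dummy 2>/dev/null || true
  ip addr add "$vip/32" dev "$dev" && ip link set "$dev" up
}

# Usage (as root): sh hide_vip.sh apply 10.0.0.100 10.0.0.11 [jf|upstream] [dummy0]
# Without "apply" the script only defines the functions above.
if [ "${1:-}" = apply ]; then
  shift
  apply_rules "$@"
fi
```

Run without arguments the script only defines the functions, so `arp_rules 10.0.0.100 10.0.0.11` can be used to review the exact rules before anything is applied; `apply` needs root and the iproute2 `ip` tool, and refuses to proceed if the VIP is already configured on any interface.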

Linux Distributions

RHEL 3/CentOS 3

If arptables is not available on the installed system, run the following command to install the arptables package:

yum install arptables_jf

This installs the package version arptables_jf-0.0.7-0.3E.

RHEL 4/CentOS 4

If arptables is not available on the installed system, run the following command to install the arptables package:

yum install arptables_jf

This installs the package version arptables_jf-0.0.8-2.

Debian Etch/4.0

arptables can be found in the 'arptables' package. You can install it with:

apt-get install arptables

Currently this installs version 0.0.3.