Difference between revisions of "Using arptables to disable ARP"
Revision as of 12:36, 16 April 2007
arptables
Arptables is used to set up, maintain, and inspect the tables of ARP packet filter rules in the Linux kernel. Several different tables may be defined. Each table contains a number of built-in chains and may also contain user-defined chains.
Each chain is a list of rules which can match a set of packets. Each rule specifies what to do with a packet that matches. This is called a 'target', which may be a jump to a user-defined chain in the same table.
See "man arptables" for more information.
ARP packet filtering is available in both the 2.4 and 2.6 Linux kernels.
Disable ARP for VIP
Basically, the following three commands disable ARP for the VIP on the real servers.
arptables -F
arptables -A IN -d $VIP -j DROP
arptables -A OUT -s $VIP -j mangle --mangle-ip-s $RIP
Where $VIP is the virtual IP address and $RIP is the IP address of the interface connected to the VIP network on the real server.
- The first command flushes the ARP packet filtering table.
- The second command drops incoming ARP requests for the VIP on the real server.
- The third command mangles the source IP of outgoing ARP requests from $VIP to $RIP. When the real server sends a response packet with source $VIP to the client, it may issue an ARP request with source $VIP for the router or another host on the VIP network; unless that source IP is rewritten from $VIP to $RIP, the ARP request would not succeed and no response could be sent to the client.
The other note is that the arptables rules must be set up before the $VIP address is brought up on a logical interface, such as an alias or dummy interface.
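The real-server setup described above, as an added shell example that is not from the original page: one function emits the three arptables rules followed by the VIP being added to a dummy interface, and a second function checks an existing script for the ordering requirement (rules before the VIP comes up). The interface name dummy0, the use of ip addr add, and the address validation are this example's own assumptions.

```sh
#!/bin/sh
# Added example, not from the LVS wiki page. VIP/RIP values and the
# interface name "dummy0" are placeholders to be replaced per host.

# Return 0 if $1 is a dotted-quad IPv4 address with each octet in 0..255.
valid_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the real-server commands in the required order: flush, drop incoming
# ARP for the VIP, rewrite the ARP source of outgoing requests from VIP to RIP,
# and only then bring the VIP up on the logical interface (assumed: ip addr add).
arptables_script() {
    vip=$1; rip=$2; dev=${3:-dummy0}
    valid_ipv4 "$vip" || { echo "bad VIP: $vip" >&2; return 1; }
    valid_ipv4 "$rip" || { echo "bad RIP: $rip" >&2; return 1; }
    [ "$vip" != "$rip" ] || { echo "VIP and RIP must differ" >&2; return 1; }
    cat <<EOF
arptables -F
arptables -A IN -d $vip -j DROP
arptables -A OUT -s $vip -j mangle --mangle-ip-s $rip
ip addr add $vip/32 dev $dev
EOF
}

# Read a script on stdin; return 0 only if every arptables rule naming the VIP
# ($1) precedes the line that brings the VIP up (ip addr add or ifconfig).
# Exit status 2 means one of the two pieces was not found at all.
rules_before_vip_up() {
    vip=$1
    awk -v vip="$vip" '
        $1 == "arptables" && index($0, vip) { last_rule = NR }
        ($1 == "ip" && $2 == "addr" && $3 == "add" && index($0, vip)) ||
        ($1 == "ifconfig" && index($0, vip)) { up_line = NR }
        END {
            if (!last_rule || !up_line) exit 2
            exit (last_rule < up_line) ? 0 : 1
        }'
}
```

Run the generated commands as root on the real server; the check can also be pointed at an existing init script before it is deployed.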
Linux Distributions
RHEL 3/CentOS 3
If arptables is not available on the installed system, run the following command to install the arptables package:
yum install arptables_jf
This installs arptables_jf-0.0.7-0.3E.
RHEL 4/CentOS 4
If arptables is not available on the installed system, run the following command to install the arptables package:
yum install arptables_jf
This installs arptables_jf-0.0.8-2.