UNIX Socket FAQ

A forum for questions and answers about network programming on Linux and all other Unix-like systems


#1 2002-07-27 01:07 AM

HectorLasso
Administrator
From: Colombia
Registered: 2002-06-12
Posts: 353

Re: 6.6 - Restricting a socket to a given interface

From: Georg Wagner

How do I restrict a socket to a specific interface, i.e. so that it only listens and accepts from the given interface?

From: Bret Watson

Difficult. Unless you are going to patch the kernel I don't think this is possible.

What I have seen in most firewall implementations is that the "inetd" wrapper does some filtering up front, including:

Check if the src and dest belong to the same network - if so ignore packet.
Make filtering decisions based on src,dest, ports..


Bret

From: Bret Watson

As a second check I dug through the source of the Juniper firewall, which does identify interfaces as trusted or non-trusted.

I found there was a file called "Kernel_patch" which patched the kernel so that the socket identified which interface it was on.

So there you go - you will need to patch things within netinet unless you are running a version of linux that supports such things.

Bret

From: John

If you can re-compile the server that you want to restrict, then it's easy. Set the IP address in the parameter you pass to bind() to be the IP address of the network interface you want to listen on (assuming you know what that is, of course...)
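The bind()-to-one-address approach above, as an added example that is not part of the original post. It binds a TCP listener to a caller-supplied IPv4 address and reports the address actually bound, so you can confirm it is not 0.0.0.0. It also goes one step beyond the post: on Linux, SO_BINDTODEVICE ties the socket to an interface by name, which is the only way to exclude packets that arrive on another interface but carry a matching destination address (a bind to an address alone does not do that). The address, port and interface name on the command line are placeholders.

```c
/* Added example (not from the original post): bind a TCP listener to one
 * address and, optionally on Linux, to one interface with SO_BINDTODEVICE.
 * Build: cc -o listener listener.c
 * Run:   ./listener 192.0.2.10 8080 [eth0]   (all three are placeholders)
 */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Create a listening TCP socket bound to addr:port.
 * addr is a dotted-quad IPv4 address; port 0 lets the kernel pick one.
 * ifname (may be NULL) additionally ties the socket to an interface on Linux.
 * Returns the listening fd, or -1 with errno set. */
int make_listener(const char *addr, unsigned short port, const char *ifname)
{
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port);
    if (inet_pton(AF_INET, addr, &sa.sin_addr) != 1) {
        errno = EINVAL;                 /* not a valid IPv4 address */
        return -1;
    }

    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;

    int one = 1;
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);

#ifdef SO_BINDTODEVICE
    /* Linux only: packets that do not arrive on ifname are ignored by this
     * socket even when their destination address matches. Before Linux 5.7
     * this option required CAP_NET_RAW. */
    if (ifname != NULL &&
        setsockopt(fd, SOL_SOCKET, SO_BINDTODEVICE, ifname, strlen(ifname)) < 0) {
        int e = errno; close(fd); errno = e; return -1;
    }
#else
    if (ifname != NULL) { close(fd); errno = ENOTSUP; return -1; }
#endif

    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(fd, 16) < 0) {
        int e = errno; close(fd); errno = e; return -1;
    }
    return fd;
}

/* Report the address a listening socket is actually bound to, so an operator
 * (or a test) can confirm it is not the wildcard. Returns 0 on success. */
int bound_address(int fd, char *buf, size_t buflen, unsigned short *port)
{
    struct sockaddr_in sa;
    socklen_t len = sizeof sa;
    if (getsockname(fd, (struct sockaddr *)&sa, &len) < 0)
        return -1;
    if (inet_ntop(AF_INET, &sa.sin_addr, buf, buflen) == NULL)
        return -1;
    *port = ntohs(sa.sin_port);
    return 0;
}

int main(int argc, char **argv)
{
    if (argc < 3) {
        fprintf(stderr, "usage: %s ADDR PORT [IFNAME]\n", argv[0]);
        return 2;
    }
    int fd = make_listener(argv[1], (unsigned short)atoi(argv[2]),
                           argc > 3 ? argv[3] : NULL);
    if (fd < 0) { perror("make_listener"); return 1; }

    char buf[INET_ADDRSTRLEN];
    unsigned short port;
    if (bound_address(fd, buf, sizeof buf, &port) == 0)
        printf("listening on %s:%u\n", buf, port);

    for (;;) {                          /* accept and close: demonstration only */
        int c = accept(fd, NULL, NULL);
        if (c < 0) { perror("accept"); break; }
        close(c);
    }
    return 0;
}
```

Binding to the interface's address answers the question in the thread as far as the destination address goes; it does not stop a packet for that address that enters through a different interface (the forwarding case Michael Lampkin draws below). SO_BINDTODEVICE does, but it is Linux-specific and has no portable equivalent in the BSD socket API.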

From: meng

Try using the setsockopt() function with the SOL_SOCKET, SO_DONTROUTE parameter. It may work if your kernel supports it.

From: Michael

Hello;

What type of OS are you using? If you are using Linux, for example, you can use IPCHAINS to restrict IP packets from going to and from an interface or group of machines. Look at the man pages for IPCHAINS and you will understand what I am talking about. Also get a book on firewalls. It will tell you how to shut down services you may not want on the network.

Good luck, and if you have any more questions feel free to e-mail me. I work on three platforms: BSD Unix, SCO Unix and Linux. Anything other than that I may not be able to help you with.

Michael

From: Kevin J Walters
Added on: 2002-02-21 14:18:19
If you don't have access to the source and you really want to do this then you can make a shared library and set LD_PRELOAD (on solaris) to intercept the bind/t_bind calls.
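The LD_PRELOAD idea above, as an added example that is not part of the original post. It is the Linux/glibc form of the trick: a shared object that interposes bind(2), and whenever the target program binds to the IPv4 wildcard (0.0.0.0) rewrites the request to a single address taken from an environment variable before handing off to the real bind(). The environment variable name BIND_ADDR and the address 192.0.2.10 are placeholders; the Solaris t_bind (XTI) call Kevin mentions is not handled here, and a program that binds to a specific address of its own choosing is deliberately left alone.

```c
/* Added example (not from the original post): an LD_PRELOAD shim that forces
 * a program's wildcard (0.0.0.0) bind() calls onto one chosen address.
 * Build: cc -shared -fPIC -o bindshim.so bindshim.c -ldl
 * Use:   BIND_ADDR=192.0.2.10 LD_PRELOAD=./bindshim.so ./some_server
 * (BIND_ADDR and 192.0.2.10 are placeholders chosen for this example.)
 */
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <dlfcn.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>

#ifndef RTLD_NEXT                    /* glibc value, in case features.h was */
#define RTLD_NEXT ((void *) -1l)     /* already pulled in without _GNU_SOURCE */
#endif

/* If sa is an IPv4 wildcard bind, rewrite it in place to `want` (network
 * byte order). Returns 1 if rewritten, 0 if left alone: not IPv4, too short,
 * or the program already asked for a specific address. Kept separate from
 * the interposer so it can be exercised without LD_PRELOAD. */
int force_wildcard_to(struct sockaddr *sa, socklen_t len, in_addr_t want)
{
    if (sa == NULL || len < sizeof(struct sockaddr_in) || sa->sa_family != AF_INET)
        return 0;
    struct sockaddr_in *sin = (struct sockaddr_in *)sa;
    if (sin->sin_addr.s_addr != htonl(INADDR_ANY))
        return 0;
    sin->sin_addr.s_addr = want;
    return 1;
}

/* The interposed bind(2). Resolves the real bind once via RTLD_NEXT, reads
 * BIND_ADDR, rewrites a wildcard request on a private copy, then hands off. */
int bind(int fd, const struct sockaddr *addr, socklen_t len)
{
    static int (*real_bind)(int, const struct sockaddr *, socklen_t);
    if (real_bind == NULL) {
        real_bind = dlsym(RTLD_NEXT, "bind");
        if (real_bind == NULL) { errno = ENOSYS; return -1; }
    }

    const char *want = getenv("BIND_ADDR");
    struct in_addr target;
    if (want == NULL || inet_pton(AF_INET, want, &target) != 1)
        return real_bind(fd, addr, len);    /* unset or unparsable: pass through */

    /* bind() takes a const pointer, so work on a copy and leave the caller's
     * struct untouched. */
    struct sockaddr_in copy;
    if (addr != NULL && len >= sizeof copy && addr->sa_family == AF_INET) {
        memcpy(&copy, addr, sizeof copy);
        force_wildcard_to((struct sockaddr *)&copy, sizeof copy, target.s_addr);
        return real_bind(fd, (struct sockaddr *)&copy, sizeof copy);
    }
    return real_bind(fd, addr, len);
}
```

Two caveats a practitioner should keep in mind: LD_PRELOAD is ignored for set-user-ID binaries and for anything statically linked, so it cannot be relied on as a security boundary for a program you do not control; and the shim only changes which address the socket is bound to, so it has the same limits as editing the bind() call in source would.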

From: Michael Lampkin
Added on: 2002-02-23 22:55:28

Hmmm...

Well, the SO_DONTROUTE (and similar) flags don't make sense since they deal with transmission... not receiving connections / data... and either way don't make sense unless you want to bypass your local routing table... Why would you do this? That seems to either make the assumption that the box you are running on may be misconfigured OR that you explicitly are checking a known point to point connection (such as routers talking to each other to validate their tables)...

Anyway, I digress... So back to the actual question... and perhaps I am being brain dead right now but I am not a system admin and as much as anything else, I am trying to understand the question...

Assume we have a box with two interfaces... we will just call them A and B... and each has one address assigned... If you (assuming TCP) bind / listen / accept giving the address A... won't it ONLY get / accept incoming packets sent explicitly to interface A under normal conditions?

For example:

Host 0 Host 1 

Interface (A) ------(C) Router (E ----- Interface (F) 
                    (D) 
Interface (B) ------ |

In my thinking, the Router would receive a packet from Host 1 on connection E, check the dest address... After looking up the bits in its table it would say "ah, a packet for address / interface A, send it down line C"... same for the second interface (B) on the receiving host (though it would get it down the line from the router (D) connection)...

Now, I realize the following diagram is also possible:

Host 0 Host 1 

Interface (A) ------(C) Router (E) ----- Interface (F) 
           | 
Interface (B)


Now we bind etc. to interface B but our routing table in Host 0 says that any packet recv'd on A with a specific address (or a range / class ~ depending on the purpose of the route) should be sent to Interface (B)... effectively "receiving" on interface (A) but actually getting the packet / data to process on working with interface (B)...

So I guess my point (if there actually is any)... is that the condition you are attempting to protect against is a misconfiguration (?!) of the routing tables (ipchains, whatever) on Host 0 or external routers (?) and is this really something you would want your server to protect against since it would have to do it in REAL TIME (i.e. the routing tables etc. can be changed anytime after the server has started)...

If, on the other hand, you just want to make certain that only certain client (addresses) are accepted... why not just accept the connections and quickly compare it to your own internally held table (a 32 bit comparison isn't that much overhead)...?

Curiouser and curiouser...

ML
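The "accept, then compare the peer against your own table" approach from the post above, as an added example that is not part of the original post. It goes a little beyond the single 32-bit comparison the post describes: the table holds CIDR prefixes, so one entry can cover a subnet, and anything that is not an IPv4 peer is rejected rather than guessed about. The allow-list entries and addresses in the comments are constructed for illustration.

```c
/* Added example (not from the original post): accept connections and drop
 * any whose source address is outside a small allow-list of CIDR prefixes.
 * The table contents are constructed for this example. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

struct allow_entry { in_addr_t net; unsigned prefix; };   /* net: host byte order */

/* Parse "a.b.c.d/n" (or a bare "a.b.c.d", meaning /32) into an entry.
 * Returns 1 on success, 0 on a malformed string (out is untouched). */
int parse_cidr(const char *text, struct allow_entry *out)
{
    char buf[32];
    if (strlen(text) >= sizeof buf) return 0;
    strcpy(buf, text);
    unsigned prefix = 32;
    char *slash = strchr(buf, '/');
    if (slash != NULL) {
        *slash = '\0';
        char *end;
        unsigned long p = strtoul(slash + 1, &end, 10);
        if (end == slash + 1 || *end != '\0' || p > 32) return 0;
        prefix = (unsigned)p;
    }
    struct in_addr a;
    if (inet_pton(AF_INET, buf, &a) != 1) return 0;
    out->net = ntohl(a.s_addr);
    out->prefix = prefix;
    return 1;
}

/* Does host-order address ip fall inside entry e? A /0 entry matches all. */
int cidr_match(const struct allow_entry *e, in_addr_t ip)
{
    in_addr_t mask = e->prefix == 0 ? 0 : 0xffffffffu << (32 - e->prefix);
    return (ip & mask) == (e->net & mask);
}

/* Check the peer address accept() filled in against the table.
 * Non-IPv4 or truncated addresses are rejected, never assumed allowed. */
int peer_allowed(const struct sockaddr *peer, socklen_t len,
                 const struct allow_entry *table, size_t n)
{
    if (peer == NULL || len < sizeof(struct sockaddr_in) || peer->sa_family != AF_INET)
        return 0;
    in_addr_t ip = ntohl(((const struct sockaddr_in *)peer)->sin_addr.s_addr);
    for (size_t i = 0; i < n; i++)
        if (cidr_match(&table[i], ip)) return 1;
    return 0;
}

/* Accept loop: unwanted peers are closed right after accept(), before any
 * application data is read from them. */
void serve_filtered(int listen_fd, const struct allow_entry *table, size_t n)
{
    for (;;) {
        struct sockaddr_storage ss;
        socklen_t sl = sizeof ss;
        int c = accept(listen_fd, (struct sockaddr *)&ss, &sl);
        if (c < 0) { perror("accept"); return; }
        if (!peer_allowed((struct sockaddr *)&ss, sl, table, n)) {
            close(c);                       /* rejected peer */
            continue;
        }
        /* ... handle the allowed client on c ... */
        close(c);
    }
}
```

This is a filter, not authentication: the peer address is only as trustworthy as the routing path that delivered the SYN, and a rejected client still completes the TCP handshake and can tell the port is open. It is cheap and useful as a second layer behind an address-specific bind or a host firewall, not as a replacement for either.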

