具有两个网卡的 Linux 系统。
- eth0 连接到公司 LAN。 DHCP 已配置。它是主要的网络连接。
- eth1 点对点连接到网络分析仪。该接口上没有 IP。
- Linux 应用程序在 eth1 上发送 L2 数据包。
- 网络分析器获取应用程序数据包以及到达 eth0 的所有广播。
问题:如何停止在 eth1 上转发广播?
配置:
eth0 Link encap:Ethernet HWaddr 10:98:36:af:9c:0f
inet addr:192.168.x.xx Bcast:192.168.3.255 Mask:255.255.252.0 UP
BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
eth1 Link encap:Ethernet HWaddr 10:98:36:af:9c:10
UP BROADCAST RUNNING MTU:1500 Metric:1
ip link:
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000 link/ether 10:98:36:af:9c:0f brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP mode DEFAULT group default qlen 1000 link/ether 10:98:36:af:9c:10 brd ff:ff:ff:ff:ff:ff
答案1
通过向 iptables 添加两条规则解决了该问题:
iptables -A FORWARD -m pkttype --pkt-type broadcast -i eth1 -j DROP
iptables -A INPUT -m pkttype --pkt-type broadcast -i eth1 -j DROP
iptables 现在看起来:
$ iptables -L -v
Chain INPUT (policy ACCEPT 54446 packets, 5132K bytes)
pkts bytes target prot opt in out source destination
123 40344 DROP all -- eth1 any anywhere anywhere PKTTYPE = broadcast
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP all -- eth1 any anywhere anywhere PKTTYPE = broadcast
Chain OUTPUT (policy ACCEPT 8072 packets, 3990K bytes)
pkts bytes target prot opt in out source destination