Centos7: disable sending of IP redirects on an IPSec VPN server


When using StrongSwan as an IPSEC S2S VPN gateway, ICMP redirects are being sent to the machines behind the right side. I added the following lines to /etc/sysctl.conf:

net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.all.secure_redirects=0
net.ipv4.conf.all.send_redirects=0

However, after applying them with sysctl -p I still see redirects:

[root@tunnels ~]# sysctl -p
net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.all.send_redirects = 0
[root@tunnels ~]# cat /proc/sys/net/ipv4/conf/eno16777984/send_redirects
1

What is the correct way to disable all send_redirects and make it persist across reboots?

Answer 1

It looks like net.ipv4.conf.eno16777894 and net.ipv4.conf.all are being tracked separately by the kernel.

[user@host sysctl.d]$ sudo cat /etc/sysctl.conf
# sysctl settings are defined through files in
# /usr/lib/sysctl.d/, /run/sysctl.d/, and /etc/sysctl.d/.
#
# Vendors settings live in /usr/lib/sysctl.d/.
# To override a whole file, create a new file with the same in
# /etc/sysctl.d/ and put new settings there. To override
# only specific settings, add a file with a lexically later
# name in /etc/sysctl.d/ and put new settings there.
#
# For more information, see sysctl.conf(5) and sysctl.d(5).
net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
[user@host sysctl.d]$ sudo cat /proc/sys/net/ipv4/conf/all/send_redirects
0
[user@host sysctl.d]$ sudo cat /proc/sys/net/ipv4/conf/eth0/send_redirects
1

I'm not sure whether the "all" setting overrides the per-interface settings in eth0 etc. If you're in a pinch, you could add a net.ipv4.conf.<eth#> line for each network interface.
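An added example, not from the question or the answer above: for send_redirects the kernel ORs conf/all with conf/<iface> (sending is enabled if either flag is 1), so the "all" key alone does not switch it off on an interface whose own flag is still 1. The script below emits a sysctl.d drop-in covering all, default and every named interface, plus a check that reads the live /proc values; the drop-in path and file name are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). Generates a sysctl.d drop-in
# that sets send_redirects=0 on "all", "default" (applied to interfaces
# created later) and each interface given on the command line, then offers
# a check of the live kernel values. Assumed drop-in path:
# /etc/sysctl.d/90-no-redirects.conf (any name sorting after vendor files).

# Print the drop-in contents for the given interface names.
gen_no_redirects_conf() {
    printf 'net.ipv4.conf.all.send_redirects = 0\n'
    printf 'net.ipv4.conf.default.send_redirects = 0\n'
    for iface in "$@"; do
        printf 'net.ipv4.conf.%s.send_redirects = 0\n' "$iface"
    done
}

# Effective send_redirects for one interface, following the kernel's OR
# rule: 1 if either the "all" value or the per-interface value is 1.
effective_send_redirects() {
    all=$1
    per_iface=$2
    if [ "$all" -ne 0 ] || [ "$per_iface" -ne 0 ]; then
        echo 1
    else
        echo 0
    fi
}

# Read the live values from /proc and report whether an interface will
# still send ICMP redirects. Usage: check_iface eno16777984
check_iface() {
    iface=$1
    all=$(cat /proc/sys/net/ipv4/conf/all/send_redirects)
    per=$(cat "/proc/sys/net/ipv4/conf/$iface/send_redirects")
    echo "$iface: all=$all iface=$per effective=$(effective_send_redirects "$all" "$per")"
}

# Typical use on the VPN gateway (as root). Note that sysctl -p only reads
# /etc/sysctl.conf; sysctl --system also loads the sysctl.d drop-ins.
#   gen_no_redirects_conf $(ls /sys/class/net | grep -v '^lo$') \
#       > /etc/sysctl.d/90-no-redirects.conf && sysctl --system
#   check_iface eno16777984
```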
