My current network setup is as follows:

```
auto lo
iface lo inet loopback
    dns-nameservers 8.8.8.8 8.8.4.4

auto eth0
iface eth0 inet static
    address 104.244.72.242/32
    gateway 107.189.30.113
    pointopoint 107.189.30.113
    netmask 255.255.255.255
```

I was having an issue before where ARP would end up connecting to 104.244.72.1, causing issues. I fixed that by adding:

```
net.ipv4.conf.all.arp_announce=1
net.ipv4.conf.all.arp_ignore=2
```

arp now connects/returns only to:

```
Address                  HWtype  HWaddress           Flags Mask            Iface
107.189.30.113           ether   00:16:cd:0b:1e:7c   C                     eth0
107.189.30.1             ether   0c:81:26:30:b8:78   C                     eth0
```

However, this is still causing issues. How can I get it to only connect to 107.189.30.113?

To add, this environment is within a nested virtual machine. The Proxmox node network is as follows:

```
auto lo
iface lo inet loopback

iface ens3 inet manual

auto vmbr0
iface vmbr0 inet static
        address 107.189.30.113/24
        gateway 107.189.30.1
        bridge-ports ens3
        bridge-stp off
        bridge-fd 0
        post-up ip route add 104.244.72.242/32 dev vmbr0
        post-up echo 1 > /proc/sys/net/ipv4/ip_forward
        post-up echo 1 > /proc/sys/net/ipv4/conf/all/proxy_arp
```

The host I am with does do MAC filtering. I am trying to next-hop the connection.

1 Answer

Depending on your environment, I think you might want to look into how to limit access to and from your system with a local endpoint firewall.

I would consider ufw, iptables, ipfilter or similar, depending on which Linux / BSD / Unix flavor you have installed.

Also, arp may not be the source of your issues. You should probably look at your routing table. You do not describe the nature of your issues, hence it is not easy to lead you to a solution.

Sven
  • What outputs should I add? – Harmonytalk Aug 07 '21 at 15:07
  • I am not sure what you mean by that question. You should choose an appropriate firewall for your system. When installed, you must create allow rules for all the traffic you want to pass to and from your system, and deny everything else. – Sven Aug 07 '21 at 15:31
  • I have created firewall settings to block `107.189.30.1` on the nested virtual machine. It still shows up on arp and I can't ping `107.189.30.1`. – Harmonytalk Aug 07 '21 at 15:33
  • Added a bit more info about the environment, hope it helps. – Harmonytalk Aug 07 '21 at 15:38
  • Could you please explain what you are trying to fix? What issues are you running into? – Sven Aug 07 '21 at 15:41
  • The network works on boot but shortly after it stops. This always happened when `104.244.72.1` displayed; it sometimes happens when arp shows `107.189.30.1`, but it comes and goes every 15-30 minutes. – Harmonytalk Aug 07 '21 at 15:55
  • Ah, nested VM in a Proxmox environment. That's key information and opens a whole new can of worms. – Sven Aug 07 '21 at 17:11
  • It looks like you are trying to use the Proxmox bridged interface as your default gw for the "inner VM"? And this is configured to be a p2p interface. But the "inner VM" displays arp entries from the "outer VM's" network environment. Makes sense since this is a bridged adapter. I have never looked into nested VMs before. Have you tried to just configure a 107.189.30.X address on the inner VM? Remove the p2p config and use a /24 netmask, with the .1 address as the default gw. – Sven Aug 07 '21 at 17:18
  • Yes, I have. `Reply from 107.189.0.1: TTL expired in transit.` returns from ping. The packets need to come from `00:16:cd:0b:1e:7c`; just setting the VM MAC to that doesn't seem to do anything. – Harmonytalk Aug 07 '21 at 18:06
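
A small check for the ARP table shown in the question, as an added example that is not part of the original question, answer or comments: it reads `arp -n` style output and reports any neighbour on the interface other than the expected next hop, or a next hop that resolves to the wrong MAC. The function names are hypothetical; the sample table is the one posted in the question.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# unexpected_neighbors IFACE EXPECTED_IP EXPECTED_MAC
# Reads an `arp -n` style table on stdin and prints one line per problem:
#   UNEXPECTED_NEIGHBOR <ip> <mac>  entry on IFACE that is not the next hop
#   MAC_MISMATCH <ip> <mac>         next hop resolved to a different MAC
unexpected_neighbors() {
    awk -v ifc="$1" -v ip="$2" -v mac="$3" '
        NR == 1 && $1 == "Address" { next }   # skip the header row
        $NF != ifc { next }                   # ignore other interfaces
        {
            # Incomplete entries have no HWaddress column at all.
            hw = "(incomplete)"
            for (i = 2; i < NF; i++)
                if (length($i) == 17 && $i ~ /^[0-9A-Fa-f:]+$/) {
                    hw = tolower($i)
                    break
                }
            if ($1 != ip)
                printf "UNEXPECTED_NEIGHBOR %s %s\n", $1, hw
            else if (hw != tolower(mac))
                printf "MAC_MISMATCH %s %s\n", $1, hw
        }'
}

# The ARP table as posted in the question, embedded so the check runs offline.
sample_table() {
    cat <<'EOF'
Address                  HWtype  HWaddress           Flags Mask            Iface
107.189.30.113           ether   00:16:cd:0b:1e:7c   C                     eth0
107.189.30.1             ether   0c:81:26:30:b8:78   C                     eth0
EOF
}

# Against the sample:
#   sample_table | unexpected_neighbors eth0 107.189.30.113 00:16:cd:0b:1e:7c
# Against the live table on the inner VM:
#   arp -n | unexpected_neighbors eth0 107.189.30.113 00:16:cd:0b:1e:7c
```

Running the live form from a timed loop with `date` output next to each result gives a record that can be lined up against the 15-30 minute dropouts described in the comments.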