Thread: not rule is not working

not rule is not working
2007-08-14 01:45:42
Hi,
I was trying to drop arp packets such that only a specific interface should answer the arp requests.
I added the following rules in the input chain:
-j DROP -i !eth1 -o * -d 10.19.1.102 --opcode 1 , pcnt=0 -- bcnt=0
-j DROP -i !eth2 -o * -d 10.19.51.102 --opcode 1 , pcnt=0 -- bcnt=0
As the packet count suggests, these are not matching against any packet.
When I do arping from another machine to 10.19.1.102 (assigned to the eth1 interface), the arp requests are responded to from eth0 (ip 10.19.0.102).
Why are the rules not having any effect?
--
Thanks
Pankaj Jain

Re: not rule is not working
2007-08-14 05:48:08
pankaj jain wrote:
> Hi,
> I was trying to drop arp packets such that only a specific interface should answer the arp requests.
> I added the following rules in the input chain:
> -j DROP -i !eth1 -o * -d 10.19.1.102 --opcode 1 , pcnt=0 -- bcnt=0
> -j DROP -i !eth2 -o * -d 10.19.51.102 --opcode 1 , pcnt=0 -- bcnt=0
>
I think that this should be in THIS form:
-j DROP ! -i eth1 ....
> As the packet count suggests, these are not matching against any packet.
> When I do arping from another machine to 10.19.1.102 (assigned to the eth1 interface), the arp requests are responded to from eth0 (ip 10.19.0.102).
> Why are the rules not having any effect?
Swifty

Re: not rule is not working
2007-08-14 07:28:17
On 8/14/07, Gáspár Lajos <swifty freemail.hu> wrote:
> pankaj jain wrote:
> > Hi,
> > I was trying to drop arp packets such that only a specific interface should answer the arp requests.
> > I added the following rules in the input chain:
> > -j DROP -i !eth1 -o * -d 10.19.1.102 --opcode 1 , pcnt=0 -- bcnt=0
> > -j DROP -i !eth2 -o * -d 10.19.51.102 --opcode 1 , pcnt=0 -- bcnt=0
> >
> I think that this should be in THIS form:
>
> -j DROP ! -i eth1 ....
> > As the packet count suggests, these are not matching against any packet.
> > When I do arping from another machine to 10.19.1.102 (assigned to the eth1 interface), the arp requests are responded to from eth0 (ip 10.19.0.102).
> > Why are the rules not having any effect?
> Swifty
>
I tried
arptables -A INPUT ! -i eth1 --opcode Request -d 10.19.1.102 -j DROP
but it was not working.
When I do "arptables -L -nvx", it shows:
-j DROP -i eth1 -o !* -d 10.19.1.102 --opcode 1 , pcnt=0 -- bcnt=0
--
Thanks
Pankaj Jain

Re: not rule is not working
2007-08-14 09:27:56 (United States)
On 08/14/07 01:45, pankaj jain wrote:
> I was trying to drop arp packets such that only a specific interface should answer the arp requests.
I don't know if it applies to your situation or not, but have you tried the configurations used in the Linux Virtual Server (a.k.a. LVS) to prevent an interface from responding to ARP requests, i.e. via /proc settings?
Grant. . . .

Re: not rule is not working
2007-08-14 09:36:56 (United States)
On 08/14/07 01:45, pankaj jain wrote:
> I was trying to drop arp packets such that only a specific interface should answer the arp requests.
Will you please elaborate a bit more on why you are trying to accomplish this and what your situation is? I feel like there is more to this puzzle that will help us help you. For example, do you have multiple (VLAN) physical interfaces on the same subnet, or do you have an overly large netmask that encompasses both IPs in your post?
Grant. . . .

Re: not rule is not working
2007-08-16 00:56:18
On 8/14/07, Grant Taylor <gtaylor riverviewtech.net> wrote:
> On 08/14/07 01:45, pankaj jain wrote:
> > I was trying to drop arp packets such that only a specific interface should answer the arp requests.
>
> Will you please elaborate a bit more on why you are trying to accomplish this and what your situation is? I feel like there is more to this puzzle that will help us help you. For example, do you have multiple (VLAN) physical interfaces on the same subnet, or do you have an overly large netmask that encompasses both IPs in your post?
>
> Grant. . . .
>
I have a machine with 3 interfaces:
eth0: 10.19.0.102 mask (255.255.255.0)
eth1: 10.19.1.102 mask (255.255.255.0)
eth2: 10.29.51.102 mask (255.255.255.0)
All three are connected to the same switch (no vlans configured).
I want arp requests to be responded to by the associated interface only, and not by other interfaces.
I have added the following rules:
arptables -A INPUT -i eth0 --opcode Request -d 10.19.0.102 -j ACCEPT
arptables -A INPUT -i eth1 --opcode Request -d 10.19.1.102 -j ACCEPT
arptables -A INPUT -i eth2 --opcode Request -d 10.19.51.102 -j ACCEPT
arptables -A INPUT -i !eth0 --opcode Request -d 10.19.0.102 -j DROP
arptables -A INPUT -i !eth1 --opcode Request -d 10.19.1.102 -j DROP
arptables -A INPUT -i !eth2 --opcode Request -d 10.19.51.102 -j DROP
The DROP rules with [!] are not working.
But if I remove the interface part, it works fine:
arptables -A INPUT -i eth0 --opcode Request -d 10.19.0.102 -j ACCEPT
arptables -A INPUT -i eth1 --opcode Request -d 10.19.1.102 -j ACCEPT
arptables -A INPUT -i eth2 --opcode Request -d 10.19.51.102 -j ACCEPT
arptables -A INPUT --opcode Request -d 10.19.0.102 -j DROP
arptables -A INPUT --opcode Request -d 10.19.1.102 -j DROP
arptables -A INPUT --opcode Request -d 10.19.51.102 -j DROP
--
Thanks
Pankaj Jain

Re: not rule is not working
2007-08-16 16:47:11
On Thu, Aug 16, 2007 at 10:27:32AM -0500, Grant Taylor wrote:
> On 08/16/07 10:07, Pascal Hambourg wrote:
> > The default behaviour is to reply on any interface for any local address. It can be changed on a per-interface basis with the kernel parameter /proc/sys/net/ipv4/conf/<interface>/arp_ignore. Definitions and values are in Documentation/networking/ip-sysctl.txt :
[...]
> So I can correctly update my references, where did you copy and paste that documentation from?
It comes from the kernel documentation.
--
Franck Joncourt
http://www.debian.org - http://smhteam.info/wiki/
GPG server : pgpkeys.mit.edu
Fingerprint : C10E D1D0 EF70 0A2A CACF 9A3C C490 534E 75C0 89FE
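The thread raises two mechanisms for keeping a multi-homed host from answering ARP on the wrong interface: an arptables INPUT ruleset with the interface match negated (Swifty's "! -i eth1" placement rather than "-i !eth1"), and the per-interface arp_ignore sysctl that Pascal Hambourg points to. The following is an added example, written for this page; it is not code from arptables, the kernel or any poster. It models both mechanisms on the host layout from Pankaj's post (eth2 taken as 10.19.51.102, the address his rules name), assuming the arp_ignore values 0, 1 and 2 as documented in ip-sysctl.txt, that the ARP INPUT hook is evaluated before arp_ignore, and a small subset of arptables options. The parser accepts negation only in the documented "! -i" position and rejects "-i !eth1", so the misplacement from the first post is caught before anything is loaded; it models the intended semantics of the rules, not how any particular arptables version parses or lists them.

```python
from __future__ import annotations
import ipaddress
import shlex
from collections import namedtuple
from dataclasses import dataclass, field

# One arptables INPUT rule; negate_in inverts the -i match (assumed subset of options)
Rule = namedtuple("Rule", "in_iface negate_in opcode dst target")

def parse_rule(cmdline: str) -> Rule:
    """Parse 'arptables -A INPUT ...' into a Rule.
    Negation is accepted only as '! -i eth1'; the '-i !eth1' spelling is rejected."""
    toks = shlex.split(cmdline)
    in_iface = opcode = dst = target = None
    negate_in = negate_next = False
    i = 0
    while i < len(toks):
        t = toks[i]
        if t == "!":
            negate_next, i = True, i + 1
            continue
        if t in ("arptables", "-A", "INPUT"):
            i += 1
            continue
        if t == "-i":
            in_iface = toks[i + 1]
            if in_iface.startswith("!"):
                raise ValueError(f"write the negation as '! -i {in_iface[1:]}'")
            negate_in = negate_next
        elif t == "--opcode":
            opcode = toks[i + 1]
        elif t == "-d":
            dst = toks[i + 1]
        elif t == "-j":
            target = toks[i + 1]
        else:
            raise ValueError(f"option {t!r} is not modelled here")
        negate_next, i = False, i + 2
    if target not in ("ACCEPT", "DROP"):
        raise ValueError("rule needs -j ACCEPT or -j DROP")
    return Rule(in_iface, negate_in, opcode, dst, target)

@dataclass
class Host:
    ifaces: dict[str, tuple[str, int]]      # name -> (address/prefix, arp_ignore)
    rules: list[Rule] = field(default_factory=list)

    def arptables_verdict(self, in_iface: str, opcode: str, target_ip: str) -> str:
        """First matching INPUT rule decides; the chain policy is ACCEPT."""
        for r in self.rules:
            if r.in_iface is not None and (in_iface == r.in_iface) == r.negate_in:
                continue                    # -i did not match (or a negated -i did)
            if r.opcode is not None and r.opcode != opcode:
                continue
            if r.dst is not None and r.dst != target_ip:
                continue
            return r.target
        return "ACCEPT"

    def answers(self, in_iface: str, target_ip: str, sender_ip: str) -> bool:
        """Is a Request for target_ip arriving on in_iface answered? INPUT hook first,
        then arp_ignore on the receiving interface (values 0-2 as in ip-sysctl.txt)."""
        if self.arptables_verdict(in_iface, "Request", target_ip) == "DROP":
            return False
        target = ipaddress.ip_address(target_ip)
        if target not in {ipaddress.ip_interface(c).ip for c, _ in self.ifaces.values()}:
            return False                    # not a local address at all
        cidr, arp_ignore = self.ifaces[in_iface]
        iface = ipaddress.ip_interface(cidr)
        if arp_ignore == 0:                 # any local address, on any interface
            return True
        if arp_ignore == 1:                 # only if target is configured on in_iface
            return target == iface.ip
        if arp_ignore == 2:                 # as 1, and the sender must be on that subnet
            return target == iface.ip and ipaddress.ip_address(sender_ip) in iface.network
        raise ValueError("arp_ignore values above 2 are not modelled here")

# Host layout from Pankaj's post; his listing gives eth2 as 10.29.51.102 while
# every rule names 10.19.51.102, and this example follows the rules.
THREAD_HOST = {"eth0": "10.19.0.102/24", "eth1": "10.19.1.102/24", "eth2": "10.19.51.102/24"}

# His ruleset with '!' moved in front of -i, as Swifty suggested.
THREAD_RULES = [
    "arptables -A INPUT -i eth0 --opcode Request -d 10.19.0.102 -j ACCEPT",
    "arptables -A INPUT -i eth1 --opcode Request -d 10.19.1.102 -j ACCEPT",
    "arptables -A INPUT -i eth2 --opcode Request -d 10.19.51.102 -j ACCEPT",
    "arptables -A INPUT ! -i eth0 --opcode Request -d 10.19.0.102 -j DROP",
    "arptables -A INPUT ! -i eth1 --opcode Request -d 10.19.1.102 -j DROP",
    "arptables -A INPUT ! -i eth2 --opcode Request -d 10.19.51.102 -j DROP",
]

def build_host(arp_ignore: int, rule_lines: list[str]) -> Host:
    return Host({n: (c, arp_ignore) for n, c in THREAD_HOST.items()},
                [parse_rule(line) for line in rule_lines])

def demo() -> dict[str, bool]:
    """Which interface answers a Request for eth1's address, under each setup?"""
    asker = "10.19.1.50"                    # constructed: the arping host on eth1's subnet
    return {
        "eth0, no filtering": build_host(0, []).answers("eth0", "10.19.1.102", asker),
        "eth0, arptables": build_host(0, THREAD_RULES).answers("eth0", "10.19.1.102", asker),
        "eth0, arp_ignore=1": build_host(1, []).answers("eth0", "10.19.1.102", asker),
        "eth1, arp_ignore=1": build_host(1, THREAD_RULES).answers("eth1", "10.19.1.102", asker),
    }

if __name__ == "__main__":
    print(demo())
```

With no filtering and arp_ignore at its default of 0, eth0 answers for eth1's address, which is the behaviour Pankaj observed; either the negated arptables DROP rules or arp_ignore=1 on each interface stops that, while the owning interface still replies. The sysctl route needs no arptables at all, which is why the LVS configurations Grant mentioned rely on it.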