Topic: no ip redirects command?

[chris burnat]

Does anyone know how to defeat the ip redirects function on the local interface of an SME server?
I am testing some audio codecs and have setup two gateways, one at 192.168.1.1 and the other at 192.168.2.1  I have also included 192.168.1.1 into the local network of gateway 192.168.2.1 (and vis et versa).  The codecs are at 192.168.1.2 and 192.168.2.2 .

The gateways are sending out ICMP redirect messages to the codec devices asking to bypass themselves and send direct to the destination:

IP 192.168.2.1 > 192.168.2.2: icmp 46: redirect 192.168.1.2 to host 192.168.1.2
IP 192.168.1.1 > 192.168.1.2: icmp 292: redirect 192.168.2.2 to host 192.168.2.2

One particular brand of codec does not like this.  With Cisco routers, I could issue a "no ip redirects" command to avoid this situation.  How to do this with SME?

[mmccarn]

From looking at http://www.itsyourip.com/Security/how-to-disable-icmp-redirects-in-linux-for-security-redhatdebianubuntususe-tested/, I think you can do what you want like this:

Code: [Select]

mkdir -p /etc/e-smith/templates-custom/etc/sysctl.conf
cd /etc/e-smith/templates-custom/etc/sysctl.conf
echo '
# ICMP accept_redirects disabled by custom template
net.ipv4.conf.all.accept_redirects = 0
' > net.ipv4.conf.all.accept_redirects
echo '
#ICMP send_redirects disabled by custom template
net.ipv4.conf.all.send_redirects = 0
' > net.ipv4.conf.all.send_redirects
expand-template /etc/sysctl.conf
/etc/rc.d/init.d/network restart

(I tested the above on my SME, and the network still seems to work -- but I have no idea how to find out if the redirects have actually been disabled).

[CharlieBrady]

I don't think that Chris should be trying to disable redirects. i think he should find out why the redirects are being issued. I expect there's a network configuration problem in his network.

[chris burnat]

I don't think that Chris should be trying to disable redirects. i think he should find out why the redirects are being issued. I expect there's a network configuration problem in his network.

You are correct Charlie.  I am trying to simulate a private VPN using two SME gateways for testing of a variety of digital audio codecs. The VPN I am trying to emulate has two Cisco routers, the LAN gateway addresses being 192.168.1.1 & 192.168.2.1  .  The codecs are at 192.168.1.2 & 192.168.2.2 .   At the moment, I have connected the two LAN interface of the SME and the two codecs onto a common switch, crude I know, but it has allowed me to check bitrates over the "network" resulting from various audio coding scheme I implement.  I am hitting a hitch with one particular brand of device:  they do not allow bypassing the gateways, and so I cannot perform any meaningful test on these boxes.  Actually, they just crash after a while.  The manufacturer has suggested that I prevent IP redirects:

see for more info:
http://www.cisco.com/en/US/tech/tk365/technologies_tech_note09186a0080094702.shtml
NOTE: By default, Cisco routers send ICMP redirects. The interface subcommand no ip redirects can be used to disable ICMP redirects.

Hence my question...

What I should really do, I suspect,  is "link" in some way the WAN interface of each SME gateway - they are at the moment connected to my ADSL router with a public IP address which allow me to simulate port forwarding of relevant ports to access the toolbox or GUI of each codecs for remote access of the devices.  In this way, data arriving from codec A to the LAN interface of Gateway A would pass through the SME gateway B to reach  codec B.  I do not know how to do this, and I am probably guilty of being O/T - my apologies.

Any tip would however be very appreciated, I am out of my depth here.
Rgds.

mmccarn, Thanks for the info.  Packet captures with tcpdump of the LAN interface will show the redirect instructions every few minutes in my particular case.