In the green note under "Code Listing 10.6: Enable reverse path filtering" it is written "If you turn on IP forwarding, you will also get this result": this is not true. Enabling or disabling /proc/sys/net/ipv4/ip_forward will enable or disable some other /proc/sys/net/ipv4 entries (try a diff before and after) but will not touch rp_filter in any way (at least in the latest 2.6 kernels). Moreover, I think it would be good if the guide could remark on the following (see /usr/src/linux/Documentation/networking/ip-sysctl.txt):

1) Enabling/disabling /proc/sys/net/ipv4/ip_forward should be done before every other flag (even in /etc/sysctl.conf) because it enables/disables other flags as well.

2) /proc/sys/net/ipv4/conf/{all,interface_name}/rp_filter must BOTH be enabled to enable source validation; setting just /proc/sys/net/ipv4/conf/interface_name/rp_filter will not suffice. Actually the for...do...done loop in the guide does this, but I think it is better to state it clearly to the reader.

3) In case rp_filter is enabled the packet doesn't magically disappear; in fact it travels through mangle-prerouting and nat-prerouting like any other packet, and is filtered out just before entering the filter-input or filter-forward chains.

4) If you don't need ICMP redirects, it is better to turn off /proc/sys/net/ipv4/conf/*/secure_redirects too.

5) Some /proc/sys/net/ipv4/conf/*/* flags follow an OR logic, some an AND logic: I mean, for some features to be active on an interface both /proc/sys/net/ipv4/conf/{all,interface_name}/feature_name must be TRUE (as for rp_filter), while for others just one of /proc/sys/net/ipv4/conf/{all,interface_name}/feature_name suffices (as for secure_redirects). Obviously, in the first case to turn off the feature you just need to set /proc/sys/net/ipv4/conf/all/feature_name to FALSE, while in the second case you have to set both /proc/sys/net/ipv4/conf/{all,interface_name}/feature_name to FALSE (see /usr/src/linux/Documentation/networking/ip-sysctl.txt).
Reproducible: Always
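The AND/OR combination rules and the ip_forward ordering described in the report, as an added example that is not code from the guide or from the reporter; the function names are hypothetical, and the flag-to-logic table is limited to the two flags the report names (rp_filter: AND, secure_redirects: OR).

```shell
# Added example, not code from the guide or the bug report: models how the
# kernel combines conf/all/<flag> with conf/<iface>/<flag> using the AND/OR
# table from the report (points 2, 4, 5) and orders sysctl.conf (point 1).

# combine_logic FLAG -> prints "and" or "or" (only the two flags discussed)
combine_logic() {
    case "$1" in
        rp_filter)        echo and ;;  # active only if all/ AND iface/ are set
        secure_redirects) echo or  ;;  # active if all/ OR iface/ is set
        *) echo "unknown flag: $1" >&2; return 1 ;;
    esac
}

# effective_flag FLAG ALL_VALUE IFACE_VALUE -> 1 if active on the interface, else 0
effective_flag() {
    logic=$(combine_logic "$1") || return 1
    if [ "$logic" = and ]; then
        if [ "$2" -ne 0 ] && [ "$3" -ne 0 ]; then echo 1; else echo 0; fi
    else
        if [ "$2" -ne 0 ] || [ "$3" -ne 0 ]; then echo 1; else echo 0; fi
    fi
}

# disable_targets FLAG -> entries that must be 0 to switch the feature off
# (AND logic: conf/all alone suffices; OR logic: both all and iface)
disable_targets() {
    [ "$(combine_logic "$1")" = and ] && echo "all" || echo "all iface"
}

# proc_flag FLAG IFACE -> effective value from the live /proc tree (Linux only)
proc_flag() {
    d=/proc/sys/net/ipv4/conf
    [ -r "$d/all/$1" ] && [ -r "$d/$2/$1" ] || return 1
    effective_flag "$1" "$(cat "$d/all/$1")" "$(cat "$d/$2/$1")"
}

# render_sysctl_conf IP_FORWARD IFACE... -> sysctl.conf lines; ip_forward first
# because toggling it changes other ipv4 flags (so it must not come later)
render_sysctl_conf() {
    fwd=$1; shift
    echo "net.ipv4.ip_forward = $fwd"
    for i in all "$@"; do
        echo "net.ipv4.conf.$i.rp_filter = 1"
        echo "net.ipv4.conf.$i.secure_redirects = 0"
    done
}
```

Run `proc_flag rp_filter eth0` on a Linux host to see the effective state the kernel will apply for that interface, and compare it with what `cat /proc/sys/net/ipv4/conf/eth0/rp_filter` alone suggests.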
Thanks, fixed in CVS.