BIND_TO DEVICE and the loopback interface
Shachar Shemesh
shachar at shemesh.biz
Fri Jul 3 13:11:51 IDT 2009
Shachar Shemesh wrote:
> Gilad Ben-Yossef wrote:
>>
>> Hello List,
>>
>>
>> A friend presented me with a difficult problem which I don't have a
>> solution for and I thought someone here on the list might have an idea.
>>
>>
>> The problem is as follows:
>>
>>
>> You have an application running on a machine that has two network
>> interfaces. One for management and one for media.
>>
>>
>> You have a network server application (it's a SIP UA but that doesn't
>> matter much) that is bound to an IP on the media network interface.
>> Because the media and management networks might be completely
>> different, you use the BIND_TO_DEVICE socket option on the server
>> sockets so that the kernel will only route traffic for that socket
>> via that device.
>>
> I haven't been able to find any documentation on the BIND_TO_DEVICE
> socket option. Can you point to some, or at least give a code sample?
>
> Why not just use bind with an IP address? This way, communication from
> localhost is still possible, provided you give the external IP address
> rather than the internal one. Attached is a sample program.
I re-read the problem description, and the solution I suggested is
incomplete. To make it complete, you need to add an iptables INCOMING
chain saying "do not allow connection to IP:PORT unless from interface
eth1". This will provide the security aspect you desire, but because
it's in IPTABLES rules, it's flexible enough to accommodate the "allow
from here AND here, but not here" case.
Shachar
--
Shachar Shemesh
Lingnu Open Source Consulting Ltd.
http://www.lingnu.com
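The two controls discussed in this thread, as an added example that is not part of the original mails: a listener bound to one IP and additionally pinned to an interface with SO_BINDTODEVICE (the Linux name of the option the thread calls BIND_TO_DEVICE), plus the iptables INPUT rules that reject traffic for that IP:PORT arriving on any other interface. The interface names and the address 192.0.2.10 are placeholders; "lo" is listed among the allowed interfaces because clients on the same host reach the external IP through the loopback interface.

```python
import socket
import threading

def make_listener(ip, port, ifname=None):
    """TCP listener bound to ip:port. With ifname, also pin it to that
    interface via SO_BINDTODEVICE (Linux; unprivileged only on kernel >= 5.7,
    otherwise CAP_NET_RAW is needed). Returns (socket, pinned_to_device)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    pinned = False
    if ifname is not None:
        try:
            s.setsockopt(socket.SOL_SOCKET, socket.SO_BINDTODEVICE, ifname.encode())
            pinned = True
        except (AttributeError, OSError):
            pinned = False  # not Linux, old kernel, or missing capability
    s.bind((ip, port))
    s.listen(1)
    return s, pinned

def iptables_rules(ip, port, allowed_ifaces):
    """INPUT rules for the firewall half: bind() alone still accepts packets for
    ip:port that enter on another interface (Linux answers for any local
    address), so ACCEPT only from the listed interfaces and DROP the rest.
    Include "lo" when processes on the box itself must still reach the port."""
    match = ["iptables", "-A", "INPUT", "-p", "tcp", "-d", ip, "--dport", str(port)]
    rules = [match + ["-i", dev, "-j", "ACCEPT"] for dev in allowed_ifaces]
    rules.append(match + ["-j", "DROP"])
    return rules

def demo():
    """Constructed local check: listen on 127.0.0.1 pinned to 'lo' and connect
    from the same host; that connection arrives on 'lo' and is accepted."""
    srv, pinned = make_listener("127.0.0.1", 0, ifname="lo")
    received = []
    def accept_one():
        conn, _ = srv.accept()
        received.append(conn.recv(64))
        conn.close()
    t = threading.Thread(target=accept_one)
    t.start()
    client = socket.create_connection(srv.getsockname(), timeout=5)
    client.sendall(b"INVITE")
    client.close()
    t.join(5)
    srv.close()
    return {"pinned": pinned, "received": received[0] if received else None}
```

`demo()` reports whether the device pin was actually applied, so a `pinned: False` result tells you the host is relying on bind-to-IP alone and the iptables rules from `iptables_rules()` are doing all the interface filtering.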