BIND_TO DEVICE and the loopback interface

Shachar Shemesh shachar at shemesh.biz
Fri Jul 3 13:11:51 IDT 2009


Shachar Shemesh wrote:
> Gilad Ben-Yossef wrote:
>>
>> Hello List,
>>
>>
>> A friend presented me with a difficult problem which I don't have a 
>> solution for and I thought someone here on the list might have an idea.
>>
>>
>> The problem is as follows:
>>
>>
>> You have an application running on a machine that has two network 
>> interfaces. One for management and one for media.
>>
>>
>> You have a network server application (it's a SIP UA but that doesn't 
>> matter much) that is bound to an IP on the media network interface. 
>> Because the media and management networks might be completely 
>> different, you use the BIND_TO_DEVICE socket option on the server 
>> sockets so that the kernel will only route traffic for that socket 
>> via that device.
>>
> I haven't been able to find any documentation on the BIND_TO_DEVICE 
> socket option. Can you point to some, or at least give a code sample?
>
> Why not just use bind with an IP address? This way, communication from 
> localhost is still possible, provided you give the external IP address 
> rather than the internal one. Attached is a sample program.
I re-read the problem description, and the solution I suggested is 
incomplete. To make it complete, you need to add an iptables INCOMING 
chain saying "do not allow connection to IP:PORT unless from interface 
eth1". This will provide the security aspect you desire, but because 
it's in IPTABLES rules, it's flexible enough to accommodate the "allow 
from here AND here, but not here".

Shachar

-- 
Shachar Shemesh
Lingnu Open Source Consulting Ltd.
http://www.lingnu.com
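The distinction the thread turns on is that bind() selects an address while SO_BINDTODEVICE selects an interface. The following is an added example, not the sample program Shachar attached (which the archive scrubbed) and not code from anyone on the list. It uses two loopback addresses, 127.0.0.1 and 127.0.0.2 (both live on `lo` on Linux), as constructed stand-ins for the management and media addresses, and shows that a listener bound to one address refuses connections aimed at the other. It also wraps the SO_BINDTODEVICE call itself, which on Linux takes the interface name as the option value and, on older kernels, requires CAP_NET_RAW; the helper reports that outcome instead of failing.

```python
"""bind(IP) versus SO_BINDTODEVICE on Linux: an added demonstration.

Constructed stand-ins: 127.0.0.2 plays the media-interface address and
127.0.0.1 the management address. Both sit on 'lo', so this runs on a
single host with no extra configuration.
"""
import errno
import socket

MEDIA_IP = "127.0.0.2"  # constructed stand-in for the media-side address
MGMT_IP = "127.0.0.1"   # constructed stand-in for the management-side address


def start_server(ip):
    """Listen on a single address with an ephemeral port; caller closes it."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((ip, 0))
    srv.listen(1)
    return srv


def try_connect(ip, port, timeout=1.0):
    """True if a TCP connect to ip:port completes, False if refused/timed out."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as cli:
        cli.settimeout(timeout)
        try:
            cli.connect((ip, port))
            return True
        except (ConnectionRefusedError, socket.timeout):
            return False


def bind_to_address_demo():
    """A listener bound to MEDIA_IP answers only on MEDIA_IP.

    Local clients can still reach it, as the thread notes, but only by
    using that address; the same port on MGMT_IP is refused.
    """
    srv = start_server(MEDIA_IP)
    try:
        port = srv.getsockname()[1]
        return {
            "via_media_ip": try_connect(MEDIA_IP, port),
            "via_mgmt_ip": try_connect(MGMT_IP, port),
        }
    finally:
        srv.close()


def bind_to_device(sock, ifname):
    """Apply SO_BINDTODEVICE to sock; return a status string, never raise for
    the expected failure modes.

    'ok'          option applied, sock now only sends/receives via ifname
    'eperm'       kernel demanded CAP_NET_RAW (pre-5.7 behaviour)
    'nodev'       no interface with that name
    'unsupported' platform does not expose SO_BINDTODEVICE
    """
    if not hasattr(socket, "SO_BINDTODEVICE"):
        return "unsupported"
    try:
        # The option value is the interface name, NUL-terminated, <= IFNAMSIZ.
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_BINDTODEVICE,
                        ifname.encode() + b"\0")
        return "ok"
    except PermissionError:
        return "eperm"
    except OSError as exc:
        if exc.errno == errno.ENODEV:
            return "nodev"
        raise


def bind_to_device_demo(ifname):
    """Create a UDP socket and attempt to pin it to ifname; return the status."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        return bind_to_device(sock, ifname)


if __name__ == "__main__":
    print("bind(IP):", bind_to_address_demo())
    print("SO_BINDTODEVICE lo:", bind_to_device_demo("lo"))
    print("SO_BINDTODEVICE bogus:", bind_to_device_demo("no-such-if0"))
```

Binding to an address says nothing about which interface a packet arrived on; Linux will deliver a datagram addressed to the media IP even if it came in through the management NIC, which is exactly the gap the follow-up closes with a netfilter rule. That rule belongs in the INPUT chain of the filter table and matches on the inbound interface with `-i`, so traffic for the listener's address and port that did not enter via the media interface is dropped before the socket sees it.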
