krys...@ibse.cz wrote:
> On Wednesday, 15 March 2023 12:55:55 CET, Henning Follmann wrote:
> > This is indeed not right.
> > Please try to ping any other host on the 192.168.1.0/24 network from the
> > 192.168.0.0/24 network. This might be just the case that the host with the
> > two interfaces replies on any interface independent of the network.
>
> Pinging other hosts on that network does not work - forwarding is
> disabled, which is the default. My point is that when I have a server which
> has a management interface on a VLAN, for example, and some client sets its default
> route to that server and tries to access the management address, he will get
> there if no input interface is set on the firewall. The management is not the
> problem, since it usually is accessible only through one interface on one
> specific address, but when I want to enable ICMP, for example, on multiple
> interfaces from multiple networks, it gets kind of exhausting. I was
> wondering if it is possible to prevent this behaviour through modification of the
> kernel network stack, but found nothing other than rp_filter, which checks the
> source address of packets but not the destination one.
If I understand your problem correctly, you want to do this:

NIC_A=eth0
IP_A=192.168.0.2
NIC_B=eth1
IP_B=192.168.1.3

iptables -A INPUT -i $NIC_A -d $IP_B -j REJECT
iptables -A INPUT -i $NIC_B -d $IP_A -j REJECT

Note that -i is the input interface and -d is the destination IP.
There are corresponding -o and -s options available, but we don't need
them here.

-dsr-
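The pairwise rules above scale badly by hand, which is the "exhausting" part of the original complaint. The following POSIX shell script is an added example, not code from dsr's message or from the thread: it generates the same kind of rule for every ordered pair of interfaces, so a packet arriving on interface I addressed to an address that lives on any other interface J is rejected in INPUT. The function name gen_cross_iface_rules, the apply helper, and the pair list (dsr's eth0/eth1 values plus a made-up eth2 carrying two addresses) are all assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not code from the thread): generate dsr's pairwise
# "wrong input interface" rules for any number of interface/address pairs.
# One rule per ordered pair (I, J) with I != J: a packet that arrives on
# interface I and is addressed to an address configured on J is rejected.

# Constructed sample input: one "interface address" pair per line. The
# eth0 and eth1 lines are the values from dsr's message; eth2 with two
# addresses is made up to show an interface that carries several addresses.
PAIRS='eth0 192.168.0.2
eth1 192.168.1.3
eth2 10.0.0.5
eth2 10.0.0.6'

# Print one iptables command per (input interface, address on some other
# interface). An interface listed on several lines produces the same rules
# several times, so duplicates are dropped while keeping first-seen order.
gen_cross_iface_rules() {
    pairs=$1
    printf '%s\n' "$pairs" | while read -r in_if _; do
        [ -n "$in_if" ] || continue
        printf '%s\n' "$pairs" | while read -r other_if addr; do
            [ -n "$other_if" ] || continue
            [ "$other_if" = "$in_if" ] && continue
            printf 'iptables -A INPUT -i %s -d %s -j REJECT\n' "$in_if" "$addr"
        done
    done | awk '!seen[$0]++'
}

# Apply the generated rules. Needs root and a working iptables; it is not
# called by default, so running this file only prints the rules.
apply_cross_iface_rules() {
    gen_cross_iface_rules "$1" | sh -e
}

# Stand-alone run: show what would be added (nothing is applied).
gen_cross_iface_rules "$PAIRS"
```

Because the rules are appended with -A, they only take effect if no earlier INPUT rule already accepts the traffic; put them before any broad ACCEPT rules (or use -I) and after the usual loopback and conntrack ESTABLISHED accepts.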