rp_filter

Help Protect Your Server from IP Spoofing Attacks with rp_filter

The rp_filter parameter enables or disables the server's reverse path filtering mechanism. When it is enabled, the kernel performs source validation on incoming traffic: a packet is accepted only if a reply to its source address would be routed back out through the interface the packet arrived on. It can be enabled globally or on a per-interface basis.

Check the current settings on your server.

sysctl -a | grep rp_filter | grep -v arp_filter
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.lo.rp_filter = 1
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.eth1.rp_filter = 1

Any one of these configuration lines can be adjusted in /etc/sysctl.conf, or you can echo a value directly into the /proc filesystem.

For example, to enable net.ipv4.conf.all.rp_filter via procfs:

echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter

Running sysctl again now shows that it is enabled.

sysctl -a | grep rp_filter | grep -v arp_filter
net.ipv4.conf.all.rp_filter = 1

To make the change persist across reboots, edit /etc/sysctl.conf and change the value.

vi /etc/sysctl.conf

Change

net.ipv4.conf.all.rp_filter = 0

To

net.ipv4.conf.all.rp_filter = 1
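The sysctl listing above shows net.ipv4.conf.all.rp_filter next to the per-interface values, and the kernel applies the larger of the two when it validates sources on a given interface (0 disables validation, 1 is strict mode, 2 is loose mode), which is why the "all" line being 0 on this server is the one that matters. The POSIX shell functions below are added here as an example and are not part of the original article: they compute that effective value for each interface and flag any interface on which source validation is effectively off. The procfs root is taken as a parameter (default /proc/sys/net/ipv4/conf) so the same functions can be exercised against a copied directory tree; that parameter and the function names are this example's own assumptions.

```shell
#!/bin/sh
# rp_filter audit helpers (example code, not from the original article).
# The kernel uses max(conf/all/rp_filter, conf/<iface>/rp_filter) when it
# validates the source of packets arriving on <iface>:
#   0 = no source validation, 1 = strict (RFC 3704), 2 = loose.

# rp_mode VALUE: translate a numeric rp_filter value into its mode name.
rp_mode() {
    case "$1" in
        0) echo "disabled" ;;
        1) echo "strict" ;;
        2) echo "loose" ;;
        *) echo "unknown" ;;
    esac
}

# effective_rp_filter ROOT IFACE
# Print the value the kernel actually applies on IFACE. ROOT is the conf
# directory (normally /proc/sys/net/ipv4/conf); it is a parameter so the
# logic can be checked against a copied tree as well as the live one.
effective_rp_filter() {
    root="$1"
    iface="$2"
    all=$(cat "$root/all/rp_filter")
    own=$(cat "$root/$iface/rp_filter")
    if [ "$own" -gt "$all" ]; then
        echo "$own"
    else
        echo "$all"
    fi
}

# audit_rp_filter [ROOT]
# List every real interface with its effective rp_filter mode and return
# non-zero if any interface has source validation disabled. The "all" and
# "default" entries are templates, not interfaces, so they are skipped.
audit_rp_filter() {
    root="${1:-/proc/sys/net/ipv4/conf}"
    rc=0
    for dir in "$root"/*/; do
        iface=$(basename "$dir")
        case "$iface" in all|default) continue ;; esac
        [ -f "$dir/rp_filter" ] || continue
        eff=$(effective_rp_filter "$root" "$iface")
        printf '%-10s rp_filter=%s (%s)\n' "$iface" "$eff" "$(rp_mode "$eff")"
        if [ "$eff" -eq 0 ]; then
            rc=1
        fi
    done
    return $rc
}

# Usage: save as rp_filter_audit.sh, then
#   . ./rp_filter_audit.sh && audit_rp_filter
# to audit the live kernel settings, or pass a directory to audit a copy.
```

Run against the listing shown earlier on this page, the audit reports lo, eth0 and eth1 as strict (their own value 1 is larger than the global 0), so a single interface set to 0 would be the only one flagged; once net.ipv4.conf.all.rp_filter is raised to 1, every interface is strict regardless of its own setting. Remember that editing /etc/sysctl.conf alone does not change the running kernel; apply the file with sysctl -p or set the value through /proc as shown above.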