Centos7 disable IP Redirect sending on IPSec VPN Server

centos7 icmp ip networking sysctl

When using StrongSwan as an IPSEC S2S VPN Gateway, ICMP redirects are being sent to machines behind the right side. I have added the following lines to /etc/sysctl.conf:

net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.all.secure_redirects=0
net.ipv4.conf.all.send_redirects=0

However, after syncing with sysctl -p I still see redirection:

[root@tunnels ~]# sysctl -p
net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.all.send_redirects = 0
[root@tunnels ~]# cat /proc/sys/net/ipv4/conf/eno16777984/send_redirects
1

What is the proper way to disable all send_redirects and keep it persistent across reboots?

Best Answer

It looks like net.ipv4.conf.eno16777894 and net.ipv4.conf.all are being tracked by the kernel separately.

[user@host sysctl.d]$ sudo cat /etc/sysctl.conf
# sysctl settings are defined through files in
# /usr/lib/sysctl.d/, /run/sysctl.d/, and /etc/sysctl.d/.
#
# Vendors settings live in /usr/lib/sysctl.d/.
# To override a whole file, create a new file with the same in
# /etc/sysctl.d/ and put new settings there. To override
# only specific settings, add a file with a lexically later
# name in /etc/sysctl.d/ and put new settings there.
#
# For more information, see sysctl.conf(5) and sysctl.d(5).
net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
[user@host sysctl.d]$ sudo cat /proc/sys/net/ipv4/conf/all/send_redirects
0
[user@host sysctl.d]$ sudo cat /proc/sys/net/ipv4/conf/eth0/send_redirects
1

I'm not sure if the "all" setting overrides the settings found in each eth0 etc. If push comes to shove, you could add a net.ipv4.conf.<eth#> line for each of your network interfaces.
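
Added example, not part of the original answer: the kernel's ip-sysctl documentation states that send_redirects is enabled for an interface when at least one of conf/all or conf/<interface> is set, so all = 0 alone leaves an interface that still reads 1 sending redirects. The shell functions below list those interfaces and emit one send_redirects = 0 line per conf entry (all, default, and each interface); the function names, the CONF_ROOT variable and the drop-in file name in the comment are assumptions.

```shell
#!/bin/sh
# Added example. CONF_ROOT can be pointed at a test directory; by default it
# is the kernel's per-interface IPv4 configuration tree.
CONF_ROOT="${CONF_ROOT:-/proc/sys/net/ipv4/conf}"

# List interfaces that still send ICMP redirects.
# The effective value is (conf/all OR conf/<interface>).
redirect_senders() {
    root="${1:-$CONF_ROOT}"
    all=$(cat "$root/all/send_redirects")
    for dir in "$root"/*/; do
        name=$(basename "$dir")
        case "$name" in all|default) continue ;; esac
        val=$(cat "$dir/send_redirects")
        if [ "$all" != 0 ] || [ "$val" != 0 ]; then
            echo "$name"
        fi
    done
}

# Emit sysctl lines that turn send_redirects off everywhere:
# "all", "default" (template for interfaces created later, e.g. tunnels)
# and every interface that exists now.
sysctl_lines() {
    root="${1:-$CONF_ROOT}"
    for dir in "$root"/*/; do
        name=$(basename "$dir")
        # In dotted sysctl keys '.' and '/' are swapped, so a VLAN
        # interface such as eth0.100 must be written as eth0/100.
        key=$(printf '%s' "$name" | tr '.' '/')
        echo "net.ipv4.conf.$key.send_redirects = 0"
    done
}

# Usage (file name is a placeholder):
#   sh this_script.sh emit > /etc/sysctl.d/90-no-redirects.conf
#   sysctl --system
#   sh this_script.sh audit     # should print nothing afterwards
case "${1:-}" in
    audit) redirect_senders ;;
    emit)  sysctl_lines ;;
esac
```

Interfaces that appear after boot take their initial value from conf/default, which is why the generated file sets it as well.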
