Configuring Scrutinizer for Dual/Multi-homing¶
Scrutinizer is configured with Reverse-Path Filtering which is disabled by default. It allows the collector to receive flows from IP addresses that it does not know how to route to. This functionality exists in order to allow collectors to receive non-local traffic that may have been forwarded by a proxy or replication appliance and is intended ONLY to be used when Scrutinizer:
- is in a secure environment
- has a single interface
Plixer recommends that in multi-interface/multi-homed situations and where strict networking practices are required, best practices defined in RFC 3704 should be observed. This is required in order to ensure that spoofed/forged packets are not used to generate responses that are sent out another interface.
It is recommended the following steps be taken:
Enable Reverse Path Forwarding –
Edit the /etc/sysctl.conf and modify the line “net.ipv4.conf.default.rp_filter = 1” to “net.ipv4.conf.default.rp_filter = 0”
If the goal is to not restart networking after editing this file, simply run the command “sysctl net.ipv4.conf.default.rp_filter = 0” and this should turn it on (editing the file is still required).
Make sure the routing tables contain routes to all networks that will be receiving flows. Failure to properly configure routing will result in the inability to collect flows from non-local address spaces.
Virtual Routing and Forwarding (VRF) Mode¶
In certain circumstances it might be best to isolate the routing tables from the management network. Common cases for this are either security requirements or the management network may overlap with IP addresses on the collection side interfaces.
In these cases separate routing tables can be created in order to isolate management traffic to the management interface. Collection and polling traffic will then only impact their respective interfaces.
In this example, Scrutinizer has 2 interfaces: eth0 and eth1. Each will have its own routing table. One called “plixer”, another called “public”.
Configure separate routing tables¶
In this example notice that 2 default gateways are configured. This would not be possible under a standard configuration with a single routing table. Each maintains separate isolated IP networks which are not routable to one another on the Scrutinizer box.
- Add the 2 routing tables to the file named “/etc/iproute2/rt_tables”. The 2 lines will result in the file looking like this:
# # reserved values # 255 local 254 main 253 default 0 unspec # # local # #1 inr.ruhep 1 public 2 plixer
Create file /etc/sysconfig/network-scripts/route-eth0 containing the following:
default via 172.16.2.20 table plixer
Create file /etc/sysconfig/network-scripts/route-eth1 containing the following:
default via 10.1.1.251 table public
Interfaces do not need any special configuration. Here is an example based on the above configuration.
/etc/sysconfig/network-scripts/ifcfg-eth0 DEVICE="eth0" BOOTPROTO="none" HWADDR="" NM_CONTROLLED="yes" ONBOOT="yes" BOOTPROTO="none" PEERDNS=no TYPE="Ethernet" NETMASK=255.255.255.0 IPADDR=172.16.2.7 /etc/sysconfig/network-scripts/ifcfg-eth1 DEVICE="eth1" BOOTPROTO="none" HWADDR="" NM_CONTROLLED="yes" ONBOOT="yes" BOOTPROTO="none" PEERDNS=no TYPE="Ethernet" NETMASK=255.255.0.0 IPADDR=10.1.4.190 GATEWAY=10.1.1.251
- Restart the server in order to make sure networking is reset and operating properly.
- Verify that iptables are configured to accept or deny the traffic desired on each interface.