
What is rp_filter and what is it used for?

Published on July 15, 2025

In the world of Linux and networking technologies, there are many subtle but critically important kernel settings. One such setting is rp_filter. This parameter, often overlooked, plays a key role in network security and correct packet routing. Let’s explore what it is, how it works, and why understanding it is essential for every system administrator.

What is rp_filter?

rp_filter stands for Reverse Path Filtering. It’s a Linux kernel mechanism that checks incoming network packets to verify whether they arrived on the interface through which a reply to the sender’s IP address would be routed.

Simply put: when a packet arrives on a network interface, rp_filter checks whether the server would send a response to the sender’s IP address through the same interface the packet came in on.

Imagine this analogy: You receive a letter with a return address of “Lenina Street, house 5.” Your post office checks: if you were to send a reply to “Lenina, house 5,” would you use the same post office that the original letter came through? If yes, everything is fine. If not (e.g., “Lenina, house 5” is in another city and uses a completely different post office), the letter is considered suspicious.

What is rp_filter for? (Main purpose: Anti-spoofing)

The main goal of rp_filter is to protect against IP spoofing. IP spoofing is a technique where an attacker forges the source IP address of network packets to impersonate another computer. This can be used for:

  • DDoS attacks: Hiding the true origin of the attack.
  • Bypassing network filters: Masquerading as a trusted node.
  • Man-in-the-Middle attacks: Intercepting and modifying traffic.

When rp_filter is enabled, it rejects incoming packets whose source IP address doesn’t match the expected reverse route. This ensures that packets your server receives genuinely come from where they claim to originate—or at least that the return path to the sender via that interface is “valid” according to your routing table.

rp_filter Operating Modes

rp_filter is configured separately for each network interface (e.g., eth0, eth1) and can take one of three values:

  • 0 (Disabled): Reverse path filtering is turned off. All packets are accepted regardless of their reverse path. Not recommended for most environments, as it leaves the system vulnerable to spoofing.

  • 1 (Strict mode - RFC3704 strict mode): The system verifies that the response to an incoming packet would be sent only through the same interface the packet arrived on, and that it would be the best route to the source. If not, the packet is dropped.

    • Pros: Maximum protection against spoofing.
    • Cons: May cause issues in complex networking setups such as asymmetric routing (where incoming and outgoing traffic use different paths), or with certain types of load balancing.

  • 2 (Loose mode - RFC3704 loose mode): The system checks whether the response to an incoming packet could be sent through any interface on the server. If there is at least one route to the source, the packet is accepted.

    • Pros: A good compromise between security and flexibility. Offers spoofing protection while allowing asymmetric routing and complex networking scenarios.
    • Cons: Less strict protection than mode 1.

Where is it and how to configure?

rp_filter parameters are located in /proc/sys/net/ipv4/conf/. You can view them for each interface and for all interfaces:

  • /proc/sys/net/ipv4/conf/all/rp_filter (applies to all interfaces; when validating a packet the kernel uses the higher of this value and the interface's own rp_filter value, so setting all to 1 makes every interface at least strict)
  • /proc/sys/net/ipv4/conf/default/rp_filter (default for new interfaces)
  • /proc/sys/net/ipv4/conf/<interface_name>/rp_filter (e.g., /proc/sys/net/ipv4/conf/eth0/rp_filter)
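To make the three modes and the all/interface rule concrete, here is a small Python model of the rp_filter decision (an added example, not kernel code and not from the original post). It assumes a constructed routing table and constructed sysctl values for a dual-homed host; the real kernel also applies extra checks (martian addresses, loopback) that this model leaves out.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed routing table as (destination prefix, outgoing interface).
# Assumption: a dual-homed host whose default route leaves via eth0, while
# the internal 10.0.0.0/8 network is reached only via eth1.
ROUTES: List[Tuple[str, str]] = [
    ("0.0.0.0/0", "eth0"),
    ("10.0.0.0/8", "eth1"),
    ("192.168.1.0/24", "eth0"),
]

# Constructed sysctl values, keyed like /proc/sys/net/ipv4/conf/<name>/rp_filter.
# Note eth0 is set to 0 but "all" is 1: the kernel enforces the higher value.
SYSCTL: Dict[str, int] = {"all": 1, "eth0": 0, "eth1": 2}


def effective_mode(iface: str, sysctl: Dict[str, int] = SYSCTL) -> int:
    """Mode the kernel actually enforces on iface: max(conf/all, conf/<iface>)."""
    return max(sysctl.get("all", 0), sysctl.get(iface, 0))


def reply_interface(src: str, routes: List[Tuple[str, str]] = ROUTES) -> Optional[str]:
    """Longest-prefix match: the interface a reply to src would be sent from."""
    addr = ipaddress.ip_address(src)
    matches = [(ipaddress.ip_network(prefix), dev) for prefix, dev in routes
               if addr in ipaddress.ip_network(prefix)]
    if not matches:
        return None  # no route back to the source at all
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def rp_filter_accepts(src: str, in_iface: str,
                      routes: List[Tuple[str, str]] = ROUTES,
                      sysctl: Dict[str, int] = SYSCTL) -> bool:
    """Decide whether a packet from src arriving on in_iface passes rp_filter."""
    mode = effective_mode(in_iface, sysctl)
    if mode == 0:
        return True  # filtering disabled on this interface
    via = reply_interface(src, routes)
    if mode == 1:
        # Strict: the best route back must leave on the ingress interface.
        return via == in_iface
    # Loose: any route back is enough. With a default route present this only
    # rejects sources the host cannot route to at all.
    return via is not None
```

Running the model shows the two points that usually surprise people: a packet from 10.1.2.3 arriving on eth0 is dropped even though eth0 is set to 0 (all=1 wins), and loose mode on a host with a default route accepts almost any source.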

Check the current value (e.g., for eth0):

cat /proc/sys/net/ipv4/conf/eth0/rp_filter

Temporarily change the value (until reboot):

echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 1 > /proc/sys/net/ipv4/conf/eth0/rp_filter

Permanently change the value (persist after reboot):

Use sysctl. Open or create a configuration file (e.g., /etc/sysctl.d/99-rpfilter.conf):

net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
# Only if a specific value is needed for this interface
net.ipv4.conf.eth0.rp_filter = 1

Then apply the changes:

sudo sysctl -p /etc/sysctl.d/99-rpfilter.conf

Or run sudo sysctl --system to apply /etc/sysctl.conf together with all files in the sysctl.d directories (sudo sysctl -p without a file name reads only /etc/sysctl.conf).

Configuration Recommendations

  • For most servers (single interface, no asymmetric routing): Use rp_filter = 1 (strict mode). This provides the best spoofing protection.

    net.ipv4.conf.all.rp_filter = 1
    net.ipv4.conf.default.rp_filter = 1
    
  • For servers with asymmetric routing, multiple IPs on an interface, or complex network configurations (e.g., load balancers, VPN servers, certain virtual machines): Consider rp_filter = 2 (loose mode). It offers reasonable protection while allowing incoming traffic on one path and outgoing traffic on another.

    net.ipv4.conf.all.rp_filter = 2
    net.ipv4.conf.default.rp_filter = 2
    
  • Never use rp_filter = 0 unless you have a very good reason and fully understand the risks.

Conclusion

rp_filter is a powerful tool for enhancing your Linux server’s network security by protecting against IP spoofing. Properly configuring this parameter is critically important, especially in publicly accessible environments. Always start with the strictest mode (1) and loosen to 2 only if legitimate traffic breaks in complex networking setups. Remember: understanding kernel networking settings is key to a stable and secure infrastructure.
