1. # sysctl -ar "\.rp_filter"
  2. net.ipv4.conf.all.rp_filter = 2
  3. net.ipv4.conf.br-7be1475ea18d.rp_filter = 2
  4. net.ipv4.conf.default.rp_filter = 2
  5. net.ipv4.conf.docker0.rp_filter = 2
  6. net.ipv4.conf.enp3s0.rp_filter = 2
  7. net.ipv4.conf.enp5s0.rp_filter = 2
  8. net.ipv4.conf.ens1f0.rp_filter = 2
  9. net.ipv4.conf.ens1f1.rp_filter = 2
  10. net.ipv4.conf.lo.rp_filter = 2
  11. net.ipv4.conf.veth53f918d.rp_filter = 2
  13. # ip a
  14. 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
  15. link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
  16. inet 127.0.0.1/8 scope host lo
  17. valid_lft forever preferred_lft forever
  18. inet 10.200.0.1/32 scope global lo
  19. valid_lft forever preferred_lft forever
  20. inet6 ::1/128 scope host
  21. valid_lft forever preferred_lft forever
  22. 2: enp3s0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
  23. link/ether 00:23:7d:33:cb:f6 brd ff:ff:ff:ff:ff:ff
  24. 3: enp5s0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1000
  25. link/ether 00:23:7d:33:8b:18 brd ff:ff:ff:ff:ff:ff
  26. 4: ens1f0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
  27. link/ether 10:60:4b:93:ca:b8 brd ff:ff:ff:ff:ff:ff
  28. inet 10.20.128.33/31 scope global ens1f0
  29. valid_lft forever preferred_lft forever
  30. inet 10.200.0.1/32 scope global ens1f0
  31. valid_lft forever preferred_lft forever
  32. inet6 fe80::1260:4bff:fe93:cab8/64 scope link
  33. valid_lft forever preferred_lft forever
  34. 5: ens1f1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
  35. link/ether 10:60:4b:93:ca:bc brd ff:ff:ff:ff:ff:ff
  36. inet 10.20.128.35/31 scope global ens1f1
  37. valid_lft forever preferred_lft forever
  38. inet 10.200.0.1/32 scope global ens1f1
  39. valid_lft forever preferred_lft forever
  40. inet6 fe80::1260:4bff:fe93:cabc/64 scope link
  41. valid_lft forever preferred_lft forever
  42. 6: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
  43. link/ether 02:42:26:f9:ea:29 brd ff:ff:ff:ff:ff:ff
  44. inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
  45. valid_lft forever preferred_lft forever
  46. inet6 fe80::42:26ff:fef9:ea29/64 scope link
  47. valid_lft forever preferred_lft forever
  48. 24: br-7be1475ea18d: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
  49. link/ether 02:42:d8:6b:a1:3d brd ff:ff:ff:ff:ff:ff
  50. inet 172.23.0.1/16 brd 172.23.255.255 scope global br-7be1475ea18d
  51. valid_lft forever preferred_lft forever
  52. inet6 fe80::42:d8ff:fe6b:a13d/64 scope link
  53. valid_lft forever preferred_lft forever
  54. 26: veth53f918d@if25: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-7be1475ea18d state UP group default
  55. link/ether 82:64:88:70:e3:c8 brd ff:ff:ff:ff:ff:ff link-netnsid 0
  56. inet6 fe80::8064:88ff:fe70:e3c8/64 scope link
  57. valid_lft forever preferred_lft forever
  59. # ip route
  60. default proto bgp src 10.200.0.1 metric 20
  61. nexthop via 10.20.128.34 dev ens1f1 weight 1
  62. nexthop via 10.20.128.32 dev ens1f0 weight 1
  63. 10.20.128.32/31 dev ens1f0 proto kernel scope link src 10.20.128.33
  64. 10.20.128.34/31 dev ens1f1 proto kernel scope link src 10.20.128.35
  65. 172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown
  66. 172.23.0.0/16 dev br-7be1475ea18d proto kernel scope link src 172.23.0.1
  68. # iptables -L
  69. Chain INPUT (policy ACCEPT)
  70. target prot opt source destination
  71. ACCEPT tcp -- anywhere anywhere tcp dpt:8888
  73. Chain FORWARD (policy ACCEPT)
  74. target prot opt source destination
  75. DOCKER-USER all -- anywhere anywhere
  76. DOCKER-ISOLATION-STAGE-1 all -- anywhere anywhere
  77. ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
  78. DOCKER all -- anywhere anywhere
  79. ACCEPT all -- anywhere anywhere
  80. ACCEPT all -- anywhere anywhere
  81. ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
  82. DOCKER all -- anywhere anywhere
  83. ACCEPT all -- anywhere anywhere
  84. ACCEPT all -- anywhere anywhere
  86. Chain OUTPUT (policy ACCEPT)
  87. target prot opt source destination
  89. Chain DOCKER (2 references)
  90. target prot opt source destination
  91. ACCEPT tcp -- anywhere 172.23.0.2 tcp dpt:8888
  93. Chain DOCKER-ISOLATION-STAGE-1 (1 references)
  94. target prot opt source destination
  95. DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
  96. DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
  97. RETURN all -- anywhere anywhere
  99. Chain DOCKER-ISOLATION-STAGE-2 (2 references)
  100. target prot opt source destination
  101. DROP all -- anywhere anywhere
  102. DROP all -- anywhere anywhere
  103. RETURN all -- anywhere anywhere
  105. Chain DOCKER-USER (1 references)
  106. target prot opt source destination
  107. RETURN all -- anywhere anywhere
  109. # ping 10.100.1.5 -I ens1f1
  110. PING 10.100.1.5 (10.100.1.5) from 10.200.0.1 ens1f1: 56(84) bytes of data.
  111. ^C
  112. --- 10.100.1.5 ping statistics ---
  113. 1 packets transmitted, 0 received, 100% packet loss, time 0ms
  115. root@worker1:/proc/sys/net/ipv4/conf/all# ping 10.100.1.5 -I ens1f0
  116. PING 10.100.1.5 (10.100.1.5) from 10.200.0.1 ens1f0: 56(84) bytes of data.
  117. 64 bytes from 10.100.1.5: icmp_seq=1 ttl=251 time=0.533 ms
  118. ^C
  119. --- 10.100.1.5 ping statistics ---
  120. 1 packets transmitted, 1 received, 0% packet loss, time 0ms
  121. rtt min/avg/max/mdev = 0.533/0.533/0.533/0.000 ms
  123. When pinging from ens1f1 icmp echo reply arrives on ens1f0.