Network interface binding appears to only work as root

I have a CentOS 7 server with two network interfaces. One points to our LAN (ens32) and the other to our DMZ (ens33).
While the LAN interface works fine, I noticed that it seems like the traffic will only traverse the DMZ interface if logged in as root, and I'm unsure what this means or if it has any net effect on other issues that I'm experiencing.
For example, if I run:
curl --interface ens32 ipecho.net/plain
as a non-root user, I'll get the public IP for that interface.
If I run:
curl --interface ens33 ipecho.net/plain
as a non-root user, the command appears to stall and I'll be forced to kill the process.
If I run the previous command as root, I'll get the expected output which is the public IP for that interface.
Can anyone explain what might be going on here?
linux networking
Do you have a host firewall (e.g., iptables) configured? If so, that'd be the place I'd start. E.g., owner match...
– derobert Feb 27 at 16:44
@derobert firewalld is running on the system, but this happens even when I disable the daemon.
– surkukteni Feb 27 at 16:53
I just ran the same command from above with the -v flag for verbose output from curl and this is what I got:
* About to connect() to ipecho.net port 80 (#0)
* Trying 146.255.36.1...
* Local Interface ens33 is ip 172.16.5.200 using address family 2
* SO_BINDTODEVICE ens33 failed with errno 1: Operation not permitted; will do regular bind
* Local port: 0
– surkukteni Feb 27 at 16:54
Edit those details into your question – then it's much easier to use code formatting to make them readable.
– derobert Feb 27 at 16:55
edited Feb 27 at 19:53
Rui F Ribeiro
asked Feb 27 at 16:34
surkukteni
1 Answer
As can be seen on the official curl page, to specify/bind to a specific interface, there is a need to either have CAP_NET_RAW or to run as root.
Hence root is able to do the binding/routing, and it does not work with a regular user for you.
When a regular user is using curl without being permitted to use the --interface option, the default routing rules of the server will apply to that operation instead.
From the official curl man page, curl.1:
--interface
Perform an operation using a specified interface. You can enter
interface name, IP address or host name. An example could look like:
curl --interface eth0:1 https://www.example.com/
If this option is used several times, the last one will be used.
On Linux it can be used to specify a VRF, but the binary needs to
either have CAP_NET_RAW or to be ran as root.
More information about
Linux VRF: https://www.kernel.org/doc/Documentation/networking/vrf.txt
edited Feb 27 at 20:25
answered Feb 27 at 17:37
Rui F Ribeiro
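An added example, not part of the original answer or of curl: it decodes the effective capability mask from /proc/<pid>/status text and pairs it with the SO_BINDTODEVICE failure in the curl -v output quoted in the comments. The function names and the two status excerpts (including their CapEff values) are constructed for illustration.

```python
import errno
import re
import socket

CAP_NET_RAW = 13  # bit index from <linux/capability.h>

# curl -v lines quoted in the question's comments.
CURL_VERBOSE = """\
* About to connect() to ipecho.net port 80 (#0)
* Trying 146.255.36.1...
* Local Interface ens33 is ip 172.16.5.200 using address family 2
* SO_BINDTODEVICE ens33 failed with errno 1: Operation not permitted; will do regular bind
* Local port: 0
"""

# Constructed /proc/<pid>/status excerpts (assumed values, not from the page).
STATUS_USER = "Name:\tcurl\nCapEff:\t0000000000000000\n"
STATUS_ROOT = "Name:\tcurl\nCapEff:\t0000001fffffffff\n"

def has_cap_net_raw(status_text):
    """True if the effective capability mask includes CAP_NET_RAW."""
    m = re.search(r"^CapEff:\s*([0-9a-fA-F]+)$", status_text, re.MULTILINE)
    if m is None:
        raise ValueError("no CapEff line in status text")
    return bool((int(m.group(1), 16) >> CAP_NET_RAW) & 1)

def bindtodevice_fallbacks(curl_verbose):
    """(interface, errno) for each SO_BINDTODEVICE failure curl reported."""
    pat = re.compile(r"SO_BINDTODEVICE (\S+) failed with errno (\d+)")
    return [(m.group(1), int(m.group(2))) for m in pat.finditer(curl_verbose)]

def explain(curl_verbose, status_text):
    """Relate each fallback in the curl output to the caller's capabilities."""
    cap = "present" if has_cap_net_raw(status_text) else "missing"
    return [f"{ifname}: SO_BINDTODEVICE -> {errno.errorcode.get(code, code)}; "
            f"CAP_NET_RAW {cap}"
            for ifname, code in bindtodevice_fallbacks(curl_verbose)]

def try_bind_to_device(ifname):
    """Live probe of the same setsockopt call: None on success, else errno name.
    On kernels before 5.7 (CentOS 7 included) this needs CAP_NET_RAW."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        try:
            s.setsockopt(socket.SOL_SOCKET, socket.SO_BINDTODEVICE, ifname.encode() + b"\0")
            return None
        except OSError as e:
            return errno.errorcode.get(e.errno, str(e.errno))
```

To check a live process, pass the contents of /proc/self/status to has_cap_net_raw() and call try_bind_to_device("ens33") as the same user that runs curl.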