
I thought a data packet from another subnet is always rejected. But when I have two hosts (h1 and h2) in two different subnets (s1 and s2) and one router (r) with ip_forward activated and access to both subnets, I can ping h1 from h2. I understand how the packet is routed to h1, but I don't understand why h1 is accepting a packet from another subnet. If masquerading is done, all is clear to me. But without masquerading I cannot understand it.

Does this mean that in the TCP/IP protocol a packet from another subnet is always accepted if it reaches the host? So the problem without a router is only that the sending host does not send a packet whose destination is in another subnet?

Wotim
  • The whole Internet works this way; if it did not, there would be no communication at all! It's masquerading that is not normal. – Michael Hampton Nov 29 '15 at 16:39
  • And where is the packet blocked if I do not use a router? Because direct communication between h1 and h2 is not possible. So the packet must be blocked somewhere. – Wotim Nov 29 '15 at 17:10
  • You need to describe your setup in more detail so that we can show you that there is no problem. You have a router, it seems it's routing the packets to their destination as it's supposed to. – Law29 Nov 29 '15 at 19:08

2 Answers

2

Yes, you're pretty much right: if a host receives an IP packet and it has a valid routing path to the source, it just responds. Obviously, there may be a firewall in between, which may block the traffic.

Excluding more advanced topics like dynamic routing protocols, the case is pretty simple. If there's no link-class (direct) or gateway-based (indirect) path, finally the widest, default (0.0.0.0/0) route is used. Think about it and you'll find it all makes sense. :-)

As @MichaelHampton already pointed out, this is exactly how the Internet works. NAT is only an addition (created years after the IP protocol), generally used to connect local address ranges (check RFC1918) to a WAN and thus save publicly routable addresses.

sam_pan_mariusz
  • So, to point out the problem of why a host needs a router to send a package to another subnet: without a router the host has no route to this subnet and so it drops the package. But if the host would send the package, it would reach the destination if it is not blocked somewhere in between. Am I right with this? – Wotim Nov 29 '15 at 19:55
  • When the responding host doesn't have any route (with *default* checked as the last) to the source, it accepts the incoming packet and discards the response. – sam_pan_mariusz Nov 29 '15 at 20:01
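The behaviour described in this answer and its comments, as an added example that is not part of the original post: a minimal longest-prefix-match route lookup showing that receiving a packet never consults the routing table, while sending (or replying) does, so h1 accepts h2's echo request either way but can only answer it when a route (here the default route via r) covers s2. The hostnames h1, h2, r and subnets s1, s2 are the question's; the addresses are constructed for the example.

```python
from ipaddress import ip_address, ip_network

# Constructed addressing for the question's setup (assumption, not from the page):
# s1 = 10.1.0.0/24, s2 = 10.2.0.0/24, router r has one address on each subnet.
H1, H2 = "10.1.0.10", "10.2.0.10"
R_ON_S1, R_ON_S2 = "10.1.0.1", "10.2.0.1"

def lookup(routes, dst):
    """Longest-prefix match. routes is a list of (prefix, gateway-or-None).
    Returns (network, gateway) of the most specific matching route, or None.
    gateway None = link-class (direct) route; 0.0.0.0/0 is the widest route
    and only wins when nothing more specific matches."""
    dst = ip_address(dst)
    best = None
    for prefix, gw in routes:
        net = ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best

def forward_hop(routes, dst):
    """Where the host hands the packet: the destination itself on a direct
    route, the gateway on an indirect route, or None (packet dropped)."""
    match = lookup(routes, dst)
    if match is None:
        return None
    return match[1] if match[1] is not None else dst

def ping_reply(routes, src):
    """Reception does not look at the routing table, only the reply does.
    Returns (accepted, next_hop_for_reply); next_hop None = reply discarded."""
    return True, forward_hop(routes, src)

# h1 with only its link route: accepts h2's request, but has nowhere to send the reply.
H1_NO_ROUTER = [("10.1.0.0/24", None)]
# h1 with a default route through r: the reply goes to r, which forwards it into s2.
H1_WITH_ROUTER = [("10.1.0.0/24", None), ("0.0.0.0/0", R_ON_S1)]
# h2 likewise needs a route towards s1 just to send the request at all.
H2_WITH_ROUTER = [("10.2.0.0/24", None), ("0.0.0.0/0", R_ON_S2)]

if __name__ == "__main__":
    print("h2 -> h1 next hop:", forward_hop(H2_WITH_ROUTER, H1))    # 10.2.0.1 (r)
    print("h1 reply, no router:", ping_reply(H1_NO_ROUTER, H2))      # (True, None)
    print("h1 reply, with router:", ping_reply(H1_WITH_ROUTER, H2))  # (True, '10.1.0.1')
```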
1

You use a router whenever you want to connect 2 or more nets. The hosts on those nets HAVE TO know about this router and use it properly to connect from one net to the others, unless you BRIDGE those networks with something like brctl, which "converts a router into a switch". If your router machine has ip_forward on, then it won't block anything and will route everything if it knows how to do it, or return an "unroutable address", unless you set one or several blocking rules with iptables for normal routing or ebtables for bridges.

emi