0 - No source validation.
1 - Strict mode as defined in RFC3704 Strict Reverse Path
Each incoming packet is tested against the FIB and if theinterface
is not the best reverse path the packet check will fail.
By default failed packets are discarded.
2 - Loose mode as defined in RFC3704 Loose Reverse Path
Each incoming packet's source address is also tested against theFIB
and if the source address is not reachable via any interface
the packet check will fail.
Current recommended practice in RFC3704 is to enable strictmode
to prevent IP spoofing from DDos attacks. If using asymmetricrouting
or other complicated routing, then loose mode is recommended.
The max value from conf/{all,interface}/rp_filter is used
when doing source validation on the {interface}.
Default value is 0. Note that some distributions enable it
in startup scripts.
-----
Red Hat are (correctly) setting rp_filter to 1, strictmode.
In this case a packet coming in eth0 willhave its source address routed out on the same interface that itcame in on (because that's the default route).
However, a packet coming in on eth1 will have it source addressrouted out on a different interface to the one it came in on and itwill be discarded.
Silently.
This is basically asymmetric routing and is quite possibly not whatyou want anyway (it messes up TCP flow control) so there are twoways to fix this: stick with asymmetric routing and permit it orfix the asymmetric routing.
The first one is easiest: in /etc/sysctl.conf change rp_filter=1 torp_filter=2).
You'll need to load that andrestart the network.
It's probably easiest toreboot :-) to be sure.
I suspect that it was notrestarting enough things that prevented this change from workingbefore.
The second one may be simple as simple as adding those routes thatshould go out on eth1 to the routing table or running some routingdaemon.
It depends on your network topology,basically.
This would be the preferred solutionif it's practicable.