Connected to the server (centos7) Yota via USB as a backup communication channel. In the first few seconds everything is OK, the route is determined correctly. After a few seconds, the default route from the routing table disappears.

When you set a route statically in the config and / or manually via ip route, the situation repeats. Addresses / routes on the other maps are statically assigned.

How to find out why the routing table is changing?

  • [oracle mode on] network manager [oracle mode off]. - aleksandr barakin
  • network manager tried to turn off, the problem persists - rekby
  • Please provide a list of processes ( $ ps aux ). perhaps this will help identify the "culprit". I hope that you have already inspected the cron-tasks of all users ( /var/spool/cron/crontabs/* ). - aleksandr barakin
  • This problem was gone by herself - after a few hours the route was appointed normally and did not fly anymore. For crown tasks, yes, I looked. In general, everything is configured there manually, there are no users - the server for backup copies + a pair of docker containers is running. So it is possible that it changes the docker, but it seems weakly (it does not fly off with normal connections). So the question itself remains - is it possible to somehow find out the process that changes the routing table (do not guess by the familiar name, namely, find out who is changing). - rekby
  • as far as I know, no. - aleksandr barakin

2 answers 2

team

 ip monitor

it shows all changes in real time with IP addresses, routing, etc.

In this particular case, I saw that the default route is deleted every time I try to create a ppp connection (the main way to connect to the Internet) and then it is restored again.

    If you prohibit changing the routing table for all processes via SELinux, then the culprit will be visible in audit.log

    • one
      In general, this may be the solution. I am familiar with SELinux very remotely. How can I prevent changing the routing table and how then in the audit to find this process. It may be possible not to ban it at all, but to put an event for an audit - i.e just to record happening? - rekby