Asymmetric routing problems are driving me crazy!
I am trying to build a multi-homed server with 3 NICs, each connected to a different subnet:
eth0: LAN connected, 10.99.72.38; function: Management traffic
eth1: LAN connected, 10.99.70.150; function: User traffic
eth2: WAN connected, 10.99.74.85; function: User traffic
I am using an Amazon Linux image (Linux 3.14.20-20.44.amzn1.x86_64 x86_64) but I can switch to CentOS if it really makes a difference.
The functionality I am trying to implement:
eth0: Management traffic
- address: 10.99.72.38
- I want this to be an 'isolated' interface, only accepting and replying to addresses in 10.0.0.0/8
- Think of this as a 'ssh only from local LAN' NIC.
- Can ONLY respond back through eth0
- All other destinations are blocked, meaning, no other destinations can be reached through this interface
- WILL NOT use eth1 or eth2 for reply traffic for traffic arriving on eth0.
eth1: User traffic to/from LAN
- Address: 10.99.70.150
- accepts any user traffic from the LAN to any destination
- routes packets out through eth1 for traffic destined for 10.x.x.x.
- routes packets out through eth2 for any other destination (default route)
- will NOT route incoming packets through eth0
eth2: User traffic to/from WAN
- address: 10.99.74.85
- accepts any user traffic from eth1 and will send packets out eth2 for any destination not in 10.x.x.x
- accepts reply packets on eth2 and routes through eth1 for any traffic destined for 10.x.x.x
- will NOT route incoming packets through eth0
I have created an iproute2 table in rt_tables called 'mgmt' and added policy-based routing rules with high priority to try and isolate this interface, but no matter what I try, the main routing table still seems to be consulted, as eth0 is the default route. Problems include:
- Incoming packets from eth1 are routed through eth0 (I don't want this!)
- Incoming packets from eth2 destined for 10.x.x.x are routed through eth0 (I don't want this!)
- When I delete the default eth0 route from main, I lose eth0 functionality completely, even with a route in the mgmt table, but eth1 then replies correctly.
Starting from the beginning, the unmodified route table (route -n):
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.99.72.1      0.0.0.0         UG    0      0        0 eth0
0.0.0.0         10.99.70.1      0.0.0.0         UG    10001  0        0 eth1
0.0.0.0         10.99.74.1      0.0.0.0         UG    10002  0        0 eth2
10.99.70.0      0.0.0.0         255.255.255.0   U     0      0        0 eth1
10.99.72.0      0.0.0.0         255.255.255.0   U     0      0        0 eth0
10.99.74.0      0.0.0.0         255.255.255.0   U     0      0        0 eth2
Unmodified IP rules are:
0: from all lookup local
32766: from all lookup main
32767: from all lookup default
Any assistance in correctly formulating the specific routing rules, tables, and routes, and showing me what the final routing tables and rules would look like would be greatly appreciated!
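The following script is an added example of the source-based policy routing the question is asking for; it is not code from the question or from any answer. The addresses, subnets and gateways are the ones shown in the question's route table; the table ids (100 for mgmt, 102 for the WAN table) and the rule priorities (100 and 102) are assumptions chosen here. With DRY_RUN=1 (the default) it only prints the ip commands so they can be reviewed; DRY_RUN=0 executes them and needs root.

```shell
#!/bin/sh
# Added example: per-interface routing tables plus "from <address>" rules so
# that replies leave on the NIC whose address they carry. Table ids, table
# layout and rule priorities are assumptions; addresses come from the question.
# DRY_RUN=1 prints the commands, DRY_RUN=0 runs them (root required).

DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Create a table holding the NIC's own connected subnet and a rule that sends
# every packet sourced from the NIC's address to that table. Because the rule
# has a lower priority number than "main" (32766), the main table's default
# route is never consulted for locally generated replies from that address.
# Args: table-id dev address subnet rule-priority
iface_table() {
    tid=$1; dev=$2; addr=$3; net=$4; prio=$5
    run ip route flush table "$tid"
    run ip route add "$net" dev "$dev" src "$addr" table "$tid"
    run ip rule add from "$addr" lookup "$tid" priority "$prio"
}

pbr_setup() {
    # eth0 (management): replies only to 10.0.0.0/8, always via eth0; every
    # other destination is rejected inside this table, so nothing from
    # 10.99.72.38 can ever fall back to eth1 or eth2.
    iface_table 100 eth0 10.99.72.38 10.99.72.0/24 100
    run ip route add 10.0.0.0/8 via 10.99.72.1 dev eth0 table 100
    run ip route add unreachable default table 100

    # eth2 (WAN): traffic sourced from 10.99.74.85 replies through eth2.
    iface_table 102 eth2 10.99.74.85 10.99.74.0/24 102
    run ip route add default via 10.99.74.1 dev eth2 table 102

    # Main table, used by eth1 traffic and by packets forwarded between eth1
    # and eth2: drop the eth0 and eth1 defaults from the "route -n" output,
    # send 10.0.0.0/8 out eth1 and keep eth2 as the only default gateway.
    run ip route del default via 10.99.72.1 dev eth0
    run ip route del default via 10.99.70.1 dev eth1
    run ip route replace 10.0.0.0/8 via 10.99.70.1 dev eth1
    run ip route replace default via 10.99.74.1 dev eth2
    # Forwarding between eth1 and eth2 only happens with ip_forward enabled.
    run sysctl -w net.ipv4.ip_forward=1
}

# The state a reviewer would ask to see: rules, main table, per-NIC tables.
pbr_show() {
    run ip rule show
    run ip route show
    run ip route show table 100
    run ip route show table 102
}

pbr_setup
pbr_show
```

Two points worth checking after applying it: the connected route 10.99.72.0/24 dev eth0 still exists in main, so forwarded packets addressed to that one subnet can still leave via eth0, and packets arriving on eth0 from outside 10.0.0.0/8 are not refused by routing alone; both are jobs for iptables FORWARD and INPUT rules rather than for ip route. The "ip route del" lines assume the three default routes are exactly the ones listed in the question, while the "ip route replace" lines are safe to re-run.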
route command, esp. if you're also using rules. Show ip ro sh output, ip ru sh output, and ip ro sh table mgmt output and the same for any other tables you may have created. You may also need iptables rules to prevent packets going out to eth0 that originated from eth1.

eth0 be from 10.99.72.x? eth1 what is to be accepted. There is no internal routing between interfaces. Do I understand it right: eth2 shall not accept new incoming connections at all? If you use ip rule then you should show us its output.