We have recently started to add to our DMZ servers a second NIC to be used in a management network. The server is supposed to do everything via the DMZ NIC (eth0, natted and on 10.x.x.x) unless trying to reach/reply to internal networks (all others RFC1918) via eth1.
Is the following solution (which works, as far as I can tell) OK? We struggled a bit with asymmetric routing and rp_filter (and tried this guide http://jensd.be/468/linux/two-network-cards-rp_filter), but at the end of the day I went with static routes, which seems easier and cleaner, but it makes me wonder if I'm missing something. Any problem with this approach?
# DMZ
> cat /etc/sysconfig/network-scripts/ifcfg-eth0
TYPE="Ethernet"
BOOTPROTO="none"
DEFROUTE="yes"
NAME="eth0"
DEVICE="eth0"
ONBOOT="yes"
GATEWAY=10.0.0.1
IPADDR=10.0.0.2
NETMASK=255.255.255.0
IPV4_FAILURE_FATAL="yes"
IPV6INIT="no"
HWADDR="xyz"

# MNG
> cat /etc/sysconfig/network-scripts/ifcfg-eth1
TYPE="Ethernet"
BOOTPROTO="none"
DEFROUTE="no"
NAME="eth1"
DEVICE="eth1"
ONBOOT="yes"
IPADDR=192.168.35.2
NETMASK=255.255.255.0
GATEWAY=192.168.35.1
IPV4_FAILURE_FATAL="yes"
IPV6INIT="no"
HWADDR="wxz"

# Statics
> cat /etc/sysconfig/network-scripts/route-eth1
192.168.0.0/16 via 192.168.35.1
172.16.0.0/12 via 192.168.35.1

# rp_filter and ip r
> sysctl -a|grep "\.rp_filter"
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.eth1.rp_filter = 1
net.ipv4.conf.lo.rp_filter = 0

> ip r
default via 10.0.0.1 dev eth0
10.0.0.0/24 dev eth0 proto kernel scope link src 10.0.0.2
169.254.0.0/16 dev eth0 scope link metric 1002
169.254.0.0/16 dev eth1 scope link metric 1003
172.16.0.0/12 via 192.168.35.1 dev eth1
192.168.0.0/16 via 192.168.35.1 dev eth1
192.168.35.0/24 dev eth1 proto kernel scope link src 192.
Thanks a lot
Only one of your NICs should have a GATEWAY= defined. This is the default gateway for all packets bound for the Internet. Right now they both have a GATEWAY= defined, so you have two default routes, and which one packets actually attempt to use is not predictable. Which means you're going to have all sorts of connectivity problems.

Because you say that traffic on eth1 should not go to the Internet, but only to specific networks, you should remove GATEWAY= from that interface.
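An added offline check, not part of the original question or answer, that parses the `ip r` table from the question and resolves representative destinations with longest-prefix match so you can confirm the intended split (RFC1918 192.168/16 and 172.16/12 via eth1, everything else including the rest of 10/8 via eth0) and count default routes; the sample table below is constructed from the question, with the truncated last line's src filled in from IPADDR in ifcfg-eth1 as an assumption.

```python
import ipaddress
from collections import namedtuple

# Constructed sample: the `ip r` output from the question, one route per line.
# The src on the last line is assumed from IPADDR=192.168.35.2 in ifcfg-eth1.
IP_R_OUTPUT = """\
default via 10.0.0.1 dev eth0
10.0.0.0/24 dev eth0 proto kernel scope link src 10.0.0.2
169.254.0.0/16 dev eth0 scope link metric 1002
169.254.0.0/16 dev eth1 scope link metric 1003
172.16.0.0/12 via 192.168.35.1 dev eth1
192.168.0.0/16 via 192.168.35.1 dev eth1
192.168.35.0/24 dev eth1 proto kernel scope link src 192.168.35.2
"""

Route = namedtuple("Route", "prefix via dev metric")

def parse_ip_route(text):
    """Parse `ip r` lines into Route tuples; 'default' becomes 0.0.0.0/0."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        dst = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        via = fields[fields.index("via") + 1] if "via" in fields else None
        dev = fields[fields.index("dev") + 1]
        metric = int(fields[fields.index("metric") + 1]) if "metric" in fields else 0
        routes.append(Route(ipaddress.ip_network(dst, strict=False), via, dev, metric))
    return routes

def lookup(routes, dst):
    """Longest-prefix match; on equal prefix length the lower metric wins."""
    addr = ipaddress.ip_address(dst)
    hits = [r for r in routes if addr in r.prefix]
    return max(hits, key=lambda r: (r.prefix.prefixlen, -r.metric)) if hits else None

def default_routes(routes):
    """More than one entry here is the 'two default routes' problem from the answer."""
    return [r for r in routes if r.prefix.prefixlen == 0]

def check_policy(routes):
    """Map each probe destination to whether it egresses on the expected NIC."""
    expected = {"8.8.8.8": "eth0", "10.0.0.50": "eth0", "10.20.0.1": "eth0",
                "192.168.35.1": "eth1", "192.168.99.9": "eth1", "172.20.1.1": "eth1"}
    return {d: lookup(routes, d) is not None and lookup(routes, d).dev == want
            for d, want in expected.items()}
```

Feed it the real `ip r` output instead of the sample to verify a host after editing the ifcfg files.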