Centos7 dual NICs: DMZ & Management

JoeSlav asked:

We have recently started to add to our DMZ servers a second NIC to be used in a management network. The server is supposed to do everything via the DMZ NIC (eth0, natted and on 10.x.x.x) unless trying to reach/reply to internal networks (all others RFC1918) via eth1.

Is the following solution (which works, as far as I can tell) OK? We struggled a bit with asymmetric routing and rp_filter (and tried this guide http://jensd.be/468/linux/two-network-cards-rp_filter), but at the end of the day I went with static routes, which seems easier and cleaner... but it makes me wonder if I'm missing something. Any problem with this approach?

# DMZ
> cat /etc/sysconfig/network-scripts/ifcfg-eth0
TYPE="Ethernet"
BOOTPROTO="none"
DEFROUTE="yes"
NAME="eth0"
DEVICE="eth0"
ONBOOT="yes"
GATEWAY=10.0.0.1
IPADDR=10.0.0.2
NETMASK=255.255.255.0
IPV4_FAILURE_FATAL="yes"
IPV6INIT="no"
HWADDR="xyz"

# MNG
> cat /etc/sysconfig/network-scripts/ifcfg-eth1
TYPE="Ethernet"
BOOTPROTO="none"
DEFROUTE="no"
NAME="eth1"
DEVICE="eth1"
ONBOOT="yes"
IPADDR=192.168.35.2
NETMASK=255.255.255.0
GATEWAY=192.168.35.1
IPV4_FAILURE_FATAL="yes"
IPV6INIT="no"
HWADDR="wxz"

# Statics 
> cat /etc/sysconfig/network-scripts/route-eth1 
192.168.0.0/16 via 192.168.35.1
172.16.0.0/12 via 192.168.35.1

# rp_filter and ip r
> sysctl -a|grep "\.rp_filter"
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.eth1.rp_filter = 1
net.ipv4.conf.lo.rp_filter = 0

> ip r
default via 10.0.0.1 dev eth0 
10.0.0.0/24 dev eth0 proto kernel scope link src 10.0.0.2 
169.254.0.0/16 dev eth0 scope link metric 1002 
169.254.0.0/16 dev eth1 scope link metric 1003 
172.16.0.0/12 via 192.168.35.1 dev eth1 
192.168.0.0/16 via 192.168.35.1 dev eth1 
192.168.35.0/24 dev eth1 proto kernel scope link src 192.

Thanks a lot

My answer:


Only one of your NICs should have a GATEWAY= defined. This is the default gateway for all packets bound for the Internet. Right now they both have a GATEWAY= defined, so you have two default routes, and which one packets actually attempt to use is not predictable. Which means you’re going to have all sorts of connectivity problems.

Because you say that traffic on eth1 should not go to the Internet, but only to specific networks, you should remove GATEWAY= from that interface.
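An added example, not part of the question or the answer above: a small POSIX sh audit that reports which ifcfg-* files in a network-scripts directory carry a GATEWAY= line, counts "default via" entries in `ip route` output, and strips GATEWAY= from a chosen file. The directory and file paths are passed in as parameters, and the sample ifcfg files it writes are a constructed copy of the question's configuration.

```shell
#!/bin/sh
# Added example, not part of the original question or answer: audit a
# CentOS 7 network-scripts directory for the condition the answer points
# at (more than one ifcfg-* file carrying GATEWAY=), count "default via"
# lines in `ip route` output, and strip GATEWAY= from a chosen file.
# Directory and file names are passed in; the sample below is constructed.

# Print "DEVICE GATEWAY" for every ifcfg-* in $1 that sets GATEWAY=.
gateway_ifaces() {
    for f in "$1"/ifcfg-*; do
        [ -f "$f" ] || continue
        gw=$(sed -n 's/^GATEWAY=//p' "$f" | tr -d '"')
        [ -n "$gw" ] || continue
        dev=$(sed -n 's/^DEVICE=//p' "$f" | tr -d '"')
        echo "${dev:-${f##*/ifcfg-}} $gw"
    done
}

# Number of interfaces in $1 with a GATEWAY= line (should be exactly 1).
count_gateways() { gateway_ifaces "$1" | awk 'END { print NR }'; }

# Number of "default via ..." entries in `ip route` text read from stdin.
default_route_count() { awk '/^default via/ { n++ } END { print n+0 }'; }

# Remove the GATEWAY= line from ifcfg file $1 (the fix the answer gives
# for the non-default interface); DEFROUTE and static routes are untouched.
remove_gateway() {
    sed '/^GATEWAY=/d' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Constructed copy of the question's two files, written into directory $1.
write_sample_config() {
    printf 'DEVICE="eth0"\nDEFROUTE="yes"\nIPADDR=10.0.0.2\nGATEWAY=10.0.0.1\n' \
        > "$1/ifcfg-eth0"
    printf 'DEVICE="eth1"\nDEFROUTE="no"\nIPADDR=192.168.35.2\nGATEWAY=192.168.35.1\n' \
        > "$1/ifcfg-eth1"
}

# Demo on the constructed files; never touches /etc/sysconfig/network-scripts.
demo=$(mktemp -d)
write_sample_config "$demo"
echo "before fix: $(count_gateways "$demo") interface(s) with GATEWAY="
gateway_ifaces "$demo"
remove_gateway "$demo/ifcfg-eth1"
echo "after fix:  $(count_gateways "$demo") interface(s) with GATEWAY="
rm -rf "$demo"
```

On a live host, point `gateway_ifaces` at /etc/sysconfig/network-scripts and pipe `ip route` into `default_route_count` to compare what is configured with what the kernel actually installed.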


View the full question and any other answers on Server Fault.

This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.