Isolating network interfaces in Linux

I’m working on a server config that involves splitting network traffic between 2 interfaces on different subnets. One interface is for management traffic (ssh, updates) and the other is for services (dns, samba, http, whatever). Both interfaces receive static addresses from a DHCP server.

ip route list shows the following (no customizations here):

default via X.X.X.1 dev enpABC proto static metric 100
default via Y.Y.Y.1 dev enpXYZ proto static metric 300
X.X.X.0/24 dev enpABC proto kernel scope link src X.X.X.100 metric 100
Y.Y.Y.0/24 dev enpXYZ proto kernel scope link src Y.Y.Y.100 metric 300

So the server is always using the default gateway with the lowest metric (X.X.X.1), which makes sense. But if I ssh [email protected] I want to keep the ssh traffic bound to that interface. As is, the server responds over X.X.X.0/24 because it has the lower metric.

I have tried manipulating the routes, using namespaces and binding services individually, but everything I tried felt kind of hacky/high maintenance.

Does anyone else have this configured in a way they’re happy with? If you’re using namespaces, what does your systemd service unit file look like?

I apologize for the rambling nonsense in my previous post, I’ve had a long day.

You could try altering what ports you allow on your iptables?

ServerFault Answer:

iptables -A INPUT -i eth1 -p icmp -j ACCEPT     # allow ping
iptables -A INPUT -i eth1 -p tcp --dport 22 -j ACCEPT  # allow SSH (port 22, not 21/FTP)
iptables -A INPUT -i eth1 -j DROP               # drop everything else

Oh man, I missed out on the rambling nonsense.

The inbound rules on the firewall are already set. It’s the outbound traffic that is the problem. Maybe it’s possible to solve with outbound rules, but I believe the outbound ports are random.

TL;DR for the rambling nonsense: You could try removing your gateway(s) to force the paths to use what you give it, rather than using the single default connection Linux uses. Basically boiled down to a quirk in Linux using the default path if both are connected to the same servers and the command tried to use a path that had a gateway, even if no gateway was needed.

So if I have:
Server A:
192.168.10.1 with a subnet of 255.255.255.0 on eth0 (default)
192.168.20.1 with a subnet of 255.255.255.0 on eth1

Server B:
192.168.10.2 with a subnet of 255.255.255.0 on eth0 (default)
192.168.20.2 with a subnet of 255.255.255.0 on eth1

I could get rid of my gateways and use ssh [email protected] from Server A, and the data path would use the 192.168.20.x path every time. But if I had a gateway on both eth ports, it would use 192.168.10.x instead.

I hope that was less rambling than before.


Yes, this is the direction I am leaning towards–removing the gateway from the service port, and adding static routes to client subnets.

I honestly have never had to manually configure ip routes on a server before. Do you know how to make changes to the routes persist? They reset after systemctl restart network or reboot. I’m on CentOS 7. I’m manipulating them with ip route.

EDIT

Found it

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/sec-Configuring_Static_Routes_in_ifcfg_files.html

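The route-file approach from the Red Hat link above can also carry source-based policy routing, which is what actually keeps replies on the interface the request came in on: the service interface gets its own routing table with its own default route, and an `ip rule` selects that table whenever the packet's source address is the service address. Added example, not from the thread or from Red Hat's documentation; interface names (enpXYZ), addresses (the 192.168.20.0/24 subnet from the Server A/B example) and table number 200 are assumptions:

```shell
#!/bin/sh
# Added example (not posted in the thread). Source-based policy routing on
# CentOS/RHEL 7: the service interface gets a private routing table with the
# connected route and a default route, and a rule sends every packet whose
# source address is the service address through that table. Replies to a
# client that arrived on enpXYZ then leave via enpXYZ, even though enpABC
# still holds the lower-metric default route in the main table.
# Interface name, addresses and table number 200 are assumed values.

# ip(8) commands for one interface, printed so they can be reviewed first.
policy_route_cmds() {
    iface=$1; addr=$2; net=$3; gw=$4; table=$5
    printf 'ip route add %s dev %s src %s table %s\n' "$net" "$iface" "$addr" "$table"
    printf 'ip route add default via %s dev %s table %s\n' "$gw" "$iface" "$table"
    printf 'ip rule add from %s table %s\n' "$addr" "$table"
}

# Persistent form: the network service passes each line of
# /etc/sysconfig/network-scripts/route-<iface> to "ip route add" and each
# line of rule-<iface> to "ip rule add", so the files hold the same arguments.
route_file() {
    net=$1; iface=$2; addr=$3; gw=$4; table=$5
    printf '%s dev %s src %s table %s\n' "$net" "$iface" "$addr" "$table"
    printf 'default via %s dev %s table %s\n' "$gw" "$iface" "$table"
}

rule_file() {
    addr=$1; table=$2
    printf 'from %s table %s\n' "$addr" "$table"
}

# Write both files (run as root, then "systemctl restart network").
# The optional sixth argument overrides the target directory for testing.
install_policy_route() {
    iface=$1; addr=$2; net=$3; gw=$4; table=$5
    dir=${6:-/etc/sysconfig/network-scripts}
    route_file "$net" "$iface" "$addr" "$gw" "$table" > "$dir/route-$iface"
    rule_file "$addr" "$table" > "$dir/rule-$iface"
}

# Service interface from the thread's second example, printed for review.
policy_route_cmds enpXYZ 192.168.20.2 192.168.20.0/24 192.168.20.1 200
```

After restarting the network service, `ip rule show` should list `from 192.168.20.2 lookup 200` and `ip route show table 200` the two routes; `ip route get 8.8.8.8 from 192.168.20.2` then reports `dev enpXYZ` instead of the lower-metric interface. The main-table default routes can stay as they are, since the rule is matched before the main table is consulted.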