You need to SNAT the outbound traffic on eth0 and eth2 to use the
interface address that the packets leave from.
On 31/07/2021 02:27, Konstantin Boyandin via CentOS wrote:
Hello!
Given: a CentOS 8-powered computer with three network adapters.
eth0, eth2: external, connected to two different ISPs
eth1: faces home network (intranet)
The task: allow accessing certain internal services from either ISP.
There are several services, I only mention SSH below.
In the configs below:
IP1: external IP at first ISP (ISP1), assigned to eth0
Gateway1: IP of gateway provided by ISP1
Network1,Netmask1: related to IP1
IP2: external IP at second ISP (ISP2), assigned to eth2
Gateway2: IP of gateway provided by ISP2
Network2,Netmask2: related to IP2
LocalSSHIP: IP in intranet (eth1) where SSH server is running
Current configs follow. Routing tables:
echo "200 isp1" >> /etc/iproute2/rt_tables
echo "201 isp2" >> /etc/iproute2/rt_tables
Routing policies:
/etc/sysconfig/network-scripts/route-eth0
Network1 dev eth0 src IP1 table isp1
default via Gateway1 dev eth0 table isp1
/etc/sysconfig/network-scripts/route-eth2
Network2 dev eth2 src IP2 table isp2
default via Gateway2 dev eth2 table isp2
Routing rules:
/etc/sysconfig/network-scripts/rule-eth0
from IP1/32 table isp1
/etc/sysconfig/network-scripts/rule-eth2
from IP2/32 table isp2
iptables snippets. External traffic forwarded to local SSH server from
both interfaces:
iptables -A PREROUTING -t nat -i eth0 -p tcp -d IP1 --dport 22 -j DNAT
--to LocalSSHIP:22
iptables -A PREROUTING -t nat -i eth2 -p tcp -d IP2 --dport 22 -j DNAT
--to LocalSSHIP:22
iptables -A FORWARD -p tcp -d LocalSSHIP --dport 22 -j ACCEPT
eth0 is default gateway:
$ ip route
default via Gateway1 dev eth0 proto static metric 100
default via Gateway2 dev eth2 proto static metric 101
...
$ ip rule
0: from all lookup local
32764: from IP2 lookup isp2
32765: from IP1 lookup isp1
32766: from all lookup main
32767: from all lookup default
SNAT is applied for the traffic originating from eth1:
iptables -t nat -A POSTROUTING -i eth1 -o eth0 -j SNAT --to-source IP1
Current situation:
- All services forwarded from eth0 are working normally.
- All traffic originating from intranet passes out and back normally.
- All the attempts to access services from eth2 time out.
There are no obvious hints in /var/log/messages (such as complaints
about "martian IPs").
I am somewhat at a loss here, all the pieces of advice would be very
welcome.
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos