
CentOS 8: two external network adapters, two ISPs - routing problems


Given: a CentOS 8-powered computer with three network adapters.

eth0, eth2: external, connected to two different ISPs
eth1: faces home network (intranet)

The task: allow accessing certain internal services from either ISP. There are several services; I only mention SSH below.

In the configs below:
IP1: external IP at first ISP (ISP1), assigned to eth0
Gateway1: IP of gateway provided by ISP1
Network1,Netmask1: related to IP1
IP2: external IP at second ISP (ISP2), assigned to eth2
Gateway2: IP of gateway provided by ISP2
Network2,Netmask2: related to IP2
LocalSSHIP: IP in intranet (eth1) where SSH server is running

Current configs follow. Routing tables:

echo "200 isp1" >> /etc/iproute2/rt_tables
echo "201 isp2" >> /etc/iproute2/rt_tables

Routing policies:
/etc/sysconfig/network-scripts/route-eth0

Network1 dev eth0 src IP1 table isp1
default via Gateway1 dev eth0 table isp1

/etc/sysconfig/network-scripts/route-eth2

Network2 dev eth2 src IP2 table isp2
default via Gateway2 dev eth2 table isp2

Routing rules:
/etc/sysconfig/network-scripts/rule-eth0

from IP1/32 table isp1

/etc/sysconfig/network-scripts/rule-eth2

from IP2/32 table isp2

iptables snippets. External traffic forwarded to local SSH server from both interfaces:

iptables -A PREROUTING -t nat -i eth0 -p tcp -d IP1 --dport 22 -j DNAT --to LocalSSHIP:22
iptables -A PREROUTING -t nat -i eth2 -p tcp -d IP2 --dport 22 -j DNAT --to LocalSSHIP:22
iptables -A FORWARD -p tcp -d LocalSSHIP --dport 22 -j ACCEPT

eth0 is the default gateway:
$ ip route

default via Gateway1 dev eth0 proto static metric 100 
default via Gateway2 dev eth2 proto static metric 101 
...

$ ip rule

0:  from all lookup local
32764:  from IP2 lookup isp2
32765:  from IP1 lookup isp1
32766:  from all lookup main
32767:  from all lookup default

SNAT is applied for the traffic originating from eth1:

iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source IP1   # -i is not accepted in POSTROUTING; match on the outgoing interface (or add -s <intranet network>)

Current situation:

  1. All services forwarded from eth0 are working normally.
  2. All traffic originating from intranet passes out and back normally.
  3. All the attempts to access services from eth2 time out.

There are no obvious hints in /var/log/messages (such as complaints about "martian IPs").

I am somewhat at a loss here; any advice would be very welcome.

A.B
In short, this requires memorizing the original path/route taken when contacting the same intranet host (e.g. from the same Internet source address) and retrieving that memorized information to reply. Are you still interested in this question?
@A.B Yes, I am, since the problem isn't solved in full.
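As an added example (not from the question or from A.B's comment), the following script implements the approach A.B describes: the ISP a connection arrived on is stored in its conntrack entry with CONNMARK, restored onto the intranet host's reply packets, and matched by fwmark rules so replies leave through the same ISP instead of the default route on eth0. Assumed (not on the page): marks 0x1/0x2, constructed TEST-NET sample addresses, rule priorities 100/101; the isp1/isp2 tables and the DNAT rules are those from the question.

```shell
#!/bin/sh
# Added example: steer replies to DNAT'd connections back out via the ISP
# they came in on. Assumptions: marks 0x1/0x2, isp1/isp2 in rt_tables as in
# the question, constructed TEST-NET addresses. DRY_RUN=1 prints the
# commands instead of applying them (no root needed).
IP1=${IP1:-203.0.113.10};  GW1=${GW1:-203.0.113.1}    # constructed samples
IP2=${IP2:-198.51.100.10}; GW2=${GW2:-198.51.100.1}
LOCALSSHIP=${LOCALSSHIP:-192.168.1.20}

run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

multiwan_rules() {
  # 1. First packet of a connection entering from a WAN interface: record
  #    the ingress ISP in the conntrack entry (connection mark, not packet mark).
  run iptables -t mangle -A PREROUTING -i eth0 -m conntrack --ctstate NEW -j CONNMARK --set-mark 0x1
  run iptables -t mangle -A PREROUTING -i eth2 -m conntrack --ctstate NEW -j CONNMARK --set-mark 0x2
  # 2. Packets from the intranet side: copy the saved connection mark onto
  #    the packet before the routing decision (new intranet flows get 0).
  run iptables -t mangle -A PREROUTING -i eth1 -j CONNMARK --restore-mark
  # 3. Policy rules: a marked packet uses its ISP's table, ahead of the
  #    source-address rules (32764/32765) already present.
  run ip rule add fwmark 0x1 table isp1 priority 100
  run ip rule add fwmark 0x2 table isp2 priority 101
  # 4. DNAT and forwarding, as in the question.
  run iptables -t nat -A PREROUTING -i eth0 -p tcp -d "$IP1" --dport 22 -j DNAT --to-destination "$LOCALSSHIP:22"
  run iptables -t nat -A PREROUTING -i eth2 -p tcp -d "$IP2" --dport 22 -j DNAT --to-destination "$LOCALSSHIP:22"
  run iptables -A FORWARD -p tcp -d "$LOCALSSHIP" --dport 22 -j ACCEPT
}

# Review helpers over the generated rule set: how many rules steer
# eth2-originated connections back via isp2, and whether replies from eth1
# get their connection mark restored.
count_isp2_steering() {
  ( DRY_RUN=1; multiwan_rules ) | grep -c -e 'fwmark 0x2 table isp2' -e '-i eth2 .*--set-mark 0x2'
}
replies_restore_mark() {
  ( DRY_RUN=1; multiwan_rules ) | grep -q -e '-i eth1 -j CONNMARK --restore-mark'
}

# Entry point: "sh multiwan.sh print" shows the commands; "sh multiwan.sh apply" runs them as root.
case "${1:-}" in
  print) DRY_RUN=1; multiwan_rules ;;
  apply) multiwan_rules ;;
esac
```

Verify afterwards with `ip rule` (the two fwmark rules must sit above the `from IP1`/`from IP2` rules) and `conntrack -L -m 2` (or `cat /proc/net/nf_conntrack`) to see mark=2 on a connection that entered via eth2.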