Who knows their Linux routing?

Jul 23, 2015 20:16

Got a good question for people who know their Linux routing.


We've got multiple networks at work.

I've got a machine with an interface on the external facing network, which has a range of 172.16.10.0/24 (yes, the IPs are changed to protect the innocent). That subnet is allowed access, so sitting on the internal network (192.168.22.0/24) I can connect into it. However, the external network is not allowed back into the internal network.

This has not been a problem in the past, but of course, now someone wants to access, not the internal network, but another network, let's call it the data network, which is 192.168.33.0/24.

So I want to make a machine on the external network, talk to a machine on the data network.

For political reasons I can't multi-home the machine on the data network. I can however multi-home the machine on the internal network. The internal network can then talk to the data network since they're both considered to be inside.

So I end up with a machine with two interfaces:
eth0 172.16.10.100 / 255.255.255.0 (gw: 172.16.10.1)
eth1 192.168.22.100 / 255.255.255.0 (gw: 192.168.22.1)
and a default route on eth0 since that is the main interface.

I then give a route telling the machine to use the internal network to get to the data network.

route add -net 192.168.33.0 netmask 255.255.255.0 gw 192.168.22.1 dev eth1
(yes, the dev eth1 is irrelevant here)

Great, now I can talk to the 192.168.33.0/24 subnet because the traffic gets routed out of eth1. Problem is, if I try to connect from the internal network, my packets arrive on eth0 since that is the external interface, but the system tries to route them out of eth1 because it sees it as a better match for the subnet.

My machine sees a request to 172.16.10.100 and a response from 192.168.22.100 and discards the packets.

I can get around this by connecting into eth1 instead from the production network. But this means I'll end up with two aliases for the machine, one for when I'm inside and one for when I'm outside. I can handle that, but try explaining it to some users and you'll see why I don't want to do it that way.

My first solution was to give the 192.168.22.100 a tight subnet (/32) then put in a route for the data network and I ended up with something like

eth0 172.16.10.100 / 255.255.255.0 (gw: 172.16.10.1)
eth1 192.168.22.100 / 255.255.255.255 (gw: none, single IP)
route add -net 192.168.33.0 netmask 255.255.255.0 dev eth1

That worked. Connections coming into the machine would always go to and come from eth0 unless you were connecting to an IP on 192.168.33.0/24, in which case they'd be sent out eth1.

Bad thing was it was working on proxy arp. Basically the machine would send a request out to eth1 saying "who knows about 192.168.33.x?" and the router would respond going "I do!" I did not have a problem with this, but my boss didn't like it, so he turned off proxy arp on the router interfaces and broke my solution.

So it was back to the drawing board.

I then came up with some additional routes:
eth0 172.16.10.100 / 255.255.255.0 (gw: 172.16.10.1)
eth1 192.168.22.100 / 255.255.255.255 (gw: none, single IP)
route add 192.168.22.1 netmask 255.255.255.255 dev eth1
route add -net 192.168.33.0 netmask 255.255.255.0 gw 192.168.22.1 dev eth1

What this does is still use the /32 for the eth1 interface, but the first route explicitly tells the system that the 192.168.22.1 gateway is on eth1, so it knows where it is. The second route then tells the system: to get to 192.168.33.0/24, go via 192.168.22.1.

This does work, but it is still a little sneaky. The first route is telling the system the 192.168.22.1 IP is explicitly on eth1, but I don't see this as any different from using a /24 netmask and specifying a gateway.

So what I'm after is how would other people do this?

The short version is I basically want to force all the traffic via one interface except for a specific subnet. My boss thinks I can do it with RPF (Reverse Path Forwarding) but from what I've read, that is more for checking incoming packets match certain interfaces, not outgoing packets. Reading the net, other people have solved it via iptables, but I do not want to start doing that.

Can anyone see a problem with my solution? Have a better solution? Have no idea what I'm talking about? Want to offer me a well paid job sampling hotel rooms around the world?

Anyone?
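
Added example (not part of the original post): a small Python model of longest-prefix-match route selection over the three configurations described above. It shows which interface a reply to an internal client leaves on, and why the gateway route needs the host route to 192.168.22.1 once eth1 is a /32. The client and data-host addresses are constructed, and the model ignores ARP, source-address selection and rp_filter.

```python
import ipaddress

def table(*routes):
    """Build a routing table from (prefix, gateway or None, device) tuples."""
    return [(ipaddress.ip_network(p), gw, dev) for p, gw, dev in routes]

def lookup(tbl, dst):
    """Longest-prefix match: the most specific matching prefix wins."""
    addr = ipaddress.ip_address(dst)
    return max((r for r in tbl if addr in r[0]), key=lambda r: r[0].prefixlen)

def egress(tbl, dst):
    """Interface a packet addressed to dst leaves on."""
    return lookup(tbl, dst)[2]

def gateway_on_link(tbl, gw, dev):
    """A 'gw' route is only accepted if the gateway itself resolves
    through a gateway-less (directly connected) route on that device."""
    _, via, out = lookup(tbl, gw)
    return via is None and out == dev

# Routes present in every configuration: default via eth0 and eth0's /24.
COMMON = [("0.0.0.0/0", "172.16.10.1", "eth0"),
          ("172.16.10.0/24", None, "eth0")]

# 1) eth1 as a /24: the connected 192.168.22.0/24 route exists.
WIDE = table(*COMMON, ("192.168.22.0/24", None, "eth1"),
             ("192.168.33.0/24", "192.168.22.1", "eth1"))
# 2) eth1 as a /32, data network treated as on-link (needs proxy ARP).
PROXY_ARP = table(*COMMON, ("192.168.33.0/24", None, "eth1"))
# 3) eth1 as a /32, host route to the gateway, data network via gateway.
HOST_ROUTE = table(*COMMON, ("192.168.22.1/32", None, "eth1"),
                   ("192.168.33.0/24", "192.168.22.1", "eth1"))

CLIENT = "192.168.22.50"     # constructed internal client address
DATA_HOST = "192.168.33.10"  # constructed data-network host address

if __name__ == "__main__":
    for name, tbl in (("/24 on eth1", WIDE), ("/32 + proxy ARP", PROXY_ARP),
                      ("/32 + host route", HOST_ROUTE)):
        print(f"{name:18} reply to client -> {egress(tbl, CLIENT)}, "
              f"data host -> {egress(tbl, DATA_HOST)} "
              f"via {lookup(tbl, DATA_HOST)[1] or 'on-link'}")
    # Without the host route, 192.168.22.1 only matches the default route.
    print("gateway usable without host route:",
          gateway_on_link(table(*COMMON), "192.168.22.1", "eth1"))
```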
