LinuxQuestions.org

Linux - Networking: Isolation on a non-router server with multiple ethernet? (https://www.linuxquestions.org/questions/linux-networking-3/isolation-on-a-non-router-server-with-multiple-ethernet-855874/)

mgood 01-12-2011 01:50 PM

Isolation on a non-router server with multiple ethernet?
 
Hello,

I have been working with Linux for about 10 years and I have a good understanding of IPv4 networking and routing but not so much detailed knowledge of implementation or specific networking packages.

I have a Linux system running a custom-built (Linux from Scratch) distribution and using 2.6.15 kernel. My system has 4 Ethernet controllers (eth0, eth1, eth2, and eth3). I have intentionally left out support for forwarding/routing of packets as this machine is not intended to be a router and I specifically do not want it to be able to do so. My intent for the machine is to function as a server to 4 different and separate networks without allowing traffic or hosts on one LAN to access or adversely affect those on the other LANs.

My main question: is there a way to completely isolate the connections to these LANs and if so, how might I achieve it, and through what packages?

I have been having some issues:

1) Default gateway. With only a single default gateway, network requests from a LAN that is not directly connected to one of the 4 NICs and for which there may not be a static route defined, may send a response to the default gateway which is on one of the LANs connected to a different NIC than the one that I received the initial request on. Is there any way to isolate outgoing messages to only go out on the NIC that the corresponding request was received through?

2) Default gateways. I have a requirement to allow DHCP on these interfaces. It is possible that the DHCP servers on each of the 4 LANs may provide a default gateway, but I don't see how I can make use of that. I know that there is a way to configure multiple default gateways via the iproute2 package (which is what I am using) but I don't know how to make sure that the correct default gateway is used for requests that were received on a specific interface.

Any help or ideas will be very much appreciated.

Thanks,
Mark

Person_1873 01-13-2011 08:25 AM

Hello mgood, just to be clear, you want all 4 LANs to be able to connect to the same default gateway but be completely invisible to each other, and all 4 be able to connect to your server?

It sounds to me as though you're trying to do too much with too little hardware. As your Linux machine stands, all 4 LANs should already be completely separated; however, if I were you then I'd configure it in this way:
Code:

                    Router - LAN1 - Svr port 1
                  <             
                /  Router - LAN2 - Svr port 2
Default Gateway<                 
                \  Router - LAN3 - Svr port 3
                  <
                    Router - LAN4 - Svr port 4

If done in this way, then you could either have your server push out DHCP information, or you could use the routers.

The other option is to have a single LAN and divide your machines with subnets using MAC address reservations in your DHCP server or by setting static IPs on all machines.

mgood 01-13-2011 09:20 AM

Hi Person,

Thanks for the reply.

That's not quite what I am trying to do. I would like each LAN to have its own default gateway. So if I receive a packet on eth0 but I do not have a route to respond to the sender, I want it to go out the default gateway for eth0. This same thing would apply to the other 3 interfaces as well.

Mark


mgood 01-13-2011 09:34 AM

I thought a sort of picture may help:
Code:

                                                    Host
                                                    |
                                          ------+---+------ LAN 4 ---------
                                                |
                                                |
                                            Gateway 0  Host Host
                                                |        |    |
                      +--- eth0 --- LAN 0 ------+--------+----+---...
                      |
                      |                    Gateway 1  Host Host
                      |                        |        |    |
                      +--- eth1 --- LAN 1 ------+--------+----+---...
                      |
    Server Machine ----+                    Gateway 2  Host Host
                      |                        |        |    |
                      +--- eth2 --- LAN 2 ------+--------+----+---...
                      |
                      |                    Gateway 3  Host Host
                      |                        |        |    |
                      +--- eth3 --- LAN 3 ------+--------+----+---...

For each interface, I would like a default gateway that is used for requests made by hosts that are on LANs that are on the other side of the gateway. For example, a host on LAN 4 sends a request to the server, but the server does not know about LAN 4, so it would use a default gateway for LAN 0 since the request arrived on eth0. The same would apply to LANs located on the other side of Gateways 1, 2, and 3. In this way, traffic received on one interface won't affect or initiate traffic on another interface.

Mark
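What mgood describes is source-based policy routing with iproute2: one routing table per NIC, each holding that LAN's connected route plus its own default gateway, and an `ip rule` that sends any packet sourced from that NIC's address through that table. The script below is an added example, not from the thread or any of its posters. Interface names match the original post; the addresses, gateways and table numbers (10.0.N.0/24, tables 100-103) are constructed assumptions, and the script prints the commands instead of running them unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example (not from the thread): per-interface routing tables with
# iproute2 so that a reply to a request that arrived on eth0 leaves via
# eth0's gateway, eth1's via eth1's gateway, and so on.
# Addresses below are constructed for illustration, not the poster's.
# Dry-run by default (prints the commands); set APPLY=1 and run as root
# to execute them.

run() {
    if [ "${APPLY:-0}" = "1" ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

# policy_route IFACE LOCAL_CIDR GATEWAY TABLE
# Fills table TABLE with the interface's connected subnet and a default
# route via GATEWAY, then adds a rule so that any packet whose source
# address is this interface's address (i.e. a reply to something that
# arrived here) is routed from that table rather than from "main".
policy_route() {
    iface=$1; cidr=$2; gw=$3; table=$4
    addr=${cidr%/*}                       # strip the prefix length
    run ip route add "$cidr" dev "$iface" src "$addr" table "$table"
    run ip route add default via "$gw" dev "$iface" table "$table"
    run ip rule add from "$addr" table "$table" priority "$table"
}

# The box is a server, not a router: keep IPv4 forwarding off even if
# the kernel would allow it, so nothing crosses between the four LANs.
disable_forwarding() {
    run sysctl -w net.ipv4.ip_forward=0
}

# One table per NIC (constructed addressing: 10.0.N.10/24, gateway 10.0.N.1).
configure_all() {
    disable_forwarding
    policy_route eth0 10.0.0.10/24 10.0.0.1 100
    policy_route eth1 10.0.1.10/24 10.0.1.1 101
    policy_route eth2 10.0.2.10/24 10.0.2.1 102
    policy_route eth3 10.0.3.10/24 10.0.3.1 103
}

configure_all
```

With this in place, a request from a host on LAN 4 that reaches the server through Gateway 0 is answered from eth0's address, the `from 10.0.0.10` rule selects table 100, and the reply goes back through Gateway 0; no default route is needed in the main table at all. Two caveats: this relies on the reply carrying the receiving interface's address as its source, which TCP does automatically but an unbound UDP service does not unless it binds per address or uses IP_PKTINFO; and if the gateways arrive via DHCP, the same function can be called from the client's lease hook (with ISC dhclient the hook sees `$interface`, `$new_ip_address`, `$new_subnet_mask` and `$new_routers`, an assumption about that client rather than something the thread states).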

Person_1873 01-13-2011 02:57 PM

Well, that should be the standard iptables configuration: if a host is not in the same subnet range as your current LAN, then the packets should go to the default gateway; if the gateway then knows its route to that IP, then you will be able to connect.

I will show this to the network admin at work today and get his thoughts; he understands these things better than I do.

mgood 01-13-2011 04:15 PM

I think I have found the answer at this link.

I will be trying this out on my server and will post again here the results.

Mark
