LinuxQuestions.org
Old 09-22-2011, 10:20 AM   #1
sgb
Multiple default gateways - weird side-effect.


Hi all,

Centos 5.7 i386 multihomed.

I'm moving from one ISP to another and I can't allow our services to be unavailable for any length of time, so to cater for the DNS propagation window I have defined an extra routing table as described here and here, the effect of which is that any internet traffic coming in on an interface will be answered on that interface. It works extremely well. I am also taking this opportunity to resubnet the LAN, so currently each interface is on a completely different subnet.

I've hit an interesting side effect, however, and I think it could be useful in a DMZ situation.

I have two servers on the new network which are on the same switch & subnet - they can ping each other and server2 can SSH to server1. However, server1 cannot SSH to server2.

After much messing about with iptables and logging, I believe that what has happened is that ALL traffic on the interface on the new network is being forwarded to the gateway regardless of whether the target host is available on the same switch & subnet. I have confirmed this with a comparison of the traceroutes between the hosts. Server2 shows two hops to server1 via the gateway, server1 shows one hop to server2.

In this case, the gateway is a stateful firewall. I think the response traffic (ACK SYN) is being discarded by the firewall because it has no knowledge of the original SYN. From testing, traceroute succeeds however tcptraceroute fails.

It strikes me that this would be useful in the absence of VLANs in a DMZ situation where I would like to isolate each host in the DMZ from the others. If every host had a route like this defined, then the firewall could protect each machine from the others. Even if a particular machine were compromised and the routes changed to allow subnet traffic, the target machine would not be able to reply because of the route in place pointing all traffic back to the firewall. This would limit attacks to flooding, given that a stateful connection between the compromised machine and the target could not be established and hence no interactive process could be leveraged. This, obviously, would be used in tandem with a local firewall running on each host.

Am I correct in my synopsis? Are there repercussions that I have not considered?

With thanks and regards,

S.
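The side effect described in the post comes from the per-interface routing table: if that table holds only a default route, a source-based `ip rule` sends even same-subnet traffic to the gateway, because the connected-subnet route lives in the main table and is never consulted. The following is an added example (not the poster's configuration) that models the Linux lookup order, rule selection followed by longest-prefix match, on constructed addresses; the interface names, subnets and table name are assumptions.

```python
# Added example: a minimal model of Linux policy routing that reproduces the
# "everything goes to the gateway" effect. All addresses and names are constructed.
import ipaddress

def lookup(table, dst):
    """Longest-prefix match within one table; returns (dev, via) or None.
    via is None for a directly connected (on-link) route."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, dev, via in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev, via)
    return None if best is None else (best[1], best[2])

def route(rules, tables, src, dst):
    """Walk the rules in priority order; the first table that yields a route wins.
    A table with no matching route falls through to the next rule, as on Linux."""
    for selector, table_name in rules:
        if selector is None or ipaddress.ip_address(src) in ipaddress.ip_network(selector):
            hit = lookup(tables[table_name], dst)
            if hit is not None:
                return hit
    raise LookupError("no route to %s" % dst)

# server1 (constructed): eth0 on the old ISP, eth1 on the new network 192.0.2.0/24.
SERVER1_NEW = "192.0.2.10"
SERVER2 = "192.0.2.20"      # same switch and subnet as server1's eth1
NEW_GW = "192.0.2.1"        # the stateful firewall on the new network

MAIN = [("192.0.2.0/24", "eth1", None),
        ("198.51.100.0/24", "eth0", None),
        ("0.0.0.0/0", "eth0", "198.51.100.1")]
# Per-interface table as usually written up: only a default route.
TABLE_NEW_BROKEN = [("0.0.0.0/0", "eth1", NEW_GW)]
# Same table with the connected subnet added
# (equivalent to: ip route add 192.0.2.0/24 dev eth1 table new).
TABLE_NEW_FIXED = [("192.0.2.0/24", "eth1", None), ("0.0.0.0/0", "eth1", NEW_GW)]
# ip rule add from 192.0.2.10 table new; then the main table for everything else.
RULES = [("192.0.2.10/32", "new"), (None, "main")]

def next_hop_from_server1(table_new):
    """Where server1 sends a packet for server2 given the per-interface table."""
    return route(RULES, {"new": table_new, "main": MAIN}, SERVER1_NEW, SERVER2)

if __name__ == "__main__":
    print("broken table:", next_hop_from_server1(TABLE_NEW_BROKEN))  # via the firewall
    print("fixed table: ", next_hop_from_server1(TABLE_NEW_FIXED))   # direct, on-link
```

With the broken table the packet for server2 leaves via the firewall even though server2 is on the same wire, which is the behaviour the traceroutes in the post show; adding the connected route to the per-interface table restores direct delivery.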
Tags
dmz, iproute2