I have 3 interfaces on my Linux router:
172.16.4.0/23 (Called: eth0, GW: 172.16.4.1)
172.16.2.0/23 (Called: lan0, GW: 172.16.2.1)
192.168.10.0/24 (Called: wan0, masqs to lan0 and eth0, is an internet connection)

All hosts can ping each other correctly and routing seems to be working fine (ie, if a host is down, ping obviously fails).

Now here's where it gets weird, if I SSH from any host in 172.16.2.0 into and try to connect to a host in 172.16.4.0, then my router that's routing traffic will always reply. Likewise if I try to from 172.16.4.0 into 172.16.2.0, my router always answers.

I can SSH into any machine perfectly fine on the same network, and from the internet inwards. The router itself can SSH into any host on any network.

It only does this for SSH. VNC remote desktop for example will work fine between the networks.

I've checked IP Tables, and there seems to be no SSH rule that would cause this (It's quite long), I made doubly sure by commenting some out to see if it had any changes.

You could very well be running into issues because you have multiple gateways. A easy way of thinking about it generally, you need a gateway to connect to a subnet you cannot reach through you router.

Try setting a single gateway and see what happens.

Some links that could help

http://superuser.com/questions/53860...h-given-interf

http://generationip.com/documentatio...teway-on-linux

http://kindlund.wordpress.com/2007/1...utes-in-linux/

I may have mis-explained what I meant with the GWs. I mean that the DHCP server (that's also running on the router) gives these IPs out as the default gateway when it assigns an IP for that subnet.
Here's is my route -n

Since all other protocols are routed between the two networks very well.
Except for ssh which your linux replies to on behalf of the receiving end .
Then it is an iptables issue and it is in the nat table .
Because i think there is a rule that performs some kind of dnat translating the destination address to the ip address of your router

Sorry, a quick question, what exactly are you trying to accomplish with 2 subnets? Is it for home? 2 nics as well? For a home setup i do believe there would be more straight forward setups not requiring all the complex nat configurations

But on a sidenote I recommend using iproute2 for these type of setups. Other than nat as mentioned, by using iproute2 it is good for making sure traffic returns on the intended interface.

A little more about iproute2

http://lartc.org/howto/index.html

But i agree that there is something up with your nat or somewhere else in iptables with the setup seeing most things work as intended.

I'm assuming this happens because you are doing all this on a single L2 device -- e.g. a single switch. If you want this to work you will need to set up source based routing as the previous reply indicates with the iproute documentation. I've only had marginal success with that when trying to implement a multipath iscsi network using the same switch. If you can use multiple switches to actually isolate the networks, that will make your life far easier.

I don't see what the switch could possibly have to do with the destination IP address of a tcp packet, or where source-based routing enters the picture. He's having issues with the gateway intercepting SSH packets destined for the opposite network, which is neither a layer 2 problem nor a routing issue.

@Slyke: I believe hussam.dh is right; this has to be NAT related. The SSH daemon on the router should only reply to packets destined for a local IP address, which means that at some point the destination address packets from these networks must have been altered.

Look for rules in the PREROUTING chain of the nat table, specifically any rules matching tcp port 22 (iptables-save -t nat | grep PREROUTING).