
wrban 04-12-2009 08:15 AM

separate services on different network interfaces

I've got 2 NICs that both have Internet connectivity as follows:
- eth0, public static IP (80.x.x.Y)
- eth1, private static IP (192.168.0.x), goes through router; router also has a public static IP (80.x.x.Z)

Default route is set through eth0, however I'm trying to set up different services to be available on eth1 as well (or exclusively) - example: ftp server, ssh daemon.

So I connected eth1, assigned a private IP address ( with a default gateway (/25), set sshd to listen to all interfaces ( for testing), set port forwarding on router so that ssh connections on 80.x.x.Z would be sent to and got a timeout when trying to ssh 80.x.x.Z. I also tried ssh to which worked.

I guess I'm missing a step here hopefully (as I hope it's not the cheap router's fault). Could anyone provide a tip?

grepmasterd 04-12-2009 02:51 PM

Incoming packets hit eth1 but are routed back through eth0, which will prevent the connection from going forward. This isn't a Linux configuration issue, rather one of network basics. Basically your inbound paths and outbound paths are not the same, which is a problem when using private IP space and NAT.

Your goals with such a setup are not clear; there are likely better ways to accomplish what you need to do. But if your current setup is necessary, then I see two ways you can get it to work:

1) In addition to port-forwarding the incoming connections on the router, also NAT the connection's source address (at the router) to the 192.168.0.x space (SNAT in iptables nomenclature). Connections received on eth1 will be seen coming from 192.168.0.x and packets will be returned to the router, which will handle all of the NAT. Most consumer-based broadband routers won't let you do this, but if you have a Linux router and are using iptables this should be pretty straightforward.

2) Use policy routing using 'ip rule' and 'ip ro table' configurations. These are advanced networking features so if you aren't familiar with them you will need to spend some time learning about them.

If those options don't work for you, you should re-think your network design (best option in my opinion).
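A worked version of both options above, added here as an example rather than anything posted in the thread: a host-side policy routing table for eth1 (option 2) and the router-side DNAT/SNAT pair for a Linux router (option 1). All concrete addresses and the router interface names are assumptions standing in for the thread's 192.168.0.x and 80.x.x.Z values; with DRY_RUN=1 (the default) the script prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example (not from the thread). Replies to connections arriving on
# eth1 must leave via eth1; otherwise they follow the default route out eth0.
ETH1_IF="eth1"
ETH1_IP="192.168.0.10"      # assumed address of the host's eth1
ETH1_NET="192.168.0.0/25"   # the /25 from the post (network itself assumed)
ETH1_GW="192.168.0.1"       # assumed LAN address of the home router
ROUTER_WAN_IF="ppp0"        # assumed router interfaces (option 1 only)
ROUTER_LAN_IF="lan0"
TABLE_ID=100                # private routing table id for eth1 traffic

DRY_RUN="${DRY_RUN:-1}"
run() {
    if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Option 2 (on the host): a dedicated routing table consulted only for
# packets sourced from the eth1 address, so sshd's replies go back the way
# the connection came in.
policy_routing_cmds() {
    run ip route add "$ETH1_NET" dev "$ETH1_IF" src "$ETH1_IP" table "$TABLE_ID"
    run ip route add default via "$ETH1_GW" dev "$ETH1_IF" table "$TABLE_ID"
    run ip rule add from "$ETH1_IP" lookup "$TABLE_ID" priority 1000
    # Relax reverse-path filtering on eth1: in strict mode (1) the kernel
    # rejects packets whose source would be routed back out another interface.
    run sysctl -w "net.ipv4.conf.$ETH1_IF.rp_filter=2"
}

# Option 1 (on a Linux router): forward ssh to the host and rewrite the
# source to the router's LAN address, so the host answers the router and
# the router undoes both translations.
router_snat_cmds() {
    run iptables -t nat -A PREROUTING -i "$ROUTER_WAN_IF" -p tcp --dport 22 \
        -j DNAT --to-destination "$ETH1_IP"
    run iptables -t nat -A POSTROUTING -o "$ROUTER_LAN_IF" -d "$ETH1_IP" \
        -p tcp --dport 22 -j SNAT --to-source "$ETH1_GW"
}

policy_routing_cmds
router_snat_cmds
```

Run with DRY_RUN=0 as root on the respective machine to apply; the rules do not survive a reboot unless added to the distribution's network scripts.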

wrban 04-13-2009 05:02 PM

Thank you for your reply, grepmasterd.

Regarding the network setup, actually, I have no specific restrictions: It just happened that eth1 is routed to the internet through a home router (being part of a LAN) so I decided to test it without changing anything; however I can plug in eth1 directly to the internet via the public IP currently used by the router.

As for the goal I'm aiming at, it is to have certain services available on a free interface (eth1). Given that eth0 sometimes gets overloaded by bandwidth-consuming services, I'm looking at placing administration services (e.g. ssh) on a different interface with more bandwidth availability.

I read some introductions about load balancing, but I wanted to start up with something simple first.

I wonder why it was that when ssh-ing in on from the local machine, the login prompt would show up (meaning that packets were not being routed back out on eth0) - are local addresses translated to on the lo interface?
