You are not logged in.
- Topics: Active | Unanswered
#1 2013-12-03 10:10:59
- parpagnas
- Member
- Registered: 2013-05-15
- Posts: 17
How to use one NIC for everything and the other to allow ssh from
Hello,
I have two internet connexion at home:
- a cable connection (CABLEBOX) that i use for all of my devices as it's the fastest. All my computers are connected to it using ethernet or wifi.
- an adsl connection (ADSLBOX) that is connect to the second network card of one of my computers (MEDIABOX) only and that i want to use only to ssh that same device from the outside
I want that specific computer to use its:
- NIC1 to connect to the LAN and to the internet. Routing is enabled on CABLEBOX.
- NIC2 to connect to that device from the outside using ssh. ssh-D should also work through NIC2 as i need to be able to use that computer as a proxy on some occasions. Routing is enabled on ADSLBOX and it's set to port forward the port 22 to MEDIABOX.
Once this will be working i'd like to also route ftp connections to specific ips by NIC2.
No firewall is set on MEDIABOX yet, i'll do it later on.
I know basics on how to set routing rules, how to assign a specific LAN to a network card but i have a hard time on deciding which rules i should set...
Can someone guide me?
Thanks in advance
Last edited by parpagnas (2013-12-03 18:31:31)
Offline
#2 2013-12-03 14:05:33
- teekay
- Member
- Registered: 2011-10-26
- Posts: 271
Re: How to use one NIC for everything and the other to allow ssh from
A possible solution might be this.
On ADSLBOX and CABLEBOX configure different subnets for the LAN, e.g.
ADSLBOX: 192.168.1.0/24
CABLEBOX: 192.168.2.0/24
The MEDIABOX gets these static IPs:
ADSL-LAN: 192.168.1.2
CABLE-LAN: 192.168.2.2
On the MEDIABOX, configure the two network interfaces using two routing tables.
The ADSL-LAN routing table
ip route add 192.168.1.0/24 dev eth0 src 192.168.1.2 table 1
ip route add default via 192.168.1.1 table 1The CABLE-LAN routing table
ip route add 192.168.2.0/24 dev eth1 src 192.168.2.2 table 2
ip route add default via 192.168.2.1 table 2The main routing table
ip route add 192.168.1.0/24 dev eth0 src 192.168.1.2
ip route add 192.168.2.0/24 dev eth1 src 192.168.2.2
# use the CABLE-LAN gateway as default, so general internet traffic from MEDIABOX runs over CABLEBOX
ip route add default via 192.168.2.1define the lookup rules
ip rule add from 192.168.1.2 table 1
ip rule add from 192.168.2.2 table 2To test the setup:
ip route show
ip route show table 1
ip route show table 2I don't know how to persist something like this in ArchLinux using netctl. Might require to write a special systemd unit for it. Above is a working example from a RedHat box at my company.
Last edited by teekay (2013-12-04 07:42:22)
Offline
#3 2013-12-03 20:41:08
- fukawi2
- Ex-Administratorino
- From: .vic.au
- Registered: 2007-09-28
- Posts: 6,224
- Website
Re: How to use one NIC for everything and the other to allow ssh from
What you need is called Policy Based Routing:
http://en.wikipedia.org/wiki/Policy-based_routing
http://blog.scottlowe.org/2013/05/29/a- … y-routing/
https://github.com/fukawi2/pb-route (Disclaimer: this is my own script)
Are you familiar with our Forum Rules, and How To Ask Questions The Smart Way?
BlueHackers // fscanary // resticctl
Offline
#4 2013-12-03 21:13:13
- teekay
- Member
- Registered: 2011-10-26
- Posts: 271
Re: How to use one NIC for everything and the other to allow ssh from
Wouldn't that be overkill for the primary goal of having the box in basically two LANs, using one of those for incoming SSH and the other for the rest?
It reads like MEDIABOX isn't going to be a router.
For the goal
Once this will be working i'd like to also route ftp connections to specific ips by NIC2.
PBR comes in handy, if I understood the goal correctly (routing FTP to specific IPs inside "the other LAN")
Offline
#5 2013-12-03 23:15:40
- parpagnas
- Member
- Registered: 2013-05-15
- Posts: 17
Re: How to use one NIC for everything and the other to allow ssh from
Thanks for your answers:
- MEDIABOX will indeed not be a router
- MEDIABOX will need to connect to some ftps using NIC2's ip, not NIC1 when the rest will be working first
Offline
#6 2013-12-04 00:33:33
- parpagnas
- Member
- Registered: 2013-05-15
- Posts: 17
Re: How to use one NIC for everything and the other to allow ssh from
Thx teekay, it works! 
I'll just have to find out how to set it permanently, i'll check that tomorrow.
Offline
#7 2013-12-04 07:30:45
- teekay
- Member
- Registered: 2011-10-26
- Posts: 271
Re: How to use one NIC for everything and the other to allow ssh from
Now you got the basic setup with two simple lookup rules based on origin IP, and default via CABLEBOX
For "MEDIABOX will need to connect to some ftps using NIC2's ip" you will indeed need a policy.
That's where iptables prerouting marks and fwmark based ip rules enter the stage.
Something like:
# mark packages with destination to IP of FTP-Server, Port 21
iptables -A PREROUTING -t mangle -p tcp -d <ip of FTP server> --dport 21 -j MARK --set-mark 1
# add a rule to use ADSL-LAN table in that case
ip rule add fwmark 1 table 1fukawi2's script seems perfect to implement the complete setup, with proper netfilter chains and all (didn't test, just read the code. nice!)
Last edited by teekay (2013-12-04 07:53:36)
Offline
#8 2013-12-04 22:08:26
- fukawi2
- Ex-Administratorino
- From: .vic.au
- Registered: 2007-09-28
- Posts: 6,224
- Website
Re: How to use one NIC for everything and the other to allow ssh from
fukawi2's script seems perfect to implement the complete setup, with proper netfilter chains and all (didn't test, just read the code. nice!)
Thx, it's far from perfect, but it does help get the bulk of the required steps done
Are you familiar with our Forum Rules, and How To Ask Questions The Smart Way?
BlueHackers // fscanary // resticctl
Offline