Dual NIC Routing


Routing for dual NICs in a typical DMZ, ensuring that traffic arriving on one network card is routed back out on the same card. Remember that /etc/network/interfaces can only have a single gateway configured. Example interface file below, with only one default gateway.

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto eth0
#iface eth0 inet dhcp

iface eth0 inet static

auto eth1
iface eth1 inet static

So assume the following:

eth0 – netmask
eth0’s gateway is:
eth1 – netmask
eth1’s gateway is:

Assume the system’s initial route configuration looks like this:

# netstat -anr
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
                            U     0   0      0    eth1
                            U     0   0      0    eth0
                            UG    0   0      0    eth1

So, basically, the system is using eth1 as the default route. If anyone pings, then the response packets will properly go out eth1 to the upstream gateway of But what about pinging Sure, the incoming ICMP packets will properly arrive on eth0, but the outgoing response packets will be sent out via eth1! That’s bad.

Here's how to fix this issue. You'll first need to create a new policy routing table entry in /etc/iproute2/rt_tables. Let's call it table #1, named "admin" (for routing administrative traffic onto eth0).

echo "1 admin" >> /etc/iproute2/rt_tables

Next, we're going to set a couple of new entries within this "admin" table. Specifically, we'll provide information about eth0's local /24 subnet, along with eth0's default gateway.

ip route add dev eth0 src table admin
ip route add default via dev eth0 table admin

At this point, you’ve created a new, isolated routing table named “admin” that really isn’t used by the OS just yet. Why? Because we still need to create a rule referencing how the OS should use this table. For starters, type ip rule show to see your current policy routing ruleset. Here’s what an empty ruleset looks like:

0: from all lookup local
32766: from all lookup main
32767: from all lookup default

Without going into all the boring details, each rule entry is evaluated in ascending order. The main gist is that your normal main routing table appears as entry 32766 in this list. (This would be the normal route table you’d see when you type netstat -anr.)

We're now going to create two new rule entries that will be evaluated before the main rule entry.

ip rule add from table admin
ip rule add to table admin

Typing ip rule show now shows the following policy routing rulesets:

0: from all lookup local
32764: from all to lookup admin
32765: from lookup admin
32766: from all lookup main
32767: from all lookup default

Rule 32764 specifies that for all traffic going to eth0's IP, make sure to use the "admin" routing table, instead of the "main" one. Likewise, rule 32765 indicates that for all traffic originating from eth0's IP, make sure to use the "admin" routing table as well. For all other packets, use the "main" routing table. In order to commit these changes, it's a good idea to type ip route flush cache.

Adding to startup

Just add the same echo, ip route and ip rule commands to /etc/rc.local so they run at boot.
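The rt_tables entry, the two admin-table routes, the two rules and the rc.local step, gathered into one script as an added example that is not part of the original post. It assumes eth0 is the admin-facing interface; the addresses are constructed placeholders, since the post's own values are not shown here, and the table check keeps rc.local from appending a duplicate rt_tables line on every boot.

```shell
#!/bin/sh
# Added example, not from the original post: the rt_tables, ip route and
# ip rule steps above, collected into one script suitable for /etc/rc.local.
# All addresses are constructed placeholders; substitute your own.
ADMIN_IF="eth0"
ADMIN_IP="192.0.2.10"       # constructed: eth0's own address
ADMIN_NET="192.0.2.0/24"    # constructed: eth0's local subnet
ADMIN_GW="192.0.2.1"        # constructed: eth0's upstream gateway
TABLE_ID=1
TABLE_NAME="admin"
RT_TABLES="/etc/iproute2/rt_tables"
MODE="${1:-print}"          # "print" shows the commands; "apply" runs them (needs root)

# Run a command in apply mode, or just print it in print mode.
run() {
  if [ "$MODE" = "apply" ]; then "$@"; else printf '%s\n' "$*"; fi
}

# Register the table id once. rc.local runs on every boot, so a plain
# echo >> would append a duplicate "1 admin" line each time.
ensure_table() {
  if grep -qs "^$TABLE_ID[[:space:]][[:space:]]*$TABLE_NAME\$" "$RT_TABLES"; then
    return 0
  fi
  if [ "$MODE" = "apply" ]; then
    echo "$TABLE_ID $TABLE_NAME" >> "$RT_TABLES"
  else
    printf '%s\n' "echo \"$TABLE_ID $TABLE_NAME\" >> $RT_TABLES"
  fi
}

# Populate the admin table and add the two rules that steer eth0's
# traffic (to and from its address) into that table instead of main.
dual_nic_routes() {
  ensure_table
  run ip route add "$ADMIN_NET" dev "$ADMIN_IF" src "$ADMIN_IP" table "$TABLE_NAME"
  run ip route add default via "$ADMIN_GW" dev "$ADMIN_IF" table "$TABLE_NAME"
  run ip rule add from "$ADMIN_IP" table "$TABLE_NAME"
  run ip rule add to "$ADMIN_IP" table "$TABLE_NAME"
  run ip route flush cache
}

dual_nic_routes
```

Run it with no argument to review the commands it would issue, then as root with `apply` (or from rc.local with `apply`) to install them; `ip rule show` afterwards should list the two admin rules ahead of main.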

Original post: http://kindlund.wordpress.com/2007/11/19/configuring-multiple-default-routes-in-linux/