apache2 Web代理服务器上的多个NIC

Question

I have a question regarding traffic routing on a Linux machine with two NIC's. One of the NIC's is on our DMZ net ( 10.1.9.0/24 ) and the other is on our local net ( 10.1.0.0./21 ):

default via `10.1.4.1` dev eth0 
default via `10.1.9.1` dev eth1  metric 100 
`10.1.0.0/21` dev eth0  proto kernel  scope link  src `10.1.0.132` 
`10.1.9.0/24` dev eth1  proto kernel  scope link  src `10.1.9.25` 

We use the server as web proxy. The dmz interface (eth1) gets traffic from one of our external internet addresses. So there exists a NAT rule on our main Firewall/Router that translates requests to 10.1.9.25 . This works fine, requests are accepted and responded. In this situation the connection is established on eth1 and response is also on eth1.

The problem: When we want to access the webserver from inside our local network the firewall translates the external ip to the DMZ ip. Connections can be established to DMZ servers from within our local network, but not the other way around. In this case the connection is instantiated from the local net to DMZ, but the webserver dosn't respond.

sudo tcpdump -i eth1 port 443 and src host 10.1.1.154
10:09:35.626450 IP 10.1.1.154.48870 > 10.1.9.25.https: Flags [S], seq 2491947547, win 14600, options [mss 1460,sackOK,TS val 2066949 ecr 0,nop,wscale 4], length 0
10:09:35.825619 IP 10.1.1.154.48871 > 10.1.9.25.https: Flags [S], seq 1827990665, win 14600, options [mss 1460,sackOK,TS val 2067011 ecr 0,nop,wscale 4], length 0
10:09:36.575239 IP 10.1.1.154.48870 > 10.1.9.25.https: Flags [S], seq 2491947547, win 14600, options [mss 1460,sackOK,TS val 2067199 ecr 0,nop,wscale 4], length 0
10:09:36.823264 IP 10.1.1.154.48871 > 10.1.9.25.https: Flags [S], seq 1827990665, win 14600, options [mss 1460,sackOK,TS val 2067261 ecr 0,nop,wscale 4], length 0
10:09:38.579373 IP 10.1.1.154.48870 > 10.1.9.25.https: Flags [S], seq 2491947547, win 14600, options [mss 1460,sackOK,TS val 2067700 ecr 0,nop,wscale 4], length 0
10:09:38.827290 IP 10.1.1.154.48871 > 10.1.9.25.https: Flags [S], seq 1827990665, win 14600, options [mss 1460,sackOK,TS val 2067762 ecr 0,nop,wscale 4], length 0

SSH is the same, the interface recieves connections, but doesn't respond. I'm not sure exactly where the problem is (on the server or on the firewall/routersetup). We have other servers on in the DMZ that works fine, and the sysadmin here says the network configuration is the same.

Can anyone help me diagnose this problem?

Answer 1

Your problem is here

default via `10.1.4.1` dev eth0 
default via `10.1.9.1` dev eth1  metric 100 
`10.1.0.0/21` dev eth0  proto kernel  scope link  src `10.1.0.132` 
`10.1.9.0/24` dev eth1  proto kernel  scope link  src `10.1.9.25`

IP cannot use multiple default routes in the same routing table... think about it, if you ping 4.2.2.2 from the shell, which interface should it use?

The Linux Advanced Routing and Traffic Control Howto has some tricks you can use to implement multiple routing tables, but this is frequently making things more complicated than you will want to maintain.

The simplest solution is to pick an interface where you can aggregate all internal corporate networks into one supernet and assign a route for it... for instance, this route covers all 10.xxx networks that are not directly connected to the linux machine...

route add -net 10.0.0.0 netmask 255.0.0.0 gw 10.1.0.132

Then remove the default from eth0