Background

I run a server with two external IPv4 addresses. IP-address A (IP-A) and IP-address B (IP-B).

Goal

I would like to access IP-A over HTTPS port 443 and SSH port 22 only. IP-B shouldn't listen to any incoming traffic.

Then I'd like the server to use IP-B only for all outgoing traffic, or at least to tell the server to use IP-B for outgoing traffic only for specific commands.

Example in pseudo code:

1. I connect to the server over IP-A and call `ping example.com`.
2. The server executes it and sends the ping requests outgoing from IP-B to example.com.
3. I can read the output of the command on my connection with IP-A.

Why would I want this?

Because the management console I'll be using is on IP-A. I want IP-A not to be directly related to IP-B (at least for the outside world). Instead I want example.com to see "I got a ping request from IP-B.". And when someone connects to IP-B that IP address is not listening to anything. While IP-A is nowhere in their logs.

Ultimately I'd like to add even more addresses and be able to tell IP-A:

  1. Use IP-B for this command
  2. Use IP-C for this command
  3. Use IP-D for this command
  4. ...

Any thoughts on how to configure the above scenario? I'm currently using Ubuntu but I'm open to suggestions for other Linux distributions.

Bob Ortiz

1 Answer

Most networking-related tools like ping will have an option to select the source IP they will use for outgoing connections, so for example with ping you can use `ping -I IP-B`.

For all traffic to use IP-B you will need to adjust the primary/first IP of the interface that your default route points to, so that it is IP-B. What Linux does is look up a route for your destination, say 8.8.8.8, see that the default route is the one to take in this case, and then, if the source of the packet is unspecified (i.e. 0.0.0.0), substitute that with the primary IP of the interface that points to that destination.

However, if what you ultimately want to achieve is finer-grained control of the source IP for any traffic originating on your server, you will want to read the Linux Advanced Routing & Traffic Control HOWTO and also look for examples of how to combine this with netfilter/iptables fwmark to manipulate which routing table to look into based on firewall rules. That will allow you to route traffic category B out via a default route that has the B IP set as its source, and so forth.

The keywords to search for here are policy-based routing (PBR).

ZaphodB
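As an added example that is not part of the question or the answer above, the following script builds the policy-based routing setup the answer describes: a second routing table whose default route carries `src IP-B`, an `ip rule` that sends fwmark-ed packets to that table, and an iptables mangle rule that sets the mark. It also adds the inbound rules for the question's goal (only ports 22 and 443 reach IP-A, nothing reaches IP-B). All addresses are constructed from the RFC 5737 documentation range; the interface name, gateway, table number, mark value and the `egress` user account (used with the iptables `owner` match to pick "specific commands" by running them as that user) are assumptions. By default the script only prints the plan; `APPLY=1` executes it as root.

```shell
#!/bin/sh
# Added example: policy-based routing so that traffic carrying fwmark 0x1 leaves
# from IP-B while everything else keeps IP-A. Values below are constructed/assumed.
set -eu

IFACE="eth0"                 # assumption: single interface holding both addresses
GATEWAY="203.0.113.1"        # constructed gateway address
IP_A="203.0.113.10"          # constructed: management address (sshd/https listen here)
IP_B="203.0.113.11"          # constructed: egress-only address
TABLE="100"                  # assumed routing table id for marked traffic
MARK="0x1"                   # assumed fwmark value
EGRESS_USER="egress"         # assumed unprivileged account whose processes egress via IP-B
APPLY="${APPLY:-0}"          # APPLY=1 executes the commands; otherwise they are printed

# Print a command, or execute it when APPLY=1. Keeping the plan printable lets
# the rule set be reviewed before it touches a live host.
run() {
    if [ "$APPLY" = "1" ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

# Egress policy: marked packets consult table $TABLE, whose only default route
# names IP_B as the source address, so the kernel no longer falls back to the
# interface's primary address.
pbr_plan() {
    run ip route add default via "$GATEWAY" dev "$IFACE" src "$IP_B" table "$TABLE"
    run ip rule add fwmark "$MARK" lookup "$TABLE"
    run iptables -t mangle -A OUTPUT -m owner --uid-owner "$EGRESS_USER" -j MARK --set-mark "$MARK"
}

# Inbound policy: replies to our own connections are allowed, IP_A accepts only
# SSH and HTTPS, and IP_B answers nothing at all.
inbound_plan() {
    run iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A INPUT -d "$IP_A" -p tcp -m multiport --dports 22,443 -j ACCEPT
    run iptables -A INPUT -d "$IP_B" -j DROP
}

# Verification: ask the kernel which source address a marked packet to a public
# destination would use. With the plan applied, the output should contain "src IP_B".
verify_plan() {
    run ip route get 8.8.8.8 mark "$MARK"
}

# Convenience: run a command as the egress user so that its packets get marked.
# Example (after APPLY=1): egress_run ping -c 1 example.com
egress_run() {
    run sudo -u "$EGRESS_USER" "$@"
}

pbr_plan
inbound_plan
verify_plan
```

Services that must stay reachable only on IP-A should also be bound explicitly (for example `ListenAddress 203.0.113.10` in `sshd_config`), so that the DROP rule for IP-B is a second layer rather than the only one. The `owner` match works for locally generated packets only, which is exactly the case here; additional addresses (IP-C, IP-D, ...) follow the same pattern with their own table, mark and user.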