You need to SNAT the outbound traffic on eth0 and eth2 to use the interface address that the packets leave from.

On 31/07/2021 02:27, Konstantin Boyandin via CentOS wrote:
> Hello!
>
> Given: a CentOS 8-powered computer with three network adapters.
>
> eth0, eth2: external, connected to two different ISPs
> eth1: faces home network (intranet)
>
> The task: allow accessing certain internal services from either ISP.
> There are several services, I only mention SSH below.
>
> In the configs below:
> IP1: external IP at first ISP (ISP1), assigned to eth0
> Gateway1: IP of gateway provided by ISP1
> Network1,Netmask1: related to IP1
> IP2: external IP at second ISP (ISP2), assigned to eth2
> Gateway2: IP of gateway provided by ISP2
> Network2,Netmask2: related to IP2
> LocalSSHIP: IP in intranet (eth1) where SSH server is running
>
> Current configs follow. Routing tables:
>
> echo "200 isp1" >> /etc/iproute2/rt_tables
> echo "201 isp2" >> /etc/iproute2/rt_tables
>
> Routing policies:
> /etc/sysconfig/network-scripts/route-eth0
>
> Network1 dev eth0 src IP1 table isp1
> default via Gateway1 dev eth0 table isp1
>
> /etc/sysconfig/network-scripts/route-eth2
>
> Network2 dev eth2 src IP2 table isp2
> default via Gateway2 dev eth2 table isp2
>
> Routing rules:
> /etc/sysconfig/network-scripts/rule-eth0
>
> from IP1/32 table isp1
>
> /etc/sysconfig/network-scripts/rule-eth2
>
> from IP2/32 table isp2
>
> iptables snippets. External traffic forwarded to local SSH server from
> both interfaces:
>
> iptables -A PREROUTING -t nat -i eth0 -p tcp -d IP1 --dport 22 -j DNAT --to LocalSSHIP:22
> iptables -A PREROUTING -t nat -i eth2 -p tcp -d IP2 --dport 22 -j DNAT --to LocalSSHIP:22
> iptables -A FORWARD -p tcp -d LocalSSHIP --dport 22 -j ACCEPT
>
> eth0 is default gateway:
> $ ip route
>
> default via Gateway1 dev eth0 proto static metric 100
> default via Gateway2 dev eth2 proto static metric 101
> ...
>
> $ ip rule
>
> 0: from all lookup local
> 32764: from IP2 lookup isp2
> 32765: from IP1 lookup isp1
> 32766: from all lookup main
> 32767: from all lookup default
>
> SNAT is applied for the traffic originating from eth1:
>
> iptables -t nat -A POSTROUTING -i eth1 -o eth0 -j SNAT --to-source IP1
>
> Current situation:
>
> - All services forwarded from eth0 are working normally.
> - All traffic originating from intranet passes out and back normally.
> - All the attempts to access services from eth2 time out.
>
> There are no obvious hints in /var/log/messages (such as complaints
> about "martian IPs").
>
> I am somewhat at a loss here, all the pieces of advice would be very
> welcome.