Totally isolate two interfaces -Linux

Question

I'm a bit embarrassed but I need your help.

I have three interfaces on a virtual machines. I want to completely isolate my interfaces between them. I created one route table for each interface:

    inet 192.168.1.100/24 brd 192.168.1.255 scope global ens192
3: ens224: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    inet 192.168.10.100/24 brd 192.168.10.255 scope global ens224
4: ens256: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    inet 192.168.20.100/24 brd 192.168.20.255 scope global ens256
Network interface exemple:
        up /sbin/ip route add default via 192.168.10.1 dev ens224 table in
        up /sbin/ip rule add from 192.168.10.100/32 table  in
        post-down /sbin/ip rule del from 192.168.10.100/32 table  in
        post-down /sbin/ip route del default via 192.168.10.1 dev ens224 table  in

But when I try to telnet or ping or whatever from one interface to another one, all the traffic go through the loopback. Is there a way to correct that?

Answer 1

As per this answer, you can use the -I flag to specify an interface for ping to use.

Also, unless you enable net.ipv4.ip_forward in sysctl, the interfaces won't route between them. You can mitigate this further by dropping all FORWARD traffic with iptables.

If you wanted to further isolate the interfaces then I expect you could use iptables to drop traffic that has the inbound and outbound interfaces different, something like:

iptables -A OUTPUT -i ens192 -o ens224 -j DROP
iptables -A OUTPUT -i ens192 -o ens256 -j DROP
... etc for other permutations of the 3 interfaces ...

Without understanding the problem space more, that's the best answer I can give.