Configure an Ubuntu ethernet interface for inbound-only connection

Question

I'm trying to diagnose a connectivity problem on a headless ubuntu (16.04) server so I have a second ethernet interface (call it "eth1"), and I can use that to start a terminal ssh session from my laptop. What's the best way to disable outbound connections on that interface so that the terminal still works, but outbound requests will only go to the other interface that I am debugging?

I feel like a ufw rule to drop outbound packets is not the right answer, because the tcp/ip stack will still try to use the known good eth1 interface and it will just have it's packets discarded, and not necessarily reroute to eth0 where I want the traffic to go.

output of ip a s

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: enp6s0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN group default qlen 1000
    link/ether 40:8d:5c:14:04:e3 brd ff:ff:ff:ff:ff:ff
3: wlp7s0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN group default qlen 1000
    link/ether 48:51:b7:84:10:66 brd ff:ff:ff:ff:ff:ff
4: enx0050b6294caf: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:50:b6:29:4c:af brd ff:ff:ff:ff:ff:ff
    inet 10.2.10.102/24 brd 10.2.10.255 scope global dynamic enx0050b6294caf
       valid_lft 4183sec preferred_lft 4183sec
    inet6 fe80::b104:ac65:6a10:caf1/64 scope link
       valid_lft forever preferred_lft forever
5: enx0050b6b50965: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:50:b6:b5:09:65 brd ff:ff:ff:ff:ff:ff
    inet 10.3.10.100/24 brd 10.3.10.255 scope global dynamic enx0050b6b50965
       valid_lft 6832sec preferred_lft 6832sec
    inet6 fe80::5809:6749:217a:20dc/64 scope link
       valid_lft forever preferred_lft forever
6: enx0050b6b50963: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:50:b6:b5:09:63 brd ff:ff:ff:ff:ff:ff
    inet 10.1.10.207/24 brd 10.1.10.255 scope global enx0050b6b50963
       valid_lft forever preferred_lft forever
    inet6 2603:3024:20b:2200:2565:531b:cc3c:2128/64 scope global temporary dynamic
       valid_lft 318817sec preferred_lft 18007sec
    inet6 2603:3024:20b:2200:250:b6ff:feb5:963/64 scope global mngtmpaddr dynamic
       valid_lft 318817sec preferred_lft 318817sec
    inet6 fe80::250:b6ff:feb5:963/64 scope link
       valid_lft forever preferred_lft forever
7: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
    link/ether 02:42:9a:df:18:e8 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever

output of ip r s

default via 10.2.10.10 dev enx0050b6294caf  proto static  metric 100
default via 10.3.10.10 dev enx0050b6b50965  proto static  metric 101
default via 10.1.10.1 dev enx0050b6b50963  metric 800
10.1.10.0/24 dev enx0050b6b50963  proto kernel  scope link  src 10.1.10.207
10.2.10.0/24 dev enx0050b6294caf  proto kernel  scope link  src 10.2.10.102  metric 100
10.3.10.0/24 dev enx0050b6b50965  proto kernel  scope link  src 10.3.10.100  metric 100
169.254.0.0/16 dev enx0050b6294caf  scope link  metric 1000
172.17.0.0/16 dev docker0  proto kernel  scope link  src 172.17.0.1 linkdown

I set a metric of 1000 for that interface, which may be good enough for now, but I'd rather seal it off completely — WiringHarness, Dec 19 '19 at 01:56
Can you add the output of `ip a s` and `ip r s` to your post? — fukawi2, Dec 19 '19 at 04:22

Configure an Ubuntu ethernet interface for inbound-only connection

0 Answers0