== Isolating network interfaces on Linux Consider a not entirely hypothetical situation: you have an office machine that serves as one end of a [[GRE tunnel GREThingsLearned]], and, in addition to its official network interface, has a fluctuating number of secondary interfaces on various internal VLANs for testing, debugging, and so on. The simple approach for such a machine is to just turn on global IP forwarding and cross your fingers that no one will decide to make the machine their gateway (apart from the GRE link). But this is not ideal; if nothing else, it may alarm coworkers that you have an unofficial router on the network. What we really want to do is to isolate the secondary interfaces, making it so that we won't forward their packets and we won't forward packets to them for other people. The first part is [[selective IP forwarding IpForwardingSettings]]; just turn forwarding on only for _eth0_ and the GRE tunnel. The easiest way to do the second part is to use some policy based routing. For my office machine, I decided to simplify things by declaring that the GRE tunnel was allowed to reach everything and thus only traffic from _eth0_ needed to be restricted. First we need to add a routing table for the non-local routes that _eth0_ is allowed to use, ie the target of the GRE link: > _ip route add ~~R~~ dev GRE table 10_ (Here ~~R~~ is the remote IP and _GRE_ is the GRE tunnel device. You may want to add a '_src ~~LOCAL-IP~~_' as well.) Next we need some rules to restrict _eth0_ traffic: > _ip rule add iif eth0 priority 5000 table 10_ \\ > _ip rule add type blackhole iif eth0 priority 5001_ Translated, this drops any traffic from _eth0_ that isn't going to the remote end of the GRE tunnel, exactly as if that interface didn't do IP forwarding. (Packets to the machine itself are dealt with by an earlier, default _ip rule_.) This is not complete isolation, because we have not given the machine a [[dual identity DualIdentityRouting]] for its own traffic. In my situation this is basically harmless, so I haven't gone to the extra effort.