Forwarding not working in FC9 but ip forward is turned on

Kevin Martin kevintm at ameritech.net
Mon Sep 22 23:05:39 UTC 2008



ppps wrote:
> Hi Kevin, here is the information
>
> Information from FIREWALL
> -------------------------
> [root@marte ~]# ifconfig
> eth4      Link encap:Ethernet  HWaddr 00:19:D1:8C:02:5E
>           inet addr:192.168.5.254  Bcast:192.168.5.255  Mask:255.255.255.0
>           inet6 addr: fe80::219:d1ff:fe8c:25e/64 Scope:Link
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>           RX packets:101 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:261 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:100
>           RX bytes:7212 (7.0 KiB)  TX bytes:18747 (18.3 KiB)
>           Memory:52200000-52220000
>
> eth5      Link encap:Ethernet  HWaddr 00:0A:5E:78:C4:8C
>           inet addr:192.168.1.231  Bcast:192.168.1.255  Mask:255.255.255.0
>           inet6 addr: fe80::20a:5eff:fe78:c48c/64 Scope:Link
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>           RX packets:9091 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:412 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:1000
>           RX bytes:861240 (841.0 KiB)  TX bytes:43976 (42.9 KiB)
>           Interrupt:18 Base address:0x4900
>
> eth6      Link encap:Ethernet  HWaddr 00:0A:5E:79:81:85
>           inet addr:192.168.10.250  Bcast:192.168.10.255  Mask:255.255.255.0
>           inet6 addr: fe80::20a:5eff:fe79:8185/64 Scope:Link
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>           RX packets:550 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:138 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:1000
>           RX bytes:65826 (64.2 KiB)  TX bytes:11900 (11.6 KiB)
>           Interrupt:22 Base address:0xc980
>
> lo        Link encap:Local Loopback
>           inet addr:127.0.0.1  Mask:255.0.0.0
>           inet6 addr: ::1/128 Scope:Host
>           UP LOOPBACK RUNNING  MTU:16436  Metric:1
>           RX packets:13 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:13 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:0
>           RX bytes:1104 (1.0 KiB)  TX bytes:1104 (1.0 KiB)
>
> [root@marte ~]# netstat -nr
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
> 192.168.5.0     0.0.0.0         255.255.255.0   U         0 0          0 eth4
> 192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth5
> 192.168.10.0    0.0.0.0         255.255.255.0   U         0 0          0 eth6
> 169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 eth6
>
> [root@marte ~]# cat /proc/sys/net/ipv4/ip_forward
> 1
> [root@marte ~]# cat /etc/selinux/config
>
> # This file controls the state of SELinux on the system.
> # SELINUX= can take one of these three values:
> #       enforcing - SELinux security policy is enforced.
> #       permissive - SELinux prints warnings instead of enforcing.
> #       disabled - No SELinux policy is loaded.
> SELINUX=disabled
> # SELINUXTYPE= can take one of these two values:
> #       targeted - Targeted processes are protected,
> #       mls - Multi Level Security protection.
> SELINUXTYPE=targeted
>
> [root@marte ~]# iptables -L -n -v
> Chain INPUT (policy ACCEPT 1758 packets, 182K bytes)
>  pkts bytes target     prot opt in     out     source               destination
>
> Chain FORWARD (policy ACCEPT 89 packets, 6036 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>
> Chain OUTPUT (policy ACCEPT 600 packets, 69134 bytes)
>  pkts bytes target     prot opt in     out     source               destination
> [root@marte ~]# iptables -L -n -v -t nat
> Chain PREROUTING (policy ACCEPT 1006 packets, 135K bytes)
>  pkts bytes target     prot opt in     out     source               destination
>
> Chain POSTROUTING (policy ACCEPT 92 packets, 6288 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>
> Chain OUTPUT (policy ACCEPT 4 packets, 312 bytes)
>  pkts bytes target     prot opt in     out     source               destination
> [root@marte ~]# iptables -L -n -v -t nat -t mangle
> Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>
> Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>
> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>
> Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>
> Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>
> [root@marte ~]# traceroute 192.168.5.1
> traceroute to 192.168.5.1 (192.168.5.1), 30 hops max, 40 byte packets
>  1  * * *
>  2   (192.168.5.1)  0.928 ms  0.915 ms  0.296 ms
> [root@marte ~]# traceroute 192.168.1.231
> traceroute to 192.168.1.231 (192.168.1.231), 30 hops max, 40 byte packets
>  1   (192.168.1.231)  0.054 ms  0.024 ms  0.022 ms
> [root@marte ~]# traceroute 192.168.10.20
> traceroute to 192.168.10.20 (192.168.10.20), 30 hops max, 40 byte packets
>  1  * * *
>  2  * * *
>  3  * * *
>  4  * * *
>  5  * * *
>  6  * * *
>  7  * * *
>  8  * * *
>  9  * * *
> 10  * * *
> 11  * * *
> 12  * * *
> 13  * * *
> 14  * * *
> 15  * * *
> 16  * * *
> 17  * * *
> 18  * * *
> 19  * * *
> 20  * * *
> 21  * * *
> 22  * * *
> 23  * * *
> 24  * * *
> 25  * * *
> 26  * * *
> 27  * * *
> 28  * * *
> 29  * * *
> 30  * * *
> [root@marte ~]# cat /etc/sysctl.conf
> # Kernel sysctl configuration file for Red Hat Linux
> #
> # For binary values, 0 is disabled, 1 is enabled.  See sysctl(8) and
> # sysctl.conf(5) for more details.
>
> # Controls IP packet forwarding
> net.ipv4.ip_forward = 1
>
> # Controls source route verification (1)
> net.ipv4.conf.default.rp_filter = 1
>
> # Do not accept source routing (0)
> net.ipv4.conf.default.accept_source_route = 1
>
> # Controls the System Request debugging functionality of the kernel
> kernel.sysrq = 1
>
> # Controls whether core dumps will append the PID to the core filename.
> # Useful for debugging multi-threaded applications.
> kernel.core_uses_pid = 1
>
> # Controls the use of TCP syncookies
> net.ipv4.tcp_syncookies = 1
>
> net.ipv4.conf.all.disable_policy = 1
> net.ipv4.conf.default.proxy_arp = 0
> net.ipv4.conf.all.send_redirects=0
> net.ipv4.icmp_echo_ignore_broadcasts=1
> net.ipv4.conf.default.forwarding=1
>
> [root@marte ~]# tcpdump -i any -n -nn -vvv host 192.168.5.1
> tcpdump: WARNING: Promiscuous mode not supported on the "any" device
> tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 96 bytes
> 22:26:39.695282 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84) 192.168.5.254 > 192.168.5.1: ICMP echo request, id 35866, seq 1,length 64
> 22:26:39.696469 arp who-has 192.168.5.254 tell 192.168.5.1
> 22:26:39.696482 arp reply 192.168.5.254 is-at 00:19:d1:8c:02:5e
> 22:26:39.697161 IP (tos 0x0, ttl 254, id 764, offset 0, flags [none], proto ICMP (1), length 84) 192.168.5.1 > 192.168.5.254: ICMP echo reply, id 35866, seq1, length 64
> 22:26:40.696497 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84) 192.168.5.254 > 192.168.5.1: ICMP echo request, id 35866, seq 2,length 64
> 22:26:40.697511 IP (tos 0x0, ttl 254, id 765, offset 0, flags [none], proto ICMP (1), length 84) 192.168.5.1 > 192.168.5.254: ICMP echo reply, id 35866, seq2, length 64
> 22:26:41.697492 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84) 192.168.5.254 > 192.168.5.1: ICMP echo request, id 35866, seq 3,length 64
> 22:26:41.698544 IP (tos 0x0, ttl 254, id 766, offset 0, flags [none], proto ICMP (1), length 84) 192.168.5.1 > 192.168.5.254: ICMP echo reply, id 35866, seq3, length 64
> ^C
> 8 packets captured
> 9 packets received by filter
> 0 packets dropped by kernel
> [root@marte ~]# tcpdump -i any -n -nn -vvv host 192.168.10.20
> tcpdump: WARNING: Promiscuous mode not supported on the "any" device
> tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 96 bytes
> 22:27:39.709227 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84) 192.168.10.250 > 192.168.10.20: ICMP echo request, id 36634, seq1, length 64
> 22:27:40.708502 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84) 192.168.10.250 > 192.168.10.20: ICMP echo request, id 36634, seq2, length 64
> 22:27:41.708498 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84) 192.168.10.250 > 192.168.10.20: ICMP echo request, id 36634, seq3, length 64
> 22:27:42.708499 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84) 192.168.10.250 > 192.168.10.20: ICMP echo request, id 36634, seq4, length 64
> 22:27:43.708490 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84) 192.168.10.250 > 192.168.10.20: ICMP echo request, id 36634, seq5, length 64
> ^C
> 5 packets captured
> 6 packets received by filter
> 0 packets dropped by kernel
> [root@marte ~]# tcpdump -i any -n -nn -vvv host 192.168.10.20
> tcpdump: WARNING: Promiscuous mode not supported on the "any" device
> tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 96 bytes
> 22:28:57.035666 IP (tos 0x0, ttl 128, id 549, offset 0, flags [none], proto ICMP (1), length 60) 192.168.10.20 > 192.168.5.1: ICMP echo request, id 512, seq17664, length 40
> 22:28:57.035865 IP (tos 0x0, ttl 127, id 549, offset 0, flags [none], proto ICMP (1), length 60) 192.168.10.20 > 192.168.5.1: ICMP echo request, id 512, seq17664, length 40
> 22:29:02.075864 IP (tos 0x0, ttl 128, id 550, offset 0, flags [none], proto ICMP (1), length 60) 192.168.10.20 > 192.168.5.1: ICMP echo request, id 512, seq17920, length 40
> 22:29:02.075885 IP (tos 0x0, ttl 127, id 550, offset 0, flags [none], proto ICMP (1), length 60) 192.168.10.20 > 192.168.5.1: ICMP echo request, id 512, seq17920, length 40
> ^C
> 4 packets captured
> 5 packets received by filter
> 0 packets dropped by kernel
> [root@marte ~]# tcpdump -i any -n -nn -vvv host 192.168.10.250
> tcpdump: WARNING: Promiscuous mode not supported on the "any" device
> tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 96 bytes
> 22:30:06.150282 IP (tos 0x0, ttl 128, id 552, offset 0, flags [none], proto ICMP (1), length 60) 192.168.10.20 > 192.168.10.250: ICMP echo request, id 512, seq 18176, length 40
> 22:30:06.150494 IP (tos 0x0, ttl 64, id 57368, offset 0, flags [none], proto ICMP (1), length 60) 192.168.10.250 > 192.168.10.20: ICMP echo reply, id 512, seq 18176, length 40
> 22:30:07.136361 IP (tos 0x0, ttl 128, id 553, offset 0, flags [none], proto ICMP (1), length 60) 192.168.10.20 > 192.168.10.250: ICMP echo request, id 512, seq 18432, length 40
> 22:30:07.136386 IP (tos 0x0, ttl 64, id 57369, offset 0, flags [none], proto ICMP (1), length 60) 192.168.10.250 > 192.168.10.20: ICMP echo reply, id 512, seq 18432, length 40
> 22:30:08.136321 IP (tos 0x0, ttl 128, id 554, offset 0, flags [none], proto ICMP (1), length 60) 192.168.10.20 > 192.168.10.250: ICMP echo request, id 512, seq 18688, length 40
> 22:30:08.136343 IP (tos 0x0, ttl 64, id 57370, offset 0, flags [none], proto ICMP (1), length 60) 192.168.10.250 > 192.168.10.20: ICMP echo reply, id 512, seq 18688, length 40
> 22:30:09.136300 IP (tos 0x0, ttl 128, id 555, offset 0, flags [none], proto ICMP (1), length 60) 192.168.10.20 > 192.168.10.250: ICMP echo request, id 512, seq 18944, length 40
> 22:30:09.136324 IP (tos 0x0, ttl 64, id 57371, offset 0, flags [none], proto ICMP (1), length 60) 192.168.10.250 > 192.168.10.20: ICMP echo reply, id 512, seq 18944, length 40
> 22:30:11.149463 arp who-has 192.168.10.20 tell 192.168.10.250
> 22:30:11.149845 arp reply 192.168.10.20 is-at 00:1c:c0:6c:12:27
> ^C
> 10 packets captured
> 14 packets received by filter
> 0 packets dropped by kernel
> [root@marte ~]#
> Information from PC client from LAN 192.168.1.0
> -----------------------------------------------
> [root@localhost ~]# ifconfig
> eth0      Link encap:Ethernet  HWaddr 00:1F:C6:38:B1:C5  
>           inet addr:192.168.1.201  Bcast:192.168.1.255  Mask:255.255.255.0
>           inet6 addr: fe80::21f:c6ff:fe38:b1c5/64 Scope:Link
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>           RX packets:87616 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:66320 errors:0 dropped:0 overruns:0 carrier:6
>           collisions:0 txqueuelen:1000 
>           RX bytes:92023721 (87.7 MiB)  TX bytes:0 (0.0 b)
>           Memory:feac0000-feb00000 
>
> lo        Link encap:Local Loopback  
>           inet addr:127.0.0.1  Mask:255.0.0.0
>           inet6 addr: ::1/128 Scope:Host
>           UP LOOPBACK RUNNING  MTU:16436  Metric:1
>           RX packets:166 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:166 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:0 
>           RX bytes:8700 (8.4 KiB)  TX bytes:8700 (8.4 KiB)
>
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
> 192.168.1.0     *               255.255.255.0   U         0 0          0 eth0
> link-local      *               255.255.0.0     U         0 0          0 eth0
> default         192.168.1.231   0.0.0.0         UG        0 0          0 eth0
>
> [root@localhost ~]# traceroute 192.168.1.231
> traceroute to 192.168.1.231 (192.168.1.231), 30 hops max, 40 byte packets
>  1  192.168.1.231 (192.168.1.231)  0.463 ms  0.371 ms  0.337 ms
>
> [root@localhost ~]# traceroute 192.168.5.1
> traceroute to 192.168.5.1 (192.168.5.1), 30 hops max, 40 byte packets
>  1   (192.168.1.231)  0.478 ms  0.409 ms  0.373 ms
>  2  * * *
>  3  * * *
>  4  * * *
>  5  * * *
>  6  * * *
>  7  * * *
>  8  * * *
>  9  * * *
> 10  * * *
> 11  * * *
> 12  * * *
> 13  * * *
> 14  * * *
> 15  * * *
> 16  * * *
> 17  * * *
> 18  * * *
> 19  * * *
> 20  * * *
> 21  * * *
> 22  * * *
> 23  * * *
> 24  * * *
> 25  * * *
> 26  * * *
> 27  * * *
> 28  * * *
> 29  * * *
> 30  * * *
>
> [root@localhost ~]# traceroute 192.168.5.254
> traceroute to 192.168.5.254 (192.168.5.254), 30 hops max, 40 byte packets
>  1   (192.168.5.254)  0.467 ms  0.392 ms  0.325 ms
>
First off, what is that extra netstat -rn entry for eth6
(169.254.0.0...looks like some Windows default garbage)?  Can't help but
wonder what that's doing to routing to the 192.168.10 network on the
machine.

Next, why do you get two different traceroute results when you
traceroute host 192.168.10.20 as shown below (doesn't make any sense)?:

[root@marte ~]# tcpdump -i any -n -nn -vvv host 192.168.10.20
tcpdump: WARNING: Promiscuous mode not supported on the "any" device
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 96 bytes
22:27:39.709227 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84) 192.168.10.250 > 192.168.10.20: ICMP echo request, id 36634, seq1, length 64
22:27:40.708502 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84) 192.168.10.250 > 192.168.10.20: ICMP echo request, id 36634, seq2, length 64
22:27:41.708498 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84) 192.168.10.250 > 192.168.10.20: ICMP echo request, id 36634, seq3, length 64
22:27:42.708499 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84) 192.168.10.250 > 192.168.10.20: ICMP echo request, id 36634, seq4, length 64
22:27:43.708490 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84) 192.168.10.250 > 192.168.10.20: ICMP echo request, id 36634, seq5, length 64
^C
5 packets captured
6 packets received by filter
0 packets dropped by kernel
[root@marte ~]# tcpdump -i any -n -nn -vvv host 192.168.10.20
tcpdump: WARNING: Promiscuous mode not supported on the "any" device
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 96 bytes
22:28:57.035666 IP (tos 0x0, ttl 128, id 549, offset 0, flags [none], proto ICMP (1), length 60) 192.168.10.20 > 192.168.5.1: ICMP echo request, id 512, seq17664, length 40
22:28:57.035865 IP (tos 0x0, ttl 127, id 549, offset 0, flags [none], proto ICMP (1), length 60) 192.168.10.20 > 192.168.5.1: ICMP echo request, id 512, seq17664, length 40
22:29:02.075864 IP (tos 0x0, ttl 128, id 550, offset 0, flags [none], proto ICMP (1), length 60) 192.168.10.20 > 192.168.5.1: ICMP echo request, id 512, seq17920, length 40
22:29:02.075885 IP (tos 0x0, ttl 127, id 550, offset 0, flags [none], proto ICMP (1), length 60) 192.168.10.20 > 192.168.5.1: ICMP echo request, id 512, seq17920, length 40


Try your tcpdumps with the actual interfaces that you expect results on
(eth4, 5, or 6) when you are running traceroutes/pings to boxes on the
different networks and see what results you see.  Also, you had a
traceroute on marte that went to 192.168.1.231, which is one of marte's
interface addresses... that doesn't help much.  A traceroute through that
interface off-box would help more.

What does "arp" show?

Kevin
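An added example, written for this archive page and not part of either poster's message, that turns two of the checks above into something repeatable: reading a `tcpdump -i any` capture from the forwarding box, and auditing the quoted /etc/sysctl.conf against a forwarding baseline. On a host that forwards, the cooked "any" socket sees a transit packet twice, once as received on the ingress interface and once as sent on the egress interface with the TTL decremented by one; that is what the paired ttl 128 / ttl 127 lines in the capture above show, and the missing echo reply is then a return-path question rather than a forwarding one. The sample capture and sysctl lines below are constructed from the values quoted in the thread, and the `BASELINE` dictionary is my own assumed hardening baseline, not anything the thread specifies; it flags, among other things, that the quoted sysctl.conf sets `accept_source_route = 1` directly under a comment saying it should be 0.

```python
import re

# Constructed sample modelled on the thread's `tcpdump -i any` output (abridged).
# The request 192.168.10.20 -> 192.168.5.1 appears twice (ttl 128, then 127) and
# gets no reply; the request to marte's own address 192.168.10.250 is answered.
SAMPLE_CAPTURE = """\
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 96 bytes
22:28:57.035666 IP (tos 0x0, ttl 128, id 549, offset 0, flags [none], proto ICMP (1), length 60) 192.168.10.20 > 192.168.5.1: ICMP echo request, id 512, seq17664, length 40
22:28:57.035865 IP (tos 0x0, ttl 127, id 549, offset 0, flags [none], proto ICMP (1), length 60) 192.168.10.20 > 192.168.5.1: ICMP echo request, id 512, seq17664, length 40
22:30:06.150282 IP (tos 0x0, ttl 128, id 552, offset 0, flags [none], proto ICMP (1), length 60) 192.168.10.20 > 192.168.10.250: ICMP echo request, id 512, seq 18176, length 40
22:30:06.150494 IP (tos 0x0, ttl 64, id 57368, offset 0, flags [none], proto ICMP (1), length 60) 192.168.10.250 > 192.168.10.20: ICMP echo reply, id 512, seq 18176, length 40
22:30:11.149463 arp who-has 192.168.10.20 tell 192.168.10.250
"""

# Matches the -vvv ICMP echo lines; "seq17664" and "seq 18176" both occur in the thread.
PKT_RE = re.compile(
    r"^(?P<ts>\S+) IP \(tos \S+, ttl (?P<ttl>\d+), id (?P<ipid>\d+),.*?\) "
    r"(?P<src>[\d.]+) > (?P<dst>[\d.]+): ICMP echo (?P<kind>request|reply), "
    r"id (?P<icmpid>\d+), seq ?(?P<seq>\d+)"
)


def parse_capture(text):
    """Return one dict per ICMP echo line; banners and ARP lines are skipped."""
    pkts = []
    for line in text.splitlines():
        m = PKT_RE.match(line)
        if m:
            d = m.groupdict()
            for k in ("ttl", "ipid", "icmpid", "seq"):
                d[k] = int(d[k])
            pkts.append(d)
    return pkts


def analyse_echo(pkts):
    """For each echo request (src, dst, icmp id, seq): was it forwarded by this box
    (same IP id seen twice, TTL one lower the second time) and was a reply captured?"""
    requests, replies = {}, set()
    for p in pkts:
        key = (p["src"], p["dst"], p["icmpid"], p["seq"])
        if p["kind"] == "reply":
            replies.add(key)
            continue
        e = requests.setdefault(key, {"ttls": [], "ipids": set()})
        e["ttls"].append(p["ttl"])
        e["ipids"].add(p["ipid"])
    result = {}
    for (src, dst, icmpid, seq), e in requests.items():
        ttls = e["ttls"]
        forwarded = len(ttls) >= 2 and len(e["ipids"]) == 1 and ttls[0] - ttls[-1] == 1
        answered = (dst, src, icmpid, seq) in replies
        result[(src, dst, icmpid, seq)] = {"forwarded": forwarded, "answered": answered}
    return result


# Constructed from the sysctl.conf quoted in the thread (comments kept where relevant).
SAMPLE_SYSCTL = """\
# Controls IP packet forwarding
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 1
# Do not accept source routing (0)
net.ipv4.conf.default.accept_source_route = 1
net.ipv4.conf.all.send_redirects=0
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.conf.default.forwarding=1
"""

# Assumed baseline for a forwarding box (my choice, not from the thread).
BASELINE = {
    "net.ipv4.ip_forward": "1",
    "net.ipv4.conf.all.accept_source_route": "0",
    "net.ipv4.conf.default.accept_source_route": "0",
    "net.ipv4.conf.all.send_redirects": "0",
    "net.ipv4.icmp_echo_ignore_broadcasts": "1",
}


def parse_sysctl(text):
    """Parse `key = value` / `key=value` lines, ignoring comments and blanks."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            k, v = line.split("=", 1)
            settings[k.strip()] = v.strip()
    return settings


def audit_sysctl(settings, baseline=BASELINE):
    """Return (key, actual, wanted) for each baseline key that is missing or differs."""
    return [(k, settings.get(k), want) for k, want in baseline.items()
            if settings.get(k) != want]


if __name__ == "__main__":
    for key, verdict in analyse_echo(parse_capture(SAMPLE_CAPTURE)).items():
        print(key, verdict)
    for finding in audit_sysctl(parse_sysctl(SAMPLE_SYSCTL)):
        print("sysctl mismatch:", finding)
```

Per-interface captures, as suggested above, separate the two copies that `-i any` merges: the ttl 128 copy should appear on eth6 and the ttl 127 copy on eth4. Note that `conf.all.*` and `conf.default.*` are distinct knobs (the latter only seeds interfaces created later), which is why the audit asks for both source-route settings.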



