Dear All,
I'm facing this routing problem. The setup is actually part of LTSP, but I think this problem is CentOS-specific.
The server is a Dell Poweredge R210. The install is standard 6.4, updated.
I have one nic facing the public internet:
vi /etc/sysconfig/network-scripts/ifcfg-em1
DEVICE=em1
BOOTPROTO=none
HWADDR=d4:ae:52:c1:28:2b
NM_CONTROLLED=no
ONBOOT=yes
TYPE=Ethernet
UUID="cdfe1d58-c56c-47fc-8a93-5df2e168d176"
IPV6INIT=no
USERCTL=no
DNS2=195.238.2.22
DNS1=192.168.66.1
IPADDR=192.168.66.5
NETMASK=255.255.255.128
GATEWAY=192.168.66.1
and one NIC serving the LAN and dhcpd.
vi /etc/sysconfig/network-scripts/ifcfg-em2
DEVICE=em2
BOOTPROTO=none
HWADDR=d4:ae:52:c1:28:2c
NM_CONTROLLED=no
ONBOOT=yes
TYPE=Ethernet
UUID="e72a17b6-fb5f-43f0-9136-fa4d92b542ae"
IPADDR=192.168.70.129
NETMASK=255.255.255.128
IPV6INIT=no
USERCTL=no
In iptables, prerouting and masquerading are configured:
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth+ -j MASQUERADE
-A POSTROUTING -o em2 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth+ -j ACCEPT
-A INPUT -i em2 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -p icmp -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -i eth+ -j ACCEPT
-A FORWARD -i em2 -j ACCEPT
-A FORWARD -o eth+ -j ACCEPT
-A FORWARD -o em2 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
and in /etc/sysctl.conf
IP forwarding is set to 1:
# Kernel sysctl configuration file for Red Hat Linux
#
# For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and
# sysctl.conf(5) for more details.

# Controls IP packet forwarding
net.ipv4.ip_forward = 1
Clients get IP addresses from the DHCP server, and there's no other DHCP server on the LAN.
But clients cannot ping the public internet, e.g. 8.8.8.8.
The only EM I'm seeing is when executing this command:
[root@centoshofkwartier ~]# sysctl -p /etc/sysctl.conf
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
kernel.sysrq = 0
kernel.core_uses_pid = 1
net.ipv4.tcp_syncookies = 1
error: "net.bridge.bridge-nf-call-ip6tables" is an unknown key
error: "net.bridge.bridge-nf-call-iptables" is an unknown key
error: "net.bridge.bridge-nf-call-arptables" is an unknown key
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = 68719476736
kernel.shmall = 4294967296
I switched the cables and switches, and changed the connection with the public internet.
Can anybody offer some advice on this?
Greetings, J.
Johan Vermeulen wrote:
Dear All,
I'm facing this routing problem. The setup is actually part of LTSP, but I think this problem is CentOS-specific.
The server is a Dell Poweredge R210. The install is standard 6.4, updated.
I have one nic facing the public internet:
First, we always have BOOTPROTO set - in your case, assuming you're getting em1's IP from DHCP, you should have that; in the case of em2, it's BOOTPROTO=static. As it is, I'd think (without testing) that em1 is trying to present a reserved IP to the 'Net, which is a no-no.
vi /etc/sysconfig/network-scripts/ifcfg-em1
DEVICE=em1
BOOTPROTO=none
HWADDR=d4:ae:52:c1:28:2b
NM_CONTROLLED=no
ONBOOT=yes
TYPE=Ethernet
UUID="cdfe1d58-c56c-47fc-8a93-5df2e168d176"
IPV6INIT=no
USERCTL=no
DNS2=195.238.2.22
DNS1=192.168.66.1
IPADDR=192.168.66.5
NETMASK=255.255.255.128
GATEWAY=192.168.66.1
and one NIC serving the LAN and dhcpd.
vi /etc/sysconfig/network-scripts/ifcfg-em2
DEVICE=em2
BOOTPROTO=none
HWADDR=d4:ae:52:c1:28:2c
NM_CONTROLLED=no
ONBOOT=yes
TYPE=Ethernet
UUID="e72a17b6-fb5f-43f0-9136-fa4d92b542ae"
IPADDR=192.168.70.129
NETMASK=255.255.255.128
IPV6INIT=no
USERCTL=no
<snip> Secondly, what does route show?
mark
hello Mark,
Thanks for the help. On 04-06-13 15:56, m.roth@5-cent.us wrote:
Johan Vermeulen wrote:
Dear All,
I'm facing this routing problem. The setup is actually part of LTSP, but I think this problem is CentOS-specific.
The server is a Dell Poweredge R210. The install is standard 6.4, updated.
I have one nic facing the public internet:
First, we always have BOOTPROTO set - in your case, assuming you're getting em1's IP from DHCP, you should have that; in the case of em2, it's BOOTPROTO=static. As it is, I'd think (without testing) that em1 is trying to present a reserved IP to the 'Net, which is a no-no.
both ifcfg's now have BOOTPROTO=static and I restarted network and dhcpd.
vi /etc/sysconfig/network-scripts/ifcfg-em1
DEVICE=em1
BOOTPROTO=none
HWADDR=d4:ae:52:c1:28:2b
NM_CONTROLLED=no
ONBOOT=yes
TYPE=Ethernet
UUID="cdfe1d58-c56c-47fc-8a93-5df2e168d176"
IPV6INIT=no
USERCTL=no
DNS2=195.238.2.22
DNS1=192.168.66.1
IPADDR=192.168.66.5
NETMASK=255.255.255.128
GATEWAY=192.168.66.1
and one NIC serving the LAN and dhcpd.
vi /etc/sysconfig/network-scripts/ifcfg-em2
DEVICE=em2
BOOTPROTO=none
HWADDR=d4:ae:52:c1:28:2c
NM_CONTROLLED=no
ONBOOT=yes
TYPE=Ethernet
UUID="e72a17b6-fb5f-43f0-9136-fa4d92b542ae"
IPADDR=192.168.70.129
NETMASK=255.255.255.128
IPV6INIT=no
USERCTL=no
<snip> Secondly, what does route show?
mark
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
[root@centoshofkwartier ~]# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.70.128  *               255.255.255.128 U     0      0        0 em2
192.168.66.0    *               255.255.255.128 U     0      0        0 em1
link-local      *               255.255.0.0     U     1002   0        0 em1
link-local      *               255.255.0.0     U     1003   0        0 em2
default         192.168.66.1    0.0.0.0         UG    0      0        0 em1
greetings, J.
On 06/04/2013 09:20 AM, Johan Vermeulen wrote:
Dear All,
I'm facing this routing problem. The setup is actually part of LTSP, but I think this problem is CentOS-specific.
The server is a Dell Poweredge R210. The install is standard 6.4, updated.
I have one nic facing the public internet:
vi /etc/sysconfig/network-scripts/ifcfg-em1
DEVICE=em1
BOOTPROTO=none
HWADDR=d4:ae:52:c1:28:2b
NM_CONTROLLED=no
ONBOOT=yes
TYPE=Ethernet
UUID="cdfe1d58-c56c-47fc-8a93-5df2e168d176"
IPV6INIT=no
USERCTL=no
DNS2=195.238.2.22
DNS1=192.168.66.1
IPADDR=192.168.66.5
NETMASK=255.255.255.128
GATEWAY=192.168.66.1
and one NIC serving the LAN and dhcpd.
vi /etc/sysconfig/network-scripts/ifcfg-em2
DEVICE=em2
BOOTPROTO=none
HWADDR=d4:ae:52:c1:28:2c
NM_CONTROLLED=no
ONBOOT=yes
TYPE=Ethernet
UUID="e72a17b6-fb5f-43f0-9136-fa4d92b542ae"
IPADDR=192.168.70.129
NETMASK=255.255.255.128
IPV6INIT=no
USERCTL=no
In iptables, prerouting and masquerading are configured:
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth+ -j MASQUERADE
-A POSTROUTING -o em2 -j MASQUERADE
Shouldn't this be em1?
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth+ -j ACCEPT
-A INPUT -i em2 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -p icmp -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -i eth+ -j ACCEPT
-A FORWARD -i em2 -j ACCEPT
-A FORWARD -o eth+ -j ACCEPT
-A FORWARD -o em2 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
and in /etc/sysctl.conf
IP forwarding is set to 1:
# Kernel sysctl configuration file for Red Hat Linux
#
# For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and
# sysctl.conf(5) for more details.

# Controls IP packet forwarding
net.ipv4.ip_forward = 1
Clients get IP addresses from the DHCP server, and there's no other DHCP server on the LAN.
But clients cannot ping the public internet, e.g. 8.8.8.8.
The only EM I'm seeing is when executing this command:
[root@centoshofkwartier ~]# sysctl -p /etc/sysctl.conf
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
kernel.sysrq = 0
kernel.core_uses_pid = 1
net.ipv4.tcp_syncookies = 1
error: "net.bridge.bridge-nf-call-ip6tables" is an unknown key
error: "net.bridge.bridge-nf-call-iptables" is an unknown key
error: "net.bridge.bridge-nf-call-arptables" is an unknown key
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = 68719476736
kernel.shmall = 4294967296
I switched the cables and switches, and changed the connection with the public internet.
Can anybody offer some advice on this?
Greetings, J.
On 06/04/2013 04:20 PM, Steve Clark wrote:
On 06/04/2013 09:20 AM, Johan Vermeulen wrote:
In iptables, prerouting and masquerading are configured:
# Firewall configuration written by system-config-firewall
# Manual customization of this file is not recommended.
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth+ -j MASQUERADE
-A POSTROUTING -o em2 -j MASQUERADE
Shouldn't this be em1?
Yes, -o is outgoing and it should be em1, not em2
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth+ -j ACCEPT
-A INPUT -i em2 -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -p icmp -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -i eth+ -j ACCEPT
-A FORWARD -i em2 -j ACCEPT
-A FORWARD -o eth+ -j ACCEPT
-A FORWARD -o em2 -j ACCEPT
Check if you should have this line. It has been a long time since I needed to use iptables for forwarding, but I do not remember using -A FORWARD and -o together. Do you at all need all those -A FORWARD lines for masquerading?
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
Check if you should have this line. It has been a long time since I needed to use iptables for forwarding, but I do not remember using -A FORWARD and -o together. Do you at all need all those -A FORWARD lines for masquerading?
Long time here too... But MASQUERADE on both interfaces feels wrong given what it does... Shouldn't this only be on the 'outside' of a router... Or did this change at some point in the last few years?
Long time here too... But MASQUERADE on both interfaces feels wrong given what it does... Shouldn't this only be on the 'outside' of a router... Or did this change at some point in the last few years?
That's what I get for checking mailing lists when I first wake up... The OP has eth+ lines in his iptables but the interfaces are em+
OP was this iptables generated from some sort of tool or hand crafted? I'd go back to basics personally and flush it all starting from scratch and do it properly for the system at hand...
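An added check, not code from the thread, that mechanically finds the two problems the replies above point at: MASQUERADE on em2 instead of the outside interface em1, and eth+ rules on a box whose NICs are em1/em2. It assumes the outside interface is the one whose ifcfg carries GATEWAY=; the embedded samples are the OP's values cut down to what the check reads.

```python
def parse_ifcfg(text):
    """Parse a sysconfig ifcfg file into a dict (KEY=value, quotes stripped)."""
    lines = [l.strip() for l in text.splitlines() if "=" in l and not l.lstrip().startswith("#")]
    return {k: v.strip('"') for k, _, v in (l.partition("=") for l in lines)}

# Constructed samples: the OP's ifcfg files and iptables-save file, cut down to what this check reads.
IFCFGS = [parse_ifcfg("DEVICE=em1\nIPADDR=192.168.66.5\nGATEWAY=192.168.66.1\n"),
          parse_ifcfg("DEVICE=em2\nIPADDR=192.168.70.129\n")]
RULES = """*nat
-A POSTROUTING -o eth+ -j MASQUERADE
-A POSTROUTING -o em2 -j MASQUERADE
COMMIT
*filter
-A INPUT -i eth+ -j ACCEPT
-A FORWARD -o em2 -j ACCEPT
COMMIT
"""

def wan_interface(ifcfgs):
    """The outside interface is the one carrying the default route (GATEWAY= set)."""
    wan = [c["DEVICE"] for c in ifcfgs if "GATEWAY" in c]
    if len(wan) != 1:
        raise ValueError("expected exactly one interface with GATEWAY=, got %r" % wan)
    return wan[0]

def iface_matches(pattern, devices):
    """iptables treats a trailing '+' as a prefix wildcard; return the devices a pattern hits."""
    if pattern.endswith("+"):
        return [d for d in devices if d.startswith(pattern[:-1])]
    return [d for d in devices if d == pattern]

def audit(rules_text, ifcfgs):
    """Flag rules naming an interface this box does not have (eth+ on an em1/em2
    system) and MASQUERADE on anything other than the outside interface."""
    devices, wan = [c["DEVICE"] for c in ifcfgs], wan_interface(ifcfgs)
    findings = []
    for line in rules_text.splitlines():
        tok = line.split()
        if not tok or tok[0] != "-A":
            continue  # skip *table headers, :CHAIN policy lines and COMMIT
        for flag in ("-i", "-o"):
            pat = tok[tok.index(flag) + 1] if flag in tok else None
            if pat and not iface_matches(pat, devices):
                findings.append(f"{tok[1]}: '{flag} {pat}' matches none of {devices}")
        if "MASQUERADE" in tok and "-o" in tok:
            out = tok[tok.index("-o") + 1]
            if out != wan and iface_matches(out, devices):
                findings.append(f"{tok[1]}: MASQUERADE on inside interface {out}; only {wan} should masquerade")
    return findings
```

Run `audit(RULES, IFCFGS)` against the posted rules and it reports the eth+ rules and the em2 masquerade; after the interface names are corrected it returns an empty list.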
Op 05-06-13 07:23, James Hogarth schreef:
Long time here too... But MASQUERADE on both interfaces feels wrong given what it does... Shouldn't this only be on the 'outside' of a router... Or did this change at some point in the last few years?
That's what I get for checking mailing lists when I first wake up... The OP has eth+ lines in his iptables but the interfaces are em+
OP was this iptables generated from some sort of tool or hand crafted? I'd go back to basics personally and flush it all starting from scratch and do it properly for the system at hand...
Hello,
thanks for the reactions.
It's generated by a script, and I probably put too much in iptables manually trying to get it to work.
I would be happy to test further and determine what is the minimum needed in iptables to make it work, but this LTSP setup is giving me other problems that I have to solve first, if I ever want to use it.
Lesson learned here is: do not use the script but indeed do it properly.
Greetings, J.