Re: Forwarding not work in FC9 but ip forward is turn on

ppps wrote:
> Hi Kevin, here is the information
>
> Information from FIREWALL
> -------------------------
> [root@marte [1] ~]# ifconfig
> eth4      Link encap:Ethernet  HWaddr 00:19:D1:8C:02:5E
>           inet addr:192.168.5.254  Bcast:192.168.5.255  Mask:255.255.255.0
>           inet6 addr: fe80::219:d1ff:fe8c:25e/64 Scope:Link
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>           RX packets:101 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:261 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:100
>           RX bytes:7212 (7.0 KiB)  TX bytes:18747 (18.3 KiB)
>           Memory:52200000-52220000
>
> eth5      Link encap:Ethernet  HWaddr 00:0A:5E:78:C4:8C
>           inet addr:192.168.1.231  Bcast:192.168.1.255  Mask:255.255.255.0
>           inet6 addr: fe80::20a:5eff:fe78:c48c/64 Scope:Link
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>           RX packets:9091 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:412 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:1000
>           RX bytes:861240 (841.0 KiB)  TX bytes:43976 (42.9 KiB)
>           Interrupt:18 Base address:0x4900
>
> eth6      Link encap:Ethernet  HWaddr 00:0A:5E:79:81:85
>           inet addr:192.168.10.250  Bcast:192.168.10.255  Mask:255.255.255.0
>           inet6 addr: fe80::20a:5eff:fe79:8185/64 Scope:Link
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>           RX packets:550 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:138 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:1000
>           RX bytes:65826 (64.2 KiB)  TX bytes:11900 (11.6 KiB)
>           Interrupt:22 Base address:0xc980
>
> lo        Link encap:Local Loopback
>           inet addr:127.0.0.1  Mask:255.0.0.0
>           inet6 addr: ::1/128 Scope:Host
>           UP LOOPBACK RUNNING  MTU:16436  Metric:1
>           RX packets:13 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:13 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:0
>           RX bytes:1104 (1.0 KiB)  TX bytes:1104 (1.0 KiB)
>
> [root@marte [2] ~]# netstat -nr
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
> 192.168.5.0     0.0.0.0         255.255.255.0   U         0 0          0 eth4
> 192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth5
> 192.168.10.0    0.0.0.0         255.255.255.0   U         0 0          0 eth6
> 169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 eth6
>
> [root@marte [3] ~]# cat /proc/sys/net/ipv4/ip_forward
> 1
> [root@marte [4] ~]# cat /etc/selinux/config
>
> # This file controls the state of SELinux on the system.
> # SELINUX= can take one of these three values:
> #       enforcing - SELinux security policy is enforced.
> #       permissive - SELinux prints warnings instead of enforcing.
> #       disabled - No SELinux policy is loaded.
> SELINUX=disabled
> # SELINUXTYPE= can take one of these two values:
> #       targeted - Targeted processes are protected,
> #       mls - Multi Level Security protection.
> SELINUXTYPE=targeted
>
> [root@marte [5] ~]# iptables -L -n -v
> Chain INPUT (policy ACCEPT 1758 packets, 182K bytes)
>  pkts bytes target     prot opt in     out     source               destination
>
> Chain FORWARD (policy ACCEPT 89 packets, 6036 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>
> Chain OUTPUT (policy ACCEPT 600 packets, 69134 bytes)
>  pkts bytes target     prot opt in     out     source               destination
> [root@marte [6] ~]# iptables -L -n -v -t nat
> Chain PREROUTING (policy ACCEPT 1006 packets, 135K bytes)
>  pkts bytes target     prot opt in     out     source               destination
>
> Chain POSTROUTING (policy ACCEPT 92 packets, 6288 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>
> Chain OUTPUT (policy ACCEPT 4 packets, 312 bytes)
>  pkts bytes target     prot opt in     out     source               destination
> [root@marte [7] ~]# iptables -L -n -v -t nat -t mangle
> Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>
> Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>
> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>
> Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>
> Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>
> [root@marte [8] ~]# traceroute 192.168.5.1
> traceroute to 192.168.5.1 (192.168.5.1), 30 hops max, 40 byte packets
>  1  * * *
>  2   (192.168.5.1)  0.928 ms  0.915 ms  0.296 ms
> [root@marte [9] ~]# traceroute 192.168.1.231
> traceroute to 192.168.1.231 (192.168.1.231), 30 hops max, 40 byte packets
>  1   (192.168.1.231)  0.054 ms  0.024 ms  0.022 ms
> [root@marte [10] ~]# traceroute 192.168.10.20
> traceroute to 192.168.10.20 (192.168.10.20), 30 hops max, 40 byte packets
>  1  * * *
>  2  * * *
>  3  * * *
>  4  * * *
>  5  * * *
>  6  * * *
>  7  * * *
>  8  * * *
>  9  * * *
> 10  * * *
> 11  * * *
> 12  * * *
> 13  * * *
> 14  * * *
> 15  * * *
> 16  * * *
> 17  * * *
> 18  * * *
> 19  * * *
> 20  * * *
> 21  * * *
> 22  * * *
> 23  * * *
> 24  * * *
> 25  * * *
> 26  * * *
> 27  * * *
> 28  * * *
> 29  * * *
> 30  * * *
> [root@marte [11] ~]# cat /etc/sysctl.conf
> # Kernel sysctl configuration file for Red Hat Linux
> #
> # For binary values, 0 is disabled, 1 is enabled.  See sysctl(8) and
> # sysctl.conf(5) for more details.
>
> # Controls IP packet forwarding
> net.ipv4.ip_forward = 1
>
> # Controls source route verification (1)
> net.ipv4.conf.default.rp_filter = 1
>
> # Do not accept source routing (0)
> net.ipv4.conf.default.accept_source_route = 1
>
> # Controls the System Request debugging functionality of the kernel
> kernel.sysrq = 1
>
> # Controls whether core dumps will append the PID to the core filename.
> # Useful for debugging multi-threaded applications.
> kernel.core_uses_pid = 1
>
> # Controls the use of TCP syncookies
> net.ipv4.tcp_syncookies = 1
>
> net.ipv4.conf.all.disable_policy = 1
> net.ipv4.conf.default.proxy_arp = 0
> net.ipv4.conf.all.send_redirects=0
> net.ipv4.icmp_echo_ignore_broadcasts=1
> net.ipv4.conf.default.forwarding=1
>
> [root@marte [12] ~]# tcpdump -i any -n -nn -vvv host 192.168.5.1
> tcpdump: WARNING: Promiscuous mode not supported on the "any" device
> tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 96 bytes
> 22:26:39.695282 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84) 192.168.5.254 > 192.168.5.1: ICMP echo request, id 35866, seq 1,length 64
> 22:26:39.696469 arp who-has 192.168.5.254 tell 192.168.5.1
> 22:26:39.696482 arp reply 192.168.5.254 is-at 00:19:d1:8c:02:5e
> 22:26:39.697161 IP (tos 0x0, ttl 254, id 764, offset 0, flags [none], proto ICMP (1), length 84) 192.168.5.1 > 192.168.5.254: ICMP echo reply, id 35866, seq1, length 64
> 22:26:40.696497 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84) 192.168.5.254 > 192.168.5.1: ICMP echo request, id 35866, seq 2,length 64
> 22:26:40.697511 IP (tos 0x0, ttl 254, id 765, offset 0, flags [none], proto ICMP (1), length 84) 192.168.5.1 > 192.168.5.254: ICMP echo reply, id 35866, seq2, length 64
> 22:26:41.697492 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84) 192.168.5.254 > 192.168.5.1: ICMP echo request, id 35866, seq 3,length 64
> 22:26:41.698544 IP (tos 0x0, ttl 254, id 766, offset 0, flags [none], proto ICMP (1), length 84) 192.168.5.1 > 192.168.5.254: ICMP echo reply, id 35866, seq3, length 64
> ^C
> 8 packets captured
> 9 packets received by filter
> 0 packets dropped by kernel
> [root@marte [13] ~]# tcpdump -i any -n -nn -vvv host 192.168.10.20
> tcpdump: WARNING: Promiscuous mode not supported on the "any" device
> tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 96 bytes
> 22:27:39.709227 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84) 192.168.10.250 > 192.168.10.20: ICMP echo request, id 36634, seq1, length 64
> 22:27:40.708502 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84) 192.168.10.250 > 192.168.10.20: ICMP echo request, id 36634, seq2, length 64
> 22:27:41.708498 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84) 192.168.10.250 > 192.168.10.20: ICMP echo request, id 36634, seq3, length 64
> 22:27:42.708499 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84) 192.168.10.250 > 192.168.10.20: ICMP echo request, id 36634, seq4, length 64
> 22:27:43.708490 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84) 192.168.10.250 > 192.168.10.20: ICMP echo request, id 36634, seq5, length 64
> ^C
> 5 packets captured
> 6 packets received by filter
> 0 packets dropped by kernel
> [root@marte [14] ~]# tcpdump -i any -n -nn -vvv host 192.168.10.20
> tcpdump: WARNING: Promiscuous mode not supported on the "any" device
> tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 96 bytes
> 22:28:57.035666 IP (tos 0x0, ttl 128, id 549, offset 0, flags [none], proto ICMP (1), length 60) 192.168.10.20 > 192.168.5.1: ICMP echo request, id 512, seq17664, length 40
> 22:28:57.035865 IP (tos 0x0, ttl 127, id 549, offset 0, flags [none], proto ICMP (1), length 60) 192.168.10.20 > 192.168.5.1: ICMP echo request, id 512, seq17664, length 40
> 22:29:02.075864 IP (tos 0x0, ttl 128, id 550, offset 0, flags [none], proto ICMP (1), length 60) 192.168.10.20 > 192.168.5.1: ICMP echo request, id 512, seq17920, length 40
> 22:29:02.075885 IP (tos 0x0, ttl 127, id 550, offset 0, flags [none], proto ICMP (1), length 60) 192.168.10.20 > 192.168.5.1: ICMP echo request, id 512, seq17920, length 40
> ^C
> 4 packets captured
> 5 packets received by filter
> 0 packets dropped by kernel
> [root@marte [15] ~]# tcpdump -i any -n -nn -vvv host 192.168.10.250
> tcpdump: WARNING: Promiscuous mode not supported on the "any" device
> tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 96 bytes
> 22:30:06.150282 IP (tos 0x0, ttl 128, id 552, offset 0, flags [none], proto ICMP (1), length 60) 192.168.10.20 > 192.168.10.250: ICMP echo request, id 512, seq 18176, length 40
> 22:30:06.150494 IP (tos 0x0, ttl 64, id 57368, offset 0, flags [none], proto ICMP (1), length 60) 192.168.10.250 > 192.168.10.20: ICMP echo reply, id 512, seq 18176, length 40
> 22:30:07.136361 IP (tos 0x0, ttl 128, id 553, offset 0, flags [none], proto ICMP (1), length 60) 192.168.10.20 > 192.168.10.250: ICMP echo request, id 512, seq 18432, length 40
> 22:30:07.136386 IP (tos 0x0, ttl 64, id 57369, offset 0, flags [none], proto ICMP (1), length 60) 192.168.10.250 > 192.168.10.20: ICMP echo reply, id 512, seq 18432, length 40
> 22:30:08.136321 IP (tos 0x0, ttl 128, id 554, offset 0, flags [none], proto ICMP (1), length 60) 192.168.10.20 > 192.168.10.250: ICMP echo request, id 512, seq 18688, length 40
> 22:30:08.136343 IP (tos 0x0, ttl 64, id 57370, offset 0, flags [none], proto ICMP (1), length 60) 192.168.10.250 > 192.168.10.20: ICMP echo reply, id 512, seq 18688, length 40
> 22:30:09.136300 IP (tos 0x0, ttl 128, id 555, offset 0, flags [none], proto ICMP (1), length 60) 192.168.10.20 > 192.168.10.250: ICMP echo request, id 512, seq 18944, length 40
> 22:30:09.136324 IP (tos 0x0, ttl 64, id 57371, offset 0, flags [none], proto ICMP (1), length 60) 192.168.10.250 > 192.168.10.20: ICMP echo reply, id 512, seq 18944, length 40
> 22:30:11.149463 arp who-has 192.168.10.20 tell 192.168.10.250
> 22:30:11.149845 arp reply 192.168.10.20 is-at 00:1c:c0:6c:12:27
> ^C
> 10 packets captured
> 14 packets received by filter
> 0 packets dropped by kernel
> [root@marte [16] ~]#
> Information from PC client from LAN 192.168.1.0
> -----------------------------------------------
> [root@localhost [17] ~]# ifconfig
> eth0      Link encap:Ethernet  HWaddr 00:1F:C6:38:B1:C5  
>           inet addr:192.168.1.201  Bcast:192.168.1.255  Mask:255.255.255.0
>           inet6 addr: fe80::21f:c6ff:fe38:b1c5/64 Scope:Link
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>           RX packets:87616 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:66320 errors:0 dropped:0 overruns:0 carrier:6
>           collisions:0 txqueuelen:1000 
>           RX bytes:92023721 (87.7 MiB)  TX bytes:0 (0.0 b)
>           Memory:feac0000-feb00000 
>
> lo        Link encap:Local Loopback  
>           inet addr:127.0.0.1  Mask:255.0.0.0
>           inet6 addr: ::1/128 Scope:Host
>           UP LOOPBACK RUNNING  MTU:16436  Metric:1
>           RX packets:166 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:166 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:0 
>           RX bytes:8700 (8.4 KiB)  TX bytes:8700 (8.4 KiB)
>
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
> 192.168.1.0     *               255.255.255.0   U         0 0          0 eth0
> link-local      *               255.255.0.0     U         0 0          0 eth0
> default         192.168.1.231   0.0.0.0         UG        0 0          0 eth0
>
> [root@localhost [18] ~]# traceroute 192.168.1.231
> traceroute to 192.168.1.231 (192.168.1.231), 30 hops max, 40 byte packets
>  1  192.168.1.231 (192.168.1.231)  0.463 ms  0.371 ms  0.337 ms
>
> [root@localhost [19] ~]# traceroute 192.168.5.1
> traceroute to 192.168.5.1 (192.168.5.1), 30 hops max, 40 byte packets
>  1   (192.168.1.231)  0.478 ms  0.409 ms  0.373 ms
>  2  * * *
>  3  * * *
>  4  * * *
>  5  * * *
>  6  * * *
>  7  * * *
>  8  * * *
>  9  * * *
> 10  * * *
> 11  * * *
> 12  * * *
> 13  * * *
> 14  * * *
> 15  * * *
> 16  * * *
> 17  * * *
> 18  * * *
> 19  * * *
> 20  * * *
> 21  * * *
> 22  * * *
> 23  * * *
> 24  * * *
> 25  * * *
> 26  * * *
> 27  * * *
> 28  * * *
> 29  * * *
> 30  * * *
>
> [root@localhost [20] ~]# traceroute 192.168.5.254
> traceroute to 192.168.5.254 (192.168.5.254), 30 hops max, 40 byte packets
>  1   (192.168.5.254)  0.467 ms  0.392 ms  0.325 ms
>
First off, what is that extra netstat -rn entry for eth6
(169.254.0.0...looks like some Windows default garbage)?  Can't help but
wonder what that's doing to routing to the 192.168.10 network on the
machine.

Next, why do you get two different traceroute results when you
traceroute host 192.168.10.20 as shown below (doesn't make any sense)?:

[root@marte [13] ~]# tcpdump -i any -n -nn -vvv host 192.168.10.20
tcpdump: WARNING: Promiscuous mode not supported on the "any" device
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 96 bytes
22:27:39.709227 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84) 192.168.10.250 > 192.168.10.20: ICMP echo request, id 36634, seq1, length 64
22:27:40.708502 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84) 192.168.10.250 > 192.168.10.20: ICMP echo request, id 36634, seq2, length 64
22:27:41.708498 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84) 192.168.10.250 > 192.168.10.20: ICMP echo request, id 36634, seq3, length 64
22:27:42.708499 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84) 192.168.10.250 > 192.168.10.20: ICMP echo request, id 36634, seq4, length 64
22:27:43.708490 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP (1), length 84) 192.168.10.250 > 192.168.10.20: ICMP echo request, id 36634, seq5, length 64
^C
5 packets captured
6 packets received by filter
0 packets dropped by kernel
[root@marte [14] ~]# tcpdump -i any -n -nn -vvv host 192.168.10.20
tcpdump: WARNING: Promiscuous mode not supported on the "any" device
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 96 bytes
22:28:57.035666 IP (tos 0x0, ttl 128, id 549, offset 0, flags [none], proto ICMP (1), length 60) 192.168.10.20 > 192.168.5.1: ICMP echo request, id 512, seq17664, length 40
22:28:57.035865 IP (tos 0x0, ttl 127, id 549, offset 0, flags [none], proto ICMP (1), length 60) 192.168.10.20 > 192.168.5.1: ICMP echo request, id 512, seq17664, length 40
22:29:02.075864 IP (tos 0x0, ttl 128, id 550, offset 0, flags [none], proto ICMP (1), length 60) 192.168.10.20 > 192.168.5.1: ICMP echo request, id 512, seq17920, length 40
22:29:02.075885 IP (tos 0x0, ttl 127, id 550, offset 0, flags [none], proto ICMP (1), length 60) 192.168.10.20 > 192.168.5.1: ICMP echo request, id 512, seq17920, length 40


Try your tcpdumps with the actual interfaces that you expect results on
(eth4, 5, or 6) when you are running traceroutes/pings to boxes on the
different networks and see what results you see.  Also, you had a
traceroute on marte that went to 192.168.1.231, which is one of marte's
interface addresses... that doesn't help much.  A traceroute thru that
interface off-box would help more.

What does "arp" show?

Kevin

-- 
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
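
Added example, not part of the original thread: a small Python parser for the `tcpdump -vvv` ICMP lines quoted in this message. It pairs each echo request with its reply and counts requests that appear twice with the TTL one lower, which is how a packet routed by the capturing host shows up on `-i any`. The names `ECHO`, `summarize` and `SAMPLE` are illustrative.

```python
import re
from collections import defaultdict

# Matches the verbose ICMP echo lines tcpdump prints with -vvv. The captures in
# the thread print the sequence both as "seq 1" and "seq1", so \s* covers both.
ECHO = re.compile(
    r"ttl (\d+), id \d+,.*?\) ([\d.]+) > ([\d.]+): "
    r"ICMP echo (request|reply), id (\d+), seq\s*(\d+)"
)

def summarize(capture):
    """Per (src, dst) flow: requests seen, how many were routed, how many answered."""
    ttls = defaultdict(list)   # (src, dst, icmp_id, seq) -> TTL of each sighting
    replies = set()            # (src, dst, icmp_id, seq) of each echo reply
    for line in capture.splitlines():
        m = ECHO.search(line)
        if not m:
            continue           # ARP lines, banners, packet counters
        ttl, src, dst, kind, icmp_id, seq = m.groups()
        if kind == "request":
            ttls[(src, dst, icmp_id, seq)].append(int(ttl))
        else:
            replies.add((src, dst, icmp_id, seq))
    flows = defaultdict(lambda: {"requests": 0, "forwarded": 0, "answered": 0})
    for (src, dst, icmp_id, seq), seen in ttls.items():
        flow = flows[(src, dst)]
        flow["requests"] += 1
        # On "-i any" a routed packet is captured twice: on ingress, then on
        # egress with the TTL decremented by one.
        if any(t - 1 in seen for t in seen):
            flow["forwarded"] += 1
        # A reply carries the same ICMP id and seq with src and dst swapped.
        if (dst, src, icmp_id, seq) in replies:
            flow["answered"] += 1
    return dict(flows)

# Lines copied from captures [14] and [15] in the quoted message.
SAMPLE = """\
22:28:57.035666 IP (tos 0x0, ttl 128, id 549, offset 0, flags [none], proto ICMP (1), length 60) 192.168.10.20 > 192.168.5.1: ICMP echo request, id 512, seq17664, length 40
22:28:57.035865 IP (tos 0x0, ttl 127, id 549, offset 0, flags [none], proto ICMP (1), length 60) 192.168.10.20 > 192.168.5.1: ICMP echo request, id 512, seq17664, length 40
22:29:02.075864 IP (tos 0x0, ttl 128, id 550, offset 0, flags [none], proto ICMP (1), length 60) 192.168.10.20 > 192.168.5.1: ICMP echo request, id 512, seq17920, length 40
22:29:02.075885 IP (tos 0x0, ttl 127, id 550, offset 0, flags [none], proto ICMP (1), length 60) 192.168.10.20 > 192.168.5.1: ICMP echo request, id 512, seq17920, length 40
22:30:06.150282 IP (tos 0x0, ttl 128, id 552, offset 0, flags [none], proto ICMP (1), length 60) 192.168.10.20 > 192.168.10.250: ICMP echo request, id 512, seq 18176, length 40
22:30:06.150494 IP (tos 0x0, ttl 64, id 57368, offset 0, flags [none], proto ICMP (1), length 60) 192.168.10.250 > 192.168.10.20: ICMP echo reply, id 512, seq 18176, length 40
22:30:07.136361 IP (tos 0x0, ttl 128, id 553, offset 0, flags [none], proto ICMP (1), length 60) 192.168.10.20 > 192.168.10.250: ICMP echo request, id 512, seq 18432, length 40
22:30:07.136386 IP (tos 0x0, ttl 64, id 57369, offset 0, flags [none], proto ICMP (1), length 60) 192.168.10.250 > 192.168.10.20: ICMP echo reply, id 512, seq 18432, length 40
"""

if __name__ == "__main__":
    for (src, dst), counts in summarize(SAMPLE).items():
        print(f"{src} -> {dst}: {counts}")
```

A flow with `forwarded` above zero and `answered` at zero left the capturing host, so the next place to capture is the egress interface and the destination, as the reply suggests.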
