[ale] iptables issues with dual NIC'd hosts?

Ed Cashin ecashin at noserose.net
Fri Jan 26 14:27:15 EST 2018


By "tracing it through" do you mean looking at the counts for the iptables
rules, and noticing which rules incremented and which did not?

Tracing with tcpdump is great for debugging, but I don't see how that would
catch things getting stopped between chains inside the kernel---that's why
I ask.


On Fri, Jan 26, 2018 at 2:12 PM, Jim Kinney via Ale <ale at ale.org> wrote:

> Sounds like a routing problem. ip route will show the defaults. If BOTH
> are not pointed at each other, nothing happens. Verify with tcpdump on both
> ends - look for traffic to/from <host>
>
> Host A has nics 1 & 2 (A1 & A2)
> Host B has nics 1 & 2 (B1 & B2)
>
> Assumption is A1 and B1 are on network 192.168.0.0 and A2 and B2 are on
> 10.1.1.0. Assumption default route is 192.168.0.0.
>
> To get those machines to talk on the 10.1.1.0 network, you will need to
> use explicit IP address and adding a custom name in /etc/hosts is a good
> idea.
>
> Also need to verify that the database is listening on the correct IP - ditto
> for tomcat.
>
> I just spent _days_ trying to trace a multi-homed network FSCKUP through
> iptables. Data in on port A never appears anywhere else. Tracing it through
> just showed where it vanished - between PREROUTING RAW and PREROUTING NAT.
> I feel your pain.
>
> On Fri, 2018-01-26 at 13:01 -0500, leam hall via Ale wrote:
>
> Using RHEL 6, two hosts (A, B) each with two NICs. Each host has one
> NIC on each of two VLANs. Tomcat on Host_A trying to connect to MySQL
> on Host_B, port 3306. iptables on Host_B looks open (0.0.0.0) for
> TCP/3306.
>
> Host_A_NIC_0 can connect to Host_B_NIC_0 TCP/3306
> Host_A_NIC_1 can NOT connect to Host_B_NIC_1 TCP/3306.
>
> They are 1 IP off and NIC_1 can ping NIC_1, but not connect TCP/3306.
>
> Thoughts on how to figure out why when iptables looks open?
>
> Leam
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://mail.ale.org/mailman/listinfo/ale
> See JOBS, ANNOUNCE and SCHOOLS lists at
> http://mail.ale.org/mailman/listinfo
>
> --
>
> James P. Kinney III Every time you stop a school, you will have to build a
> jail. What you gain at one end you lose at the other. It's like feeding a
> dog on his own tail. It won't fatten the dog. - Speech 11/23/1900 Mark
> Twain http://heretothereideas.blogspot.com/
>
>
>


-- 
  Ed Cashin <ecashin at noserose.net>
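An added example for the counter-reading approach Ed asks about, with constructed data and not anything posted in this thread: take one snapshot of `iptables -L INPUT -v -n -x --line-numbers` on Host_B, fire a single `nc -z -w 3 <Host_B_NIC_1 address> 3306` (and one ping) from Host_A, take a second snapshot, and diff the per-rule packet counters. The `counter_delta` and `demo` function names are mine, and the two snapshots inside `demo` are made up to look like a stock RHEL 6 INPUT chain; they are not output from Leam's or Jim's hosts.

```shell
#!/bin/sh
# Added example (not from the thread): report which INPUT rules were hit
# between two snapshots of `iptables -L INPUT -v -n -x --line-numbers`.
#
# Real-host usage (as root on Host_B):
#   iptables -L INPUT -v -n -x --line-numbers > /tmp/before
#   # ... from Host_A:  nc -z -w 3 <Host_B_NIC_1 address> 3306
#   iptables -L INPUT -v -n -x --line-numbers > /tmp/after
#   counter_delta /tmp/before /tmp/after

# counter_delta BEFORE AFTER
# Prints one line per rule whose packet counter changed:
#   "<rule#> <packets added> <target> <rest of rule>"
# plus "policy <packets added> <policy>" if the chain default policy fired.
# Prints nothing when no INPUT rule and not the policy saw a packet.
counter_delta() {
    awk '
        # "Chain INPUT (policy ACCEPT 0 packets, 0 bytes)": $4 = policy, $5 = its packet count
        /^Chain / && $3 == "(policy" {
            if (FILENAME == ARGV[1]) before["policy"] = $5
            else if ($5 - before["policy"] != 0)
                printf "policy %d %s\n", $5 - before["policy"], $4
            next
        }
        # skip the "num pkts bytes target ..." header, blank lines, anything odd
        $1 !~ /^[0-9]+$/ || $2 !~ /^[0-9]+$/ { next }
        FILENAME == ARGV[1] { before[$1] = $2; next }
        {
            d = $2 - before[$1]
            if (d != 0) {
                rest = $4
                for (i = 5; i <= NF; i++) rest = rest " " $i
                printf "%s %d %s\n", $1, d, rest
            }
        }' "$1" "$2"
}

# demo: constructed snapshots (not captured from a real host) around one
# ping plus one SYN to tcp/3306 that never showed up on Host_B.
demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/before" <<'EOF'
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num      pkts      bytes target     prot opt in     out     source               destination
1      184203 190662381 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
2          40      3360 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
3         902     61336 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
4          17      1020 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:3306
5          12       720 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
EOF
    cat > "$tmp/after" <<'EOF'
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
num      pkts      bytes target     prot opt in     out     source               destination
1      184203 190662381 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
2          41      3444 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
3         902     61336 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
4          17      1020 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:3306
5          12       720 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
EOF
    counter_delta "$tmp/before" "$tmp/after"
    rm -rf "$tmp"
}

demo
```

Reading the demo output: only the icmp rule moved (the ping), while the `dpt:3306` ACCEPT rule, the trailing REJECT and the chain policy all stayed flat even though a SYN was sent. That is the signature of the packet never reaching the filter table at all, which is the "vanished before the filter chains" case Jim describes rather than an iptables rule problem, so the next checks are upstream of INPUT: `ip route get <Host_B_NIC_1 address>` on Host_A to confirm which interface and source address the SYN actually leaves on, `ss -ltn` (or `netstat -ltn`) on Host_B to confirm mysqld is bound to 0.0.0.0 or to the NIC_1 address and not only to NIC_0, and the per-interface `net.ipv4.conf.*.rp_filter` sysctls, since strict reverse-path filtering on a multi-homed box silently drops a packet whose reply would leave by a different interface and that drop is counted in no filter-table rule. To see the chain-by-chain path inside the kernel, which is what tcpdump cannot show, the raw table's TRACE target (`iptables -t raw -I PREROUTING -p tcp --dport 3306 -j TRACE`, remove it again afterwards) writes each table and chain the packet traverses to the kernel log; on RHEL 6 you may need `modprobe ipt_LOG` first for those lines to appear.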