[ale] iptables issues with dual NIC'd hosts?

Jim Kinney jim.kinney at gmail.com
Fri Jan 26 14:58:16 EST 2018


I actually set up an iptables TRACE target.
Example:

iptables -t raw -A PREROUTING -p tcp --destination <myexternalhostip> --dport 80 -j TRACE  # tweak the rules to select just the traffic you want
iptables -t raw -A OUTPUT -p tcp --destination <myinternalhostip> --dport 80 -j TRACE  # uses the internal IP now, since this is after the DNAT rule

Now tail -f /var/log/messages
Oh. Need to set
kern.*;*.info;mail.none;authpriv.none;cron.none   /var/log/messages
in /etc/rsyslog.conf and restart rsyslog.

On Fri, 2018-01-26 at 14:27 -0500, Ed Cashin wrote:
> By "tracing it through" do you mean looking at the counts for the
> iptables rules, and noticing which rules incremented and which did
> not?
> Tracing with tcpdump is great for debugging, but I don't see how that
> would catch things getting stopped between chains inside the kernel
> ---that's why I ask.
> 
> 
> 
> On Fri, Jan 26, 2018 at 2:12 PM, Jim Kinney via Ale <ale at ale.org>
> wrote:
> > Sounds like a routing problem. ip route will show the defaults. If
> > BOTH are not pointed at each other, nothing happens. Verify with
> > tcpdump on both ends - look for traffic to/from <host>
> > 
> > Host A has nics 1 & 2 (A1 & A2)
> > Host B has nics 1 & 2 (B1 & B2)
> > 
> > Assumption is A1 and B1 are on network 192.168.0.0 and A2 and B2
> > are on 10.1.1.0. Assumption default route is 192.168.0.0.
> > 
> > To get those machines to talk on the 10.1.1.0 network, you will
> > need to use explicit IP address and adding a custom name in
> > /etc/hosts is a good idea.
> > 
> > Also need to verify that the database is listening on the correct IP
> > - ditto for tomcat.
> > 
> > I just spent _days_ trying to trace a multi-homed network FSCKUP
> > through iptables. Data in on port A never appears anywhere else.
> > tracing it through just showed where it vanished - between
> > PREROUTING RAW and PREROUTING NAT. I feel your pain.
> > 
> > On Fri, 2018-01-26 at 13:01 -0500, leam hall via Ale wrote:
> > > Using RHEL 6, two hosts (A, B) each with two NICs. Each host has one
> > > NIC on each of two VLANs. Tomcat on Host_A trying to connect to MySQL
> > > on Host_B, port 3306. iptables on Host_B looks open (0.0.0.0) for
> > > TCP/3306.
> > > 
> > > Host_A_NIC_0 can connect to Host_B_NIC_0 TCP/3306
> > > HOST_A_NIC_1 can NOT connect to HOST_B_NIC_1  TCP/3306.
> > > 
> > > They are 1 IP off and NIC_1 can ping NIC_1, but not connect
> > > TCP/3306.
> > > 
> > > Thoughts on how to figure out why when iptables looks open?
> > > 
> > > Leam
> > > _______________________________________________
> > > Ale mailing list
> > > Ale at ale.org
> > > http://mail.ale.org/mailman/listinfo/ale
> > > See JOBS, ANNOUNCE and SCHOOLS lists at
> > > http://mail.ale.org/mailman/listinfo
-- 
James P. Kinney III

Every time you stop a school, you will have to build a jail. What you
gain at one end you lose at the other. It's like feeding a dog on his
own tail. It won't fatten the dog.
- Speech 11/23/1900 Mark Twain

http://heretothereideas.blogspot.com/
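An added example, not code from the thread or from Jim's post, showing how to read what the raw-table TRACE rules above produce. Once those rules are loaded and rsyslog delivers kern.* to /var/log/messages, every traced packet leaves one line per table and chain it passes through, tagged table:chain:{rule|return|policy}:N. The script isolates one flow by SRC, DST and DPT and prints its path in order; the last hop is the rule (or chain policy) that delivered the verdict, which is exactly the thing a rule set that "looks open" hides. A flow whose last hop is raw:PREROUTING never reached the nat table, which is how the "vanished between PREROUTING RAW and PREROUTING NAT" case shows up in the log. The log lines embedded in it are constructed for the thread's scenario (hostb, eth0 on 192.168.0.0/24, eth1 on 10.1.1.0/24) and are not real captures; the rule numbers in them are made up.

```shell
#!/bin/sh
# Added example, not code from the thread: walk iptables TRACE output for one
# flow. Assumes the raw-table TRACE rules from the post are loaded and rsyslog
# delivers kern.* to /var/log/messages, so each traced packet leaves one line
# per table/chain it visits, tagged table:chain:{rule|return|policy}:N.
# The sample log below is constructed for the thread's scenario (hostb,
# eth0 on 192.168.0.0/24, eth1 on 10.1.1.0/24); it is not a real capture.

SAMPLE_LOG=$(cat <<'EOF'
Jan 26 14:58:01 hostb kernel: TRACE: raw:PREROUTING:policy:2 IN=eth0 OUT= MAC=00:0c:29:11:22:33:00:0c:29:44:55:66:08:00 SRC=192.168.0.2 DST=192.168.0.3 LEN=60 TTL=64 PROTO=TCP SPT=41000 DPT=3306 SYN
Jan 26 14:58:01 hostb kernel: TRACE: nat:PREROUTING:policy:1 IN=eth0 OUT= MAC=00:0c:29:11:22:33:00:0c:29:44:55:66:08:00 SRC=192.168.0.2 DST=192.168.0.3 LEN=60 TTL=64 PROTO=TCP SPT=41000 DPT=3306 SYN
Jan 26 14:58:01 hostb kernel: TRACE: filter:INPUT:rule:2 IN=eth0 OUT= MAC=00:0c:29:11:22:33:00:0c:29:44:55:66:08:00 SRC=192.168.0.2 DST=192.168.0.3 LEN=60 TTL=64 PROTO=TCP SPT=41000 DPT=3306 SYN
Jan 26 14:58:02 hostb kernel: TRACE: raw:PREROUTING:policy:2 IN=eth1 OUT= MAC=00:0c:29:77:88:99:00:0c:29:aa:bb:cc:08:00 SRC=10.1.1.2 DST=10.1.1.3 LEN=60 TTL=64 PROTO=TCP SPT=41001 DPT=3306 SYN
Jan 26 14:58:02 hostb kernel: TRACE: nat:PREROUTING:policy:1 IN=eth1 OUT= MAC=00:0c:29:77:88:99:00:0c:29:aa:bb:cc:08:00 SRC=10.1.1.2 DST=10.1.1.3 LEN=60 TTL=64 PROTO=TCP SPT=41001 DPT=3306 SYN
Jan 26 14:58:02 hostb kernel: TRACE: filter:INPUT:rule:4 IN=eth1 OUT= MAC=00:0c:29:77:88:99:00:0c:29:aa:bb:cc:08:00 SRC=10.1.1.2 DST=10.1.1.3 LEN=60 TTL=64 PROTO=TCP SPT=41001 DPT=3306 SYN
Jan 26 14:58:03 hostb kernel: TRACE: raw:PREROUTING:policy:2 IN=eth1 OUT= MAC=00:0c:29:77:88:99:00:0c:29:aa:bb:cc:08:00 SRC=10.1.1.2 DST=10.1.1.3 LEN=84 TTL=64 PROTO=ICMP TYPE=8 CODE=0
EOF
)

# trace_path SRC DST DPT < logfile
# Print table:chain:kind:num for every TRACE line carrying exactly this
# SRC/DST/DPT, in arrival order. Packets without a DPT (the ICMP ping) never
# match, so a working ping does not pollute the TCP trace.
trace_path() {
    awk -v src="SRC=$1" -v dst="DST=$2" -v dpt="DPT=$3" '
        /TRACE:/ {
            hit = 0
            for (i = 1; i <= NF; i++)
                if ($i == src || $i == dst || $i == dpt) hit++
            if (hit != 3) next
            for (i = 1; i < NF; i++)
                if ($i == "TRACE:") { print $(i + 1); break }
        }'
}

# last_hop SRC DST DPT < logfile
# The final hop is where the packet got its verdict. For a flow that
# "vanishes", it is the last chain that saw the packet; nothing after it ran.
last_hop() {
    trace_path "$@" | tail -n 1
}

# rule_lookup_cmd table:chain:kind:num
# Build the iptables command that shows the exact rule (or the chain policy)
# a hop names, so the operator can read what actually matched.
rule_lookup_cmd() {
    table=${1%%:*}; rest=${1#*:}
    chain=${rest%%:*}; rest=${rest#*:}
    kind=${rest%%:*};  num=${rest#*:}
    if [ "$kind" = policy ]; then
        echo "iptables -t $table -L $chain -n | sed -n 1p"
    else
        echo "iptables -t $table -L $chain -n -v --line-numbers | sed -n '/^$num /p'"
    fi
}

# Demo on the constructed log: the working NIC_0 flow, then the failing NIC_1
# flow. $flow is deliberately unquoted so it splits into SRC DST DPT.
for flow in "192.168.0.2 192.168.0.3 3306" "10.1.1.2 10.1.1.3 3306"; do
    set -- $flow
    echo "flow $1 -> $2:$3"
    printf '%s\n' "$SAMPLE_LOG" | trace_path "$@" | sed 's/^/  /'
    hop=$(printf '%s\n' "$SAMPLE_LOG" | last_hop "$@")
    echo "  verdict at $hop; inspect with: $(rule_lookup_cmd "$hop")"
done
```

On a real box the call is `trace_path 10.1.1.2 10.1.1.3 3306 < /var/log/messages`, then run the command `rule_lookup_cmd` prints for the last hop to see what that rule actually matches (an `-i eth0` or a source-network match is the usual culprit when one NIC works and the other does not). Two caveats worth knowing before trusting an empty result: on older kernels such as RHEL 6's, the TRACE target writes nothing until the kernel log backend is loaded (`modprobe ipt_LOG`), and the raw-table rules log every matching packet, so narrow them with `-i` or `-s` while debugging and delete them when done.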