[lug] IPChains issue (I think)
Chip Atkinson
chip at pupman.com
Thu Apr 13 12:25:30 MDT 2006
That looks normal.
Do you see any traffic on eth1 when you attempt to connect to that IP
address? If you can disconnect it from the internet and leave it on
the LAN, you can flush IP tables with iptables -F. If you suddenly get
through, it's IPtables related. If no traffic/connections are happening
through eth1 after flushing IP tables, check routing and the interface the
services are listening on.
netstat -rn for routing
netstat -lenp for listening services.
Chip
On Thu, 13 Apr 2006, Jason Vallery wrote:
> Ifconfig -a shows:
>
> eth0 Link encap:Ethernet HWaddr 00:02:B3:E9:CF:07
> inet addr:209.97.225.208 Bcast:209.97.225.255 Mask:255.255.255.0
> inet6 addr: fe80::202:b3ff:fee9:cf07/64 Scope:Link
> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
> RX packets:596 errors:0 dropped:0 overruns:0 frame:0
> TX packets:141 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:1000
> RX bytes:57964 (56.6 KiB) TX bytes:19097 (18.6 KiB)
>
> eth1 Link encap:Ethernet HWaddr 00:02:B3:E9:CF:06
> inet addr:209.97.225.209 Bcast:209.97.225.255 Mask:255.255.255.0
> inet6 addr: fe80::202:b3ff:fee9:cf06/64 Scope:Link
> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
> RX packets:439 errors:0 dropped:0 overruns:0 frame:0
> TX packets:9 errors:0 dropped:0 overruns:0 carrier:0
> collisions:0 txqueuelen:1000
> RX bytes:36360 (35.5 KiB) TX bytes:750 (750.0 b)
> Base address:0xbc00 Memory:fc4e0000-fc500000
>
>
> On 4/13/06, Chip Atkinson <chip at pupman.com> wrote:
> >
> > What does ifconfig -a show? Do you have addresses for both interfaces?
> > I don't know about the high availability aspects of the dual nics, but in
> > "normal" operation, you need to have a separate IP for each interface.
> > Traffic is then sent to the interface with the corresponding IP.
> >
> > Chip
> > On Thu, 13 Apr 2006, Jason Vallery wrote:
> >
> > > Hey all,
> > >
> > > Wow, it's been years since I've posted to this list. I've just recently
> > > sort of rediscovered you all and have been actively lurking (versus
> > > passive where the mail was just queueing up in a folder I never read).
> > >
> > > Recently I just got some new hardware for one of the boxes I run. The
> > > new box (a 1U rack mount) has integrated dual nics and is running CentOS
> > > 4.3 (2.6.9-34.106.unsupportedsmp). I decided I wanted to take advantage
> > > of the redundancy dual nics offers me however I'm not really clear on
> > > how things should be setup. This box only does WWW and DNS serving so
> > > these along with SSH are the only services I run. I've got IPChains
> > > setup to reject all traffic except these core 3 services. My dual nics
> > > are configured with static IP addresses. For some reason however, only
> > > traffic pointed at eth0 ever accesses the services on this box. The
> > > traffic on eth1 never connects. The symptoms indicate an IPChains
> > > issue, however looking at the rules I don't see anything that would
> > > cause this problem.
> > >
> > > Here is the output of "iptables -L"
> > >
> > > Chain INPUT (policy ACCEPT)
> > > target     prot opt source     destination
> > > LOG        all  --  anywhere   anywhere     LOG level debug prefix `BANDWIDTH_IN:'
> > > LOG        all  --  anywhere   anywhere     LOG level debug prefix `BANDWIDTH_IN:'
> > > RH-Firewall-1-INPUT  all  --  anywhere   anywhere
> > >
> > > Chain FORWARD (policy ACCEPT)
> > > target     prot opt source     destination
> > > LOG        all  --  anywhere   anywhere     LOG level debug prefix `BANDWIDTH_OUT:'
> > > LOG        all  --  anywhere   anywhere     LOG level debug prefix `BANDWIDTH_IN:'
> > > LOG        all  --  anywhere   anywhere     LOG level debug prefix `BANDWIDTH_OUT:'
> > > LOG        all  --  anywhere   anywhere     LOG level debug prefix `BANDWIDTH_IN:'
> > > RH-Firewall-1-INPUT  all  --  anywhere   anywhere
> > >
> > > Chain OUTPUT (policy ACCEPT)
> > > target     prot opt source     destination
> > > LOG        all  --  anywhere   anywhere     LOG level debug prefix `BANDWIDTH_OUT:'
> > > LOG        all  --  anywhere   anywhere     LOG level debug prefix `BANDWIDTH_OUT:'
> > >
> > > Chain RH-Firewall-1-INPUT (2 references)
> > > target     prot opt source     destination
> > > ACCEPT     all  --  anywhere   anywhere
> > > ACCEPT     all  --  anywhere   anywhere
> > > ACCEPT     icmp --  anywhere   anywhere     icmp any
> > > ACCEPT     ipv6-crypt--  anywhere   anywhere
> > > ACCEPT     ipv6-auth--  anywhere   anywhere
> > > ACCEPT     udp  --  anywhere   224.0.0.251  udp dpt:5353
> > > ACCEPT     udp  --  anywhere   anywhere     udp dpt:ipp
> > > ACCEPT     udp  --  anywhere   anywhere     udp dpt:domain
> > > ACCEPT     all  --  anywhere   anywhere     state RELATED,ESTABLISHED
> > > ACCEPT     tcp  --  anywhere   anywhere     state NEW tcp dpt:webcache
> > > ACCEPT     tcp  --  anywhere   anywhere     state NEW tcp dpt:https
> > > ACCEPT     tcp  --  anywhere   anywhere     state NEW tcp dpt:ssh
> > > ACCEPT     tcp  --  anywhere   anywhere     tcp dpt:http state NEW
> > > REJECT     all  --  anywhere   anywhere     reject-with icmp-host-prohibited
> > >
> > > Any thoughts? Is there a HOW-TO out there somewhere for setting up a
> > > box with dual nics?
> > >
> > > Thanks
> > > -Jason
> > >
> >
>
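As an added example (not part of the thread), here is the route lookup behind Chip's "check routing" advice: a longest-prefix match over a constructed netstat -rn table that mirrors Jason's two same-subnet addresses (209.97.225.208 on eth0, 209.97.225.209 on eth1); the gateway 209.97.225.1 and the client address are assumptions. On that table, replies to an off-subnet client leave via the default route's interface whichever local address the client reached.

```python
"""Longest-prefix-match route lookup over `netstat -rn` style output.

Added example, not code from the mailing-list thread. The routing table
below is constructed to match the two-NIC, same-subnet configuration in
the thread; the gateway 209.97.225.1 is an assumption.
"""
import ipaddress

# Constructed sample of `netstat -rn` output (Kernel IP routing table).
NETSTAT_RN = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
209.97.225.0    0.0.0.0         255.255.255.0   U         0 0          0 eth0
209.97.225.0    0.0.0.0         255.255.255.0   U         0 0          0 eth1
169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 eth1
0.0.0.0         209.97.225.1    0.0.0.0         UG        0 0          0 eth0
"""


def parse_routes(text):
    """Return a list of (network, gateway, iface) tuples in table order."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 8 or not parts[0][0].isdigit():
            continue  # skip the title and the column-header line
        dest, gw, mask, iface = parts[0], parts[1], parts[2], parts[7]
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        routes.append((net, gw, iface))
    return routes


def lookup(routes, dst):
    """Return (iface, gateway) for dst: longest prefix wins; on a tie the
    earlier row wins (assumption for this sample, whose metrics are equal)."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, gw, iface in routes:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    return None if best is None else (best[2], best[1])


def egress_for_reply(routes, client):
    """Interface used to answer a client, regardless of whether the client
    connected to eth0's .208 or eth1's .209 address."""
    return lookup(routes, client)[0]


if __name__ == "__main__":
    table = parse_routes(NETSTAT_RN)
    for dst in ("198.51.100.7", "209.97.225.50", "169.254.1.1"):  # constructed
        print(dst, "->", lookup(table, dst))
```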