[lug] IPChains issue (I think)
Hugh Brown
hugh at math.byu.edu
Thu Apr 13 12:17:04 MDT 2006
You should also email the output of iptables-save so that we can see
things like
iptables -A INPUT -i eth0 .....
vs
iptables -A INPUT -i eth1 ....
Hugh
On Thu, 13 Apr 2006, Chip Atkinson wrote:
> What does ifconfig -a show? Do you have addresses for both interfaces?
> I don't know about the high availability aspects of the dual NICs, but in
> "normal" operation, you need to have a separate IP for each interface.
> Traffic is then sent to the interface with the corresponding IP.
>
> Chip
> On Thu, 13 Apr 2006, Jason Vallery wrote:
>
> > Hey all,
> >
> > Wow, it's been years since I've posted to this list. I've just recently
> > sort of rediscovered you all and have been actively lurking (versus passively,
> > where the mail was just queueing up in a folder I never read).
> >
> > Recently I just got some new hardware for one of the boxes I run. The new
> > box (a 1U rack mount) has integrated dual NICs and is running CentOS 4.3
> > (2.6.9-34.106.unsupportedsmp). I decided I wanted to take advantage of the
> > redundancy dual NICs offer me; however, I'm not really clear on how things
> > should be set up. This box only does WWW and DNS serving, so these, along
> > with SSH, are the only services I run. I've got IPChains set up to reject all
> > traffic except these core 3 services. My dual NICs are configured with
> > static IP addresses. For some reason, however, only traffic pointed at eth0
> > ever accesses the services on this box. The traffic on eth1 never
> > connects. The symptoms indicate an IPChains issue; however, looking at the
> > rules I don't see anything that would cause this problem.
> >
> > Here is the output of "iptables -L"
> >
> > Chain INPUT (policy ACCEPT)
> > target     prot opt source               destination
> > LOG        all  --  anywhere             anywhere            LOG level debug prefix `BANDWIDTH_IN:'
> > LOG        all  --  anywhere             anywhere            LOG level debug prefix `BANDWIDTH_IN:'
> > RH-Firewall-1-INPUT  all  --  anywhere             anywhere
> >
> > Chain FORWARD (policy ACCEPT)
> > target     prot opt source               destination
> > LOG        all  --  anywhere             anywhere            LOG level debug prefix `BANDWIDTH_OUT:'
> > LOG        all  --  anywhere             anywhere            LOG level debug prefix `BANDWIDTH_IN:'
> > LOG        all  --  anywhere             anywhere            LOG level debug prefix `BANDWIDTH_OUT:'
> > LOG        all  --  anywhere             anywhere            LOG level debug prefix `BANDWIDTH_IN:'
> > RH-Firewall-1-INPUT  all  --  anywhere             anywhere
> >
> > Chain OUTPUT (policy ACCEPT)
> > target     prot opt source               destination
> > LOG        all  --  anywhere             anywhere            LOG level debug prefix `BANDWIDTH_OUT:'
> > LOG        all  --  anywhere             anywhere            LOG level debug prefix `BANDWIDTH_OUT:'
> >
> > Chain RH-Firewall-1-INPUT (2 references)
> > target     prot opt source               destination
> > ACCEPT     all  --  anywhere             anywhere
> > ACCEPT     all  --  anywhere             anywhere
> > ACCEPT     icmp --  anywhere             anywhere            icmp any
> > ACCEPT     ipv6-crypt--  anywhere             anywhere
> > ACCEPT     ipv6-auth--  anywhere             anywhere
> > ACCEPT     udp  --  anywhere             224.0.0.251         udp dpt:5353
> > ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipp
> > ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
> > ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
> > ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:webcache
> > ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:https
> > ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
> > ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:http state NEW
> > REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited
> >
> > Any thoughts? Is there a HOW-TO out there somewhere for setting up a box
> > with dual NICs?
> >
> > Thanks
> > -Jason
> >
>
> _______________________________________________
> Web Page: http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
> Join us on IRC: lug.boulder.co.us port=6667 channel=#colug
>
>
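Added example (not from Hugh, Chip or Jason): the reason Hugh asks for `iptables-save` is that plain `iptables -L` prints no in/out interface column, so a rule written as `-A RH-Firewall-1-INPUT -i eth0 -j ACCEPT` shows up as the same bare `ACCEPT all -- anywhere anywhere` line as an unrestricted rule. The script below reads an `iptables-save` dump on stdin and pulls those interface matches out. The dump embedded in it is a constructed sample, and the eth0-only rules in it are hypothetical, chosen to illustrate the failure mode; they are not the rules from the original post.

```shell
# Added example: find interface-bound rules that `iptables -L` (without -v) hides.
# Reads `iptables-save` output on stdin; no root needed when run on a saved dump.

# Constructed sample standing in for `iptables-save` output. The two rules that
# carry "-i eth0" are hypothetical and are not taken from the original post.
SAMPLE_DUMP='# Generated by iptables-save (constructed sample)
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# Print "<iface> <full rule>" for every -A rule that carries an -i or -o match.
iface_rules() {
    awk '/^-A/ {
        for (i = 1; i < NF; i++)
            if ($i == "-i" || $i == "-o") { print $(i + 1), $0; break }
    }'
}

# Count the rules bound to one interface name (first field of iface_rules output).
count_iface_rules() {
    iface_rules | awk -v want="$1" '$1 == want { n++ } END { print n + 0 }'
}

# For a TCP destination port, print the interface each ACCEPT rule for it is
# limited to, or ANY when the rule has no -i match. One line per matching rule.
accept_ifaces_for_port() {
    awk -v port="$1" '/^-A/ && / -j ACCEPT/ {
        iface = "ANY"; dport = ""
        for (i = 1; i < NF; i++) {
            if ($i == "-i") iface = $(i + 1)
            if ($i == "--dport") dport = $(i + 1)
        }
        if (dport == port) print iface
    }'
}

# Walk the sample the same way you would walk a real dump.
printf '%s\n' "$SAMPLE_DUMP" | iface_rules
for p in 22 80; do
    printf 'tcp/%s accepted on: %s\n' "$p" \
        "$(printf '%s\n' "$SAMPLE_DUMP" | accept_ifaces_for_port "$p" | tr '\n' ' ')"
done
```

On a live box, `iptables-save | iface_rules` (or `iptables -L -v -n`, whose `in`/`out` columns show the same matches) tells you in one pass whether any rule is pinned to eth0. If nothing in the dump mentions an interface, the firewall is not what is dropping the eth1 traffic, and the addressing question Chip raises (does `ifconfig -a` show an address on both interfaces) is the next thing to check.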