[lug] IPChains issue (I think)
Jason Vallery
jason at vallery.net
Thu Apr 13 16:44:34 MDT 2006
Here is the output of iptables-save:
# Generated by iptables-save v1.2.11 on Thu Apr 13 15:21:25 2006
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [13495:10851058]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -i eth0 -j LOG --log-prefix "BANDWIDTH_IN:" --log-level 7
-A INPUT -i eth1 -j LOG --log-prefix "BANDWIDTH_IN:" --log-level 7
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -o eth0 -j LOG --log-prefix "BANDWIDTH_OUT:" --log-level 7
-A FORWARD -i eth0 -j LOG --log-prefix "BANDWIDTH_IN:" --log-level 7
-A FORWARD -o eth1 -j LOG --log-prefix "BANDWIDTH_OUT:" --log-level 7
-A FORWARD -i eth1 -j LOG --log-prefix "BANDWIDTH_IN:" --log-level 7
-A FORWARD -j RH-Firewall-1-INPUT
-A OUTPUT -o eth0 -j LOG --log-prefix "BANDWIDTH_OUT:" --log-level 7
-A OUTPUT -o eth1 -j LOG --log-prefix "BANDWIDTH_OUT:" --log-level 7
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -i ham0 -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p ipv6-crypt -j ACCEPT
-A RH-Firewall-1-INPUT -p ipv6-auth -j ACCEPT
-A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 20000 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 80 -m state --state NEW -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Thu Apr 13 15:21:25 2006
# Generated by iptables-save v1.2.11 on Thu Apr 13 15:21:25 2006
*mangle
:PREROUTING ACCEPT [23745:2342634]
:INPUT ACCEPT [17196:1509769]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [13497:10851666]
:POSTROUTING ACCEPT [13578:10866262]
COMMIT
# Completed on Thu Apr 13 15:21:25 2006
# Generated by iptables-save v1.2.11 on Thu Apr 13 15:21:25 2006
*nat
:PREROUTING ACCEPT [9884:1264706]
:POSTROUTING ACCEPT [57:8121]
:OUTPUT ACCEPT [57:8121]
COMMIT
# Completed on Thu Apr 13 15:21:25 2006
I think you might be on to something with the routing tables. The output of
netstat -rn is:
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
209.97.225.0    0.0.0.0         255.255.255.0   U         0 0          0 eth0
209.97.225.0    0.0.0.0         255.255.255.0   U         0 0          0 eth1
169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 eth1
5.0.0.0         0.0.0.0         255.0.0.0       U         0 0          0 ham0
0.0.0.0         209.97.225.1    0.0.0.0         UG        0 0          0 eth0
That doesn't seem right to me. Unfortunately I don't have any time right
now to pursue that further. I'll have to look at it more tomorrow.
Fyi, ham0 is my Hamachi VPN that I use to manage the server.
-J
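A scripted form of the two checks the replies ask for, added here as an example and not part of the thread: it takes the netstat -rn and iptables-save output posted above (embedded verbatim as sample input, the iptables part trimmed to the interface-matching rules) and reports whether the kernel lists the same directly connected subnet on more than one interface, and whether any chain treats eth0 and eth1 differently. The only convention it relies on is netstat's, that a gateway of 0.0.0.0 marks a directly connected network.

```python
import re
from collections import defaultdict

# Routing table as posted (netstat -rn), reflowed into one row per route.
NETSTAT_RN = """\
Destination     Gateway         Genmask         Flags MSS Window irtt Iface
209.97.225.0    0.0.0.0         255.255.255.0   U       0 0        0 eth0
209.97.225.0    0.0.0.0         255.255.255.0   U       0 0        0 eth1
169.254.0.0     0.0.0.0         255.255.0.0     U       0 0        0 eth1
5.0.0.0         0.0.0.0         255.0.0.0       U       0 0        0 ham0
0.0.0.0         209.97.225.1    0.0.0.0         UG      0 0        0 eth0
"""
# The posted iptables-save filter table, trimmed to the rules that matter here.
IPTABLES_SAVE = """\
*filter
-A INPUT -i eth0 -j LOG --log-prefix "BANDWIDTH_IN:" --log-level 7
-A INPUT -i eth1 -j LOG --log-prefix "BANDWIDTH_IN:" --log-level 7
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -i ham0 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

def duplicate_subnet_routes(netstat_text):
    """Map (destination, genmask) -> interfaces for every directly connected
    network (gateway 0.0.0.0) that the kernel lists on more than one interface."""
    by_net = defaultdict(list)
    for line in netstat_text.splitlines()[1:]:        # skip the header row
        cols = line.split()
        if len(cols) >= 8 and cols[1] == "0.0.0.0":
            by_net[(cols[0], cols[2])].append(cols[-1])
    return {net: ifs for net, ifs in by_net.items() if len(ifs) > 1}

def interface_rules(iptables_text):
    """Map interface -> chain -> jump targets, for rules that match on -i or -o."""
    out = defaultdict(lambda: defaultdict(list))
    for line in iptables_text.splitlines():
        # "\s-[io]\s" matches "-i eth0" / "-o eth1" but not "--icmp-type" etc.
        iface = re.search(r"\s-[io]\s+(\S+)", line)
        target = re.search(r"\s-j\s+(\S+)", line)
        if line.startswith("-A ") and iface and target:
            out[iface.group(1)][line.split()[1]].append(target.group(1))
    return out

def interface_asymmetry(iptables_text, a="eth0", b="eth1"):
    """True when some chain treats the two NICs differently (what Hugh asked to
    check); False means the firewall is not where eth0 and eth1 diverge."""
    rules = interface_rules(iptables_text)
    return dict(rules.get(a, {})) != dict(rules.get(b, {}))
```

On the posted data the firewall check comes back symmetric while the route check flags 209.97.225.0/24 on both eth0 and eth1, which is the line Jason says "doesn't seem right".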
On 4/13/06, Hugh Brown <hugh at math.byu.edu > wrote:
>
> You should also email the output of iptables-save so that we can see
> things like
>
> iptables -A INPUT -i eth0 .....
>
> vs
>
> iptables -A INPUT -i eth1 ....
>
> Hugh
>
> On Thu, 13 Apr 2006, Chip Atkinson wrote:
>
> > What does ifconfig -a show? Do you have addresses for both interfaces?
> > I don't know about the high availability aspects of the dual nics, but in
> > "normal" operation, you need to have a separate IP for each interface.
> > Traffic is then sent to the interface with the corresponding IP.
> >
> > Chip
> > On Thu, 13 Apr 2006, Jason Vallery wrote:
> >
> > > Hey all,
> > >
> > > Wow, it's been years since I've posted to this list. I've just recently
> > > sort of rediscovered you all and have been actively lurking (versus passive,
> > > where the mail was just queueing up in a folder I never read).
> > >
> > > Recently I just got some new hardware for one of the boxes I run. The new
> > > box (a 1U rack mount) has integrated dual nics and is running CentOS 4.3
> > > (2.6.9-34.106.unsupportedsmp). I decided I wanted to take advantage of the
> > > redundancy dual nics offer me; however, I'm not really clear on how things
> > > should be set up. This box only does WWW and DNS serving, so these along with
> > > SSH are the only services I run. I've got IPChains set up to reject all
> > > traffic except these core 3 services. My dual nics are configured with
> > > static IP addresses. For some reason, however, only traffic pointed at eth0
> > > ever accesses the services on this box. The traffic on eth1 never
> > > connects. The symptoms indicate an IPChains issue, however looking at the
> > > rules I don't see anything that would cause this problem.
> > >
> > > Here is the output of "iptables -L"
> > >
> > > Chain INPUT (policy ACCEPT)
> > > target     prot opt source      destination
> > > LOG        all  --  anywhere    anywhere    LOG level debug prefix `BANDWIDTH_IN:'
> > > LOG        all  --  anywhere    anywhere    LOG level debug prefix `BANDWIDTH_IN:'
> > > RH-Firewall-1-INPUT  all  --  anywhere    anywhere
> > >
> > > Chain FORWARD (policy ACCEPT)
> > > target     prot opt source      destination
> > > LOG        all  --  anywhere    anywhere    LOG level debug prefix `BANDWIDTH_OUT:'
> > > LOG        all  --  anywhere    anywhere    LOG level debug prefix `BANDWIDTH_IN:'
> > > LOG        all  --  anywhere    anywhere    LOG level debug prefix `BANDWIDTH_OUT:'
> > > LOG        all  --  anywhere    anywhere    LOG level debug prefix `BANDWIDTH_IN:'
> > > RH-Firewall-1-INPUT  all  --  anywhere    anywhere
> > >
> > > Chain OUTPUT (policy ACCEPT)
> > > target     prot opt source      destination
> > > LOG        all  --  anywhere    anywhere    LOG level debug prefix `BANDWIDTH_OUT:'
> > > LOG        all  --  anywhere    anywhere    LOG level debug prefix `BANDWIDTH_OUT:'
> > >
> > > Chain RH-Firewall-1-INPUT (2 references)
> > > target     prot opt source      destination
> > > ACCEPT     all  --  anywhere    anywhere
> > > ACCEPT     all  --  anywhere    anywhere
> > > ACCEPT     icmp --  anywhere    anywhere    icmp any
> > > ACCEPT     ipv6-crypt--  anywhere    anywhere
> > > ACCEPT     ipv6-auth--  anywhere    anywhere
> > > ACCEPT     udp  --  anywhere    224.0.0.251 udp dpt:5353
> > > ACCEPT     udp  --  anywhere    anywhere    udp dpt:ipp
> > > ACCEPT     udp  --  anywhere    anywhere    udp dpt:domain
> > > ACCEPT     all  --  anywhere    anywhere    state RELATED,ESTABLISHED
> > > ACCEPT     tcp  --  anywhere    anywhere    state NEW tcp dpt:webcache
> > > ACCEPT     tcp  --  anywhere    anywhere    state NEW tcp dpt:https
> > > ACCEPT     tcp  --  anywhere    anywhere    state NEW tcp dpt:ssh
> > > ACCEPT     tcp  --  anywhere    anywhere    tcp dpt:http state NEW
> > > REJECT     all  --  anywhere    anywhere    reject-with icmp-host-prohibited
> > >
> > > Any thoughts? Is there a HOW-TO out there somewhere for setting up a box
> > > with dual nics?
> > >
> > > Thanks
> > > -Jason
> > >
> >
> > _______________________________________________
> > Web Page: http://lug.boulder.co.us
> > Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
> > Join us on IRC: lug.boulder.co.us port=6667 channel=#colug
> >
> >