On Monday 03 June 2002 11:40 am, Jon Still wrote:
> mooo!
> It might help if we can see some of the info in a more standard form - I've never used the ip command in my life ;)
iproute doesn't really show the correct information, as using 'ip' (the iproute2 stuff) gives you lots of kernel routing tables (255 to be exact) and policies that allow you to do things like symmetrical routing, qdisc, source path, QoS, etc... 'ip <something> show' is basically the same sort of thing as 'show ip <something>' on IOS.

> netstat -nr, iptables -L and ifconfig -a please :)
here goes ;)
[anglerfish]~# ifconfig -a
eth0 Link encap:Ethernet HWaddr 00:03:47:AB:DF:D6
inet addr:172.16.0.3 Bcast:172.16.255.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:27509639 errors:0 dropped:0 overruns:0 frame:0
TX packets:516 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:1689379904 (1.5 GiB) TX bytes:22560 (22.0 KiB)
Interrupt:7
eth0:1 Link encap:Ethernet HWaddr 00:03:47:AB:DF:D6
inet addr:123.123.123.1 Bcast:80.255.255.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
Interrupt:7
eth1 Link encap:Ethernet HWaddr 00:03:47:AB:DF:D7
inet addr:172.16.0.4 Bcast:172.16.255.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1328926 errors:0 dropped:0 overruns:0 frame:0
TX packets:42773532 errors:0 dropped:0 overruns:1 carrier:0
collisions:0 txqueuelen:100
RX bytes:188690698 (179.9 MiB) TX bytes:3332124844 (3.1 GiB)
Interrupt:5 Base address:0x2000
eth2 Link encap:Ethernet HWaddr 00:02:B3:35:E7:C8
inet addr:10.2.0.1 Bcast:10.255.255.255 Mask:255.255.0.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:36746531 errors:0 dropped:0 overruns:0 frame:0
TX packets:20367736 errors:0 dropped:0 overruns:1521 carrier:0
collisions:0 txqueuelen:100
RX bytes:1721511177 (1.6 GiB) TX bytes:190764125 (181.9 MiB)
Interrupt:5 Base address:0x4000
eth3 Link encap:Ethernet HWaddr 00:02:B3:35:E7:C9
inet addr:10.1.0.1 Bcast:10.255.255.255 Mask:255.255.0.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:21284631 errors:0 dropped:0 overruns:0 frame:23
TX packets:8287994 errors:0 dropped:0 overruns:82 carrier:0
collisions:0 txqueuelen:100
RX bytes:2705795918 (2.5 GiB) TX bytes:1665392826 (1.5 GiB)
Interrupt:5 Base address:0x6000
ipsec0 Link encap:Ethernet HWaddr 00:02:B3:35:DC:48
inet addr:123.123.123.200 Mask:255.255.255.255
UP RUNNING NOARP MTU:16260 Metric:1
RX packets:35652 errors:0 dropped:1 overruns:0 frame:0
TX packets:23768 errors:0 dropped:2 overruns:0 carrier:0
collisions:0 txqueuelen:10
RX bytes:2666077 (2.5 MiB) TX bytes:5717440 (5.4 MiB)
ipsec1 Link encap:IPIP Tunnel HWaddr
NOARP MTU:0 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:10
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
ipsec2 Link encap:IPIP Tunnel HWaddr
NOARP MTU:0 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:10
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
ipsec3 Link encap:IPIP Tunnel HWaddr
NOARP MTU:0 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:10
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:1336 errors:0 dropped:0 overruns:0 frame:0
TX packets:1336 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:147550 (144.0 KiB) TX bytes:147550 (144.0 KiB)
vlan0002 Link encap:Ethernet HWaddr 00:02:B3:35:DC:49
inet addr:10.255.2.254 Bcast:10.255.255.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:171073 errors:0 dropped:0 overruns:0 frame:0
TX packets:275954 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:29501620 (28.1 MiB) TX bytes:70261205 (67.0 MiB)
vlan0003 Link encap:Ethernet HWaddr 00:02:B3:35:DC:49
inet addr:10.255.5.254 Bcast:10.255.255.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1337 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:72198 (70.5 KiB) TX bytes:0 (0.0 b)
vlan0004 Link encap:Ethernet HWaddr 00:02:B3:35:DC:49
inet addr:10.255.3.254 Bcast:10.255.255.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:234605 errors:0 dropped:0 overruns:0 frame:0
TX packets:127279 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:46631347 (44.4 MiB) TX bytes:11082193 (10.5 MiB)
vlan0005 Link encap:Ethernet HWaddr 00:02:B3:35:DC:49
inet addr:10.255.1.254 Bcast:10.255.255.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:906 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:41676 (40.6 KiB)
(I'll come onto the VLANs and ipsec interfaces in a wee bit... :p)
[anglerfish]~# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
172.16.0.100 0.0.0.0 255.255.255.255 UH 0 0 0 eth1
172.16.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
172.16.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
123.123.123.0 - 255.255.255.0 ! 0 - 0 -
123.123.123.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
10.2.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth2
10.1.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth3
172.16.0.1 0.0.0.0 255.255.255.255 UH 0 0 0 ipsec0
217.35.14.14 172.16.0.1 255.255.255.255 UGH 0 0 0 ipsec0
10.255.2.0 0.0.0.0 255.255.255.0 U 0 0 0 vlan0002
10.255.3.0 0.0.0.0 255.255.255.0 U 0 0 0 vlan0004
10.255.1.0 0.0.0.0 255.255.255.0 U 0 0 0 vlan0005
10.255.5.0 0.0.0.0 255.255.255.0 U 0 0 0 vlan0003
0.0.0.0 172.16.0.1 0.0.0.0 UG 0 0 0 eth1
though that output doesn't show everything; what's missing is basically... if the packet is marked '2' by nfmark then route it out via eth1, with the gateway of the arrowpoint.
ok, sorry for the spam :p
[anglerfish]~# iptables -L -n
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- 1.1.1.1/0 0.0.0.0/0 tcp dpt:22
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 11
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 3 code 10
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 3 code 9
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 3 code 5
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 3 code 2
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 3 code 1
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 3 code 0
ACCEPT tcp -- 0.0.0.0/0 1.1.1.1/0 tcp spt:22
[anglerfish]~#
[anglerfish]~# iptables -L -n -t nat
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT all -- 0.0.0.0/0 123.123.123.9 to:10.2.1.9
DNAT all -- 0.0.0.0/0 123.123.123.10 to:10.1.1.4
DNAT all -- 0.0.0.0/0 123.123.123.51 to:10.2.3.1
*snipetty snip (you get the idea ;))*
DNAT tcp -- 0.0.0.0/0 123.123.123.246 tcp dpt:80 to:172.16.0.2
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
SNAT all -- 172.16.0.2 0.0.0.0/0 to:123.123.123.245
SNAT all -- 10.2.1.9 0.0.0.0/0 to:123.123.123.9
SNAT all -- 10.1.1.2 0.0.0.0/0 to:123.123.123.13
* snip, snip, snip*
SNAT all -- 172.16.0.100 0.0.0.0/0 to:123.123.123.246
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[anglerfish]~# iptables -L -n -t mangle
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
MARK all -- 10.1.0.0/16 123.123.123.0/24 MARK set 0x2
MARK all -- 10.2.0.0/16 123.123.123.0/24 MARK set 0x2
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
> Failing that, make sure that from the router you can ping the appropriate interfaces on the firewall. It's also a good idea to eliminate firewall rules until you've verified end to end connectivity.

as you can see there aren't really any... only allowing port 22 to/from my IP (1.1.1.1) and nowt else ;)
> Hrm, another issue I just noticed - are you running NAT on your core routers? Cos if not those 172.16.0.0/16 addresses will get filtered upstream.

The 172.16.0.0/16 range is only used on aggregated links as the peer point, although yes, upstream (or downstream in our case) routers may block it. I'm testing on a leased line directly from our core network, which isn't blocking them going out of my connection for debugging reasons. Whoops, just reread that - no, there is no NAT on the core routers.
> Also, why is the packet going through the switch, hitting the firewall, then effectively getting passed back to the switch? Why not just NAT straight from your public IP to the VIP on the arrowpoint and then turn off NAT on the firewall? The whole flow of information back and forth between the router and the arrowpoint is kinda screwed IMO...

tell me about it :/ however, the damn arrowpoint won't sit anywhere else on the network and make load balancing both internal and external IPs possible; sadly, that's an impossibility for sure. Failing that I can't get it working here, we need to get another one (one for internal, one for external) - and they're not cheap at 25k a pop!
> Anyway, back to revising BGP!

mwahahaha - you'll be as mad as me soon then :p I'm going to scan in the million and one diagrams I've got and upload them to my site. Arghghghgghgg, now it's damn 802.1q (dot1q/vlan) trunking that is refuxing to work properly on a backend network, ARGHGH£$HG%G$!¬!$£$$%"£!$%¬¬

~ Theo, who has a few loose packets ;)

-- 
Theo Zourzouvillys http://zozo.org.uk/
You will always get the greatest recognition for the job you least like.

--
The Mailing List for the Devon & Cornwall LUG
Mail majordomo@xxxxxxxxxxxx with "unsubscribe list" in the message body to unsubscribe.
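As an added worked example (it is not part of Theo's post or his configuration): the one thing the `route -n` listing above cannot show is the fwmark policy rule Theo describes, which on iproute2 would be something like `ip rule add fwmark 2 lookup 2` with a table 2 holding `default via <arrowpoint> dev eth1`. The script below takes the main table exactly as printed in the post plus the two mangle MARK rules and walks a packet through mark, policy rule and longest-prefix lookup. It makes visible why the mark matters: a backend host's packet to the public /24 reaches eth1 and the arrowpoint only because it is marked; with the MARK rules removed the connected 123.123.123.0/24 route on eth0 is the longest match and wins. The arrowpoint gateway address (172.16.0.100) and the contents of table 2 are assumptions, since the post never states them, and the reject ('!') route is skipped rather than modelled.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple

# Main routing table, copied from the `route -n` listing in the post.
# The line flagged '!' is a reject route sharing its prefix with the
# connected /24 on eth0; this example skips reject routes instead of
# modelling how the kernel orders them against an equal-length route.
ROUTE_N = """\
Destination Gateway Genmask Flags Metric Ref Use Iface
172.16.0.100 0.0.0.0 255.255.255.255 UH 0 0 0 eth1
172.16.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
172.16.0.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
123.123.123.0 - 255.255.255.0 ! 0 - 0 -
123.123.123.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
10.2.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth2
10.1.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth3
172.16.0.1 0.0.0.0 255.255.255.255 UH 0 0 0 ipsec0
217.35.14.14 172.16.0.1 255.255.255.255 UGH 0 0 0 ipsec0
10.255.2.0 0.0.0.0 255.255.255.0 U 0 0 0 vlan0002
10.255.3.0 0.0.0.0 255.255.255.0 U 0 0 0 vlan0004
10.255.1.0 0.0.0.0 255.255.255.0 U 0 0 0 vlan0005
10.255.5.0 0.0.0.0 255.255.255.0 U 0 0 0 vlan0003
0.0.0.0 172.16.0.1 0.0.0.0 UG 0 0 0 eth1
"""

# The two mangle PREROUTING rules from the post: (src, dst, mark to set).
MARK_RULES = (
    (ipaddress.ip_network("10.1.0.0/16"), ipaddress.ip_network("123.123.123.0/24"), 0x2),
    (ipaddress.ip_network("10.2.0.0/16"), ipaddress.ip_network("123.123.123.0/24"), 0x2),
)

# ASSUMPTION: the post gives neither the arrowpoint's address nor the
# fwmark table.  This stands in for
#   ip rule add fwmark 2 lookup 2
#   ip route add default via 172.16.0.100 dev eth1 table 2
ARROWPOINT_GW = "172.16.0.100"


@dataclass(frozen=True)
class Route:
    net: ipaddress.IPv4Network
    gateway: Optional[str]  # None for a directly connected route
    iface: str


def parse_route_n(text: str) -> Tuple[Route, ...]:
    """Turn `route -n` lines into Route objects, dropping the header and reject routes."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 8 or f[0] == "Destination" or "!" in f[3]:
            continue
        dest, gw, mask, iface = f[0], f[1], f[2], f[7]
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        routes.append(Route(net, None if gw == "0.0.0.0" else gw, iface))
    return tuple(routes)


MAIN = parse_route_n(ROUTE_N)
TABLE_2 = (Route(ipaddress.ip_network("0.0.0.0/0"), ARROWPOINT_GW, "eth1"),)

# Policy rules in `ip rule` order: (fwmark the rule requires, table name, table).
RULES = ((0x2, "table 2", TABLE_2), (None, "main", MAIN))


def mark_for(src, dst, rules=MARK_RULES) -> int:
    """First matching MARK rule wins, as in iptables; 0 means unmarked."""
    for s_net, d_net, mark in rules:
        if src in s_net and dst in d_net:
            return mark
    return 0


def longest_match(table: Sequence[Route], dst) -> Optional[Route]:
    """Longest-prefix match within one table; the first route wins a tie."""
    best = None
    for r in table:
        if dst in r.net and (best is None or r.net.prefixlen > best.net.prefixlen):
            best = r
    return best


def route_packet(src: str, dst: str, mark_rules=MARK_RULES):
    """Return (table, iface, gateway) the packet leaves by, or None if unroutable."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    mark = mark_for(s, d, mark_rules)
    for want_mark, name, table in RULES:
        if want_mark is not None and want_mark != mark:
            continue
        r = longest_match(table, d)
        if r is not None:  # a miss in this table falls through to the next rule
            return (name, r.iface, r.gateway)
    return None


if __name__ == "__main__":
    # Backend host to the public /24: marked, so diverted to the arrowpoint.
    print(route_packet("10.1.1.4", "123.123.123.50"))
    # Same packet with the MARK rules removed: the connected /24 on eth0 wins.
    print(route_packet("10.1.1.4", "123.123.123.50", mark_rules=()))
    # Anything else from the backend: main table default via 172.16.0.1.
    print(route_packet("10.1.1.4", "8.8.8.8"))
```

The policy lookup mirrors `ip rule` semantics: a rule whose table has no matching route falls through to the next rule, which is why an unmarked packet, or a marked one bound somewhere table 2 does not cover, still ends up in the main table.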