FC6 and Network

Tom Rivers tom at impact-crater.com
Wed Nov 29 21:22:30 UTC 2006


On Wed, 2006-11-29 at 16:02 -0500, Jeffrey Ross wrote:
> Tom,
> 
> he's using a supernet/CIDR block/classless (or whatever you want to call 
> it) addressing, his valid range would be from 192.168.128.1 through 
> 192.168.135.254 so yes his gateway exists on his network.
> 

Hi Jeffrey,

Oops!  You're right.  I thought I saw 255.255.255.248 instead of
255.255.248.0 like he has.  Thanks for the correction.  :)

This problem reminds me of one I had when I upgraded from FC3 to FC5 on
one of my linux systems that functions as a VPN router.  I preserved all
of the settings, but after the upgrade I was getting the same kind of
"Destination unreachable" when I tried to configure the VPN.  To make a
long story short, there were two things wrong.  First, I needed to tweak
the SELinux settings to allow traffic across the VPN.  Second, and this
is the one that really threw me for a loop, I needed to adjust the
following line in my iptables firewall script from:

$IPTABLES -A POSTROUTING -t nat -o $EXTIF -j MASQUERADE

to:

$IPTABLES -A POSTROUTING -t nat -o $EXTIF -s $INTLAN -d \! 192.168.0.0/16 -j MASQUERADE

The "-d \! 192.168.0.0/16" was required to keep the VPN packets from
being masqueraded to all of the other class C networks with which I have
VPNs established.  Why it changed from FC3 to FC5 is beyond me, but it
took me a while to find out what was really causing the problem.

By the way, I noticed you asked him to execute "arp -a" and post the
output.  For the record, I saw I was getting a lot of "who has..."
messages from arp requests that were never being answered when I turned
on tcpdump and watched for a while.  I'm wondering if Michael is having
a similar problem to what I had.  If so, he may want to take a look at
his SELinux log (if he has it enabled) as well as his iptables rules.


Tom
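To make the difference between Tom's two MASQUERADE rules concrete, here is an added model of how a nat/POSTROUTING rule matches a packet and what source address the packet leaves with. It is illustration written for this page, not code from the post or from Fedora; the interface names, the 192.168.1.0/24 LAN, the 198.51.100.1 public address and the 192.168.2.0/24 VPN peer network are all constructed, and the model assumes (as the post implies) that packets bound for a VPN peer are routed out the external interface before being tunnelled, so a bare "-o $EXTIF" rule sees them.

```python
"""Model of how iptables nat/POSTROUTING MASQUERADE rules match, to show
which flows the two rule variants from the post would rewrite.
Added illustration, not code from the original message; interface names,
addresses and the assumed VPN peer network are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str      # source IP as seen in nat/POSTROUTING
    dst: str      # destination IP
    out_if: str   # interface the routing decision picked


@dataclass(frozen=True)
class MasqRule:
    """One '-A POSTROUTING -t nat ... -j MASQUERADE' rule."""
    out_if: str                                   # -o
    src: Optional[ipaddress.IPv4Network] = None   # -s (None = any)
    dst: Optional[ipaddress.IPv4Network] = None   # -d (None = any)
    dst_negated: bool = False                     # True models '-d ! net'

    def matches(self, pkt: Packet) -> bool:
        if pkt.out_if != self.out_if:
            return False
        if self.src is not None and ipaddress.ip_address(pkt.src) not in self.src:
            return False
        if self.dst is not None:
            in_dst = ipaddress.ip_address(pkt.dst) in self.dst
            # A negated match succeeds only when the address is outside the net.
            if in_dst == self.dst_negated:
                return False
        return True


def apply_postrouting(rules: List[MasqRule], pkt: Packet, ext_ip: str) -> str:
    """Return the source address the packet leaves with. MASQUERADE is a
    terminating target, so the first matching rule decides; no match means
    the original source is kept."""
    for rule in rules:
        if rule.matches(pkt):
            return ext_ip
    return pkt.src


# --- constructed scenario (assumptions, not taken from the post) ---
EXTIF = "eth0"
INTLAN = ipaddress.ip_network("192.168.1.0/24")      # local LAN behind the router
EXT_IP = "198.51.100.1"                              # router's public address
RFC1918_16 = ipaddress.ip_network("192.168.0.0/16")  # covers all the VPN peer nets

OLD_RULE = MasqRule(out_if=EXTIF)                                      # -o $EXTIF
NEW_RULE = MasqRule(out_if=EXTIF, src=INTLAN, dst=RFC1918_16,
                    dst_negated=True)                                  # -s $INTLAN -d ! 192.168.0.0/16

TO_INTERNET = Packet("192.168.1.10", "203.0.113.5", EXTIF)
TO_VPN_PEER = Packet("192.168.1.10", "192.168.2.20", EXTIF)   # leaves via EXTIF, then tunnelled
LAN_LOCAL = Packet("192.168.1.10", "192.168.1.20", "eth1")


def demo() -> dict:
    """Source address after NAT under (old rule, new rule) for each flow."""
    return {name: (apply_postrouting([OLD_RULE], p, EXT_IP),
                   apply_postrouting([NEW_RULE], p, EXT_IP))
            for name, p in [("internet", TO_INTERNET),
                            ("vpn_peer", TO_VPN_PEER),
                            ("lan_local", LAN_LOCAL)]}


if __name__ == "__main__":
    for flow, (old, new) in demo().items():
        print(f"{flow:10s} old rule -> src {old:15s} new rule -> src {new}")
```

The vpn_peer row is the whole story: with the old rule the VPN peer sees packets from 198.51.100.1 rather than from the LAN, so its replies never come back through the tunnel, which matches the "Destination unreachable" symptom. Two caveats on the rule as posted: the backslash in "-d \! 192.168.0.0/16" only stops the shell from treating "!" as history expansion, and later iptables releases deprecated that "-d ! net" ordering in favour of "! -d net", so on a modern system the rule should be written that way.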




More information about the fedora-list mailing list