FC6 and Network
Tom Rivers
tom at impact-crater.com
Wed Nov 29 21:22:30 UTC 2006
On Wed, 2006-11-29 at 16:02 -0500, Jeffrey Ross wrote:
> Tom,
>
> he's using a supernet/CIDR block/classless (or whatever you want to call
> it) addressing, his valid range would be from 192.168.128.1 through
> 192.168.135.254 so yes his gateway exists on his network.
>
Hi Jeffrey,
Oops! You're right. I thought I saw 255.255.255.248 instead of
255.255.248.0 like he has. Thanks for the correction. :)
This problem reminds me of one I had when I upgraded from FC3 to FC5 on
one of my Linux systems that functions as a VPN router. I preserved all
of the settings, but after the upgrade I was getting the same kind of
"Destination unreachable" when I tried to configure the VPN. To make a
long story short, there were two things wrong. First, I needed to tweak
the SELinux settings to allow traffic across the VPN. Second, and this
is the one that really threw me for a loop, I needed to adjust the
following line in my iptables firewall script from:
$IPTABLES -A POSTROUTING -t nat -o $EXTIF -j MASQUERADE
to:
$IPTABLES -A POSTROUTING -t nat -o $EXTIF -s $INTLAN -d \! 192.168.0.0/16 -j MASQUERADE
The "-d \! 192.168.0.0/16" was required to keep the VPN packets from
being masqueraded to all of the other class C networks with which I have
VPNs established. Why it changed from FC3 to FC5 is beyond me, but it
took me a while to find out what was really causing the problem.
By the way, I noticed you asked him to execute "arp -a" and post the
output. For the record, I saw I was getting a lot of "who has..."
messages from arp requests that were never being answered when I turned
on tcpdump and watched for a while. I'm wondering if Michael is having
a similar problem to what I had. If so, he may want to take a look at
his SELinux log (if he has it enabled) as well as his iptables rules.
Tom
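
Added example, not part of the original message: a small Python model of the two MASQUERADE rules quoted above, showing which constructed packets each rule would NAT, plus a check of the host range for the 255.255.248.0 netmask mentioned in the quoted reply. The values used for $INTLAN and $EXTIF, the sample packets, and the assumption that VPN-bound traffic leaves via the external interface are all assumptions, not taken from the post.

```python
import ipaddress

# Assumed stand-ins: the post does not give the values of $INTLAN or $EXTIF.
INTLAN = ipaddress.ip_network("192.168.1.0/24")
EXTIF = "eth0"
# From the post: destinations excluded by "-d ! 192.168.0.0/16".
VPN_SPACE = ipaddress.ip_network("192.168.0.0/16")


def old_rule(src, dst, out_if):
    """-o $EXTIF -j MASQUERADE: NATs everything leaving the external interface."""
    return out_if == EXTIF


def new_rule(src, dst, out_if):
    """-o $EXTIF -s $INTLAN -d ! 192.168.0.0/16 -j MASQUERADE"""
    return (out_if == EXTIF
            and ipaddress.ip_address(src) in INTLAN
            and ipaddress.ip_address(dst) not in VPN_SPACE)


def host_range(cidr):
    """First and last usable host address of a network given as addr/mask."""
    net = ipaddress.ip_network(cidr, strict=False)
    return str(net.network_address + 1), str(net.broadcast_address - 1)


# Constructed sample packets: (source, destination, outgoing interface).
PACKETS = [
    ("192.168.1.10", "203.0.113.5", "eth0"),   # LAN host to the Internet
    ("192.168.1.10", "192.168.7.20", "eth0"),  # LAN host to a remote VPN network
    ("192.168.1.10", "192.168.1.20", "eth1"),  # traffic that stays on the LAN
]


def compare(packets=PACKETS):
    """Return (old_rule_matches, new_rule_matches) for each packet."""
    return [(old_rule(*p), new_rule(*p)) for p in packets]


if __name__ == "__main__":
    for pkt, (old, new) in zip(PACKETS, compare()):
        print(pkt, "old rule NATs:", old, "| new rule NATs:", new)
    print(host_range("192.168.128.0/255.255.248.0"))
```

Only the second packet differs between the rules: the old rule rewrites its source address before it reaches the remote VPN network, while the new rule leaves it alone.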