[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [rhelv6-list] network problem on RHEL6.3

On 07/04/2012 03:46 PM, John Haxby wrote:

On 4 July 2012 10:00, Tiziana Manfroni <manfroni mat uniroma3 it <mailto:manfroni mat uniroma3 it>> wrote:

    I do some tests and I have  problems with 192.168.114 private
    network . Infact if I connect from public network (193.204.165.*)
    or another private network (192.168.115.) it's all ok, but for
    example, if I connect from a host with IP address
    in 'ssh -vvv www 193 204 165 224 <mailto:www 193 204 165 224>' the
    output is "ssh: connect to port 22: no route to
    host". When I connect with 'ssh -vvv www 192 168 114 60
    <mailto:www 192 168 114 60>' I see "www 192 168 114 60
    <mailto:www 192 168 114 60>'s password:" I have this network
    problem for all services on server (http, https, mail) and not for
    only ssh. This server worked with RHEL5.8 but after upgrade to
    RHEL6.3 there is this problem.

I'm pretty sure you're tripping over reverse path filtering change. In 5.x, the "net.ipv4.conf.default.rp_filter = 1" means "[loose] reverse path filtering". In 6.x (indeed any kernel after about 2.6.30) it leans "strict reverse path filtering". See /usr/share/doc/kernel-*/Documentation/networking/ip-sysctl.txt for more details. If you want loose mode, then change the "1" to "2" and restart everything.

Loose mode reverse path filtering isn't usually recommended, though, not least because asymmetric routing can mess up TCP's flow control. I keep hoping that someone will post a succinct guide to having packets route back through the interface they came in on (I know it can be done, I've just never sat down and worked it out in detail.)

$IPTABLES -t mangle -A PREROUTING -j CONNMARK --restore-mark
$IPTABLES -t mangle -A PREROUTING -i "$EXTERNAL_INTERFACE1" -j MARK --set-mark 2 $IPTABLES -t mangle -A PREROUTING -i "$EXTERNAL_INTERFACE2" -j MARK --set-mark 3
$IPTABLES -t mangle -A POSTROUTING -j CONNMARK --save-mark

[root mail ~]# grep mark /etc/sysconfig/network-scripts/rule-eth*
/etc/sysconfig/network-scripts/rule-eth1.5:fwmark 2 table T1
/etc/sysconfig/network-scripts/rule-eth1.6:fwmark 3 table T2

The rest is left as exercise for the reader

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]