On 07/04/2012 03:46 PM, John Haxby wrote:


On 4 July 2012 10:00, Tiziana Manfroni <manfr...@mat.uniroma3.it> wrote:

    I did some tests and I have problems with the 192.168.114 private
    network. In fact, if I connect from the public network (193.204.165.*)
    or from another private network (192.168.115.) it's all OK, but for
    example, if I connect from a host with IP address 192.168.114.30
    with 'ssh -vvv www@193.204.165.224', the output is "ssh: connect to
    193.204.165.224 port 22: No route to host". When I connect with
    'ssh -vvv www@192.168.114.60' I see "www@192.168.114.60's password:".
    I have this network problem for all services on the server (http,
    https, mail), not only for ssh. This server worked with RHEL5.8, but
    after the upgrade to RHEL6.3 there is this problem.



I'm pretty sure you're tripping over the reverse path filtering change. In 5.x, "net.ipv4.conf.default.rp_filter = 1" means "[loose] reverse path filtering". In 6.x (indeed any kernel after about 2.6.30) it means "strict reverse path filtering". See /usr/share/doc/kernel-*/Documentation/networking/ip-sysctl.txt for more details. If you want loose mode, then change the "1" to "2" and restart everything.

Loose mode reverse path filtering isn't usually recommended, though, not least because asymmetric routing can mess up TCP's flow control. I keep hoping that someone will post a succinct guide to having packets route back through the interface they came in on (I know it can be done, I've just never sat down and worked it out in detail.)

IPTABLES=/sbin/iptables
EXTERNAL_INTERFACE1="eth1.5"
EXTERNAL_INTERFACE2="eth1.6"
# Put any mark already saved on the connection back onto the packet
$IPTABLES -t mangle -A PREROUTING -j CONNMARK --restore-mark
# Mark traffic by the uplink it arrived on
$IPTABLES -t mangle -A PREROUTING -i "$EXTERNAL_INTERFACE1" -j MARK --set-mark 2
$IPTABLES -t mangle -A PREROUTING -i "$EXTERNAL_INTERFACE2" -j MARK --set-mark 3
# Remember the mark on the conntrack entry so replies inherit it
$IPTABLES -t mangle -A POSTROUTING -j CONNMARK --save-mark



[root@mail ~]# grep mark /etc/sysconfig/network-scripts/rule-eth*
/etc/sysconfig/network-scripts/rule-eth1.5:fwmark 2 table T1
/etc/sysconfig/network-scripts/rule-eth1.6:fwmark 3 table T2


The rest is left as an exercise for the reader

_______________________________________________
rhelv6-list mailing list
rhelv6-list@redhat.com
https://www.redhat.com/mailman/listinfo/rhelv6-list
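The "exercise for the reader" spelled out, as an added example that is not part of the thread or of anyone's posted configuration: a script that builds the whole return-path setup the CONNMARK fragment and the rule-eth1.5/rule-eth1.6 files are pieces of. Interface names, table names (T1, T2) and marks (2, 3) are taken from the thread; the two gateway addresses are assumed placeholders from the documentation ranges. It adds two things a practitioner needs that the fragment does not show: the mark is saved in PREROUTING rather than POSTROUTING, because a packet addressed to the server itself (sshd, httpd, the mailer) goes PREROUTING -> INPUT and never reaches POSTROUTING, and the mark is restored in mangle OUTPUT so that the locally generated reply hits the fwmark rule. The script prints the commands it would run unless DRY_RUN=0 is set, so it can be reviewed before being applied as root.

```sh
#!/bin/sh
# Added example: source-based return routing over two external VLAN
# interfaces. Names/marks follow the thread; gateways are assumptions.
# DRY_RUN=1 (default) prints the commands; DRY_RUN=0 executes them (as root).
set -eu

IPTABLES=${IPTABLES:-/sbin/iptables}
DRY_RUN=${DRY_RUN:-1}

EXTERNAL_INTERFACE1="eth1.5"; GW1="203.0.113.1"   # assumed gateway (TEST-NET-3)
EXTERNAL_INTERFACE2="eth1.6"; GW2="198.51.100.1"  # assumed gateway (TEST-NET-2)

# Print or execute a command, depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Write a /proc/sys value; used instead of sysctl(8) because the dot in
# "eth1.5" collides with sysctl's key separator.
write_sysctl() {  # $1 = /proc/sys path, $2 = value
    if [ "$DRY_RUN" = 1 ]; then printf 'echo %s > %s\n' "$2" "$1"
    else printf '%s\n' "$2" > "$1"; fi
}

# One routing table per uplink, each with just a default route out of
# that interface. T1 and T2 must be listed in /etc/iproute2/rt_tables
# (e.g. "1 T1" and "2 T2") for the names to resolve.
setup_tables() {
    run ip route replace default via "$GW1" dev "$EXTERNAL_INTERFACE1" table T1
    run ip route replace default via "$GW2" dev "$EXTERNAL_INTERFACE2" table T2
}

# Policy rules: what the rule-eth1.5 / rule-eth1.6 files do on RHEL6.
# Packets carrying mark 2 use T1, mark 3 use T2; everything else falls
# through to the main table.
setup_rules() {
    run ip rule add fwmark 2 table T1
    run ip rule add fwmark 3 table T2
    run ip route flush cache
}

# Mark connections by the uplink they arrived on and carry the mark to
# the reply.  "-m mark --mark 0" only marks packets that did not get a
# mark back from CONNMARK, so established connections keep theirs.
setup_marks() {
    run "$IPTABLES" -t mangle -A PREROUTING -j CONNMARK --restore-mark
    run "$IPTABLES" -t mangle -A PREROUTING -i "$EXTERNAL_INTERFACE1" -m mark --mark 0 -j MARK --set-mark 2
    run "$IPTABLES" -t mangle -A PREROUTING -i "$EXTERNAL_INTERFACE2" -m mark --mark 0 -j MARK --set-mark 3
    # Save here, not in POSTROUTING: packets for local daemons go
    # PREROUTING -> INPUT and never traverse POSTROUTING.
    run "$IPTABLES" -t mangle -A PREROUTING -j CONNMARK --save-mark
    # Replies from local daemons originate in OUTPUT; give them the
    # connection's mark so the fwmark rules route them back the same way.
    run "$IPTABLES" -t mangle -A OUTPUT -j CONNMARK --restore-mark
}

# With rp_filter=1 now meaning strict, the inbound packet is still
# dropped when the main table routes its source via a different
# interface.  Loose mode (2) on the uplinks accepts it as long as the
# source is reachable at all; tighten per interface rather than globally.
setup_rp_filter() {
    for dev in "$EXTERNAL_INTERFACE1" "$EXTERNAL_INTERFACE2"; do
        write_sysctl "/proc/sys/net/ipv4/conf/$dev/rp_filter" 2
    done
}

apply_all() {
    setup_tables
    setup_rules
    setup_marks
    setup_rp_filter
}

apply_all
```

Run it once with the default DRY_RUN=1 and diff the printed commands against what is already in /etc/sysconfig/iptables and the rule-/route- files before applying; the ip rule additions are not idempotent, so re-running with DRY_RUN=0 adds duplicate rules. Loose rp_filter on the uplinks is the trade-off John Haxby mentions: it keeps the kernel from dropping the first packet, and the fwmark routing ensures the reply leaves through the interface it came in on.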