[rhelv6-list] network problem on RHEL6.3

Manuel Wolfshant wolfy at nobugconsulting.ro
Wed Jul 4 12:59:42 UTC 2012


On 07/04/2012 03:46 PM, John Haxby wrote:
>
>
> On 4 July 2012 10:00, Tiziana Manfroni <manfroni at mat.uniroma3.it> wrote:
>
>     I did some tests and I have problems with the 192.168.114 private
>     network. In fact, if I connect from the public network (193.204.165.*)
>     or another private network (192.168.115.) it's all ok, but for
>     example, if I connect from a host with IP address 192.168.114.30
>     with 'ssh -vvv www at 193.204.165.224' the output is
>     "ssh: connect to 193.204.165.224 port 22: no route to host".
>     When I connect with 'ssh -vvv www at 192.168.114.60' I see
>     "www at 192.168.114.60's password:". I have this network
>     problem for all services on the server (http, https, mail) and not
>     only for ssh. This server worked with RHEL5.8 but after the upgrade
>     to RHEL6.3 there is this problem.
>
>
>
> I'm pretty sure you're tripping over the reverse path filtering change.
> In 5.x, "net.ipv4.conf.default.rp_filter = 1" means "[loose]
> reverse path filtering". In 6.x (indeed any kernel after about
> 2.6.30) it means "strict reverse path filtering". See
> /usr/share/doc/kernel-*/Documentation/networking/ip-sysctl.txt for
> more details. If you want loose mode, then change the "1" to "2" and
> restart everything.
>
> Loose mode reverse path filtering isn't usually recommended, though,
> not least because asymmetric routing can mess up TCP's flow control.
> I keep hoping that someone will post a succinct guide to having
> packets route back through the interface they came in on (I know it
> can be done, I've just never sat down and worked it out in detail).

IPTABLES=/sbin/iptables
EXTERNAL_INTERFACE1="eth1.5"
EXTERNAL_INTERFACE2="eth1.6"
# put back on each packet the mark saved for its connection
$IPTABLES -t mangle -A PREROUTING -j CONNMARK --restore-mark
# mark new traffic with the interface it came in on
$IPTABLES -t mangle -A PREROUTING -i "$EXTERNAL_INTERFACE1" -j MARK --set-mark 2
$IPTABLES -t mangle -A PREROUTING -i "$EXTERNAL_INTERFACE2" -j MARK --set-mark 3
# remember the mark on the connection so the replies inherit it
$IPTABLES -t mangle -A POSTROUTING -j CONNMARK --save-mark

[root at mail ~]# grep mark /etc/sysconfig/network-scripts/rule-eth*
/etc/sysconfig/network-scripts/rule-eth1.5:fwmark 2 table T1
/etc/sysconfig/network-scripts/rule-eth1.6:fwmark 3 table T2

The rest is left as an exercise for the reader
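
The rest of the exercise, written out as an added example (this is not Manuel's script nor anything shipped by Red Hat): the CONNMARK marking from the post, the ip rule / ip route statements that the rule-eth1.5 and route-eth1.5 files stand for, and the rp_filter setting John mentions, all in one script. The interface names eth1.5/eth1.6, marks 2/3 and tables T1/T2 are taken from the post; the gateways 203.0.113.1 and 198.51.100.1, the DRY_RUN switch and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the thread: make a multi-homed host answer on the
# interface a connection arrived on (fwmark + CONNMARK + policy routing).
# Gateways, DRY_RUN and function names are placeholders of this example.

IPTABLES=${IPTABLES:-/sbin/iptables}
IP=${IP:-/sbin/ip}
SYSCTL=${SYSCTL:-/sbin/sysctl}
DRY_RUN=${DRY_RUN:-1}   # 1 = only print the commands; DRY_RUN=0 (as root) applies them

run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Mark every packet that enters through interface $1 with mark $2.
mark_ingress() {
    run "$IPTABLES" -t mangle -A PREROUTING -i "$1" -j MARK --set-mark "$2"
}

# Restore the saved mark on incoming packets (PREROUTING) and, the part the
# post leaves out, on packets this host generates itself (OUTPUT): replies
# only take the marked route if the mark is on them before routing.
connmark_restore() {
    run "$IPTABLES" -t mangle -A PREROUTING -j CONNMARK --restore-mark
    run "$IPTABLES" -t mangle -A OUTPUT -j CONNMARK --restore-mark
}

# Save the packet mark on the conntrack entry so the whole connection keeps it.
connmark_save() {
    run "$IPTABLES" -t mangle -A POSTROUTING -j CONNMARK --save-mark
}

# Send packets carrying mark $2 through table $3, whose only route is a
# default via gateway $4 on interface $1. This is what the RHEL files
#   rule-<if>:  fwmark $2 table $3
#   route-<if>: default via $4 dev $1 table $3
# expand to; the table names must exist in /etc/iproute2/rt_tables.
policy_route() {
    run "$IP" rule add fwmark "$2" table "$3"
    run "$IP" route add default via "$4" dev "$1" table "$3"
}

# rp_filter on interface $1: 1 = strict (the 6.x meaning), 2 = loose.
rp_filter() {
    run "$SYSCTL" -w "net.ipv4.conf.$1.rp_filter=$2"
}

build_all() {
    connmark_restore
    mark_ingress eth1.5 2
    mark_ingress eth1.6 3
    connmark_save
    policy_route eth1.5 2 T1 203.0.113.1    # placeholder gateway for eth1.5
    policy_route eth1.6 3 T2 198.51.100.1   # placeholder gateway for eth1.6
    # Keep strict mode if the kernel's reverse-path check honours the mark;
    # otherwise loose mode (2) is the fallback John describes above.
    rp_filter eth1.5 1
    rp_filter eth1.6 1
}

build_all
```

Run it as is to see the commands it would issue; run it with DRY_RUN=0 as root to apply them. The order inside build_all matters: the restore rule must sit before the MARK rules in PREROUTING so that packets of an established connection keep the mark they were given when it started.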