[rhelv6-list] network problem on RHEL6.3
Manuel Wolfshant
wolfy at nobugconsulting.ro
Wed Jul 4 12:59:42 UTC 2012
On 07/04/2012 03:46 PM, John Haxby wrote:
>
>
> On 4 July 2012 10:00, Tiziana Manfroni <manfroni at mat.uniroma3.it> wrote:
>
> I did some tests and I have problems with the 192.168.114 private
> network. In fact, if I connect from the public network (193.204.165.*)
> or another private network (192.168.115.) it's all OK, but, for
> example, if I connect from a host with IP address 192.168.114.30
> with 'ssh -vvv www@193.204.165.224' the
> output is "ssh: connect to 193.204.165.224 port 22: no route to
> host". When I connect with 'ssh -vvv www@192.168.114.60' I see
> "www@192.168.114.60's password:". I have this network
> problem for all services on the server (http, https, mail), not
> only ssh. This server worked with RHEL5.8, but after the upgrade to
> RHEL6.3 there is this problem.
>
>
>
> I'm pretty sure you're tripping over the reverse path filtering change.
> In 5.x, the "net.ipv4.conf.default.rp_filter = 1" means "[loose]
> reverse path filtering". In 6.x (indeed any kernel after about
> 2.6.30) it means "strict reverse path filtering". See
> /usr/share/doc/kernel-*/Documentation/networking/ip-sysctl.txt for
> more details. If you want loose mode, then change the "1" to "2" and
> restart everything.
>
> Loose mode reverse path filtering isn't usually recommended, though,
> not least because asymmetric routing can mess up TCP's flow control.
> I keep hoping that someone will post a succinct guide to having
> packets route back through the interface they came in on (I know it
> can be done, I've just never sat down and worked it out in detail.)
EXTERNAL_INTERFACE1="eth1.5"
EXTERNAL_INTERFACE2="eth1.6"
# Restore the connection mark first, so packets of established flows keep their mark
$IPTABLES -t mangle -A PREROUTING -j CONNMARK --restore-mark
# Mark packets according to the interface they arrived on
$IPTABLES -t mangle -A PREROUTING -i "$EXTERNAL_INTERFACE1" -j MARK --set-mark 2
$IPTABLES -t mangle -A PREROUTING -i "$EXTERNAL_INTERFACE2" -j MARK --set-mark 3
# Save the packet mark into the connection, so replies inherit it
$IPTABLES -t mangle -A POSTROUTING -j CONNMARK --save-mark
[root@mail ~]# grep mark /etc/sysconfig/network-scripts/rule-eth*
/etc/sysconfig/network-scripts/rule-eth1.5:fwmark 2 table T1
/etc/sysconfig/network-scripts/rule-eth1.6:fwmark 3 table T2
The rest is left as an exercise for the reader.
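The "packets route back through the interface they came in on" setup John asked for, filled out as a complete script. This is an added example, not code from any message in the thread: the interface names are the ones Manuel used, while the subnets, gateways, marks and table numbers are assumed values, and the src_valid_mark sysctl is applied only where the kernel provides it.

```shell
#!/bin/sh
# Added example (not from any message in this thread): make replies leave through
# the uplink they arrived on while keeping rp_filter strict (1) instead of loose (2).
# Interface names match the thread; subnets, gateways, marks and table numbers are
# assumed values. Every command goes through $RUN, so the script prints what it
# would do by default (RUN=echo) and only applies it when run as root with RUN="".
RUN=${RUN-echo}
IPTABLES=${IPTABLES:-iptables}
IF1=eth1.5; NET1=192.0.2.0/24;     GW1=192.0.2.1;     MARK1=2; TABLE1=101
IF2=eth1.6; NET2=198.51.100.0/24;  GW2=198.51.100.1;  MARK2=3; TABLE2=102

rp_filter_setup() {
    # Strict mode stays on. For the fwmark rules below to satisfy the strict
    # reverse-path check on the second uplink, the reverse lookup must also see
    # the mark, which the src_valid_mark sysctl enables where it exists (ip-sysctl.txt).
    $RUN sysctl -w net.ipv4.conf.all.rp_filter=1
    if [ -f /proc/sys/net/ipv4/conf/all/src_valid_mark ]; then
        $RUN sysctl -w net.ipv4.conf.all.src_valid_mark=1
    fi
}

add_uplink() {  # args: iface subnet gateway mark table
    # Per-uplink table: the connected route plus that uplink's own default route.
    $RUN ip route replace "$2" dev "$1" table "$5"
    $RUN ip route replace default via "$3" dev "$1" table "$5"
    # Same effect as the rule-<iface> files above: marked packets use this table,
    # and so do locally generated packets sourced from this uplink's subnet.
    $RUN ip rule add fwmark "$4" table "$5"
    $RUN ip rule add from "$2" table "$5"
    # Tag new connections arriving on this uplink with its mark.
    $RUN $IPTABLES -t mangle -A PREROUTING -i "$1" -m conntrack --ctstate NEW \
        -j MARK --set-mark "$4"
}

policy_routing_setup() {
    rp_filter_setup
    # Restore the saved connection mark early so existing flows keep their uplink;
    # OUTPUT is needed too, because a server's replies are locally generated.
    $RUN $IPTABLES -t mangle -A PREROUTING -j CONNMARK --restore-mark
    $RUN $IPTABLES -t mangle -A OUTPUT -j CONNMARK --restore-mark
    add_uplink "$IF1" "$NET1" "$GW1" "$MARK1" "$TABLE1"
    add_uplink "$IF2" "$NET2" "$GW2" "$MARK2" "$TABLE2"
    # Persist the packet mark into the connection on the way out.
    $RUN $IPTABLES -t mangle -A POSTROUTING -j CONNMARK --save-mark
    $RUN ip route flush cache
}

policy_routing_setup
```

Run as-is it only prints the commands for review; on RHEL 6 the same rules and routes persist across reboots in the rule-<iface> and route-<iface> files under /etc/sysconfig/network-scripts.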