forwarding packets
Hi

I have CentOS 6 running on a server with 4 NICs.

[root@router-cb ~]# netstat -nr
Kernel IP routing table
Destination     Gateway         Genmask         Flags MSS Window irtt Iface
xxx.yyy.148.32  0.0.0.0         255.255.255.224 U     0   0      0    em1
172.168.1.0     0.0.0.0         255.255.255.0   U     0   0      0    em2
172.168.50.0    172.168.50.1    255.255.255.0   UG    0   0      0    p3p1
172.168.50.0    0.0.0.0         255.255.255.0   U     0   0      0    p3p1
172.168.20.0    172.168.20.1    255.255.255.0   UG    0   0      0    p3p2
172.168.20.0    0.0.0.0         255.255.255.0   U     0   0      0    p3p2
0.0.0.0         xxx.yyy.148.33  0.0.0.0         UG    0   0      0    em1

em1 is routed through ISP1 and em2 through ISP2.

# ip route show table main (ISP1)
xxx.yyy.148.32/27 dev em1 proto kernel scope link src xxx.yyy.148.37 metric 1
172.168.1.0/24 dev em2 proto kernel scope link src 172.168.1.2 metric 1
172.168.50.0/24 via 172.168.50.1 dev p3p1
172.168.50.0/24 dev p3p1 proto kernel scope link src 172.168.50.1 metric 1
172.168.20.0/24 via 172.168.20.1 dev p3p2
172.168.20.0/24 dev p3p2 proto kernel scope link src 172.168.20.1 metric 1
default
    nexthop via xxx.yyy.148.33 dev em1 weight 1
    nexthop via 172.168.1.1 dev em2 weight 1

[root@router-cb ~]# ip route show table ISP2
xxx.yyy.148.32/27 dev em1 proto kernel scope link src xxx.yyy.148.37 metric 1
172.168.1.0/24 dev em2 proto kernel scope link src 172.168.1.2 metric 1
172.168.50.0/24 via 172.168.50.1 dev p3p1
172.168.50.0/24 dev p3p1 proto kernel scope link src 172.168.50.1 metric 1
172.168.20.0/24 dev p3p2 proto kernel scope link src 172.168.20.1 metric 1
default via 172.168.1.1 dev em2

[root@router-cb ~]# iptables -nvL -t mangle
Chain PREROUTING (policy ACCEPT 878K packets, 658M bytes)
 pkts bytes target prot opt in  out source          destination
28753 1384K MARK   tcp  --  *   *   172.168.50.0/24 0.0.0.0/0   tcp dpt:80 MARK set 0x1
 143K   14M MARK   tcp  --  *   *   172.168.20.0/24 0.0.0.0/0   MARK set 0x2

Chain INPUT (policy ACCEPT 15676 packets, 4630K bytes)
 pkts bytes target prot opt in  out source          destination

Chain FORWARD (policy ACCEPT 853K packets, 653M bytes)
 pkts bytes target prot opt in  out source          destination

Chain OUTPUT (policy ACCEPT 11658 packets, 2297K bytes)
 pkts bytes target prot opt in  out source          destination

Chain POSTROUTING (policy ACCEPT 865K packets, 655M bytes)
 pkts bytes target prot opt in  out source          destination

[root@router-cb ~]# iptables -nvL -t nat
Chain PREROUTING (policy ACCEPT 33058 packets, 3858K bytes)
 pkts bytes target prot opt in  out source     destination

Chain POSTROUTING (policy ACCEPT 334 packets, 20124 bytes)
 pkts bytes target prot opt in  out source     destination
21969 2227K SNAT   all  --  *   em1 0.0.0.0/0  0.0.0.0/0   to:xxx.yyy.148.37
 8450  563K SNAT   all  --  *   em2 0.0.0.0/0  0.0.0.0/0   to:172.168.1.2

Chain OUTPUT (policy ACCEPT 2024 packets, 124K bytes)
 pkts bytes target prot opt in  out source     destination

[root@router-cb ~]# ip rule show
0:      from all lookup local
32761:  from all to 172.168.20.0/24 lookup ISP2
32762:  from 172.168.1.2 lookup ISP2
32763:  from 172.168.50.0/24 lookup main
32764:  from 172.168.20.0/24 lookup ISP2
32765:  from 172.168.1.2 lookup ISP2
32766:  from all lookup main
32767:  from all lookup default

Now I can ping from network 172.168.50.xx to 172.168.20.xx but not from 172.168.20.xx to 172.168.50.xx. How can I ping this 172.168.20.xx network?

Moreover, when I try to traceroute from another network it shows:

root@Juniper> traceroute 172.168.20.26    [from 172.168.1.1]
traceroute to 172.168.20.26 (172.168.20.26), 30 hops max, 40 byte packets
 1  ACA80102.ipt.aol.com (172.168.1.2)  2.058 ms  1.971 ms  1.628 ms
 2  * * *
 3  * * *

or

[root@cb-proxy ~]# traceroute 172.168.20.26    [from 192.168.80.1]
traceroute to 172.168.20.26 (172.168.20.26), 30 hops max, 60 byte packets
 1  192.168.1.1 (192.168.1.1)  0.304 ms  0.262 ms  0.287 ms    [this is root@Juniper>]
 2  xxx.yyy.148.37 (202.141.148.37)  0.611 ms  0.611 ms  0.605 ms
 3  * * *
 4  * * *
 5  * * *
 6  * * *

but

[root@router-cb ~]# traceroute -s 172.168.20.1 192.168.80.1
traceroute to 192.168.80.1 (192.168.80.1), 30 hops max, 60 byte packets
 1  ACA80101.ipt.aol.com (172.168.1.1)  0.251 ms  0.240 ms  0.227 ms
 2  192.168.80.1 (192.168.80.1)  0.524 ms  0.535 ms  0.534 ms
Use the packet counters shown in your iptables output to find where the packets are being dropped.
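One way to apply that advice, as an added example that is not from the thread: snapshot the counters of a table before and after a test ping and report only the chains and rules whose packet count moved. The snapshots embedded here are constructed from the figures in the first post (with `-x` exact counters assumed); the file names and the four-packet delta are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the thread: find where packets stop by diffing
# the packet counters of two `iptables -nvL -t <table> -x` snapshots taken
# before and after a test ping (-x prints exact counts, no K/M suffixes).
# On the router:  iptables -nvL -t mangle -x > before; ping -c 4 <dst>;
#                 iptables -nvL -t mangle -x > after; counter_diff before after

# Prints "CHAIN|policy-or-rule-number|delta|rule text" for every counter that moved.
counter_diff() {
    awk '
        function store(k, v, t) {
            if (pass == 1) before[k] = v
            else if (v - before[k] != 0) printf "%s|%d|%s\n", k, v - before[k], t
        }
        FNR == 1 { pass++ }
        /^Chain / && $3 == "(policy" { chain = $2; rule = 0; store(chain "|policy", $5 + 0, "policy " $4); next }
        /^Chain / { chain = $2; rule = 0; next }      # user-defined chain, no policy counter
        /^ *pkts/ || NF == 0 { next }                 # column header or blank line
        { rule++; t = $0; sub(/^ *[0-9]+ +[0-9]+ +/, "", t); store(chain "|" rule, $1 + 0, t) }
    ' "$1" "$2"
}

# Constructed snapshots modelled on the mangle table in the first post, before
# and after four ICMP echo requests from 172.168.20.0/24 reached the router.
mk_snapshots() {
    cat > "$1" <<'EOF'
Chain PREROUTING (policy ACCEPT 878000 packets, 658000000 bytes)
    pkts      bytes target     prot opt in     out     source               destination
   28753    1384000 MARK       tcp  --  *      *       172.168.50.0/24      0.0.0.0/0            tcp dpt:80 MARK set 0x1
  143000   14000000 MARK       tcp  --  *      *       172.168.20.0/24      0.0.0.0/0            MARK set 0x2

Chain FORWARD (policy ACCEPT 853000 packets, 653000000 bytes)
    pkts      bytes target     prot opt in     out     source               destination
EOF
    sed -e 's/878000 packets, 658000000 bytes/878004 packets, 658000336 bytes/' "$1" > "$2"
}

mk_snapshots /tmp/mangle.before /tmp/mangle.after
counter_diff /tmp/mangle.before /tmp/mangle.after
# prints:  PREROUTING|policy|4|policy ACCEPT
# The four requests entered PREROUTING but FORWARD's counter never moved, so
# they were consumed before FORWARD (routing decision or local delivery), not by a rule.
```

A PREROUTING counter that rises while FORWARD stays flat points at the routing step rather than a filter rule: strict reverse-path filtering (rp_filter=1) drops there any packet whose source would be reached through a different interface than the one it arrived on, and `ip route get <dst> from <src> iif <dev>` shows what the kernel decides for that flow.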
Sorry, could not understand.
Has it anything to do with the default route?

Jiba mandal
Hi

I am yet to solve the problem. I think my problem lies with routing in my Linux box and packets are not properly being returned. The Juniper router has 2 ISPs:

interface ge-2/0/7 -- xxx.yyy.148.33  ISP1 [connected to em1 of the Linux server, xxx.yyy.148.37]
interface ge-2/0/5 -- 172.168.1.1     ISP2 [connected to em2 of the Linux server, 172.168.1.2]

I have seen that when I try to contact xxx.yyy.148.37 from 172.168.1.1:

Juniper> ping 202.141.148.37 source 172.168.1.1
PING 202.141.148.37 (202.141.148.37): 56 data bytes
(no packet is returned)

[root@router-cb ~]# tcpdump -nni em2 -qtln icmp    [em2 IP is 172.168.1.2]
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on em2, link-type EN10MB (Ethernet), capture size 65535 bytes
^C
0 packets captured
0 packets received by filter
0 packets dropped by kernel

[root@router-cb ~]# tcpdump -nni em1 -qtln icmp    [em1 IP is xxx.yy.148.37]
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on em1, link-type EN10MB (Ethernet), capture size 65535 bytes
IP 172.168.1.1 > xxx.yyy.148.37: ICMP echo request, id 17929, seq 2018, length 64
IP 172.168.1.1 > xxx.yyy.148.37: ICMP echo request, id 17929, seq 2024, length 64
^C
7 packets captured
7 packets received by filter
0 packets dropped by kernel

I feel the packets reaching the Linux box try to get out through the default route and hence the ping does not return to me. Moreover, if I try to ping xx.yy.148.37 (em1) or 192.168.50.1 (p3p1) from the Juniper router port xx.yy.148.33 it works fine, and 172.168.1.2 (em2) from 172.168.1.1 also works, but 172.168.1.1 cannot ping 172.168.20.1 (p3p2). Please note the SNAT works perfectly well and I can use the internet [through 2 ISPs] properly.

Jiba