forwarding packets

jibamandal · 07-31-2015, 03:06 AM

HI
I have CentOS 6 running on server with 4 NIC
[root@router-cb ~]# netstat -nr
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
xxx.yyy.148.32 0.0.0.0 255.255.255.224 U 0 0 0 em1
172.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 em2
172.168.50.0 172.168.50.1 255.255.255.0 UG 0 0 0 p3p1
172.168.50.0 0.0.0.0 255.255.255.0 U 0 0 0 p3p1
172.168.20.0 172.168.20.1 255.255.255.0 UG 0 0 0 p3p2
172.168.20.0 0.0.0.0 255.255.255.0 U 0 0 0 p3p2
0.0.0.0 xxx.yyy.148.33 0.0.0.0 UG 0 0 0 em1

Em1 is routed through ISP1 and em2 through ISP2
# ip route show table main (ISP1)
xxx.yyy.148.32/27 dev em1 proto kernel scope link src xxx.yyy.148.37 metric 1
172.168.1.0/24 dev em2 proto kernel scope link src 172.168.1.2 metric 1
172.168.50.0/24 via 172.168.50.1 dev p3p1
172.168.50.0/24 dev p3p1 proto kernel scope link src 172.168.50.1 metric 1
172.168.20.0/24 via 172.168.20.1 dev p3p2
172.168.20.0/24 dev p3p2 proto kernel scope link src 172.168.20.1 metric 1
default
nexthop via xxx.yyy.148.33 dev em1 weight 1
nexthop via 172.168.1.1 dev em2 weight 1
[root@router-cb ~]# ip route show table ISP2
xxx.yyy.148.32/27 dev em1 proto kernel scope link src xxx.yyy.148.37 metric 1
172.168.1.0/24 dev em2 proto kernel scope link src 172.168.1.2 metric 1
172.168.50.0/24 via 172.168.50.1 dev p3p1
172.168.50.0/24 dev p3p1 proto kernel scope link src 172.168.50.1 metric 1
172.168.20.0/24 dev p3p2 proto kernel scope link src 172.168.20.1 metric 1
default via 172.168.1.1 dev em2
[root@router-cb ~]# iptables -nvL -t mangle
Chain PREROUTING (policy ACCEPT 878K packets, 658M bytes)
pkts bytes target prot opt in out source destination
28753 1384K MARK tcp -- * * 172.168.50.0/24 0.0.0.0/0 tcp dpt:80 MARK set 0x1
143K 14M MARK tcp -- * * 172.168.20.0/24 0.0.0.0/0 MARK set 0x2

Chain INPUT (policy ACCEPT 15676 packets, 4630K bytes)
pkts bytes target prot opt in out source destination

Chain FORWARD (policy ACCEPT 853K packets, 653M bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 11658 packets, 2297K bytes)
pkts bytes target prot opt in out source destination

[root@router-cb ~]# iptables -nvL -t nat
Chain PREROUTING (policy ACCEPT 33058 packets, 3858K bytes)
pkts bytes target prot opt in out source destination

Chain POSTROUTING (policy ACCEPT 334 packets, 20124 bytes)
pkts bytes target prot opt in out source destination
21969 2227K SNAT all -- * em1 0.0.0.0/0 0.0.0.0/0 to:xxx.yyy.148.37
8450 563K SNAT all -- * em2 0.0.0.0/0 0.0.0.0/0 to:172.168.1.2

Chain OUTPUT (policy ACCEPT 2024 packets, 124K bytes)
pkts bytes target prot opt in out source destination
[root@router-cb ~]# ip rule show
0: from all lookup local
32761: from all to 172.168.20.0/24 lookup ISP2
32762: from 172.168.1.2 lookup ISP2
32763: from 172.168.50.0/24 lookup main
32764: from 172.168.20.0/24 lookup ISP2
32765: from 172.168.1.2 lookup ISP2
32766: from all lookup main
32767: from all lookup default

Chain POSTROUTING (policy ACCEPT 865K packets, 655M bytes)
pkts bytes target prot opt in out source destination

NOW I can ping from network 172.168.50.xx to 172.168.20.xx but not from 172.168.20.xx to 172.168.50.xx. HOW can I ping this 172.168.20.xx network ?

Moreover when I try to traceroute from other network it show
root@ Juniper> traceroute 172.168.20.26 [from 172.168.1.1]
traceroute to 172.168.20.26 (172.168.20.26), 30 hops max, 40 byte packets
1 ACA80102.ipt.aol.com (172.168.1.2) 2.058 ms 1.971 ms 1.628 ms
2 * * *
3 * * *

OR
[root@cb-proxy ~]# traceroute 172.168.20.26 [from 192.168.80.1]
traceroute to 172.168.20.26 (172.168.20.26), 30 hops max, 60 byte packets
1 192.168.1.1 (192.168.1.1) 0.304 ms 0.262 ms 0.287 ms [this is root@ Juniper>]
2 xxx.yyy.148.37 (202.141.148.37) 0.611 ms 0.611 ms 0.605 ms
3 * * *
4 * * *
5 * * *
6 * * *
BUT
[root@router-cb ~]# traceroute -s 172.168.20.1 192.168.80.1
traceroute to 192.168.80.1 (192.168.80.1), 30 hops max, 60 byte packets
1 ACA80101.ipt.aol.com (172.168.1.1) 0.251 ms 0.240 ms 0.227 ms
2 192.168.80.1 (192.168.80.1) 0.524 ms 0.535 ms 0.534 ms

smallpond · 08-02-2015, 08:02 AM

Use the packet counters shown in your iptables output to find where the packets are being dropped.

jibamandal · 08-03-2015, 06:10 AM

Sorry couldnot understand.
Has it any thing to do default route?
Jiba mandal

jibamandal · 08-07-2015, 05:36 AM

Hi
I am yet to solve the problem.

I think my problem lies with routing in my Linux box and packets are not properly being returned back.

Juniper Router has 2 ISP and interface ge-2/0/7-- xxx.yyy.148.33 ISP1[connected to em1 of Linux server xxx.yyy.148.37 ]
interface ge-2/0/5-- 172.168.1.1 ISP2[connected to em2 of Linux server 172.168.1.2 ]

I have seen when I try to contact xxx.yyy.148.37 from 172.168.1.1
Juniper> ping 202.141.148.37 source 172.168.1.1
PING 202.141.148.37 (202.141.148.37): 56 data bytes
(no packet is returned)
[root@router-cb ~]# tcpdump -nni em2 -qtln icmp [em2 IP is 172.168.1.2]
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on em2, link-type EN10MB (Ethernet), capture size 65535 bytes
^C
0 packets captured
0 packets received by filter
0 packets dropped by kernel
[root@router-cb ~]# tcpdump -nni em1 -qtln icmp [em1 IP is xxx.yy.148.37]
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on em1, link-type EN10MB (Ethernet), capture size 65535 bytes
IP 172.168.1.1 > xxx.yyy.148.37: ICMP echo request, id 17929, seq 2018, length 64
IP 172.168.1.1 > xxx.yyy.148.37: ICMP echo request, id 17929, seq 2024, length 64
^C
7 packets captured
7 packets received by filter
0 packets dropped by kernel

I feel packets reaching the Linux box tires to get out through the default route and hence does not return me ping.

More over if i try to ping xx.yy.148.37 (em1) or 192.168.50.1 (p3p1) from juniper router port xx.yy.148.33 it works fine and 172.168.1.2(em2) from 172.168.1.1 it also works but 172.168.1.1 cannot ping 172.168.20.1(p3p2).

Please note the SNAT works perfectly well and I can use the internet [through 2 ISP] properly.

Jiba