LinuxQuestions.org

Linux - Networking (https://www.linuxquestions.org/questions/linux-networking-3/)
Help! an IP Conflict in a strange case... (https://www.linuxquestions.org/questions/linux-networking-3/help-an-ip-conflict-in-a-strange-case-506398/)

romeo_tango 11-30-2006 10:20 PM

Help! an IP Conflict in a strange case...
 
Hello all,

Well, my English is not too good for chit-chat, so I'm sorry if I go straight to the point.

We have 8 servers, each running RHEL 4.3, and the first one is their gateway, with a public IP (the gateway's local IP is 10.10.10.1). Let's say the public IP is 20x.a.b.158. The rest have just local IPs (10.10.10.2 to 10.10.10.8).

We have a firewall using iptables, so that the 'local IP' servers can be accessed via SSH on a DNAT-ed port, for example:
- ssh 20x.a.b.158 -p 2022 (to the 10.10.10.2)
- ssh 20x.a.b.158 -p 3022 (to the 10.10.10.3)
- ssh 20x.a.b.158 -p 4022 (to the 10.10.10.4)
- and so on

Here is the problem: we have another Win2K server (20x.a.b.148 and 10.10.10.9) which happens to have an IP conflict. At first I thought it was the local IP that was causing the trouble, so I immediately changed it to another one, but that didn't solve the problem.

When I looked at the Event Viewer on the Win2K server there was an error:
"The system detected an address conflict for IP Address 20x.a.b.148 with the system having network hardware address 00:ww:xx:yy:zz:30. Network operations on this system may be disrupted as a result."

I checked all the servers we have and found that the MAC address 00:ww:xx:yy:zz:30 belongs to the local interface of 20x.a.b.158, which is 10.10.10.1.
After a few checks, I found that if we are behind the firewall (10.10.10.1 to 10.10.10.8), we can run this command:
ssh 20x.a.b.148 (while that IP currently belongs to a Win2K server!)
I entered the password, and the "impossible ssh" command brought me to 10.10.10.1.

Has anybody here faced this kind of problem?
This is only happening between 20x.a.b.158 and 20x.a.b.148. We have other servers running too, such as 20x.a.b.147 and others, and there is no problem with them at all.

Any help?

w7hd 12-01-2006 12:09 AM

IP Conflict
 
The source of your problem appears to be the DNAT. It must only be applied to the EXTERNAL interface - not the internal interface. The whole idea is to allow external boxes to access the 10.10.10.x using the 20x.a.b.158:x022 port. The fact that you can access it from inside the firewall using the 20x.a.b.158 address indicates this is being applied to both interfaces.

Hope this helps.

romeo_tango 12-01-2006 12:54 AM

In the iptables configuration we are using these variables:
$INET_IFACE="eth1" and $LAN_IFACE="eth0"

and I am sure that there is no DNAT rule for $LAN_IFACE in the configuration. I already ran
"cat firewall.sh | grep LAN_IFACE" and checked it.

All the DNAT happens on INET_IFACE.

Or did I miss something here?
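
The check w7hd proposes (DNAT pinned to the external interface only) and the grep romeo_tango ran to verify it are worth doing against the live rule set rather than the script, because a rule that names no interface at all matches on every interface and contains neither "LAN_IFACE" nor "eth0" for grep to find. The following is an added example, not code from either poster: it parses iptables-save style output (the sample below is constructed, with eth1 as INET_IFACE and eth0 as LAN_IFACE per the thread) and reports every PREROUTING DNAT rule that is not restricted to the external interface, then builds a correctly scoped rule for the N022 -> 10.10.10.N:22 scheme described above. Run it against real output with `iptables-save -t nat`.

```python
"""Audit iptables DNAT port forwards for a missing external-interface match.

Added example for this thread, not from the original posters. It flags
PREROUTING DNAT rules that would also act on packets arriving from the
LAN side: rules with no '-i' at all, a negated '-i', or an '-i' naming
some interface other than the external one.
"""
import shlex

# Constructed sample resembling `iptables-save -t nat` output. Interface
# names follow the thread: eth1 = INET_IFACE, eth0 = LAN_IFACE. The 4022
# rule deliberately lacks "-i eth1" (it applies on every interface) and
# the 5022 rule is wrongly pinned to the LAN interface.
SAMPLE_NAT_TABLE = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i eth1 -p tcp -m tcp --dport 2022 -j DNAT --to-destination 10.10.10.2:22
-A PREROUTING -i eth1 -p tcp -m tcp --dport 3022 -j DNAT --to-destination 10.10.10.3:22
-A PREROUTING -p tcp -m tcp --dport 4022 -j DNAT --to-destination 10.10.10.4:22
-A PREROUTING -i eth0 -p tcp -m tcp --dport 5022 -j DNAT --to-destination 10.10.10.5:22
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
"""


def parse_rules(save_text):
    """Yield (chain, tokens) for every '-A' rule line in iptables-save output."""
    for line in save_text.splitlines():
        line = line.strip()
        if not line.startswith("-A "):
            continue  # skip table name, chain policy lines and COMMIT
        tokens = shlex.split(line)
        yield tokens[1], tokens[2:]


def in_iface(tokens):
    """Return (iface, negated) for the '-i' match, or (None, False) if absent."""
    for idx, tok in enumerate(tokens):
        if tok in ("-i", "--in-interface") and idx + 1 < len(tokens):
            negated = idx > 0 and tokens[idx - 1] == "!"
            return tokens[idx + 1], negated
    return None, False


def option_value(tokens, name):
    """Return the argument following option `name`, or None."""
    for idx, tok in enumerate(tokens):
        if tok == name and idx + 1 < len(tokens):
            return tokens[idx + 1]
    return None


def audit_dnat(save_text, inet_iface):
    """Return PREROUTING DNAT rules not restricted to inet_iface.

    Each finding is a tuple (dport, to_destination, reason)."""
    findings = []
    for chain, tokens in parse_rules(save_text):
        if chain != "PREROUTING" or option_value(tokens, "-j") != "DNAT":
            continue
        iface, negated = in_iface(tokens)
        if iface is None:
            reason = "no -i match: applies on every interface"
        elif negated:
            reason = "negated -i match: applies on every interface except %s" % iface
        elif iface != inet_iface:
            reason = "matches on %s, not the external interface %s" % (iface, inet_iface)
        else:
            continue  # correctly scoped to the external interface
        findings.append((option_value(tokens, "--dport"),
                         option_value(tokens, "--to-destination"), reason))
    return findings


def dnat_rule(inet_iface, ext_port, lan_ip, lan_port=22):
    """Build a DNAT rule scoped to the external interface (the fix w7hd describes)."""
    return ("iptables -t nat -A PREROUTING -i %s -p tcp --dport %d "
            "-j DNAT --to-destination %s:%d" % (inet_iface, ext_port, lan_ip, lan_port))


if __name__ == "__main__":
    for port, dest, reason in audit_dnat(SAMPLE_NAT_TABLE, "eth1"):
        print("dport %s -> %s: %s" % (port, dest, reason))
    # Rules for the 2022..8022 -> 10.10.10.2..8 scheme from the first post.
    for n in range(2, 9):
        print(dnat_rule("eth1", n * 1000 + 22, "10.10.10.%d" % n))
```

Feeding it real output (`iptables-save -t nat | python3 audit.py` with a small stdin wrapper) answers the question directly: an empty finding list means every DNAT rule is pinned to INET_IFACE as intended, and anything else is a rule that also rewrites traffic arriving from the LAN.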

w7hd 12-01-2006 06:53 AM

Hmmm. Very strange, as you said. Do you by chance have dual IP addresses on the Win2K box -OR- have the 20x.a.b.148 address defined? That would do it. Or does the Win2K box only have the 10.10.10.1 address?

