LinuxQuestions.org
Welcome to the most active Linux Forum on the web.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
User Name
Password
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Notices


Reply
  Search this Thread
Old 06-04-2013, 11:47 PM   #1
raghavhosur
LQ Newbie
 
Registered: Jun 2013
Posts: 6

Rep: Reputation: Disabled
Network configuration


Hi,
I am Raghava, currently working on Fedora.
My application has to contact a remote server, accessible through VPN.
VPN connection is successful.
Before VPN connection is initiated, I did the following:
ifconfig em1:0 10.223.102.254 netmask 255.255.255.0 up
and then started the VPN and connection is successful.
Now to ping the destination, I did in the following way:
ping -I 10.223.102.254 10.123.102.1
which is working fine.
But when I do like this:
ping 10.123.102.1
it is not reaching the destination.
To contact the remote server, I need to contact by the IP address (either through application programme or in web browser). But I am not able to contact because 10.123.102.1 is not reachable directly.
Can you please suggest any settings do I need to do at my system.
Please let me know if you need any additional information.

Thanks and Regards
Raghav
 
Old 06-05-2013, 12:42 PM   #2
Ser Olmy
Senior Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 2,404

Rep: Reputation: Disabled
What sort of VPN service are you using? And why would you need to set up an alias (em1:0) before activating the VPN tunnel?

The fact that "ping" doesn't work while "ping -I <address>" does, suggests that the ping command normally chooses an interface different from the one you specified with "ping -I", which in turn suggests duplicate or overlapping IP subnets.

How is your system configured with regards to IP addresses and subnet masks? What's the output of ifconfig -a and route -n?
 
Old 06-05-2013, 09:46 PM   #3
raghavhosur
LQ Newbie
 
Registered: Jun 2013
Posts: 6

Original Poster
Rep: Reputation: Disabled
linux NIC configuration - reply

Hi,
Thank you for the reply.
I am using openvpn.
em1:0 is needed to connect to remote server. em1 is used for internet connection.

Output of ifconfig -a
em1 Link encap:Ethernet HWaddr D4:BE9:74:1E:B1
inet addr:10.132.7.11 Bcast:10.132.7.255 Mask:255.255.254.0
inet6 addr: fe80::d6be:d9ff:fe74:1eb1/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:5830 errors:0 dropped:0 overruns:0 frame:0
TX packets:4288 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:4747989 (4.5 MiB) TX bytes:630377 (615.6 KiB)
Interrupt:20 Memory:f7e00000-f7e20000

em1:0 Link encap:Ethernet HWaddr D4:BE9:74:1E:B1
inet addr:10.223.102.254 Bcast:10.223.102.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
Interrupt:20 Memory:f7e00000-f7e20000

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:20 errors:0 dropped:0 overruns:0 frame:0
TX packets:20 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:1200 (1.1 KiB) TX bytes:1200 (1.1 KiB)

tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.23.1.6 P-t-P:10.23.1.5 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)

output of route -n

Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.23.1.1 10.23.1.5 255.255.255.255 UGH 0 0 0 tun0
10.23.1.5 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
10.223.102.0 0.0.0.0 255.255.255.0 U 0 0 0 em1
10.132.6.0 0.0.0.0 255.255.254.0 U 1 0 0 em1
10.123.0.0 10.23.1.5 255.255.0.0 UG 0 0 0 tun0
0.0.0.0 10.132.6.1 0.0.0.0 UG 0 0 0 em1

Please let me know if you need any more details.

Thanks and Regards
Raghav
 
Old 06-06-2013, 02:22 AM   #4
Tabraiz
LQ Newbie
 
Registered: Jun 2013
Posts: 6

Rep: Reputation: Disabled
Execute following command from your terminal window and check if it works for you or not.

route add -host 10.123.102.1 dev em1:0

Regards,
Tabraiz
 
Old 06-06-2013, 02:33 AM   #5
raghavhosur
LQ Newbie
 
Registered: Jun 2013
Posts: 6

Original Poster
Rep: Reputation: Disabled
Network Configuration

Hi,
Thank you for your suggestion.
I did the same, but not destination is not reachable.
Details:
PING 10.123.102.1 (10.123.102.1) 56(84) bytes of data.
From 10.223.102.254 icmp_seq=2 Destination Host Unreachable
From 10.223.102.254 icmp_seq=3 Destination Host Unreachable
From 10.223.102.254 icmp_seq=4 Destination Host Unreachable.

Can you please suggest any other step to do.

Thanks and Regards
Raghav
 
Old 06-06-2013, 02:48 AM   #6
Tabraiz
LQ Newbie
 
Registered: Jun 2013
Posts: 6

Rep: Reputation: Disabled
Hello,

You've moved one step forward, your destination IP now hitting the right interface;

1. Can you pls check if 10.123.102.1 is up and running?
2. Your 10.223.102.254 is allowed/trusted at far end (i.e. 10.123.102.1) to send requests? It seems that you're not trusted on far end side.
3. Can you enable Wireshark and capture packets of your requests on both sides (i.e. 10.123.102.1/10.223.102.254)?
4. Also pls provide output of "iptables -L -v".

Regards,
Tabraiz
 
Old 06-06-2013, 03:19 AM   #7
Ser Olmy
Senior Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 2,404

Rep: Reputation: Disabled
Quote:
Originally Posted by raghavhosur View Post
em1:0 is needed to connect to remote server. em1 is used for internet connection.
I thought you said the remote server was at the end of an OpenVPN tunnel?

You say you want to reach 10.123.102.1 using a VPN connection, but at the same time you add 10.123.102.254 as an alias to em1 with a netmask of 255.255.255.0. The netmask means 10.123.102.1 must be in the same local network as em1.

10.123.102.0/24 is either local or at the end of the tunnel. Which is it? Because right now you've explicitly told your machine that 10.123.102.0/24 is directly connected to em1.
 
Old 06-06-2013, 04:46 AM   #8
Tabraiz
LQ Newbie
 
Registered: Jun 2013
Posts: 6

Rep: Reputation: Disabled
Quote:
Originally Posted by Ser Olmy View Post
but at the same time you add 10.123.102.254 as an alias to em1 with a netmask of 255.255.255.0. The netmask means 10.123.102.1 must be in the same local network as em1.
Dear Olmy: Please note correction in IP assigned to em1:0 interface, it's 10.223.102.254 and not 10.123.102.254. Please share your comments after considering this change.

Regards,
Tabraiz
 
Old 06-06-2013, 05:52 AM   #9
raghavhosur
LQ Newbie
 
Registered: Jun 2013
Posts: 6

Original Poster
Rep: Reputation: Disabled
Network configuration

Hi Tabraiz,

Here are the answers for the questions:
1. Can you pls check if 10.123.102.1 is up and running?
After adding: route add -host 10.123.102.1 dev em1:0
I am not able to reach 10.123.102.1 in either ways: ping or ping -I.
If I delete that by route del -host 10.123.102.1 dev em1:0
then I am able to ping with ping -I but not with ping.

2. Your 10.223.102.254 is allowed/trusted at far end (i.e. 10.123.102.1) to send requests? It seems that you're not trusted on far end side.
Yes the remote server System Administrator told that the ip at my side should be 10.223.102.254 which is configured as part of vpn settings.
3. Can you enable Wireshark and capture packets of your requests on both sides (i.e. 10.123.102.1/10.223.102.254)?
Please find the captures attached. with direct IP and with interface.
Please remove the extention .log for those files to open in wireshark.
4. Also pls provide output of "iptables -L -v".
output:
Chain INPUT (policy ACCEPT 86074 packets, 21M bytes)
pkts bytes target prot opt in out source destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 19445 packets, 2424K bytes)
pkts bytes target prot opt in out source destination

Can you please suggest any other settings need to be done my side.

Thanks and Regards
Raghav
Attached Files
File Type: log capture_WithInterface.log (6.6 KB, 13 views)
File Type: log capture_WithIP.log (9.8 KB, 11 views)
 
Old 06-06-2013, 08:57 AM   #10
Tabraiz
LQ Newbie
 
Registered: Jun 2013
Posts: 6

Rep: Reputation: Disabled
Hi,

I checked both trace files but unfortunately they are of no use. I cant see any packet destined towards 10.123.102.1 in them.

As far as I understood your objective, you're trying to reach destination IP 10.123.102.1 with Source IP as 10.223.102.254. Am I right? If yes then please follow below steps;

1. service iptables status (if status is "not running" go to step 2)/(if running, it will give some o/p & u shud move to step 3 then)
2. service iptables start.
3. iptables -t nat -A POSTROUTING -d 10.123.102.1 -j SNAT --to-source 10.223.102.254
4. service iptables save

Execute these steps and share your results.

***Please note that all changes prior to these should be removed (like "route add -host 10.123.102.1 dev em1:0" etc). Best of luck.

Regards,
Tabraiz
 
1 members found this post helpful.
Old 06-06-2013, 09:04 AM   #11
Ser Olmy
Senior Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 2,404

Rep: Reputation: Disabled
Quote:
Originally Posted by Tabraiz View Post
Dear Olmy: Please note correction in IP assigned to em1:0 interface, it's 10.223.102.254 and not 10.123.102.254. Please share your comments after considering this change.
Ah, I see. That does change things. I see the correct information is indeed listed in your other post with the output from ifconfig -a.

Since the ping command succeeds when you choose the source address/interface manually, the problem is related to the source address (or the return route, depending on your point of view).

When sending locally generated traffic through any interface, the IP stack will always select the address of the outgoing interface as the source address, unless you can somehow manually override that default, as one can with the ping "-I" switch.

Try this:
Code:
iptables -t nat -A OUTPUT -o tun0 -j SNAT --to-source 10.223.102.254
Edit: I see Tabraiz sort of beat me to it, but I would argue that the -o option is better suited in this case.

Last edited by Ser Olmy; 06-06-2013 at 09:05 AM.
 
1 members found this post helpful.
Old 06-06-2013, 10:06 AM   #12
raghavhosur
LQ Newbie
 
Registered: Jun 2013
Posts: 6

Original Poster
Rep: Reputation: Disabled
Hi Tabraiz,
Yes It worked. I followed the steps as suggested by you (iptables were stopped).
Now I am able to ping with the ip address (without interface).
This is really a great help.
Just have one small doubt in continuation to that.
Do I need to execute these commands for every system reboot or it will be saved permanently.

Thanks and Regards
Raghav
 
Old 06-06-2013, 10:10 AM   #13
raghavhosur
LQ Newbie
 
Registered: Jun 2013
Posts: 6

Original Poster
Rep: Reputation: Disabled
Hi Olmy,
I tried the command as suggested by you.

iptables -t nat -A OUTPUT -o tun0 -j SNAT --to-source 10.223.102.254

But got the following message:
iptables: Invalid argument. Run `dmesg' for more information.
so when I changed the command to
iptables -t nat -A POSTROUTING -o tun0 -j SNAT --to-source 10.223.102.254
no error message and I am able to ping to the IP address.
Thank you very much for your support.

Best Regards
Raghav
 
Old 06-06-2013, 10:35 AM   #14
Ser Olmy
Senior Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 2,404

Rep: Reputation: Disabled
Quote:
Originally Posted by raghavhosur View Post
so when I changed the command to
iptables -t nat -A POSTROUTING -o tun0 -j SNAT --to-source 10.223.102.254
no error message and I am able to ping to the IP address.
Thank you very much for your support.
My mistake, that should teach me to test stuff rather than just post from memory.

Glad to hear you solved the problem!
 
Old 06-07-2013, 01:58 AM   #15
Tabraiz
LQ Newbie
 
Registered: Jun 2013
Posts: 6

Rep: Reputation: Disabled
Smile

Quote:
Originally Posted by raghavhosur View Post
Just have one small doubt in continuation to that.
Do I need to execute these commands for every system reboot or it will be saved permanently.

Thanks and Regards
Raghav
Dear Raghav,

Point 4 (service iptables save) ensures that you don't need to do this every time system is rebooted. Cheers!

Dear Olmy,

I would humbly disagree with your argue that -o option is better suited here reasons for that are;

1. -o will only be effective on tun0 interface whereas -d option which I've chosen is not bonded to any specific interface and will always be effective regardless of any routing change takes place in future.
2. All traffic passes through tun0 interface will have source IP changed to 10.223.102.254 whereas -d ensures that source IP is only modified for a specific IP 10.123.102.1 in this case.

Kindly have your say on these points because you're a senior pro of-course and I might be learning many things from you in future.

Thanks,
Tabraiz
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Network configuration failure: "network unreachable" after start-up slackj Linux - Networking 3 10-06-2012 09:09 PM
ifconfig configuration changes are not reflected in the network configuration GUI nkd Linux - Networking 4 12-25-2008 02:17 PM
Slackware 10 network configuration. Problem with 8139 network card drivers ! Padmakiran Linux - Networking 8 03-27-2007 07:48 AM
Network Configuration in Debian (laptop network card) legendaryhwk Linux - Networking 6 04-06-2006 04:59 AM
Network Configuration Hanging in FC4 After Using Wireless Network Wizard Trip in VA Linux - Wireless Networking 2 07-18-2005 09:32 AM


All times are GMT -5. The time now is 12:59 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration