My redhat 9.0 machine is set up in a dmz, and right now I can ping other boxes in the dmz, and can ping the default gateway, but can't get out. I can't ping the dns ips that I need to use, and so can't ping anything on the internet or browse the internet. My resolv.conf file has the following:

nameserver 123.123.123.123

My ifconfig shows the following:

eth0 Link encap:Ethernet HWaddr 00:00:50:06:FE:C9
inet addr:10.45.45.4 Bcast:10.45.45.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:2233 errors:0 dropped:0 overruns:0 frame:0
TX packets:280 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:260814 (254.7 Kb) TX bytes:38498 (37.5 Kb)
Interrupt:14 Base address:0x2400 Memory:f4101000-f4101038

My netstat shows the following:

Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
10.45.45.0 * 255.255.255.0 U 0 0 0 eth0
169.254.0.0 * 255.255.0.0 U 0 0 0 eth0
127.0.0.0 * 255.0.0.0 U 0 0 0 lo
default 10.45.45.254 0.0.0.0 UG 0 0 0 eth0

I'm not sure what the 169.254.0.0 is doing in there, I have tried removing it using route del .... but have not been successful. reboots do not change that table. Any ideas on what is wrong and how to fix it?

Thanks much!

That looks ok. I assume that 10.45.45.254 is your gateway?

What sorf of router/firewall are you using? If it is linux has it been setup to forward packets correctly?

yeah, 10.45.45.254 is gateway. That is dmz ip of pix firewall... my boss has told me that I shouldn't need to change any rules on that in order to get internet access, though... I just set up a win2k laptop to use the same IP that linux box was using, and can't ping out either... sounds like it is not my linux box, then....
How can I get rid of that 169.254 line, though?

I'll have my boss look at the firewall in the meantime...

thanks

I think that is auto generated - I wouldn't worry about it.

I'd check the firewall If I was you.

is that a dhcp or a static IP address? sounds like it could possible be a layer one problem...do you have actual connectivity...cables good...so on

--dubman

can you ping outside the dmz by ip address? can you ping the name server by ip? is the firewall set to let dns in and out?

also, i assume lo shows up when you type ifconfig? and can you ping the external card ip of the router. if you can ping the internal router ip and not the external, i would think it is the router.

Sounds to me like your firewall is stopping all ICMP traffic.This is quite normal...

I don't think the 169.254 should be there. I wonder if you are setting the 10.x.x.x and then dhcp is picking up 169.254.x.x.

Try:
#ip address show

it looks like RH is using iproute2, the above command (if it works) should provide all the ip's for your eth0 card. If there is a 169 ip on the card you will have to figure out why. Especially if your nameserver is on that network, in which case it certainly won't work. If 'ip address show' indicates an ip on the 169. net you can delete it with:

#ip address del dev eth0 169.254.x.x
where x.x is the ip the card is assigned.

Is it possible that the gateway on the 10.x.x.x net is forwarding dhcp replies so that your correct 10.x.x.x settings are being rewritten?

Try:
$ps aux |grep dhc
and look for dhclient or dhcpcd. If the address is provided by dhcp with an infinite lease you won't find anything anyway, and you will have to check the startup configs.

weird. Good luck,
Craig

I'm not sure how much help I'm going to be cause I'm a newbie, but I can say that I was just in a similar situation. We have one linux, and one winXP box set up on a dmz of a pix firewall and we were having the same issues with both machines.

What was happening was:
1. can ping by IP address but not FQN
2. could not resolve DNS server
3. could receive requests (i.e. the servers could be telnet'd to) but we could not make requests (the servers could not telnet out).

Basically what it seemed like was that the outside (Internet and other inhouse subnets) could see those two servers on the dmz, but those two servers couldn't see past the dmz.

What ended up happening in our case is that those two servers were behind a Nortel switch, which was behind the pix firewall. The switch was improperly configured. ICMP traffic was being let through, which would explain why the servers could ping. However, IP traffic was not being allowed. Two statements were added to the VLAN config to allow IP traffic, and suddenly as if by magic everything worked.

I'm not a networking person, and actually a consultant worked on this for us... but I'm just letting you know what happened in our case hopefully it might give you some ideas of what else to check for... But if you have a question about the fix or about the firewall/switch settings, post it - I can asked my Network admin who worked with the consultant to resolve it...

good luck

Actually I just found out that those access list statements were added on the pix firewall....

I'm not sure how safe that is - cause that is apparently allowing ANY IP traffic through.... I'm going to post that that one in the security forum

Sorry for the delay in the reply, but I had been waiting on my boss. Our firewall is set up to only allow registered hosts from that subnet communicate with anything, so all we had to do was register the host in the firewall, and then things worked fine.
I'll do some more checking on the 169. junk, it shouldn't be there, but it's not a big deal if it is--it won't go anywhere.

Thanks again!