LinuxQuestions.org
Welcome to the most active Linux Forum on the web.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
User Name
Password
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Notices


Reply
  Search this Thread
Old 01-29-2014, 03:41 PM   #16
Ser Olmy
Senior Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 3,331

Rep: Reputation: Disabled

Here's what I think. The outbound packets from the PC with the address 172.16.78.138 are being routed properly, and replies are coming in. The tcpdump session proved that. I'd say that proves the policy routing is actually working; the outbound packet is being processed by the right routing table.

The question is, why isn't the reply packet being routed back to 172.16.78.138? It can't be policy routing, as the packet doesn't match the criteria in the iptables fwmark rule, and shouldn't be subject to policy routing anyway.

The way I see it, there are just three mechanisms that could prevent the packet from reaching 172.16.78.138:
  1. Routing
  2. Reverse path verification
  3. The iptables firewall
You've ruled out (1) and (2), which leaves (3).

I think you may be onto something when you suspect a kernel/iproute2/firewall bug. If the policy routing somehow conflicts with the iptables state engine, the reply packet may not match the state rules for ESTABLISHED or RELATED traffic.

I believe it's possible to troubleshoot this further. How about adding a temporary rule to the top of the FORWARD chain in the filter table, like this:
Code:
iptables -I FORWARD 1 -i eth0.666 -s 8.8.8.8 -d 172.16.78.138 -p icmp -j ACCEPT
That rule would match ANY icmp packet from 8.8.8.8 to 172.16.78.138 arriving at eth0.666, regardless of whether it's a reply or not. The packet would have to reach the routing engine, no matter how erroneous the entries in the firewall state engine might be.

Could you try the ping test again with that rule in place? (There should be no risk of it disturbing network traffic, and it can be easily removed afterwards with iptables -D FORWARD 1.)
 
Old 01-30-2014, 06:44 AM   #17
rahulgrover
LQ Newbie
 
Registered: Jan 2014
Posts: 11

Original Poster
Rep: Reputation: Disabled
I solved it ......finally it works

Hello

Finally after so much mess.....I was able to get solution after reading this

https://access.redhat.com/site/solutions/53031

Actually in rhel6 value of /proc/sys/net/ipv4/conf/<interface>/rp_filter is an integer not a boolean

and particularly in rhel 6 even if you do it "0" it defaults to strict filteration so....


In our implementation we have to use these two lines in syscyl.conf ::


net.ipv4.conf.default.rp_filter = 2
net.ipv4.conf.all.rp_filter = 2


I shall be thankfull to the people out there who took so serious interest in my issue over here

Best Regards


Rahul Grover

Last edited by rahulgrover; 01-30-2014 at 06:55 AM. Reason: mis typed
 
Old 02-03-2017, 05:39 PM   #18
saravanan1987
LQ Newbie
 
Registered: Nov 2015
Posts: 6

Rep: Reputation: Disabled
@Ser olmy
cat /proc/sys/net/ipv4/conf/eth0.666/rp_filter returns 0
why do we need to disable rp_filter here? i don't see asymmetric routing here
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Policy routing question and problem !? Piziwate Linux - Networking 2 03-30-2013 11:57 AM
Mutiple IPs and network cards routing (source policy routing?) shogun1234 Linux - Networking 1 01-17-2013 01:09 AM
policy routing mail2mphani Linux - Newbie 1 04-16-2009 01:48 AM
policy rule routing problem - help me pandanvn Linux - Networking 3 04-02-2007 07:24 PM
policy rule routing problem - help me pandanvn Linux - Networking 0 03-16-2007 01:03 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Networking

All times are GMT -5. The time now is 09:40 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration