[nmglug] iptables / routing question
Ed Brown
ebrown at lanl.gov
Wed Dec 13 16:14:45 PST 2006
Andres Paglayan wrote:
> weird,
>
> root at ipcop:~ # tcpdump -n -i eth2 | grep 254
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on eth2, link-type EN10MB (Ethernet), capture size 68 bytes
> 16:40:45.683806 IP 192.168.50.254 > 224.0.0.10: eigrp 40
> 16:40:50.171288 IP 192.168.50.254 > 224.0.0.10: eigrp 40
> 16:40:54.818047 IP 192.168.1.89 > 192.168.50.254: icmp 64: echo request seq 0
> 16:40:55.110730 IP 192.168.50.254 > 224.0.0.10: eigrp 40
> 16:40:55.818169 IP 192.168.1.89 > 192.168.50.254: icmp 64: echo request seq 1
> 16:40:56.818366 IP 192.168.1.89 > 192.168.50.254: icmp 64: echo request seq 2
> 16:40:57.818462 IP 192.168.1.89 > 192.168.50.254: icmp 64: echo request seq 3
> 16:40:58.818660 IP 192.168.1.89 > 192.168.50.254: icmp 64: echo request
Looks like the pings from the .1 are getting through the firewall, but
192.168.50.254 is not replying (dropping the requests, doesn't know
where to send them (no gateway), or something else). Though you show
some traffic from 192.168.50.254, it is multicast, not necessarily an
indication that it knows how to reply or get to the .1, if it wanted
to. If 192.168.50.1 isn't 192.168.50.254's default gateway, it might
also need a static route set up.
Try 'tcpdump -n -i eth2 | grep 254' again, and this time try to ping
or ssh to mac (192.168.1.89). I'd expect to see the traffic with
tcpdump on eth2, but not on eth0, because your rules don't allow ssh
or pings from the .50.
You might also see what, if anything, is in those mangle and nat tables:
iptables -t nat -L
iptables -t mangle -L
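The request/reply comparison described above, done mechanically, as an added example that is not part of the original thread: a small shell function that reads 'tcpdump -n' output and reports source/destination pairs whose ICMP echo requests outnumber the echo replies coming back. The sample capture is constructed to mirror the quoted one (192.168.1.89 pinging 192.168.50.254 with no answer, plus one answered ping as a control); the function name is ours.

```sh
#!/bin/sh
# Added example (not from the original post). Summarise a 'tcpdump -n' capture
# and list echo requests that never got a matching echo reply, which is the
# symptom in the quoted capture: the .1 host's pings reach 192.168.50.254 but
# nothing comes back.

# Constructed sample in tcpdump -n format, modelled on the quoted capture.
SAMPLE_CAPTURE='16:40:45.683806 IP 192.168.50.254 > 224.0.0.10: eigrp 40
16:40:54.818047 IP 192.168.1.89 > 192.168.50.254: icmp 64: echo request seq 0
16:40:55.818169 IP 192.168.1.89 > 192.168.50.254: icmp 64: echo request seq 1
16:40:56.818366 IP 192.168.1.89 > 192.168.50.254: icmp 64: echo request seq 2
16:41:00.000000 IP 192.168.1.89 > 192.168.1.1: icmp 64: echo request seq 0
16:41:00.000500 IP 192.168.1.1 > 192.168.1.89: icmp 64: echo reply seq 0'

# unanswered_pings: read tcpdump -n lines on stdin; for every "src dst" pair
# print "src dst requests replies" when requests exceed replies.
# Field layout of a tcpdump -n line: $3 = source, $5 = "destination:".
unanswered_pings() {
    awk '
        /icmp .*echo request/ {
            src = $3; dst = $5; sub(/:$/, "", dst)
            req[src " " dst]++
        }
        /icmp .*echo reply/ {
            # a reply from B to A answers a request from A to B,
            # so index the reply under the original request direction
            rep_src = $3; rep_dst = $5; sub(/:$/, "", rep_dst)
            rep[rep_dst " " rep_src]++
        }
        END {
            for (pair in req)
                if (req[pair] > rep[pair] + 0)
                    print pair, req[pair], rep[pair] + 0
        }
    '
}

# Stand-alone run over the constructed sample; with a live box you would
# pipe 'tcpdump -n -i eth2 icmp' into unanswered_pings instead.
printf '%s\n' "$SAMPLE_CAPTURE" | unanswered_pings
```

Run the same function against captures on eth2 and eth0 to see on which interface the replies (if any) stop, which is the check suggested above.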