On 2.11.2011 17:10, Andraz Sraka wrote:
er

On Sun, 2011-10-30 at 18:39 +0100, Rok Potočnik wrote:
torej... mam ene težave, pa nism prepričan ali so distro/kernel based
al težava zarad tagiranih vlanov... ne izključujem možnosti, da sm js
kje zamučkal...

sit tunel med dvema kištama:
A - centos 5.7 eth0 ip 1.1.1.1
B - centos 6 eth0.2 ip 2.2.2.2 (vlan tagiran promet)

A lahko posredujes celotni config kako imas interface skonfigurirane na
masinah.

Pa output {ip addr sh | ip tun sh | ip -6 addr sh | ip -6 ro sh | ip ro
sh | iptables -L -v | ..} pa seveda katero verzijo kernela imas na eni
in drugi strani.

lp,
  Andraz

vse po spisku... plus tcpdump ob pinganju :)

mašina A, centos 5.7 x64, eth2 je untrust:

$ uname -r
2.6.18-274.7.1.el5

$ cat /etc/sysconfig/network
NETWORKING=yes
NETWORKING_IPV6=yes
HOSTNAME=A.domena.net
NOZEROCONF=yes
NETWORKING_IPV6=yes
IPV6FORWARDING=yes
GATEWAY=89.89.0.1

$ cat /etc/sysconfig/network-scripts/ifcfg-eth2
DEVICE=eth2
HWADDR=00:1F:D0:90:8D:54
ONBOOT=yes
BOOTPROTO=none
IPADDR=89.89.0.10
NETMASK=255.255.0.0
IPV6INIT=yes
IPV6ADDR=2001:2001:2001::2/126

$ ip a sh dev eth2
5: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:1f:d0:90:8d:54 brd ff:ff:ff:ff:ff:ff
    inet 89.89.0.10/16 brd 89.89.255.255 scope global eth2
    inet6 2001:2001:2001::2/126 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::21f:d0ff:fe90:8d54/64 scope link
       valid_lft forever preferred_lft forever

$ ip r sh dev eth2
89.89.0.0/16  proto kernel  scope link  src 89.89.0.10
default via 89.89.0.1


$ ip tu s test6
test6: ipv6/ip  remote 89.89.0.22  local 89.89.0.10  dev eth2  ttl inherit

$ ip -6 a s dev test6
15: test6@eth2: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1480
    inet6 2001:2001:2001:1001::1/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::59d4:16d8/128 scope link
       valid_lft forever preferred_lft forever

$ ip -6 r s dev test6
2001:2001:2001:1001::/64 via :: metric 256 expires 21010488sec mtu 1480 advmss 1420 hoplimit 4294967295
fe80::/64 via :: metric 256 expires 21010462sec mtu 1480 advmss 1420 hoplimit 4294967295


$ iptables -nvL | head -3
Chain INPUT (policy DROP 4 packets, 274 bytes)
pkts bytes target prot opt in out source destination
    0     0 ACCEPT     all  --  *      *       89.89.0.22        0.0.0.0/0

$ ip tu sh test6
test6: ipv6/ip  remote 89.89.0.22  local 89.89.0.10  dev eth2  ttl inherit

ip6tables accepta vse


mašina B, centos 6 x64, eth0.500 je untrust:

$ uname -r
2.6.32-71.29.1.el6.x86_64

$ cat /etc/sysconfig/network
NETWORKING=yes
HOSTNAME=B.domena.net
NOZEROCONF=yes
GATEWAY=89.89.0.1
NETWORKING_IPV6=yes
IPV6FORWARDING=yes

$ cat /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
BOOTPROTO=none
HWADDR=00:25:22:68:3C:FA
IPV6INIT=yes
IPV6_AUTOCONF=yes
NM_CONTROLLED=no
ONBOOT=yes
IPADDR=192.168.0.1
NETMASK=255.255.255.0
IPV6ADDR=2001:ffff:ffff:1::1/64

$ cat /etc/sysconfig/network-scripts/ifcfg-eth0.2
DEVICE=eth0.2
VLAN=yes
BOOTPROTO=none
IPADDR=193.193.193.59
NETMASK=255.255.255.224
ONBOOT=yes
IPV6INIT=yes
IPV6ADDR=2001:ffff:ffff:2::1/64

$ cat /etc/sysconfig/network-scripts/ifcfg-eth0.3
DEVICE=eth0.3
VLAN=yes
BOOTPROTO=none
IPADDR=178.178.178.2
NETMASK=255.255.255.224
ONBOOT=yes
IPV6INIT=yes
IPV6ADDR=2001:ffff:ffff:3::1/64

$ cat /etc/sysconfig/network-scripts/ifcfg-eth0.100
DEVICE=eth0.100
VLAN=yes
BOOTPROTO=none
IPADDR=192.168.100.1
NETMASK=255.255.255.0
ONBOOT=yes
IPV6INIT=yes
IPV6ADDR=2001:ffff:ffff:4::1/64

$ cat /etc/sysconfig/network-scripts/ifcfg-eth0.500
DEVICE=eth0.500
VLAN=yes
BOOTPROTO=none
IPADDR=89.89.0.22
NETMASK=255.255.0.0
ONBOOT=yes
IPV6INIT=no

$ ip a sh dev eth0.500
6: eth0.500@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
    link/ether 00:25:22:68:3c:fa brd ff:ff:ff:ff:ff:ff
    inet 89.89.0.22/16 brd 89.89.255.255 scope global eth0.500
    inet6 fe80::225:22ff:fe68:3cfa/64 scope link
       valid_lft forever preferred_lft forever

$ ip r s dev eth0.500
89.89.0.0/16  proto kernel  scope link  src 89.89.0.22
default via 89.89.0.1

$ ip tu s test6
test6: ipv6/ip remote 89.89.0.10 local 89.89.0.22 dev eth0.500 ttl inherit

# ip -6 a s dev test6
10: test6: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1480
    inet6 2001:2001:2001:1001::2/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::59d4:703d/128 scope link
       valid_lft forever preferred_lft forever

$ ip -6 r s dev test6
2001:2001:2001:1001::/64 via :: proto kernel metric 256 mtu 1480 advmss 1420 hoplimit 4294967295
fe80::/64 via :: proto kernel metric 256 mtu 1480 advmss 1420 hoplimit 4294967295


$ iptables -nvL | head -3
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
    7   508 ACCEPT     all  --  *      *       89.89.0.10        0.0.0.0/0

ip6tables accepta vse



user@B $ ping6 2a01:2001:2001:1001::1
PING 2a01:2001:2001:1001::1(2a01:2001:2001:1001::1) 56 data bytes
^C
--- 2a01:2001:2001:1001::1 ping statistics ---
177 packets transmitted, 0 received, 100% packet loss, time 176015ms


root@B # tcpdump -nvs0 -ieth0.500 not tcp and not udp and not vlan
tcpdump: listening on eth0.500, link-type EN10MB (Ethernet), capture size 65535 bytes
12:56:09.751481 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto IPv6 (41), length 124)
    89.89.0.22 > 89.89.0.10: IP6 (hlim 64, next-header ICMPv6 (58) payload length: 64) 2a01:2001:2001:1001::2 > 2a01:2001:2001:1001::1: [icmp6 sum ok] ICMP6, echo request, length 64, seq 58
12:56:09.800444 IP (tos 0xc0, ttl 64, id 62773, offset 0, flags [none], proto ICMP (1), length 152)
    89.89.0.22 > 89.89.0.10: ICMP 89.89.0.22 protocol 41 port 0 unreachable, length 132
        IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto IPv6 (41), length 124)
    89.89.0.10 > 89.89.0.22: IP6 (hlim 64, next-header ICMPv6 (58) payload length: 64) 2a01:2001:2001:1001::1 > 2a01:2001:2001:1001::2: [icmp6 sum ok] ICMP6, echo reply, length 64, seq 58
12:56:10.751462 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto IPv6 (41), length 124)
    89.89.0.22 > 89.89.0.10: IP6 (hlim 64, next-header ICMPv6 (58) payload length: 64) 2a01:2001:2001:1001::2 > 2a01:2001:2001:1001::1: [icmp6 sum ok] ICMP6, echo request, length 64, seq 59
12:56:10.800581 IP (tos 0xc0, ttl 64, id 62774, offset 0, flags [none], proto ICMP (1), length 152)
    89.89.0.22 > 89.89.0.10: ICMP 89.89.0.22 protocol 41 port 0 unreachable, length 132
        IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto IPv6 (41), length 124)
    89.89.0.10 > 89.89.0.22: IP6 (hlim 64, next-header ICMPv6 (58) payload length: 64) 2a01:2001:2001:1001::1 > 2a01:2001:2001:1001::2: [icmp6 sum ok] ICMP6, echo reply, length 64, seq 59



--
LP, Rok

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature
