Ok.  I see the problem now.  Default routes have always been a bit of a mystery 
to me.  Based on your reply, I manually deleted the default route for enp3s0 to 
confirm it works.  Then, I edited the connection with nmcli to remove the 
default permanently across reboots.

For everyone's benefit, the property setting is ipv4.never-default in nmcli.
On 11/10/2016 09:02 AM, Stephan Wiesand wrote:

On 10 Nov 2016, at 15:41, Ken Teh <t...@anl.gov> wrote:

Default routes on the failing system.

[root@saudade ~]# ip --details route
unicast default via 192.168.203.1 dev enp3s0  proto static  scope global  metric 100
unicast default via 146.139.198.1 dev enp4s0  proto static  scope global  metric 101
unicast 146.139.198.0/23 dev enp4s0  proto kernel  scope link  src 146.139.198.23  metric 100
unicast 192.168.203.0/24 dev enp3s0  proto kernel  scope link  src 192.168.203.39  metric 100

This suggests that saudade will send the response packages through enp3s0, unless the 
request originates from "the same subnet" (146.139.198.0/23). Is that expected 
to work?

You could check this with tcpdump.

On 11/10/2016 08:27 AM, Stephan Wiesand wrote:

On 10 Nov 2016, at 15:09, Ken Teh <t...@anl.gov> wrote:

I'm trying to isolate a network problem and I need some debugging help.  
Frustrating when I am not fluent in the new sys admin tools.

Symptom is as follows:  I have a machine running Fedora 24 with its firewall 
zone set to work.  I cannot ping the machine except from the same subnet.  I 
don't have this problem with a second machine running the same OS/rev with the 
same firewall setup.  I'm not sure where to look.

I've dumped out both machines' iptables.  See attachment.  I did a diff -y and they look 
almost identical.  The machine that does not work has 2 NICs, one of which is connected to a 
192.168 network.  It has additional rules in the various chains but they are all 
"from anywhere to anywhere".  I'm assuming the additional rules come from the 
second interface.

I've put a query to my networking folks to see if the problem is further 
upstream.  But I thought I'd ask if I have missed something obvious.

What's the default route on the "failing" system?

I know it's not SL7 but they use the same tools:  nmcli and firewall-cmd.

<iptables.fails><iptables.works>
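The route selection Stephan describes can be worked through offline. The script below is an added example, not code from anyone in this thread: it parses the four `ip --details route` lines quoted above (embedded here as constructed sample text), picks the egress interface the way the kernel does (longest prefix first, then lowest metric), and then removes the enp3s0 default route to model what `ipv4.never-default yes` does for that connection. The client addresses 146.139.198.50, 192.168.203.5 and 10.20.30.40 are constructed for the demonstration.

```python
"""Simulate Linux route selection for the two-NIC host discussed in the thread.

Added example. Shows why pings from outside 146.139.198.0/23 got their replies
sent out through enp3s0 (the lower-metric default route), and that dropping the
enp3s0 default route sends them back out through enp4s0.
"""
import ipaddress

# Constructed sample: the four routes quoted in the thread, one per line.
ROUTES_BEFORE = """\
unicast default via 192.168.203.1 dev enp3s0  proto static  scope global  metric 100
unicast default via 146.139.198.1 dev enp4s0  proto static  scope global  metric 101
unicast 146.139.198.0/23 dev enp4s0  proto kernel  scope link  src 146.139.198.23  metric 100
unicast 192.168.203.0/24 dev enp3s0  proto kernel  scope link  src 192.168.203.39  metric 100
"""


def parse_routes(text):
    """Parse `ip [--details] route` output into a list of route dicts."""
    routes = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        if tokens[0] == "unicast":  # --details prefixes each line with the route type
            tokens = tokens[1:]
        dst = ipaddress.ip_network("0.0.0.0/0" if tokens[0] == "default" else tokens[0])
        # Everything after the destination is "key value" pairs (via, dev, proto, ...).
        fields = {tokens[i]: tokens[i + 1] for i in range(1, len(tokens) - 1, 2)}
        routes.append({
            "dst": dst,
            "via": fields.get("via"),          # None for on-link (scope link) routes
            "dev": fields["dev"],
            "metric": int(fields.get("metric", 0)),
        })
    return routes


def select_route(routes, dst_ip):
    """Longest matching prefix wins; among equal prefixes the lowest metric wins."""
    ip = ipaddress.ip_address(dst_ip)
    candidates = [r for r in routes if ip in r["dst"]]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r["dst"].prefixlen, -r["metric"]))


def egress_dev(routes, dst_ip):
    """Interface a reply to dst_ip would leave through, or None if unroutable."""
    route = select_route(routes, dst_ip)
    return route["dev"] if route else None


def drop_default_for(routes, dev):
    """Model of `nmcli con mod <connection> ipv4.never-default yes` on that
    interface's connection: NetworkManager no longer installs a default route
    from it, so only the other interface's default route remains."""
    return [r for r in routes if not (r["dst"].prefixlen == 0 and r["dev"] == dev)]


def reply_path_report(routes, client_ips):
    """Map each client address to the interface its reply would use."""
    return {ip: egress_dev(routes, ip) for ip in client_ips}


if __name__ == "__main__":
    before = parse_routes(ROUTES_BEFORE)
    after = drop_default_for(before, "enp3s0")
    # Constructed clients: one on the public /23, one on the 192.168 lab net, one elsewhere.
    clients = ["146.139.198.50", "192.168.203.5", "10.20.30.40"]
    print("before:", reply_path_report(before, clients))
    print("after ipv4.never-default on enp3s0:", reply_path_report(after, clients))
```

Running it shows the asymmetry Stephan pointed at: the off-subnet client gets its reply via enp3s0 with the original table, and via enp4s0 once the enp3s0 default route is gone. The same table logic is what `tcpdump -i enp3s0` on the real host would confirm by showing the outbound ICMP echo replies on the wrong interface.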