Re: [CentOS] Route traffic through private IP for only certain hosts

2015-04-27 Thread Ashish Yadav
Hi,

On Sun, Apr 26, 2015 at 4:36 PM, Ian  wrote:

> Hi
>
> I am having a weird problem which I can't figure out - so I was hoping
> someone here could give me a hand.
>
> First off the end goal is that a specific server in my network runs an
> IPSEC connection to another company and I want all other servers to route
> traffic for the IP on that network through this single server.
>
> Server 1 in this example is the server that runs the IPSEC connection.
> (CentOS 6.6)
>
> Server 2 in this example is an app server that would route traffic for only
> that specific IP through server 1. (CentOS 6.5)


You can follow the link below to set up the IPsec site-to-site VPN tunnel
between two GWs.

<http://www.enterprisenetworkingplanet.com/netsysm/article.php/3845966/Build-an-IPSEC-VPN-Without-Losing-Your-Mind.htm>

After that you have to open up the following ports in your firewall and add a
route on both gateways for communicating with the respective LAN:

iptables -A input_rule -p esp -j ACCEPT                 # ESP (encrypted IPsec payload)
iptables -A input_rule -p udp --dport 500 -j ACCEPT     # IKE
iptables -A input_rule -p udp --dport 4500 -j ACCEPT    # IKE/ESP over UDP (NAT traversal)

--Regards
Ashishkumar S. Yadav
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
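The three rules in the reply accept ESP, IKE (UDP 500) and NAT-T (UDP 4500) in a user-defined chain named input_rule. Such a chain only does anything if a built-in chain jumps into it, so a useful check on a gateway is to parse `iptables-save` output and confirm that each required ACCEPT exists in a chain that INPUT actually reaches. The following is an added example, not code from the thread or from CentOS; the dump it inspects is constructed, and the function names are my own.

```python
"""Audit an iptables-save dump for the rules an IPsec gateway needs:
ESP, IKE on UDP 500 and NAT-T on UDP 4500, reachable from INPUT."""

# Constructed sample dump (not captured from any real host). The chain
# name input_rule follows the reply; the second dump drops the jump
# from INPUT into it, which silently makes those rules dead.
SAMPLE_DUMP = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:input_rule - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j input_rule
-A input_rule -p esp -j ACCEPT
-A input_rule -p udp -m udp --dport 500 -j ACCEPT
COMMIT
"""
SAMPLE_DUMP_NO_JUMP = SAMPLE_DUMP.replace("-A INPUT -j input_rule\n", "")

# (protocol, destination port) pairs the gateway must accept.
REQUIRED = (("esp", None), ("udp", 500), ("udp", 4500))

# Targets that terminate a rule rather than jump to a user chain.
BUILTIN_TARGETS = {"ACCEPT", "DROP", "REJECT", "RETURN", "LOG"}


def parse_dump(dump):
    """Return (chains, rules): declared chain names and the parsed -A rules.
    Only -p, --dport and -j are extracted; other matches are skipped."""
    chains, rules = set(), []
    for line in dump.splitlines():
        if line.startswith(":"):
            chains.add(line[1:].split()[0])
            continue
        if not line.startswith("-A "):
            continue
        tokens = line.split()
        rule = {"chain": tokens[1], "proto": None, "dport": None, "target": None}
        i = 2
        while i < len(tokens):
            if tokens[i] == "-p":
                rule["proto"] = tokens[i + 1]
                i += 2
            elif tokens[i] == "--dport":
                rule["dport"] = int(tokens[i + 1])
                i += 2
            elif tokens[i] == "-j":
                rule["target"] = tokens[i + 1]
                i += 2
            else:
                i += 1
        rules.append(rule)
    return chains, rules


def reachable_chains(chains, rules, start="INPUT"):
    """Chains that traffic entering `start` can reach through -j jumps."""
    reached, frontier = set(), [start]
    while frontier:
        chain = frontier.pop()
        if chain in reached:
            continue
        reached.add(chain)
        for rule in rules:
            target = rule["target"]
            if rule["chain"] == chain and target in chains \
                    and target not in BUILTIN_TARGETS:
                frontier.append(target)
    return reached


def missing_ipsec_rules(dump):
    """List the (proto, dport) pairs with no ACCEPT in a reachable chain."""
    chains, rules = parse_dump(dump)
    live = reachable_chains(chains, rules)
    missing = []
    for proto, port in REQUIRED:
        if not any(r["chain"] in live and r["proto"] == proto
                   and r["dport"] == port and r["target"] == "ACCEPT"
                   for r in rules):
            missing.append((proto, port))
    return missing


if __name__ == "__main__":
    print("missing with jump:   ", missing_ipsec_rules(SAMPLE_DUMP))
    print("missing without jump:", missing_ipsec_rules(SAMPLE_DUMP_NO_JUMP))
```

On a real host feed it the output of `iptables-save`. The check is deliberately narrow: it ignores rule order (a DROP placed before the ACCEPT would still win), interface and source matches, and the `FORWARD` chain, which a gateway that routes for other hosts also has to permit.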


Re: [CentOS] Route traffic through private IP for only certain hosts

2015-04-27 Thread Gordon Messmer
Thanks for providing a lot of information.  My first guess is that the 
remote hosts you're trying to reach don't have the routes that they 
require to use the IPSec tunnel.  You demonstrated that server 2 has the 
route it needs to reach the remote network, and that server 1 appears to 
be routing those packets properly.  All of the same setup has to exist 
on the other side.



[CentOS] Route traffic through private IP for only certain hosts

2015-04-26 Thread Ian
Hi

I am having a weird problem which I can't figure out - so I was hoping
someone here could give me a hand.

First off the end goal is that a specific server in my network runs an
IPSEC connection to another company and I want all other servers to route
traffic for the IP on that network through this single server.

Server 1 in this example is the server that runs the IPSEC connection.
(CentOS 6.6)

Server 2 in this example is an app server that would route traffic for only
that specific IP through server 1. (CentOS 6.5)

**Some IP's that will be used below:**

Server 1

Server 1 Public IP: x.x.x.x
Server 1 Public Broadcast: x.x.x.y
Server 1 Public Gateway: x.x.x.z
Server 1 Internal IP: 10.0.64.10/24


Server 2

Server 2 Public IP: y.y.y.y
Server 2 Public Broadcast: y.y.y.z
Server 2 Public Gateway: y.y.y.a
Server 2 Internal IP: 10.0.64.150/24


Those servers have full connectivity between them internally (i.e. I can
ping, ssh etc. from one to the other without problem). They also both have
full access to the internet and can be reached that way.


--


**Server 1**

Here is an *ip a* for that

# ip a
1: lo:  mtu 65536 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
   valid_lft forever preferred_lft forever
2: eth0:  mtu 1500 qdisc pfifo_fast state
UP qlen 1000
link/ether 00:0c:29:99:12:85 brd ff:ff:ff:ff:ff:ff
inet x.x.x.x/28 brd x.x.x.y scope global eth0
inet6 :::/64 scope link
   valid_lft forever preferred_lft forever
3: eth1:  mtu 1500 qdisc pfifo_fast state
UP qlen 1000
link/ether 00:0c:29:99:12:8f brd ff:ff:ff:ff:ff:ff
inet 10.0.64.10/24 brd 10.0.64.255 scope global eth1
inet6 fe80::20c:29ff:fe99:128f/64 scope link
   valid_lft forever preferred_lft forever


Here is an *ip route*
# ip route
x.x.x.y/28 dev eth0  proto kernel  scope link  src x.x.x.x
10.0.64.0/24 dev eth1  proto kernel  scope link  src 10.0.64.10
169.254.0.0/16 dev eth0  scope link  metric 1002
169.254.0.0/16 dev eth1  scope link  metric 1003
default via x.x.x.z dev eth0


Here is a *sysctl -p*

# sysctl -p
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
kernel.sysrq = 0
kernel.core_uses_pid = 1
net.ipv4.tcp_syncookies = 1
kernel.msgmnb = 65536
kernel.msgmax = 65536
kernel.shmmax = 68719476736
kernel.shmall = 4294967296
net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 1
net.ipv4.conf.default.proxy_arp = 1
net.ipv4.conf.all.rp_filter = 1
kernel.sysrq = 1
net.ipv4.conf.default.send_redirects = 1
net.ipv4.conf.all.send_redirects = 1



--

**Server 2**

I've added a single test ip (8.8.8.8) to server two to test if it works
before bringing IPSEC into the equation

Here is an *ip a*

# ip a
1: lo:  mtu 16436 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
   valid_lft forever preferred_lft forever
2: eth0:  mtu 1500 qdisc mq state UP qlen
1000
link/ether 00:0c:29:15:8b:01 brd ff:ff:ff:ff:ff:ff
inet y.y.y.y/29 brd y.y.y.z scope global eth0
inet6 fe80::20c:29ff:fe15:8b01/64 scope link
   valid_lft forever preferred_lft forever
3: eth1:  mtu 1500 qdisc mq state UP qlen
1000
link/ether 00:0c:29:15:8b:0b brd ff:ff:ff:ff:ff:ff
inet 10.0.64.150/24 brd 10.0.64.255 scope global eth1
inet6 fe80::20c:29ff:fe15:8b0b/64 scope link
   valid_lft forever preferred_lft forever


Here is an *ip route*

# ip route
8.8.8.8 via 10.0.64.10 dev eth1
y.y.y.z/29 dev eth0  proto kernel  scope link  src y.y.y.y
10.0.64.0/24 dev eth1  proto kernel  scope link  src 10.0.64.150
default via y.y.y.a dev eth0



--
Now when I try to do a ping from Server 2 -> 8.8.8.8 here are the tcpdumps
from each server:

**Server 2**

If I tcpdump on eth0 I get no matches (so the route appears right!). eth1
gets matches:

# tcpdump -vvv -i eth1 -n host 8.8.8.8
tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 65535
bytes
11:25:55.609902 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP
(1), length 84)
10.0.64.150 > 8.8.8.8: ICMP echo request, id 17999, seq 1, length 64
11:25:56.609262 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP
(1), length 84)
10.0.64.150 > 8.8.8.8: ICMP echo request, id 17999, seq 2, length 64


**Server 1 (The hopeful gateway for 8.8.8.8)**

On eth1 (Private)

# tcpdump -vv -i eth1 -n host 8.8.8.8
tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 65535
bytes

11:27:20.608766 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP
(1), length 84)
10.0.64.150 > 8.8.8.8: ICMP echo request, id 17999, seq 86, length 64
11:27:21.608738 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto ICMP
(1), length 84)
10.0.64.150 > 8.8.8.8: ICMP echo request, id 17999, seq 87, length 64


On eth0 (public)

# tcpdump -vv -i eth0 -n host 8.8.8.8
tcpd
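The two `ip route` listings and the `sysctl -p` output above (in particular `net.ipv4.ip_forward = 1` and `net.ipv4.conf.all.rp_filter = 1`) are enough to replay the forwarding decision offline. The following is an added example, not Ian's code or anything from the thread: it parses the posted route tables, does a longest-prefix lookup, and applies strict reverse-path filtering the way rp_filter = 1 does. The anonymised public addresses (x.x.x.*, y.y.y.*) are replaced with RFC 5737 documentation ranges, which is a constructed substitution, and the function names are my own. It models only the main routing table; `ip rule` policy routing and the IPsec xfrm policies that will apply once the tunnel is up are outside its scope.

```python
"""Replay route selection and strict rp_filter for the tables in the thread."""
import ipaddress

# Route tables transcribed from the post, with the anonymised public
# addresses replaced by RFC 5737 ranges (constructed substitution).
SERVER1_ROUTES = """\
192.0.2.0/28 dev eth0  proto kernel  scope link  src 192.0.2.5
10.0.64.0/24 dev eth1  proto kernel  scope link  src 10.0.64.10
169.254.0.0/16 dev eth0  scope link  metric 1002
169.254.0.0/16 dev eth1  scope link  metric 1003
default via 192.0.2.1 dev eth0
"""

SERVER2_ROUTES = """\
8.8.8.8 via 10.0.64.10 dev eth1
198.51.100.0/29 dev eth0  proto kernel  scope link  src 198.51.100.2
10.0.64.0/24 dev eth1  proto kernel  scope link  src 10.0.64.150
default via 198.51.100.1 dev eth0
"""


def parse_routes(text):
    """Parse 'ip route' lines into dicts with prefix, dev, via and metric.
    Assumes every token after the prefix comes as a key/value pair, as in
    the posted tables (flag-only words such as 'onlink' are not handled)."""
    routes = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        prefix = "0.0.0.0/0" if tokens[0] == "default" else tokens[0]
        route = {"prefix": ipaddress.ip_network(prefix, strict=False),
                 "dev": None, "via": None, "metric": 0}
        rest = tokens[1:]
        for key, value in zip(rest[0::2], rest[1::2]):
            if key == "dev":
                route["dev"] = value
            elif key == "via":
                route["via"] = ipaddress.ip_address(value)
            elif key == "metric":
                route["metric"] = int(value)
        routes.append(route)
    return routes


def lookup(routes, dst):
    """Longest-prefix match; the lowest metric wins a tie on prefix length."""
    dst = ipaddress.ip_address(dst)
    matches = [r for r in routes if dst in r["prefix"]]
    if not matches:
        return None
    return max(matches, key=lambda r: (r["prefix"].prefixlen, -r["metric"]))


def rp_filter_strict(routes, src, ingress_dev):
    """rp_filter = 1: accept the packet only if the best route back to its
    source leaves through the interface it arrived on."""
    back = lookup(routes, src)
    return back is not None and back["dev"] == ingress_dev


def forward(routes, src, dst, ingress_dev):
    """What a forwarding host does with a packet: drop it under rp_filter,
    drop it for lack of a route, or send it out the chosen device toward
    the next hop (via is None when the destination is on-link)."""
    if not rp_filter_strict(routes, src, ingress_dev):
        return {"action": "drop", "reason": "rp_filter"}
    route = lookup(routes, dst)
    if route is None:
        return {"action": "drop", "reason": "no route"}
    return {"action": "forward", "dev": route["dev"],
            "via": str(route["via"]) if route["via"] else None}


if __name__ == "__main__":
    s1 = parse_routes(SERVER1_ROUTES)
    s2 = parse_routes(SERVER2_ROUTES)
    pinned = lookup(s2, "8.8.8.8")
    print("server 2 -> 8.8.8.8 :", pinned["dev"], "via", pinned["via"])
    print("server 2 -> 8.8.4.4 :", lookup(s2, "8.8.4.4")["dev"], "(default)")
    print("server 1, from eth1 :", forward(s1, "10.0.64.150", "8.8.8.8", "eth1"))
    print("server 1, from eth0 :", forward(s1, "10.0.64.150", "8.8.8.8", "eth0"))
```

Run as-is it reproduces what the tcpdumps show: on server 2 only 8.8.8.8 is sent to 10.0.64.10 on eth1 while any other address takes the default route, and on server 1 a packet from 10.0.64.150 arriving on eth1 passes rp_filter and is forwarded out eth0 toward the default gateway. The last call shows the other side of strict rp_filter: the same source address arriving on the public interface would be dropped, which is the spoofing protection that setting provides and also the reason asymmetric paths need care when a tunnel is added.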