Re: Can't access aliased ip address
| Chad,
|
| It sounds like you've fallen prey to the perils of asymmetric routing. For simplicity, I'll refer to your (my machine) external server as machine A, eth0 as ip-address B, and eth0:1 as ip-address C. Here is how things are happening:
|
| Machine A sends echo request to C. C replies. The routing table on your multihomed server says that the packet needs to travel out via eth0. The outgoing echo reply therefore will contain the source address of B. A is not listening for replies from B. It is listening for replies from C. Hence your problem.
|
| To see if I am right, filter tcpdump on the icmp protocol, rather than the host of C. If you see echo replies from B coming in, and echo requests for C going out, what I said is correct.
|
| Regards,
| Jor-el

This doesn't appear to be the problem. When I ping ip address C, from machine A (my computer at a remote location) tcpdump icmp -i eth0 yields only a request. However, once I ping ip address B from Machine A it will show both the request and the reply.

Also, I just looked at the syslog, which I probably should've done earlier and found the following:

Jan 2 15:23:46 hostname kernel: Packet log: input DENY eth0 PROTO=1 MACHINEA:8 IPADDRC:0 L=92 S=0x00 I=0 F=0x4000 T=43 (#9)

Should I be looking at the firewall as the cause of the problem? However, temporarily using ipchains -P input ACCEPT and ipchains -P output ACCEPT before going back to the regular firewall settings gave me the exact same result. Do I need to specifically specify IP Address C in the firewall script or am I chasing a dead end?

Chad
Re: Can't access aliased ip address
Chad,

On Wed, 2 Jan 2002, Chad Morgan wrote:

| This doesn't appear to be the problem. When I ping ip address C, from machine A (my computer at a remote location) tcpdump icmp -i eth0 yields only a request. However, once I ping ip address B from Machine A it will show both the request and the reply.

This is puzzling. Your first sentence breaks my hypothesis and the second sentence strengthens it. Perhaps if you could provide your routing table more legibly, it would be of more help (use the -n option of route). The hostnames in your prev. post were truncated and it was hard to guess how the routing was set up.

Also try the following: from B / C, do
1. traceroute A
2. traceroute A -s C

On A, monitor the traffic using a filter for src = A or dst = A and post the results.

| Also, I just looked at the syslog, which I probably should've done earlier and found the following:
|
| Jan 2 15:23:46 hostname kernel: Packet log: input DENY eth0 PROTO=1 MACHINEA:8 IPADDRC:0 L=92 S=0x00 I=0 F=0x4000 T=43 (#9)

I don't know what this log entry means. It's possible that you have a firewall problem but your symptoms are more indicative of a routing problem. Perhaps the output of 'ipchains -L -v -n' would help (Note: I run iptables and I'm guessing that its options are similar to ipchains. The -n will produce numeric, rather than symbolic output).

Regards,
Jor-el
Re: Can't access aliased ip address
On 2002.01.02 22:19 Jor-el wrote:

| The hostnames in your prev. post were truncated and it was hard to guess how the routing was set up.

Here is an easier to read routing table:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
216.86.213.93   0.0.0.0         255.255.255.255 UH    0      0        0 eth0
216.86.213.94   0.0.0.0         255.255.255.255 UH    0      0        0 eth0
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
216.86.213.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         216.86.213.1    0.0.0.0         UG    1      0        0 eth0

| Also try the following: from B / C, do
| 1. traceroute A
| 2. traceroute A -s C

traceroute A works as expected. However traceroute A -s C results in:

 1 traceroute: wrote 24.52.153.102 38 chars, ret=-1
 *traceroute: wrote 24.52.153.102 38 chars, ret=-1
 *traceroute: wrote 24.52.153.102 38 chars, ret=-1

Note: each of the above lines was preceded by:

traceroute: sendto: Operation not permitted

which for some reason wasn't included in the output of traceroute A -s C. I've noticed this on a few other procedures I've tried to do, but it isn't really that big of a deal to add the other information. But I know there is a way to capture the screen, I just don't know how to do it.

| On A, monitor the traffic using a filter for src = A or dst = A and post the results.

I don't think that I can do this. A is a D-Link Wireless cable modem/dsl router. I tried it anyway and didn't pick up anything from things that I know work.

| | Jan 2 15:23:46 hostname kernel: Packet log: input DENY eth0 PROTO=1 MACHINEA:8 IPADDRC:0 L=92 S=0x00 I=0 F=0x4000 T=43 (#9)
|
| I don't know what this log entry means. It's possible that you have a firewall problem but your symptoms are more indicative of a routing problem. Perhaps the output of 'ipchains -L -v -n' would help (Note: I run iptables and I'm guessing that its options are similar to ipchains. The -n will produce numeric, rather than symbolic output).

That worked just fine, here is the output:

Chain input (policy ACCEPT: 0 packets, 0 bytes):
 pkts bytes target prot opt tosa tosx ifname mark outsize source           destination      ports
39536 3757K ACCEPT all  --  0xFF 0x00 lo                  0.0.0.0/0        0.0.0.0/0        n/a
    0     0 DENY   all  l-  0xFF 0x00 !lo                 127.0.0.0/8      0.0.0.0/0        n/a
89474 7888K ACCEPT all  --  0xFF 0x00 eth0                216.86.213.0/24  0.0.0.0/0        n/a
 204K   21M ACCEPT all  --  0xFF 0x00 eth1                192.168.0.0/24   0.0.0.0/0        n/a
    0     0 DENY   all  l-  0xFF 0x00 eth0                216.86.213.0/24  0.0.0.0/0        n/a
    0     0 DENY   all  l-  0xFF 0x00 eth0                192.168.0.0/24   0.0.0.0/0        n/a
 234K  189M ACCEPT all  --  0xFF 0x00 eth0                0.0.0.0/0        216.86.213.93    n/a
    0     0 ACCEPT all  --  0xFF 0x00 eth0                0.0.0.0/0        216.86.213.255   n/a
17858 1487K DENY   all  l-  0xFF 0x00 *                   0.0.0.0/0        0.0.0.0/0        n/a
Chain forward (policy DENY: 0 packets, 0 bytes):
 pkts bytes target prot opt tosa tosx ifname mark outsize source           destination      ports
    0     0 MASQ   all  --  0xFF 0x00 eth0                192.168.0.2      0.0.0.0/0        n/a
    0     0 MASQ   all  --  0xFF 0x00 eth0                192.168.0.21     0.0.0.0/0        n/a
 4464  690K MASQ   all  --  0xFF 0x00 eth0                192.168.0.22     0.0.0.0/0        n/a
  443 66229 MASQ   all  --  0xFF 0x00 eth0                192.168.0.23     0.0.0.0/0        n/a
  257 38564 MASQ   all  --  0xFF 0x00 eth0                192.168.0.24     0.0.0.0/0        n/a
   58  4837 MASQ   all  --  0xFF 0x00 eth0                192.168.0.25     0.0.0.0/0        n/a
    0     0 MASQ   all  --  0xFF 0x00 eth0                192.168.0.26     0.0.0.0/0        n/a
 2606  571K MASQ   all  --  0xFF 0x00 eth0                192.168.0.27     0.0.0.0/0        n/a
 2641  367K MASQ   all  --  0xFF 0x00 eth0                192.168.0.28     0.0.0.0/0        n/a
    0     0 MASQ   all  --  0xFF 0x00 eth0                192.168.0.254    0.0.0.0/0        n/a
Chain output (policy ACCEPT: 0 packets, 0 bytes):
 pkts bytes target prot opt tosa tosx ifname mark
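The routing table and the input chain in this post, together with the syslog line quoted earlier in the thread, are enough to replay the dropped echo request by hand. The block below is an added example, not code from the thread or from any of its participants: it transcribes the route -n table and the ipchains input chain into Python and walks them the way the 2.2 kernel does (longest-prefix match for the route; first matching rule wins in the chain, with the chain policy used only when no rule matches). The syslog line's MACHINEA and IPADDRC placeholders are replaced with 24.52.153.102 (the address the traceroute above wrote to) and 216.86.213.94 (eth0:1) to make a constructed sample; the (#9) at the end of an ipchains "Packet log" line is the number of the rule that fired. The model matches only interface, source and destination, which is all the posted rules use (they are all prot "all" with no ports).

```python
"""Constructed replay of the echo request from this thread: a longest-prefix
route lookup over the posted 'route -n' table and a first-match walk of the
posted ipchains input chain.  Added example, not code from the thread."""
import ipaddress
import re

# Input chain as posted: (rule number, target, interface, source, destination).
# ipchains evaluates rules in order; the first match decides and the chain
# policy applies only when nothing matched.  '*' is any interface, '!lo' is
# any interface except lo.
INPUT_CHAIN = [
    (1, "ACCEPT", "lo",   "0.0.0.0/0",       "0.0.0.0/0"),
    (2, "DENY",   "!lo",  "127.0.0.0/8",     "0.0.0.0/0"),
    (3, "ACCEPT", "eth0", "216.86.213.0/24", "0.0.0.0/0"),
    (4, "ACCEPT", "eth1", "192.168.0.0/24",  "0.0.0.0/0"),
    (5, "DENY",   "eth0", "216.86.213.0/24", "0.0.0.0/0"),
    (6, "DENY",   "eth0", "192.168.0.0/24",  "0.0.0.0/0"),
    (7, "ACCEPT", "eth0", "0.0.0.0/0",       "216.86.213.93/32"),
    (8, "ACCEPT", "eth0", "0.0.0.0/0",       "216.86.213.255/32"),
    (9, "DENY",   "*",    "0.0.0.0/0",       "0.0.0.0/0"),
]

# Routing table as posted: (destination, genmask, gateway, interface).
ROUTES = [
    ("216.86.213.93", "255.255.255.255", "0.0.0.0",      "eth0"),
    ("216.86.213.94", "255.255.255.255", "0.0.0.0",      "eth0"),
    ("192.168.0.0",   "255.255.255.0",   "0.0.0.0",      "eth1"),
    ("216.86.213.0",  "255.255.255.0",   "0.0.0.0",      "eth0"),
    ("0.0.0.0",       "0.0.0.0",         "216.86.213.1", "eth0"),
]

# The syslog line from the thread with its placeholders filled in from the
# addresses that appear elsewhere in it (constructed sample).  For ICMP the
# src:port / dst:port fields carry type:code, so 8 ... 0 is an echo request.
SAMPLE_LOG = ("Jan 2 15:23:46 hostname kernel: Packet log: input DENY eth0 PROTO=1 "
              "24.52.153.102:8 216.86.213.94:0 L=92 S=0x00 I=0 F=0x4000 T=43 (#9)")

LOG_RE = re.compile(
    r"Packet log: (?P<chain>\w+) (?P<target>\w+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) .*\(#(?P<rule>\d+)\)")


def iface_matches(rule_iface, iface):
    """ipchains interface matching: '*' any, '!x' everything but x, else exact."""
    if rule_iface == "*":
        return True
    if rule_iface.startswith("!"):
        return iface != rule_iface[1:]
    return iface == rule_iface


def evaluate_input(iface, src, dst, policy="ACCEPT"):
    """Walk the input chain; return (target, rule_number) of the first match,
    or (policy, None) when no rule matched."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for num, target, rif, rsrc, rdst in INPUT_CHAIN:
        if (iface_matches(rif, iface)
                and s in ipaddress.ip_network(rsrc)
                and d in ipaddress.ip_network(rdst)):
            return target, num
    return policy, None


def lookup_route(dst):
    """Longest-prefix match over ROUTES; return (gateway, iface) or None."""
    d = ipaddress.ip_address(dst)
    best = None
    for net, mask, gw, iface in ROUTES:
        network = ipaddress.ip_network(f"{net}/{mask}")
        if d in network and (best is None or network.prefixlen > best[0]):
            best = (network.prefixlen, gw, iface)
    return None if best is None else (best[1], best[2])


def parse_packet_log(line):
    """Extract chain, target, interface, addresses and the cited rule number
    from an ipchains 'Packet log:' syslog line."""
    m = LOG_RE.search(line)
    if m is None:
        raise ValueError("not an ipchains packet log line")
    fields = m.groupdict()
    for key in ("proto", "sport", "dport", "rule"):
        fields[key] = int(fields[key])
    return fields


def check_log_against_chain(line):
    """Replay the logged packet through the chain and report whether the
    simulation lands on the same target and rule number the kernel cited."""
    f = parse_packet_log(line)
    target, num = evaluate_input(f["iface"], f["src"], f["dst"])
    return {"logged": (f["target"], f["rule"]), "simulated": (target, num),
            "agrees": (target, num) == (f["target"], f["rule"])}


if __name__ == "__main__":
    for dst in ("216.86.213.93", "216.86.213.94"):
        print("echo request from A to", dst, "->", evaluate_input("eth0", "24.52.153.102", dst))
    # An explicit DENY still fires whatever the chain policy is set to.
    print("with -P input ACCEPT:", evaluate_input("eth0", "24.52.153.102", "216.86.213.94", policy="ACCEPT"))
    print("reply route to A:", lookup_route("24.52.153.102"))
    print(check_log_against_chain(SAMPLE_LOG))
```

Running it shows the echo request from A to 216.86.213.93 accepted by rule 7 and the same request to 216.86.213.94 falling through to rule 9, the final catch-all DENY with logging, which is the rule number the syslog entry cites. Because rule 9 is an explicit rule, ipchains -P input ACCEPT changes nothing for it: the policy only decides packets that match no rule at all. The route lookup shows the reply to A would leave via the default route on eth0 in either case.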
Re: Can't access aliased ip address
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wednesday 02 January 2002 07:02 pm, Jason M. Harvey wrote:

| yes, ipmasqadm should work for the port forwarding. actually, i know someone else who uses ipmasqadm to forward telnet traffic from his external ip to another pc with a private ip. having other users who may/will want pcanywhere may definitely be an issue for you to consider! i've never used it myself... one of these years i have to install it just to see what options it has - like specifying other ports! (yes, i'm stuck with that other os at my job!)

I know this isn't much to add, but it is an idea to look at if other users might want pcanywhere access. (Mind you, I'm not very experienced with advanced routing configurations, but I'm fairly certain this is possible.)

Find out the IP address of the user with DSL who wants in to his system. Then write a rule specifying that a request for the pcanywhere port on the firewall from this (and only this) IP should go to _his_ internal machine. Add more rules like this for other users. I would say that is more secure than having multiple ports open for pcanywhere, and much easier for your clients, as they wouldn't have to reconfigure. (Mind you, each person would require another line in your firewall script, and no dynamic IP's)

snip

- --
vmann
reduce(lambda x,y:x+y,map(lambda x:chr(ord(x)^42),tuple('zS^BED\nX_FOY\x0b')))
GnuPG/PGP Fingerprint CE80 018B D825 6DF1 4990 C15F E11A B17E 4A0C D133
Sair Linux and GNU Certified Administrator #563619
Whidbey Linux Users Group - http://www.wlug.net
http://vmann.net
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE8NNEf4RqxfkoM0TMRAmcMAJ9aMJ8lMf4zq1sn8NoScsX0EG/m6gCggSiH
cpdAjKQ2/I0HVvWib1JG5xE=
=JGWK
-----END PGP SIGNATURE-----
Re: Can't access aliased ip address
hello,

if this person wants to use pcanywhere from home... which ip address is he using for pcanywhere to connect to? unless he's using some sort of vpn setup between home and work, he won't get to his office pc.

are you running masquerading on the pc 216.86.213.93? if the 196.168 network is translated to that ip, you'll need to forward ports 5631 and 5632 from 216.86.213.93 back to his ip (192.168.y.z). once you've done that, he will be able to pcanywhere to 216.86.213.93 and invisible to him will be the forwarding of pcanywhere to his private ip.

i've configured many routers that run NAT and needed to do the same thing. i've never done port forwarding with ipchains/iptables but i'm positive that it can be done.

it sounds like what i'm advising is a little off-track of what you were looking at before... if someone else has a better suggestion, listen to them! the port-forwarding will work, but it may be a little more for you to set up...

good luck,
jason

On Wed, Jan 02, 2002 at 06:19:46PM -0800, Chad Morgan wrote:
| I have a gateway to share a dsl line with about 20 users that all use win 9x or a more recent windows product. One of the users wants to be able to set up pcanywhere so he can access his office computer using his cable modem at home instead of the phone line.
|
| This is the output of ifconfig:
|
| eth0      Link encap:Ethernet  HWaddr 00:A0:CC:23:A3:AC
|           inet addr:216.86.213.93  Bcast:216.86.213.255  Mask:255.255.255.0
|           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
|           RX packets:241367 errors:0 dropped:0 overruns:0 frame:0
|           TX packets:260291 errors:0 dropped:0 overruns:0 carrier:0
|           collisions:41 txqueuelen:100
|           Interrupt:10 Base address:0x6000
|
| eth0:1    Link encap:Ethernet  HWaddr 00:A0:CC:23:A3:AC
|           inet addr:216.86.213.94  Bcast:216.86.213.255  Mask:255.255.255.0
|           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
|           Interrupt:10 Base address:0x6000
|
| eth1      Link encap:Ethernet  HWaddr 00:A0:CC:5A:CB:A2
|           inet addr:192.168.0.1  Bcast:192.168.0.255  Mask:255.255.255.0
|           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
|           RX packets:191550 errors:0 dropped:0 overruns:0 frame:0
|           TX packets:233023 errors:0 dropped:0 overruns:0 carrier:0
|           collisions:0 txqueuelen:100
|           Interrupt:11 Base address:0x6100
|
| lo        Link encap:Local Loopback
|           inet addr:127.0.0.1  Mask:255.0.0.0
|           UP LOOPBACK RUNNING  MTU:3924  Metric:1
|           RX packets:38940 errors:0 dropped:0 overruns:0 frame:0
|           TX packets:38940 errors:0 dropped:0 overruns:0 carrier:0
|           collisions:0 txqueuelen:0
|
| And this is the output of route:
|
| Kernel IP routing table
| Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
| adsl-gte-la-216 *               255.255.255.255 UH    0      0        0 eth0
| adsl-gte-la-216 *               255.255.255.255 UH    0      0        0 eth0
| 192.168.0.0     *               255.255.255.0   U     0      0        0 eth1
| 216.86.213.0    *               255.255.255.0   U     0      0        0 eth0
| default         adsl-gte-la-216 0.0.0.0         UG    1      0        0 eth0
|
| Note: the first two entries are the hosts associated with eth0 and eth0:1
|
| Now, I'm at a remote location but when logged into this machine I can ping all ip addresses.
|
| From my machine I get no response when I try and ping the address associated with eth0:1; however when I use tcpdump host 216.86.213.94 I get the following result while pinging that address from my machine, so it looks like it is getting something but not answering.
|
| 11:31:07.232889 ca-brea2a-102.stmnca.adelphia.net > adsl-gte-la-216-86-213-94.mminternet.com: icmp: echo request (DF)
|
| Also, it is not possible for me to ask someone at the site to try to ping the eth0:1 address from a machine on the 192.168.0 segment, however I'll be in the area tomorrow (only 15-20 minutes out of my way) and can swing by and see if it is working from there if absolutely necessary.
|
| This is also a repost, I've incorporated all of the advice from my original post but more important priorities forced me to put this on the back burner. That always catches up with me since now this is a fire that I need to put out.
|
| If I can't get the aliasing to work the way I want it to, I'll have to go down there tomorrow and throw in another NIC for the second address but I don't really want to do that because it is possible that more people will want the same and I don't want to have to keep adding cards. Space and maintenance are more of issues than cost.
|
| Also, it isn't practical to just give that computer an external ip address because it is behind another hub on the 192 segment.
|
| Any assistance or advice would be greatly appreciated.
|
| Chad
Re: Can't access aliased ip address
On 2002.01.02 18:29 Jason M. Harvey wrote:

| hello,
|
| if this person wants to use pcanywhere from home... which ip address is he using for pcanywhere to connect to? unless he's using some sort of vpn setup between home and work, he won't get to his office pc.
|
| are you running masquerading on the pc 216.86.213.93? if the 196.168 network is translated to that ip, you'll need to forward ports 5631 and 5632 from 216.86.213.93 back to his ip (192.168.y.z). once you've done that, he will be able to pcanywhere to 216.86.213.93 and invisible to him will be the forwarding of pcanywhere to his private ip.

This is actually a better idea for my worst case scenario of having to add another NIC if I can't get the aliased address to work.

However, there is someone else that has been toying with the pcanywhere idea as well and I'm pretty sure once it is working for this guy the other one will want it too.

I don't use pcanywhere so I don't know if you can manually specify a different port. If you can I guess I could give everyone that wants it a different port on the *.93 address, but not using the defaults could create some unique support situations when people forget their assigned port or don't know how to change the defaults, and I'd like to avoid that.

| i've configured many routers that run NAT and needed to do the same thing. i've never done port forwarding with ipchains/iptables but i'm positive that it can be done.

I haven't set up the port forwarding yet since traffic to the address I wanted to use wasn't getting there anyway.

I was planning on using ipmasqadm to do the port forwarding once I can forward traffic on the address that I would like to use.

Thanks,
Chad

| it sounds like what i'm advising is a little off-track of what you were looking at before... if someone else has a better suggestion, listen to them! the port-forwarding will work, but it may be a little more for you to set up...
| good luck,
| jason
|
| On Wed, Jan 02, 2002 at 06:19:46PM -0800, Chad Morgan wrote:
| | I have a gateway to share a dsl line with about 20 users that all use win 9x or a more recent windows product. One of the users wants to be able to set up pcanywhere so he can access his office computer using his cable modem at home instead of the phone line.
| |
| | snip
Re: Can't access aliased ip address
hi chad,

yes, ipmasqadm should work for the port forwarding. actually, i know someone else who uses ipmasqadm to forward telnet traffic from his external ip to another pc with a private ip. having other users who may/will want pcanywhere may definitely be an issue for you to consider! i've never used it myself... one of these years i have to install it just to see what options it has - like specifying other ports! (yes, i'm stuck with that other os at my job!)

~jason

On Wed, Jan 02, 2002 at 06:52:24PM -0800, Chad Morgan wrote:
| On 2002.01.02 18:29 Jason M. Harvey wrote:
| | hello,
| |
| | if this person wants to use pcanywhere from home... which ip address is he using for pcanywhere to connect to? unless he's using some sort of vpn setup between home and work, he won't get to his office pc.
| | are you running masquerading on the pc 216.86.213.93? if the 196.168 network is translated to that ip, you'll need to forward ports 5631 and 5632 from 216.86.213.93 back to his ip (192.168.y.z). once you've done that, he will be able to pcanywhere to 216.86.213.93 and invisible to him will be the forwarding of pcanywhere to his private ip.
|
| This is actually a better idea for my worst case scenario of having to add another NIC if I can't get the aliased address to work.
| However, there is someone else that has been toying with the pcanywhere idea as well and I'm pretty sure once it is working for this guy the other one will want it too.
| I don't use pcanywhere so I don't know if you can manually specify a different port. If you can I guess I could give everyone that wants it a different port on the *.93 address, but not using the defaults could create some unique support situations when people forget their assigned port or don't know how to change the defaults, and I'd like to avoid that.
|
| | i've configured many routers that run NAT and needed to do the same thing. i've never done port forwarding with ipchains/iptables but i'm positive that it can be done.
|
| I haven't set up the port forwarding yet since traffic to the address I wanted to use wasn't getting there anyway.
| I was planning on using ipmasqadm to do the port forwarding once I can forward traffic on the address that I would like to use.
|
| Thanks,
| Chad
|

--
registered linux user #202942
http://counter.li.org/
http://www.theigloo.dhs.org
Re: Can't access aliased ip address
On Wed, 2 Jan 2002, Chad Morgan wrote:

| eth0      Link encap:Ethernet  HWaddr 00:A0:CC:23:A3:AC
|           inet addr:216.86.213.93  Bcast:216.86.213.255  Mask:255.255.255.0
|           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
|           RX packets:241367 errors:0 dropped:0 overruns:0 frame:0
|           TX packets:260291 errors:0 dropped:0 overruns:0 carrier:0
|           collisions:41 txqueuelen:100
|           Interrupt:10 Base address:0x6000
|
| eth0:1    Link encap:Ethernet  HWaddr 00:A0:CC:23:A3:AC
|           inet addr:216.86.213.94  Bcast:216.86.213.255  Mask:255.255.255.0
|           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
|           Interrupt:10 Base address:0x6000

snip

| Kernel IP routing table
| Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
| adsl-gte-la-216 *               255.255.255.255 UH    0      0        0 eth0
| adsl-gte-la-216 *               255.255.255.255 UH    0      0        0 eth0
| 192.168.0.0     *               255.255.255.0   U     0      0        0 eth1
| 216.86.213.0    *               255.255.255.0   U     0      0        0 eth0
| default         adsl-gte-la-216 0.0.0.0         UG    1      0        0 eth0
|
| Note: the first two entries are the hosts associated with eth0 and eth0:1
|
| Now, I'm at a remote location but when logged into this machine I can ping all ip addresses.
|
| From my machine I get no response when I try and ping the address associated with eth0:1; however when I use tcpdump host 216.86.213.94 I get the following result while pinging that address from my machine, so it looks like it is getting something but not answering.
|
| 11:31:07.232889 ca-brea2a-102.stmnca.adelphia.net > adsl-gte-la-216-86-213-94.mminternet.com: icmp: echo request (DF)

Chad,

It sounds like you've fallen prey to the perils of asymmetric routing. For simplicity, I'll refer to your (my machine) external server as machine A, eth0 as ip-address B, and eth0:1 as ip-address C. Here is how things are happening:

Machine A sends echo request to C. C replies. The routing table on your multihomed server says that the packet needs to travel out via eth0. The outgoing echo reply therefore will contain the source address of B. A is not listening for replies from B. It is listening for replies from C. Hence your problem.

To see if I am right, filter tcpdump on the icmp protocol, rather than the host of C. If you see echo replies from B coming in, and echo requests for C going out, what I said is correct.

Regards,
Jor-el