[leaf-user] LEAF 2.0.3 'default setup' problems (ping failing)
Hi, I'm a newbie, but would be grateful for help with the following:

I set up the following isolated network in order to help learn/test my set-up of Bering 2.0.3:

    HOST 'far'   IP 1.2.3.1      running RH Linux 6.2
        |
        |
        |  1.2.3.4/24
    Bering firewall
        |  192.168.1.254/24
        |
        |
    HOST 'near'  IP 192.168.1.2  running RH Linux 7.3

The Bering/Shorewall set-up is almost standard - I only changed what I believe is the necessary minimum. In the long run I want to set up a link between two networks and do 1-to-1 NAT (SNAT) for connections from specific machines on one network (with private IPs) to the other (with some allocated IPs on the second network for these machines).

Some configuration file content and output debug from the three machines is appended. I apologise if this doesn't include something that's particularly significant...

In a nutshell, I can ping the firewall from both near and far. I can also ping near and far from the firewall. However I cannot ping far from near, but do not understand why not - Help please!
OUTPUT on each machine:

=== HOST 'near' ===

netstat -nr
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.1.0     0.0.0.0         255.255.255.0   U        40 0          0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U        40 0          0 lo
0.0.0.0         192.168.1.254   0.0.0.0         UG       40 0          0 eth0

ifconfig
eth0      Link encap:Ethernet  HWaddr 00:50:04:C9:CB:38
          inet addr:192.168.1.2  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:35 errors:0 dropped:0 overruns:0 frame:0
          TX packets:54 errors:0 dropped:0 overruns:0 carrier:4
          collisions:0 txqueuelen:100
          RX bytes:3088 (3.0 Kb)  TX bytes:4730 (4.6 Kb)
          Interrupt:9 Base address:0x4000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:64 errors:0 dropped:0 overruns:0 frame:0
          TX packets:64 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:4834 (4.7 Kb)  TX bytes:4834 (4.7 Kb)

route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     *               255.255.255.0   U     0      0        0 eth0
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
default         192.168.1.254   0.0.0.0         UG    0      0        0 eth0

/etc/hosts
# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1       localhost.localdomain localhost
192.168.1.2     near

ping
PING 1.2.3.4 (1.2.3.4) from 192.168.1.2 : 56(84) bytes of data.
64 bytes from 1.2.3.4: icmp_seq=1 ttl=255 time=0.297 ms
64 bytes from 1.2.3.4: icmp_seq=2 ttl=255 time=0.276 ms
:
--- 1.2.3.4 ping statistics ---
4 packets transmitted, 4 received, 0% loss, time 2997ms
rtt min/avg/max/mdev = 0.276/0.283/0.297/0.018 ms

PING 192.168.1.254 (192.168.1.254) from 192.168.1.2 : 56(84) bytes of data.
64 bytes from 192.168.1.254: icmp_seq=1 ttl=255 time=0.295 ms
64 bytes from 192.168.1.254: icmp_seq=2 ttl=255 time=0.274 ms
64 bytes from 192.168.1.254: icmp_seq=3 ttl=255 time=0.272 ms
--- 192.168.1.254 ping statistics ---
3 packets transmitted, 3 received, 0% loss, time 1998ms
rtt min/avg/max/mdev = 0.272/0.280/0.295/0.017 ms

PING 192.168.1.2 (192.168.1.2) from 192.168.1.2 : 56(84) bytes of data.
64 bytes from 192.168.1.2: icmp_seq=1 ttl=255 time=0.045 ms
64 bytes from 192.168.1.2: icmp_seq=2 ttl=255 time=0.035 ms
--- 192.168.1.2 ping statistics ---
2 packets transmitted, 2 received, 0% loss, time 999ms
rtt min/avg/max/mdev = 0.035/0.040/0.045/0.005 ms

PING 1.2.3.1 (1.2.3.1) from 192.168.1.2 : 56(84) bytes of data.
--- 1.2.3.1 ping statistics ---
8 packets transmitted, 0 received, 100% loss, time 7011ms

=== HOST 'far' ===

ifconfig
eth0      Link encap:Ethernet  HWaddr 00:00:86:31:F1:C1
          inet addr:1.2.3.1  Bcast:1.2.3.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:51 errors:0 dropped:0 overruns:0 frame:0
          TX packets:69 errors:0 dropped:0 overruns:0 carrier:1
          collisions:0 txqueuelen:100
          Interrupt:10 Base address:0x300

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:3924  Metric:1
          RX packets:25 errors:0 dropped:0 overruns:0 frame:0
          TX packets:25 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
far             *
Re: [leaf-user] LEAF 2.0.3 'default setup' problems (ping failing)
On the router, what is the output of this command?

    cat /proc/sys/net/ipv4/ip_forward

It should be 1. If it is 0, then you do not have IP forwarding turned on on the router, and it will not route anything. Fixing that would probably (I'm no expert on Bering config files, I fear) involve changing the first line in /etc/options:

    /etc/options
    ip_forward=no
    spoofprotect=yes
    syncookies=no

to ip_forward=yes.

If that's not it, then the problem is most likely in the firewall ruleset. I'm also not a Shorewall expert, but either one of the Shorewall experts can tell you its command for reporting firewall details, or you can report the underlying rules with

    iptables -nvL

Final thought: since this is an isolated network, I assume that the external network really is 1.2.3.0/24, not that you are changing addresses to conceal information. If this assumption is wrong, please use the real numbers next time, since changing them in troubleshooting reports can conceal problems.

At 10:23 PM 1/9/03 -0800, Wynne Crompton wrote:
[original post quoted in full; detailed diagnostics deleted]

-- 
---Never tell me the odds!          Ray Olszewski
    -- Han Solo                     Palo Alto, California, USA
                                    [EMAIL PROTECTED]

---
This SF.NET email is sponsored by: SourceForge Enterprise Edition + IBM + LinuxWorld = Something 2 See!
http://www.vasoftware.com
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
Re: [leaf-user] LEAF 2.0.3 'default setup' problems (ping failing)
On Thu, 2003-01-09 at 16:05, Ray Olszewski wrote:
> If that's not it, then the problem is most likely in the firewall ruleset. I'm also not a Shorewall expert, but either one of the Shorewall experts can tell you its command for reporting firewall details, or you can report the underlying rules with iptables -nvL

Ray,
Tom recommends the use of /sbin/shorewall status
Ref. http://shorewall.net/support.htm

-- 
Mike Noyes
mhnoyes @ users.sourceforge.net
http://sourceforge.net/users/mhnoyes/
http://leaf-project.org/  http://sitedocs.sf.net/  http://ffl.sf.net/
Re: [leaf-user] LEAF 2.0.3 'default setup' problems (ping failing)
Wynne,

Ray did a good job with the general, low-level debugging suggestions. Unless you've made drastic setup changes, I expect IP forwarding to already be enabled. If that's the case, the next place to check is firewall rules and policies.

The best advice I can give is to keep a close eye on /var/log/syslog while debugging. Both

    tail -f /var/log/syslog

and

    shorewall status

can be invaluable. You may also want to check the value of FORWARDPING in /etc/shorewall/shorewall.conf and noping and filterping in /etc/shorewall/interfaces.

Failed pings are also documented well in the shorewall docs. Search for ping in the FAQs and Troubleshooting documents at http://shorewall.net/ for details.

Hope that helps get you started.

--Brad

On Thu, 09 Jan 2003 22:23:21 PST Wynne Crompton wrote:
[original post quoted in full; setup details snipped]
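The checks Ray and Brad describe above (is ip_forward set, which iptables rule is counting the dropped packets, what the Shorewall log lines in syslog say about the flow) can be scripted so they are run the same way each time. The helper below is an added example for this thread, not code from the thread, from LEAF or from Shorewall. The chain names (loc2net, net2all) in the constructed samples and the assumed log-prefix layout "Shorewall:<chain>:<action>:" followed by the usual kernel netfilter fields (IN= OUT= SRC= DST= PROTO=) are assumptions for illustration; real output will differ in chain names but parse the same way.

```shell
#!/bin/sh
# Added diagnostic helper (not from the thread, LEAF or Shorewall).
# Automates three checks for "LAN host cannot ping through the router":
#   1. is /proc/sys/net/ipv4/ip_forward == 1
#   2. which DROP/REJECT rule in 'iptables -nvL' has a non-zero packet count
#   3. which flows the kernel logged with a Shorewall:<chain>:<action> prefix
# Assumption: log prefix layout and chain names in the samples are illustrative.

# Exit 0 when the sysctl file reads "1".  The path is a parameter so the
# same check runs against a saved copy of the file.
ip_forward_enabled() {
    f="${1:-/proc/sys/net/ipv4/ip_forward}"
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# Read 'iptables -nvL' text on stdin; print "chain target proto pkts" for
# every DROP/REJECT rule whose packet counter is non-zero.  A terminating
# rule that is counting is the one eating the traffic under test.
dropping_rules() {
    awk '
        /^Chain / { chain = $2; next }            # remember the current chain
        NF == 0 || $1 == "pkts" { next }         # skip blank and header lines
        ($3 == "DROP" || $3 == "REJECT") && $1 > 0 { print chain, $3, $4, $1 }
    '
}

# Read syslog text on stdin; for each netfilter line carrying a Shorewall
# log prefix print "src dst proto chain action".
logged_flows() {
    awk '
        /Shorewall:/ {
            match($0, /Shorewall:[^ ]*/)
            split(substr($0, RSTART, RLENGTH), tag, ":")   # tag[2]=chain tag[3]=action
            src = dst = proto = "?"
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/)   src   = substr($i, 5)
                if ($i ~ /^DST=/)   dst   = substr($i, 5)
                if ($i ~ /^PROTO=/) proto = substr($i, 7)
            }
            print src, dst, proto, tag[2], tag[3]
        }
    '
}

# Constructed samples (not captured from the poster's router).
SAMPLE_IPTABLES='Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   12   900 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    8   672 loc2net    all  --  eth1   eth0    0.0.0.0/0            0.0.0.0/0

Chain loc2net (1 references)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
    8   672 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable'

SAMPLE_SYSLOG='Jan  9 22:31:05 firewall kernel: Shorewall:loc2net:REJECT:IN=eth1 OUT=eth0 SRC=192.168.1.2 DST=1.2.3.1 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=4321 SEQ=1
Jan  9 22:31:06 firewall kernel: Shorewall:net2all:DROP:IN=eth0 OUT= SRC=1.2.3.1 DST=1.2.3.4 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=1025 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0'

# With --live, run on the router itself (needs root for iptables);
# otherwise demonstrate the parsers on the constructed samples.
if [ "${1:-}" = "--live" ]; then
    if ip_forward_enabled; then echo "ip_forward=1"; else echo "ip_forward is OFF"; fi
    echo "rules counting dropped packets:"; iptables -nvL | dropping_rules
    echo "logged flows:"; logged_flows < /var/log/syslog
else
    printf '%s\n' "$SAMPLE_IPTABLES" | dropping_rules
    printf '%s\n' "$SAMPLE_SYSLOG"   | logged_flows
fi
```

On the samples, dropping_rules reports the REJECT rule in loc2net as the one with 8 packets against it, and logged_flows reduces the two syslog lines to "192.168.1.2 1.2.3.1 ICMP loc2net REJECT" and "1.2.3.1 1.2.3.4 TCP net2all DROP", which is the shape of answer the thread is after: the chain and action that stopped the echo-request on its way from near to far. Run it with --live on the Bering box after a failed ping from near, and compare the counters before and after a second ping to be sure the rule you see is the one incrementing.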
Re: [leaf-user] LEAF 2.0.3 'default setup' problems (ping failing)
On Thu, 2003-01-09 at 16:58, Brad Fritz wrote:
> Failed pings are also documented well in the shorewall docs. Search for ping in the FAQs and Troubleshooting documents at http://shorewall.net/ for details.

Brad,
The Shorewall ping information is here:

ICMP Echo-request (Ping)
http://shorewall.sourceforge.net/ping.html

And ours is here:

What are the ways that ping fails and what do they mean?
http://sourceforge.net/docman/display_doc.php?docid=4099&group_id=13751

Why can't the LEAF router ping its own interfaces?
http://sourceforge.net/docman/display_doc.php?docid=1433&group_id=13751

Why can't the LEAF router ping hosts on the LAN?
http://sourceforge.net/docman/display_doc.php?docid=1434&group_id=13751

Why can't the LEAF router ping its external gateway?
http://sourceforge.net/docman/display_doc.php?docid=1435&group_id=13751

Why can't the LEAF router ping hosts on the Internet?
http://sourceforge.net/docman/display_doc.php?docid=4100&group_id=13751

Why can't hosts on the LAN ping hosts on the Internet?
http://sourceforge.net/docman/display_doc.php?docid=1436&group_id=13751

-- 
Mike Noyes
mhnoyes @ users.sourceforge.net
http://sourceforge.net/users/mhnoyes/
http://leaf-project.org/  http://sitedocs.sf.net/  http://ffl.sf.net/