Brian J. Murrell wrote:
> On Fri, 2007-02-09 at 23:56 +0000, Andrew Suffield wrote:
>> The message is somewhat obtusely phrased.
>
> Indeed.
>
>> The kernel has received a
>> packet from 64.86.88.116 to 66.11.173.224 on eth1, and it doesn't like
>> the source address for whatever reason,
>
> Or the destination address, considering that it's the destination
> address for a different interface?
>
>> so it dropped the packet. Most
>> likely, 64.86.88.116 is not routable via eth1, which implies either
>> your routing tables are wrong
>
> # ip route ls
> ...
> default
>     nexthop via 72.38.184.1 dev eth1 weight 1
>     nexthop via 192.168.200.1 dev ppp0 weight 1
>
> That should make it routable, yes?
>
>> or you need to disable return-path
>> filtering on this interface (I still haven't been paying enough
>> attention to know which, but you must disable rpfilter if your routing
>> is asymmetric).
>
> Well, it should not be. I do have two interfaces but they are in
> completely different subnets with different providers. IOW, completely
> independent of each other.
>
> That's what makes it odd that a packet could arrive on my eth1 with a
> destination address of 66.11.173.224. The Internet would not route that
> destination address to my eth1 via my eth1 provider but rather to my
> ppp0 via my ppp0 provider.
>
> But that packet should not even have that destination address as it is
> replying to a packet I sent via my eth1 interface and had a source
> address of my eth1 interface.
>
> In fact a tcpdump shows that at the demarcation of my eth1 interface,
> addressing is indeed correct:
>
> 19:21:31.572939 IP 72.38.184.236.4697 > 64.86.88.116.3653: S
> 2034318562:2034318562(0) win 5648 <mss 1412,sackOK,timestamp 61683401
> 0,nop,wscale 2>
> 19:21:31.611442 IP 64.86.88.116.3653 > 72.38.184.236.4697: S
> 1578824716:1578824716(0) ack 2034318563 win 32768 <mss 1460,nop,wscale
> 0,nop,nop,timestamp 0 61683401>
>
> So somehow, I guess, in my gateway it's having its destination address
> rewritten? That seems strange/unlikely.
>
>> It's probably transient because the sending system notes that packets
>> aren't getting through and tries a different route.
>
> Well, the sending system has no idea that my machine has these two
> different addresses, so I can't see how it would.
>
> b.
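The exchange above turns on how reverse-path filtering treats a multipath default route: when the reverse lookup for the reply's source address can resolve to either nexthop, a strict rp_filter on eth1 drops the packet whenever the lookup happens to pick ppp0, which is exactly the "asymmetric routing" case Andrew mentions. The following Python model is an added illustration written for this page, not kernel code or anything from the thread; it reduces rp_filter to a longest-prefix lookup plus a strict/loose decision (the real check in the kernel's `fib_validate_source` is more involved), and the two connected routes in the table are assumptions, since the thread shows only the default route.

```python
"""Simplified model of Linux reverse-path filtering (rp_filter) on a
dual-homed host with a multipath default route, as in the thread above.
Illustration written for this page, not kernel code."""
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    devs: List[str]          # one device, or several for a multipath route


DISABLED, STRICT, LOOSE = 0, 1, 2   # values of net.ipv4.conf.<dev>.rp_filter


def build_table() -> List[Route]:
    """Routing table built from the `ip route ls` excerpt in the thread.
    The two connected routes are assumptions: the thread shows only the
    default route, and the /24 on eth1 is a guess at the provider's subnet."""
    return [
        Route(ipaddress.ip_network("72.38.184.0/24"), ["eth1"]),      # assumed
        Route(ipaddress.ip_network("192.168.200.1/32"), ["ppp0"]),    # assumed PtP peer
        Route(ipaddress.ip_network("0.0.0.0/0"), ["eth1", "ppp0"]),   # from the thread
    ]


def lookup(table: List[Route], addr: str) -> List[str]:
    """Longest-prefix match; returns every device the best route can use."""
    ip = ipaddress.ip_address(addr)
    best = None
    for r in table:
        if ip in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return list(best.devs) if best else []


def reverse_path_ok(table: List[Route], src: str, ingress: str, mode: int, pick: int = 0) -> bool:
    """Decide whether a packet from `src` arriving on `ingress` survives rp_filter.

    strict: the reverse lookup for `src` must come out on `ingress`. For a
    multipath route the lookup resolves to one nexthop; `pick` stands in for
    that choice, which the receiving host does not control in practice.
    loose: any route back to `src` at all is enough.
    """
    if mode == DISABLED:
        return True
    devs = lookup(table, src)
    if not devs:
        return False              # no route back at all: dropped in either mode
    if mode == LOOSE:
        return True
    return devs[pick % len(devs)] == ingress


def thread_scenario() -> dict:
    """The SYN-ACK from 64.86.88.116 arriving on eth1, under each setting."""
    t = build_table()
    src = "64.86.88.116"
    return {
        "strict, reverse lookup resolves to eth1": reverse_path_ok(t, src, "eth1", STRICT, pick=0),
        "strict, reverse lookup resolves to ppp0": reverse_path_ok(t, src, "eth1", STRICT, pick=1),
        "loose": reverse_path_ok(t, src, "eth1", LOOSE),
        "disabled": reverse_path_ok(t, src, "eth1", DISABLED),
    }


if __name__ == "__main__":
    for case, accepted in thread_scenario().items():
        print(f"{case:42s} -> {'accepted' if accepted else 'dropped'}")
```

The point the model makes is that nothing is wrong with the table itself: the same packet passes or fails strict filtering depending only on which nexthop the reverse lookup resolves to. On current kernels the middle ground is loose mode (`net.ipv4.conf.eth1.rp_filter = 2`), which still drops sources with no route at all while tolerating a reply that comes back on the other uplink; disabling the filter entirely gives up that protection.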
Just wondering how you have your masq file set up; I hope you're using the SNAT column in there.

Jerry

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
