On Fri, Jul 10, 2020 at 8:30 PM Tom Eastep <teas...@shorewall.net> wrote:
>
> On 7/10/20 1:51 AM, Vieri Di Paola wrote:
> > On Fri, Jul 10, 2020 at 3:20 AM Tom Eastep <teas...@shorewall.net> wrote:
> >
> >> Clearly the firewall is dropping the replies, but I can see no reason
> >> why it should. You could try using 'shorewall iptrace' to try to
> >> understand where.
> >
> > This is the trace I could get:
> >
> > # grep -i trace /var/log/messages |grep 10.215.144.251
> > Jul 10 10:38:34 inf-fw1 kernel: TRACE: raw:PREROUTING:policy:13 IN=lan.1 OUT= MAC=ac:1f:6b:f5:b7:1b:00:50:56:b6:1f:15:08:00 SRC=10.215.246.24 DST=10.215.144.251 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=21549 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=26368
> ...
> > Jul 10 10:39:07 inf-fw1 kernel: TRACE: mangle:POSTROUTING:policy:1 IN= OUT=lan.1 SRC=10.215.246.24 DST=10.215.144.251 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=21632 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=27904
> >
> > This is an updated dump:
> >
> > https://drive.google.com/file/d/1ixZz0m7DaTDK54Wiu_sJMLUQxE7fjiVl/view?usp=sharing
> >
>
> You have captured nothing but echo requests. We need to see the echo
> replies.
Well, that **IS** the issue. If I run the following on the Shorewall firewall, which is the default gateway:

# tcpdump -n -i lan.1 "host 10.215.246.24 and host 10.215.144.251 and icmp or ( arp and ( host 10.215.144.251 or host 10.215.246.24 ) )"
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lan.1, link-type EN10MB (Ethernet), capture size 262144 bytes
11:10:15.279599 IP 10.215.246.24 > 10.215.144.251: ICMP echo request, id 512, seq 35584, length 40
11:10:15.279641 ARP, Request who-has 10.215.144.251 tell 10.215.144.91, length 28
11:10:15.279860 ARP, Reply 10.215.144.251 is-at 94:40:c9:26:dc:80, length 46
11:10:15.279880 IP 10.215.246.24 > 10.215.144.251: ICMP echo request, id 512, seq 35584, length 40
11:10:15.279996 IP 10.215.144.251 > 10.215.246.24: ICMP echo reply, id 512, seq 35584, length 40
11:10:20.671694 IP 10.215.246.24 > 10.215.144.251: ICMP echo request, id 512, seq 35840, length 40
11:10:20.671731 IP 10.215.246.24 > 10.215.144.251: ICMP echo request, id 512, seq 35840, length 40
11:10:20.671866 IP 10.215.144.251 > 10.215.246.24: ICMP echo reply, id 512, seq 35840, length 40
11:10:26.171698 IP 10.215.246.24 > 10.215.144.251: ICMP echo request, id 512, seq 36096, length 40
11:10:26.171734 IP 10.215.246.24 > 10.215.144.251: ICMP echo request, id 512, seq 36096, length 40
11:10:26.171875 IP 10.215.144.251 > 10.215.246.24: ICMP echo reply, id 512, seq 36096, length 40
11:10:31.671544 IP 10.215.246.24 > 10.215.144.251: ICMP echo request, id 512, seq 36352, length 40
11:10:31.671567 IP 10.215.246.24 > 10.215.144.251: ICMP echo request, id 512, seq 36352, length 40
11:10:31.671807 IP 10.215.144.251 > 10.215.246.24: ICMP echo reply, id 512, seq 36352, length 40

I can see the duplicated echo requests and a single echo reply. However, if I run 'shorewall iptrace' and then grep all occurrences of 'TRACE', I can only see echo requests with SRC=10.215.246.24.
> And please try to look at it yourself before sending it to me -- I'm not
> your personal IP troubleshooter.

I did, and I'm lost here, as 'shorewall iptrace' did not show the replies. So I saved a tcpdump taken on the Shorewall system to a file and uploaded it here:

https://drive.google.com/file/d/1waEUIIMHsPK0c-xAEyKkT2XSgNWrj5t3/view?usp=sharing

I can see the reply in this dump, but frankly I don't know why it's not reaching the host at 10.215.246.24. The only thing I noticed in this dump is that the destination MAC is e8:ea:6a:0c:4c:1c. However, I see another MAC on the Shorewall gateway:

# ip neigh show | grep 10.215.246.24
10.215.246.24 dev lan.1 lladdr 00:50:56:b6:1f:15 REACHABLE

And, still on the Shorewall gateway:

# ip neigh show | grep e8:ea:6a:0c:4c:1c
# ip a s | grep e8:ea:6a:0c:4c:1c

So I'm searching for that MAC addr. I know that the host at 10.215.246.24 is a vmware virtual machine, so that MAC could be one of its interfaces. Even if it were, what could I try next? Could the echo replies be reaching the vmware host but not the VM somehow?

Also, why are we seeing duplicate requests and, when the ping completes, duplicate replies?

Thanks for your help,

Vieri

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
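The check Vieri is doing by hand above (grep the TRACE lines, look for the reply direction) is easy to get wrong when every packet produces one line per chain and the two ID= fields (IP header id, then ICMP echo id) look alike. The following is an added example, not code from the thread or from Shorewall: a small Python script that parses iptables TRACE records from a syslog file, groups them per echo request/reply by endpoints, ICMP id and sequence number, prints the chain path each packet took (table:chain:rule/policy and the IN/OUT interfaces), and reports which requests never had a reply-direction packet traced at all. The sample log is constructed: it contains the two TRACE lines quoted in the thread, plus an invented SEQ=99 request/reply pair (with made-up MAC and IP ids) so that a fully traced round trip appears next to the ones where the reply is missing.

```python
import re
from collections import defaultdict

# Constructed sample log: the two TRACE lines quoted in the thread, plus an
# invented SEQ=99 echo request/reply pair (made-up MACs and IP ids) so that a
# complete round trip can be compared with one whose reply was never traced.
SAMPLE_LOG = """\
Jul 10 10:38:34 inf-fw1 kernel: TRACE: raw:PREROUTING:policy:13 IN=lan.1 OUT= MAC=ac:1f:6b:f5:b7:1b:00:50:56:b6:1f:15:08:00 SRC=10.215.246.24 DST=10.215.144.251 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=21549 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=26368
Jul 10 10:39:07 inf-fw1 kernel: TRACE: mangle:POSTROUTING:policy:1 IN= OUT=lan.1 SRC=10.215.246.24 DST=10.215.144.251 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=21632 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=27904
Jul 10 10:40:00 inf-fw1 kernel: TRACE: raw:PREROUTING:policy:13 IN=lan.1 OUT= MAC=00:00:00:00:00:01:00:00:00:00:00:02:08:00 SRC=10.215.246.24 DST=10.215.144.251 LEN=60 TOS=0x00 PREC=0x00 TTL=128 ID=30000 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=99
Jul 10 10:40:00 inf-fw1 kernel: TRACE: raw:PREROUTING:policy:13 IN=lan.1 OUT= MAC=00:00:00:00:00:01:00:00:00:00:00:03:08:00 SRC=10.215.144.251 DST=10.215.246.24 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=30001 PROTO=ICMP TYPE=0 CODE=0 ID=512 SEQ=99
"""

# "TRACE: table:chain:rule|policy|return:number key=value ..." ; chain names may
# contain characters other than \w (Shorewall generates names like lan-net).
TRACE_RE = re.compile(
    r"TRACE: (?P<table>[^:\s]+):(?P<chain>[^:\s]+):(?P<kind>\w+):(?P<num>\d+) (?P<fields>.*)$"
)


def parse_trace_line(line):
    """Parse one iptables TRACE line into a dict; return None for any other line."""
    m = TRACE_RE.search(line)
    if not m:
        return None
    rec = {"table": m.group("table"), "chain": m.group("chain"),
           "kind": m.group("kind"), "num": int(m.group("num"))}
    ids = []
    for key, val in re.findall(r"(\w+)=(\S*)", m.group("fields")):
        if key == "ID":
            ids.append(val)  # first ID= is the IP header id, second is the ICMP echo id
        else:
            rec[key] = val
    rec["ip_id"] = ids[0] if ids else None
    rec["icmp_id"] = ids[1] if len(ids) > 1 else None
    return rec


def flow_key(rec):
    """Identify one echo packet by protocol, endpoints, echo id and sequence number."""
    return (rec.get("PROTO"), rec.get("SRC"), rec.get("DST"),
            rec.get("icmp_id"), rec.get("SEQ"))


def build_flows(log_text):
    """Group TRACE records per packet, keeping the order in which chains were hit."""
    flows = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_trace_line(line)
        if rec:
            flows[flow_key(rec)].append(rec)
    return flows


def chain_path(recs):
    """Render the chains a packet traversed, with the interfaces seen at each hop."""
    return [f"{r['table']}:{r['chain']}:{r['kind']}:{r['num']} "
            f"IN={r.get('IN', '')} OUT={r.get('OUT', '')}" for r in recs]


def unanswered_requests(flows):
    """Echo requests (TYPE=8) for which no packet in the reverse direction was traced."""
    missing = []
    for key, recs in flows.items():
        if recs[0].get("TYPE") != "8":
            continue
        proto, src, dst, icmp_id, seq = key
        if (proto, dst, src, icmp_id, seq) not in flows:
            missing.append(key)
    return missing


if __name__ == "__main__":
    flows = build_flows(SAMPLE_LOG)
    for key, recs in flows.items():
        print(key)
        for step in chain_path(recs):
            print("   ", step)
    for key in unanswered_requests(flows):
        print("no reply-direction packet traced for", key)
```

Run it against a real file with `build_flows(open("/var/log/messages").read())`. A request whose path ends in a POSTROUTING line with OUT set but whose reply never appears in any raw:PREROUTING line means the reply never entered the firewall's IP stack on that host, which is a different problem from a reply that is traced and then dropped by a rule; the per-packet chain path is what distinguishes the two cases.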