<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Feb 17, 2015 at 5:58 PM, Alex Carver <span dir="ltr"><<a href="mailto:agcarver+ale@acarver.net" target="_blank">agcarver+ale@acarver.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Are these the rules entirely or did you edit?<br></blockquote><div><br></div><div>I pulled out the rules for the working vIP and changed the external IPs. <br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
If edited, there might be a rule matching and preventing these from<br>
triggering. I would also try adding NEW to the ESTABLISHED,RELATED<br>
state clause and see if that opens up anything.<br></blockquote><div><br></div><div>No change :-( <br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
On one of my firewalls, I have a blanket --state RELATED,ESTABLISHED (no<br>
NEW) for the entire ruleset and then I add a separate --state<br>
NEW,RELATED,ESTABLISHED onto the more specific rules:<br>
<br>
-A INPUT -m state --state INVALID -j DROP<br>
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT<br>
-A INPUT -p tcp -s <source IP> --dport <port> -m state --state<br>
NEW,RELATED,ESTABLISHED -j ACCEPT<br>
<br>
(replace INPUT as needed of course)<br>
<br>
How did you insert your SNAT/DNAT entries (They look correct, just<br>
double checking).<br></blockquote><div><br></div><div>My usual way - manual edit of the /etc/sysconfig/iptables file :-)<br><br></div><div>I'm beginning to suspect that Comcast may have the route broken. <br><br></div><div>If I turn off the pre/post routing rules for the bad IP and let the gateway just have 2 IPs on the same NIC, I _STILL_ can't ping the IP from outside. Earlier testing had tcpdump with the nat route in place showing traffic going out _from_ the bad IP but nothing returning.<br><br></div><div><sigh> I think it's time to call Comcast tech support.<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div class="HOEnZb"><div class="h5"><br>
On 2015-02-17 14:34, Jim Kinney wrote:<br>
> I reworked the network setup to use the new IPADDR0, IPADDR1, IPADDR2<br>
> format for vip's. I even let NetworkManager run things. No changes. The<br>
> internal 192.168.1.12 address is not reachable from the outside over its<br>
> external IP nor can it reach the outside. Everything else is<br>
> SNAT'ed/DNAT'ed just fine.<br>
><br>
> iptables -L -n -t nat<br>
> Chain PREROUTING (policy ACCEPT)<br>
> target prot opt source destination<br>
> DNAT all -- <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> 13.160.95.6 to:192.168.1.12<br>
><br>
><br>
> Chain INPUT (policy ACCEPT)<br>
> target prot opt source destination<br>
><br>
> Chain OUTPUT (policy ACCEPT)<br>
> target prot opt source destination<br>
><br>
> Chain POSTROUTING (policy ACCEPT)<br>
> target prot opt source destination<br>
> SNAT all -- 192.168.1.12 <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> to:13.160.95.6<br>
><br>
> iptables -L -n<br>
> Chain INPUT (policy DROP)<br>
> target prot opt source destination<br>
> ACCEPT all -- <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a><br>
> ACCEPT all -- <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <a href="http://127.0.0.0/24" target="_blank">127.0.0.0/24</a><br>
> ACCEPT all -- <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> state<br>
> RELATED,ESTABLISHED<br>
> ACCEPT all -- <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a><br>
> ACCEPT udp -- <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> udp dpt:500<br>
> ACCEPT tcp -- <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> tcp dpt:22<br>
> ACCEPT udp -- <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> udp dpt:4500<br>
> ACCEPT esp -- <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a><br>
> ACCEPT ah -- <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a><br>
> ACCEPT udp -- <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> policy match<br>
> dir in pol ipsec udp dpt:1701<br>
> ACCEPT tcp -- <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> tcp dpt:80<br>
><br>
> Chain FORWARD (policy DROP)<br>
> target prot opt source destination<br>
> ACCEPT all -- <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a><br>
> ACCEPT all -- <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a><br>
> ACCEPT all -- <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> state<br>
> RELATED,ESTABLISHED<br>
> ACCEPT tcp -- <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> 192.168.1.12 tcp dpt:22<br>
> ACCEPT tcp -- <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a> 192.168.1.12 tcp dpt:80<br>
> ACCEPT all -- <a href="http://192.168.1.0/24" target="_blank">192.168.1.0/24</a> <a href="http://0.0.0.0/0" target="_blank">0.0.0.0/0</a><br>
><br>
> Chain OUTPUT (policy ACCEPT)<br>
> target prot opt source destination<br>
><br>
><br>
> On Mon, Feb 16, 2015 at 8:51 AM, Jim Kinney <<a href="mailto:jim.kinney@gmail.com">jim.kinney@gmail.com</a>> wrote:<br>
><br>
>> I'm on my phone at the moment. I'll get on a keyboard and pull data<br>
>> shortly.<br>
>><br>
>> It does show rules so its running. I'll include the setup rules for<br>
>> clarity.<br>
>><br>
>> Oh. NetworkManager is not controlling the process at all. In RHEL7 it's<br>
>> supposed to be able to do many, many things that could only be done with<br>
>> manual tricks. But the new process is far more complicated than doing it<br>
>> manually for the simple setup I have.<br>
>> On Feb 16, 2015 8:42 AM, "Alex Carver" <<a href="mailto:agcarver%2Bale@acarver.net">agcarver+ale@acarver.net</a>> wrote:<br>
>><br>
>>> What are the current rules as listed by iptables -n -L and iptables -n<br>
>>> -L -t nat?<br>
>>><br>
>>> On 2015-02-16 05:35, Jim Kinney wrote:<br>
>>>> I've got a firewall/router running centos 7. I've disabled firewalld and<br>
>>>> enabled iptables instead while I learn the new firewalld.<br>
>>>><br>
>>>> The box has a WAN nic with 3 IPs. One for itself and the other 2 for other<br>
>>>> systems. I'm using nat and have pre and post routing rules to do the<br>
>>>> translation.<br>
>>>><br>
>>>> Now for the weirdness.<br>
>>>><br>
>>>> One works and the other doesn't.<br>
>>>><br>
>>>> The rules are identical except for IPs. The rest of the LAN is simply nat<br>
>>>> translated outbound. They all work. One server, the :2 on the nic can't get<br>
>>>> outside at all if one the static translate. The :1 machine is fine.<br>
>>>><br>
>>>> Doing a tcpdump shows ping to WAN gateway going out and returning to<br>
>>>> outside nic but it then gets lost in the redirect.<br>
>>>><br>
>>>> There are explicit forward rules for needed ports but I opened it to all<br>
>>>> ports for the troubled machine.<br>
>>>><br>
>>>> It's a new machine that passed a full memtest+ run.<br>
>>>><br>
>>>> I'm stumped.<br>
>>>><br>
>>>><br>
>>>><br>
>>>> _______________________________________________<br>
>>>> Ale mailing list<br>
>>>> <a href="mailto:Ale@ale.org">Ale@ale.org</a><br>
>>>> <a href="http://mail.ale.org/mailman/listinfo/ale" target="_blank">http://mail.ale.org/mailman/listinfo/ale</a><br>
>>>> See JOBS, ANNOUNCE and SCHOOLS lists at<br>
>>>> <a href="http://mail.ale.org/mailman/listinfo" target="_blank">http://mail.ale.org/mailman/listinfo</a><br>
>>>><br>
>>><br>
>>><br>
>><br>
><br>
><br>
><br>
><br>
><br>
<br>
</div></div></blockquote></div><br><br clear="all"><br>-- <br><div class="gmail_signature"><div dir="ltr">-- <br>James P. Kinney III<br><i><i><i><i><br></i></i></i></i>Every time you stop a school, you will have to build a jail. What you
gain at one end you lose at the other. It's like feeding a dog on his
own tail. It won't fatten the dog.<br>
- Speech 11/23/1900 Mark Twain<br><i><i><i><i><br><a href="http://heretothereideas.blogspot.com/" target="_blank">http://heretothereideas.blogspot.com/</a><br></i></i></i></i></div></div>
</div></div>
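<p>The ruleset pattern Alex describes (drop INVALID, accept RELATED,ESTABLISHED once per chain, allow NEW only on explicit rules) combined with the PREROUTING DNAT / POSTROUTING SNAT pair from Jim's listing, written out as a complete iptables-restore fragment of the kind that goes into /etc/sysconfig/iptables. This is an added example, not code posted by either participant; the interface names eth0/eth1 and the port list are assumptions, and the addresses 13.160.95.6 and 192.168.1.12 are the ones from the thread.</p>

```shell
#!/bin/sh
# Added example, not code from the thread: print an iptables-restore fragment
# (the format of /etc/sysconfig/iptables) for a 1:1 NAT of one secondary WAN
# address ("vIP") to one LAN host, laid out with the pattern suggested above:
# drop INVALID, accept RELATED,ESTABLISHED once, allow NEW only on explicit
# rules. Interface names and the port list are illustrative assumptions.
#
# Usage: gen_vip_rules WAN_IF LAN_IF VIP LAN_HOST "proto:port ..."
gen_vip_rules() {
  wan_if=$1; lan_if=$2; vip=$3; host=$4; ports=$5

  # nat table: rewrite inbound traffic for the vIP to the LAN host in
  # PREROUTING, and rewrite the host's outbound source to the vIP in
  # POSTROUTING.
  printf '%s\n' \
    '*nat' \
    ':PREROUTING ACCEPT [0:0]' \
    ':INPUT ACCEPT [0:0]' \
    ':OUTPUT ACCEPT [0:0]' \
    ':POSTROUTING ACCEPT [0:0]' \
    "-A PREROUTING -i $wan_if -d $vip -j DNAT --to-destination $host" \
    "-A POSTROUTING -o $wan_if -s $host -j SNAT --to-source $vip" \
    'COMMIT'

  # filter table: default DROP, with the connection-state handling done once
  # per chain so the per-port rules below only have to say NEW.
  printf '%s\n' \
    '*filter' \
    ':INPUT DROP [0:0]' \
    ':FORWARD DROP [0:0]' \
    ':OUTPUT ACCEPT [0:0]' \
    '-A INPUT -i lo -j ACCEPT' \
    '-A INPUT -m state --state INVALID -j DROP' \
    '-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT' \
    "-A INPUT -i $lan_if -p tcp --dport 22 -m state --state NEW -j ACCEPT" \
    '-A FORWARD -m state --state INVALID -j DROP' \
    '-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT'

  # DNAT runs in PREROUTING, so by the time a packet reaches FORWARD its
  # destination is already the LAN host: match $host here, not the vIP.
  for p in $ports; do
    proto=${p%%:*}; port=${p##*:}
    printf '%s\n' "-A FORWARD -i $wan_if -o $lan_if -p $proto -d $host --dport $port -m state --state NEW -j ACCEPT"
  done

  # The host's own outbound connections; their replies return through the
  # RELATED,ESTABLISHED rule above and get un-SNATed by conntrack.
  printf '%s\n' \
    "-A FORWARD -i $lan_if -o $wan_if -s $host -m state --state NEW -j ACCEPT" \
    'COMMIT'
}

# Example (assumed interface names):
#   gen_vip_rules eth0 eth1 13.160.95.6 192.168.1.12 "tcp:22 tcp:80"
```

<p>Load the output with iptables-restore (or drop it into /etc/sysconfig/iptables and restart the iptables service). One check worth doing before touching the rules again, given that the vIP stays unreachable from outside even with its NAT rules removed: the kernel only answers ARP for addresses it owns, so confirm the vIP appears in <code>ip -4 addr show dev eth0</code> (assumed interface name) and watch <code>tcpdump -ni eth0 arp and host 13.160.95.6</code> from outside a ping; if the upstream gateway never ARPs for the address, or ARPs and gets no reply, no packet ever reaches PREROUTING and no iptables rule can help.</p>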