[ale] iptables issues with dual NIC'd hosts?

Lightner, Jeffrey JLightner at dsservices.com
Fri Jan 26 15:00:47 EST 2018


When running "iptables -nL", is your 3306 rule under "Chain INPUT (policy ACCEPT)" and above the end of that chain, which reads:
"REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited"?

If you add the line to the INPUT chain but put it beneath the REJECT line, it never gets there, as the rules are read top to bottom.


-----Original Message-----
From: Ale [mailto:ale-bounces at ale.org] On Behalf Of leam hall via Ale
Sent: Friday, January 26, 2018 2:31 PM
To: Atlanta Linux Enthusiasts
Subject: Re: [ale] iptables issues with dual NIC'd hosts?

The iptables rules were almost the default "wide open" with a specific line for port 3306 as 0.0.0.0 accept.

The two machines are on the same vlan, no routing except the host.



On Fri, Jan 26, 2018 at 2:27 PM, Ed Cashin via Ale <ale at ale.org> wrote:
> By "tracing it through" do you mean looking at the counts for the 
> iptables rules, and noticing which rules incremented and which did not?
>
> Tracing with tcpdump is great for debugging, but I don't see how that 
> would catch things getting stopped between chains inside the 
> kernel---that's why I ask.
>
>
> On Fri, Jan 26, 2018 at 2:12 PM, Jim Kinney via Ale <ale at ale.org> wrote:
>>
>> Sounds like a routing problem. ip route will show the defaults. If 
>> BOTH are not pointed at each other, nothing happens. Verify with 
>> tcpdump on both ends - look for traffic to/from <host>
>>
>> Host A has nics 1 & 2 (A1 & A2)
>> Host B has nics 1 & 2 (B1 & B2)
>>
>> Assumption is A1 and B1 are on network 192.168.0.0 and A2 and B2 are 
>> on 10.1.1.0. Assumption default route is 192.168.0.0.
>>
>> To get those machines to talk on the 10.1.1.0 network, you will need 
>> to use explicit IP address and adding a custom name in /etc/hosts is 
>> a good idea.
>>
>> Also need to verify that the database is listening on the correct IP - 
>> ditto for tomcat.
>>
>> I just spent _days_ trying to trace a multi-homed network FSCKUP 
>> through iptables. Data in on port A never appears anywhere else. 
>> tracing it through just showed where it vanished - between PREROUTING 
>> RAW and PREROUTING NAT. I feel your pain.
>>
>> On Fri, 2018-01-26 at 13:01 -0500, leam hall via Ale wrote:
>>
>> Using RHEL 6, two hosts (A, B) each with two NICs. Each host has one 
>> NIC on each of two VLANs. Tomcat on Host_A trying to connect to MySQL 
>> on Host_B, port 3306. iptables on Host_B looks open (0.0.0.0) for 
>> TCP/3306.
>>
>> Host_A_NIC_0 can connect to Host_B_NIC_0 TCP/3306
>> HOST_A_NIC_1 can NOT connect to HOST_B_NIC_1  TCP/3306.
>>
>> They are 1 IP off and NIC_1 can ping NIC_1, but not connect TCP/3306.
>>
>> Thoughts on how to figure out why when iptables looks open?
>>
>> Leam
>> _______________________________________________
>> Ale mailing list
>> Ale at ale.org
>> http://mail.ale.org/mailman/listinfo/ale
>> See JOBS, ANNOUNCE and SCHOOLS lists at 
>> http://mail.ale.org/mailman/listinfo
>>
>> --
>>
>> James P. Kinney III
>>
>> Every time you stop a school, you will have to build a jail. What you 
>> gain at one end you lose at the other. It's like feeding a dog on his 
>> own tail. It won't fatten the dog.
>> - Speech 11/23/1900 Mark Twain
>>
>> http://heretothereideas.blogspot.com/
>>
>>
>>
>
>
>
> --
>   Ed Cashin <ecashin at noserose.net>
>
>
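The ordering point Jeffrey raises (an ACCEPT appended below the chain's terminal REJECT is never evaluated) is easy to check mechanically. The following is an added example, not code posted to the ALE thread: a POSIX shell function that reads the output of "iptables -nL INPUT --line-numbers" (with or without -v) on stdin and reports whether the ACCEPT for a given TCP port sits above the first catch-all REJECT/DROP. The function name check_port_order and the two sample listings are constructed; the samples are modelled on a RHEL 6 default ruleset with the 3306 rule added via "-A" (appended, so it lands below the REJECT) and then after the fix.

```shell
#!/bin/sh
# Added example (not from the ALE thread): report whether the INPUT chain's
# ACCEPT for a TCP port is reachable, i.e. sits above the chain's catch-all
# REJECT/DROP. Reads `iptables -nL INPUT --line-numbers` output (plain or -v)
# on stdin. The function name and the sample listings are constructed.

# check_port_order PORT  <listing
# Prints OK, SHADOWED or MISSING on stdout; on SHADOWED a fix hint goes to stderr.
check_port_order() {
    awk -v port="$1" '
        /^Chain / { chain = $2; next }                     # chain banner
        $1 == "num" || $1 == "target" || $1 == "pkts" {   # column header: locate "target"
            for (i = 1; i <= NF; i++) if ($i == "target") tcol = i
            next
        }
        chain != "INPUT" || NF == 0 || !tcol { next }     # only count INPUT rules
        {
            n++                                           # rule position within INPUT
            target = $tcol; proto = $(tcol + 1)
            # first terminating catch-all: REJECT/DROP, proto all, no port match
            if (!catch && (target == "REJECT" || target == "DROP") && proto == "all" && $0 !~ /[ds]pt:/)
                catch = n
            # first ACCEPT whose match list contains "dpt:PORT"
            if (!acc && target == "ACCEPT" && $0 ~ ("dpt:" port "( |$)"))
                acc = n
        }
        END {
            if (!acc) { print "MISSING"; exit }
            if (catch && acc > catch) {
                print "SHADOWED"
                printf "rule %d (ACCEPT dpt:%s) is below catch-all rule %d and is never evaluated.\n", acc, port, catch > "/dev/stderr"
                # delete by number first (catch < acc, so catch keeps its index), then insert above the catch-all
                printf "fix: iptables -D INPUT %d && iptables -I INPUT %d -p tcp --dport %s -j ACCEPT\n", acc, catch, port > "/dev/stderr"
                exit
            }
            print "OK"
        }'
}

# Constructed listing modelled on a RHEL 6 default ruleset after
#   iptables -A INPUT -p tcp --dport 3306 -j ACCEPT
# -A appends, so the new rule lands below the REJECT. Without -v the listing
# also hides interface matches: rule 3 here is really "-i lo".
SAMPLE_SHADOWED='Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
2    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
5    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited
6    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:3306'

# Same ruleset after the suggested fix: 3306 inserted at position 5, above the REJECT.
SAMPLE_FIXED='Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
2    ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
3    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
4    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:22
5    ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:3306
6    REJECT     all  --  0.0.0.0/0            0.0.0.0/0           reject-with icmp-host-prohibited'

# Demo on the constructed listings. On a live host run:
#   iptables -nvL INPUT --line-numbers | check_port_order 3306
printf '%s\n' "$SAMPLE_SHADOWED" | check_port_order 3306   # SHADOWED (fix hint on stderr)
printf '%s\n' "$SAMPLE_FIXED"    | check_port_order 3306   # OK
```

Two practitioner notes on the listing format. "iptables -nL" does not print interface matches, so a rule shown as "ACCEPT all -- 0.0.0.0/0 0.0.0.0/0" can be the default "-i lo" rule rather than a wide-open accept; "iptables -nvL" adds the in/out columns and the per-rule packet counters, and watching which counter increments while retrying the connection from the second NIC is the in-kernel equivalent of the tcpdump trace discussed above. Also, with the default layout ICMP is accepted at rule 2 while a new TCP connection to a shadowed port falls through to the REJECT, which is what "pings but cannot connect" looks like from the client side. On RHEL 6, "service iptables save" persists a corrected ordering.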

