#11 rookiepaul (Just Joined!, joined Aug 2010, 9 posts)

    Just so you know Lazydog I really appreciate all your help on this and I'm sorry that it's taking up so much of your time!

    Ok, so I've been investigating. I have modded my iptables script to now look like this:

    Code:
    #!/bin/sh
    
    PATH=/usr/sbin:/sbin:/bin:/usr/bin
    
    #
    # delete all existing rules.
    #
    iptables -F
    iptables -t nat -F
    iptables -t mangle -F
    iptables -X
    
    #---------------#
    # INPUT: this first rule has no source restriction, so it accepts every
    # packet in state NEW, ESTABLISHED or RELATED (everything except INVALID).
    # The per-network rules below it, and the LOG/DROP at the end of the
    # chain, are therefore only reached by INVALID packets.
    iptables -A INPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    # office LAN (eth0 side)
    iptables -A INPUT -s 10.121.10.0/24 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    # VPC subnet, reached over the VPN
    iptables -A INPUT -s 10.121.12.0/24 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    # the two /30 links on eth1 (VPN tunnel endpoints, see the routing table)
    iptables -A INPUT -s 169.254.254.0/30 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT -s 169.254.254.4/30 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    # -s 0.0.0.0/0 is the same as giving no -s at all: any source
    iptables -A INPUT -s 0.0.0.0/0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT -j LOG --log-prefix ' **DROPPED PACKETS INPUT** ' --log-level 4
    iptables -A INPUT -j DROP
    # FORWARD: same pattern; the 0.0.0.0/0 rule accepts all non-INVALID
    # traffic, so only INVALID packets reach the LOG/DROP below.
    iptables -A FORWARD -s 10.121.10.0/24 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -s 10.121.12.0/24 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -s 169.254.254.0/30 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -s 169.254.254.4/30 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -s 0.0.0.0/0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    # NAT: source-NAT anything from these networks that leaves via eth1
    # (the Internet/VPN side). These live in the nat table, so their
    # position between the FORWARD rules does not matter.
    iptables -t nat -A POSTROUTING -o eth1 -s 10.121.12.0/24 -j MASQUERADE
    iptables -t nat -A POSTROUTING -o eth1 -s 10.121.10.0/24 -j MASQUERADE
    iptables -t nat -A POSTROUTING -o eth1 -s 169.254.254.0/30 -j MASQUERADE
    iptables -t nat -A POSTROUTING -o eth1 -s 169.254.254.4/30 -j MASQUERADE
    iptables -A FORWARD -j LOG --log-prefix ' **DROPPED PACKETS FORWARD** ' --log-level 4
    iptables -A FORWARD -j DROP
    # turn on routing between eth0 and eth1
    echo 1 > /proc/sys/net/ipv4/ip_forward
    When I added the 0.0.0.0/0 -m state rules for INPUT and FORWARD I'm able to access Windows update from the VPC instance! But nothing else. I can download updates for Windows even, but can't navigate away from it to other parts of the Microsoft site or other sites. Really weird.

    I think there is something screwy going on with the routing on the debian box, as all hosts from the office network (10.121.10.0/24) can ping/rdp the VPC instance, however when on the VPC instance I can only ping/rdp certain hosts in the office. For example, my primary office domain controller (10.121.10.20) is inaccessible from the VPC instance, yet the secondary domain controller (10.121.10.20) can be accessed no problem. I initially thought this was a Windows problem, but when using tcpdump on the gateway I can see that packets destined for the primary DC get lost.

    Pinging secondary domain controller (in office) from VPC instance:
    Code:
    tcpdump -n -i eth0 host 10.121.10.21
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
    16:25:40.784530 arp who-has 10.121.10.21 tell 10.121.10.2
    16:25:40.784776 arp reply 10.121.10.21 is-at 00:0c:29:fd:98:04
    16:25:40.784780 IP 10.121.12.4 > 10.121.10.21: ICMP echo request, id 512, seq 15362, length 40
    16:25:40.784952 IP 10.121.10.21 > 10.121.12.4: ICMP echo reply, id 512, seq 15362, length 40
    16:25:41.722043 IP 10.121.12.4 > 10.121.10.21: ICMP echo request, id 512, seq 15618, length 40
    16:25:41.722244 IP 10.121.10.21 > 10.121.12.4: ICMP echo reply, id 512, seq 15618, length 40
    16:25:42.716757 IP 10.121.12.4 > 10.121.10.21: ICMP echo request, id 512, seq 15874, length 40
    16:25:42.716926 IP 10.121.10.21 > 10.121.12.4: ICMP echo reply, id 512, seq 15874, length 40
    16:25:43.696246 IP 10.121.12.4 > 10.121.10.21: ICMP echo request, id 512, seq 16130, length 40
    16:25:43.696427 IP 10.121.10.21 > 10.121.12.4: ICMP echo reply, id 512, seq 16130, length 40
    When you ping the PRIMARY domain controller (10.121.10.20) in the office you get nothing hitting eth0 (the office-facing interface), yet you can see the requests coming in on eth1. The packets for particular 10.121.10.0/24 addresses seem to get lost.

    I think maybe this might all be tied in with the Internet issue.

    Any ideas?
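The ruleset in this post has a property worth checking mechanically: a rule with no address or interface restriction and a state match of NEW,ESTABLISHED,RELATED accepts every packet except INVALID ones, so everything after it in that chain, including a trailing LOG and DROP, is effectively dead. The following is an added example, not code from the thread: a POSIX shell/awk check that reads iptables-save output and reports rules that are shadowed by an earlier catch-all ACCEPT/DROP/REJECT in the same chain. The sample ruleset is constructed here to mirror the script above as iptables-save would print it.

```shell
#!/bin/sh
# Added example (not from the thread): report iptables rules that can never
# match because an earlier rule in the same chain already accepts/drops
# every packet. Reads iptables-save output on stdin.
#
# A rule counts as a catch-all when nothing is left after removing
#   - the chain name,
#   - a state/conntrack match for NEW,RELATED,ESTABLISHED (all but INVALID),
#   - "-s 0.0.0.0/0" / "-d 0.0.0.0/0" (identical to giving no address),
#   - the jump target,
# and the target is terminating (ACCEPT, DROP or REJECT).
# Caveat: INVALID packets still fall through such a rule, so a later DROP
# is almost dead rather than completely dead.
find_shadowed_rules() {
    awk '
    /^\*/ { table = substr($0, 2); next }        # *filter, *nat, ...
    /^-A / {
        key = table "/" $2                        # chain is scoped by table
        n[key]++
        line = $0
        rest = line
        sub(/^-A [^ ]+ ?/, "", rest)
        if (match(rest, /-m (state|conntrack) --(state|ctstate) [A-Z,]+ ?/)) {
            states = substr(rest, RSTART, RLENGTH)
            if (states ~ /NEW/ && states ~ /RELATED/ && states ~ /ESTABLISHED/ && states !~ /INVALID/)
                rest = substr(rest, 1, RSTART - 1) substr(rest, RSTART + RLENGTH)
        }
        gsub(/-[sd] 0\.0\.0\.0\/0 ?/, "", rest)
        target = ""
        if (match(rest, /-j [^ ]+/)) {
            target = substr(rest, RSTART + 3, RLENGTH - 3)
            rest = substr(rest, 1, RSTART - 1) substr(rest, RSTART + RLENGTH)
        }
        gsub(/^ +| +$/, "", rest)
        if (key in catchall) {
            shadowed[key]++
            print "SHADOWED " key " rule " n[key] ": " line
        } else if (rest == "" && (target == "ACCEPT" || target == "DROP" || target == "REJECT")) {
            catchall[key] = n[key]
            print "CATCHALL " key " rule " n[key] " (" target "): " line
        }
    }
    END {
        for (k in shadowed)
            print "SUMMARY " k ": rule " catchall[k] " shadows " shadowed[k] " later rule(s)"
    }'
}

# Constructed sample: the script from the post, as iptables-save would show it.
sample_ruleset() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 10.121.10.0/24 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 10.121.12.0/24 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 169.254.254.0/30 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 169.254.254.4/30 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j LOG --log-prefix " **DROPPED PACKETS INPUT** " --log-level 4
-A INPUT -j DROP
-A FORWARD -s 10.121.10.0/24 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.121.12.0/24 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 169.254.254.0/30 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 169.254.254.4/30 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j LOG --log-prefix " **DROPPED PACKETS FORWARD** " --log-level 4
-A FORWARD -j DROP
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.121.12.0/24 -o eth1 -j MASQUERADE
COMMIT
EOF
}

# Stand-alone run: print the report for the constructed sample.
# On a live box: iptables-save | find_shadowed_rules
sample_ruleset | find_shadowed_rules
```

On the sample, rule 1 of filter/INPUT and rule 5 of filter/FORWARD are reported as catch-alls, and the nine rules after them (including both LOG/DROP pairs) as shadowed; the nat POSTROUTING rule keeps its `-o eth1` match and is not flagged.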

#12 Lazydog (Linux Guru, The Keystone State, joined Jun 2004, 2,677 posts)
    Can you draw out a map of your layout so that I might be able to better understand how things are connected?

    Regards
    Robert

    Linux
    The adventure of a life time.

    Linux User #296285
    Get Counted

#13 rookiepaul (Just Joined!, joined Aug 2010, 9 posts)
    Please see the attached file (VPC-Simple.jpg).

    So on the left side of the diagram is a simplified version of the office network and on the right is the VPC network.

    Just to remind, traffic coming from the office to the VPC windows server works fine from all boxes in the office (ping and file sharing). Yet the windows server in the VPC can only access certain shares in the office.

    The instances in the VPC do not have direct Internet access. They have to get their Internet access via the VPN and the debian gateway, but this doesn't work at the moment.

    I hope the diagram makes sense.

    Many thanks

    Paul.
    Attached image: VPC-Simple.jpg
#14 Lazydog (Linux Guru, The Keystone State, joined Jun 2004, 2,677 posts)
    Let me study this and I'll get back to you.

    Regards
    Robert


#15 rookiepaul (Just Joined!, joined Aug 2010, 9 posts)
    Thanks a lot Lazydog!

#16 Lazydog (Linux Guru, The Keystone State, joined Jun 2004, 2,677 posts)
    Quote Originally Posted by rookiepaul:
    All URL resolve. The DNS server is one of the office domain controllers. It's able to speak to it with no problems.

    Routing table:

    Code:
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    169.254.254.0   0.0.0.0         255.255.255.252 U     0      0        0 eth1
    169.254.254.4   0.0.0.0         255.255.255.252 U     0      0        0 eth1
    213.121.253.120 0.0.0.0         255.255.255.248 U     0      0        0 eth1
    10.121.10.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
    0.0.0.0         213.121.253.125 0.0.0.0         UG    0      0        0 eth1
    The ping packets to google.co.uk hit eth1 on the debian gateway but then seem to go nowhere. Really stumped.

    Thanks

    Paul.
    Where is your route for 10.121.12.0/24 network?

    Regards
    Robert


#17 rookiepaul (Just Joined!, joined Aug 2010, 9 posts)
    Sorry that must have been before I ran quagga. Here is the actual routing table:

    Code:
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    169.254.254.0   0.0.0.0         255.255.255.252 U     0      0        0 eth1
    169.254.254.4   0.0.0.0         255.255.255.252 U     0      0        0 eth1
    213.121.253.120 0.0.0.0         255.255.255.248 U     0      0        0 eth1
    10.121.10.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
    10.121.12.0     169.254.254.1   255.255.255.0   UG    100    0        0 eth1
    0.0.0.0         213.121.253.125 0.0.0.0         UG    0      0        0 eth1
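Lazydog's question in #16 and the answer here turn on how the kernel chooses a route: the entry with the longest matching prefix wins, and the default route (0.0.0.0/0) is the fallback when nothing more specific matches. The following is an added example, not part of the thread: a POSIX shell/awk longest-prefix lookup run over the two tables posted above (constructed here as heredocs), showing that without the 10.121.12.0/24 entry a packet for 10.121.12.4 falls to the default route via 213.121.253.125, and with it goes via 169.254.254.1 on the tunnel link. Metrics are ignored (the posted tables have no competing entries), and "direct" marks an on-link route (gateway 0.0.0.0).

```shell
#!/bin/sh
# Added example (not from the thread): longest-prefix route lookup over a
# "netstat -rn" / "route -n" style table read from stdin.
# Usage: route_lookup DEST < table   ->  "GATEWAY IFACE" or "direct IFACE"
route_lookup() {
    awk -v dst="$1" '
    # AND an address with a dotted mask, octet by octet. A mask octet of
    # the form 256-2^k keeps multiples of 2^k: 255 -> step 1, 252 -> step 4,
    # 0 -> step 256 (everything masked away).
    function masked(ip, mask,   a, m, i, step, out) {
        split(ip, a, "."); split(mask, m, ".")
        out = ""
        for (i = 1; i <= 4; i++) {
            step = 256 - m[i]
            out = out (i > 1 ? "." : "") (int(a[i] / step) * step)
        }
        return out
    }
    # Prefix length of a dotted mask (255.255.255.252 -> 30, 0.0.0.0 -> 0).
    function plen(mask,   m, i, bits, step) {
        split(mask, m, "."); bits = 0
        for (i = 1; i <= 4; i++)
            for (step = 256 - m[i]; step < 256; step *= 2) bits++
        return bits
    }
    BEGIN { best = -1 }
    # Route lines start with a dotted destination; the two header lines do not.
    $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {
        if (masked(dst, $3) == $1 && plen($3) > best) {
            best = plen($3); gw = $2; dev = $NF
        }
    }
    END {
        if (best < 0) { print "no route"; exit 1 }
        via = (gw == "0.0.0.0") ? "direct" : gw
        print via, dev
    }'
}

# Constructed from the thread: the table before quagga added the VPC route.
table_before() {
    cat <<'EOF'
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
169.254.254.0   0.0.0.0         255.255.255.252 U     0      0        0 eth1
169.254.254.4   0.0.0.0         255.255.255.252 U     0      0        0 eth1
213.121.253.120 0.0.0.0         255.255.255.248 U     0      0        0 eth1
10.121.10.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         213.121.253.125 0.0.0.0         UG    0      0        0 eth1
EOF
}

# The same table with the 10.121.12.0/24 route that quagga installs.
table_after() {
    table_before
    printf '%s\n' '10.121.12.0     169.254.254.1   255.255.255.0   UG    100    0        0 eth1'
}

# Stand-alone run: compare the two tables for a VPC host, an office host,
# and a tunnel endpoint.
for ip in 10.121.12.4 10.121.10.20 169.254.254.6; do
    printf '%-15s before: %-22s after: %s\n' "$ip" \
        "$(table_before | route_lookup "$ip")" "$(table_after | route_lookup "$ip")"
done
```

To check a live box the same way, replace the heredoc with `netstat -rn | route_lookup 10.121.12.4`; the point of the comparison is that the default route silently absorbs any destination for which a more specific entry is missing, which is why a missing route shows up as traffic "going nowhere" rather than as an error.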
