On the router, loc zone:
21:46:27.394780 IP 192.168.20.138.49088 > 192.168.2.10.8006: Flags [S], seq 2206450343, win 29200, options [mss 1460,sackOK,TS val 1423015768 ecr 0,nop,wscale 7], length 0
21:46:27.394929 IP 192.168.20.138.49088 > 192.168.2.10.8006: Flags [S], seq 2206450343, win 29200, options [mss 1460,sackOK,TS val 1423015768 ecr 0,nop,wscale 7], length 0
21:46:29.697862 IP 192.168.20.138.49234 > 192.168.2.10.8006: Flags [S], seq 3866520451, win 29200, options [mss 1460,sackOK,TS val 1423018071 ecr 0,nop,wscale 7], length 0
21:46:29.698053 IP 192.168.20.138.49234 > 192.168.2.10.8006: Flags [S], seq 3866520451, win 29200, options [mss 1460,sackOK,TS val 1423018071 ecr 0,nop,wscale 7], length 0
21:46:30.722578 IP 192.168.20.138.49234 > 192.168.2.10.8006: Flags [S], seq 3866520451, win 29200, options [mss 1460,sackOK,TS val 1423019096 ecr 0,nop,wscale 7], length 0
21:46:30.722643 IP 192.168.20.138.49234 > 192.168.2.10.8006: Flags [S], seq 3866520451, win 29200, options [mss 1460,sackOK,TS val 1423019096 ecr 0,nop,wscale 7], length 0
On the server I am seeing the packets now, but the connection is not
working anyway:
21:50:15.746671 IP 192.168.20.138.50266 > 192.168.2.10.8006: Flags [S], seq 1416285729, win 29200, options [mss 1460,sackOK,TS val 1423244122 ecr 0,nop,wscale 7], length 0
21:50:15.746942 IP 192.168.20.138.50266 > 192.168.2.10.8006: Flags [S], seq 1416285729, win 29200, options [mss 1460,sackOK,TS val 1423244122 ecr 0,nop,wscale 7], length 0
I added these two rules on top of my `rules` file:
ACCEPT loc:192.168.2.10 all all
ACCEPT srv:192.168.2.138 all all
Which also made no difference.
I **think** that what is happening is that I get the packet from
192.168.20.X to 192.168.2.10 (server) and it tries to reply via
192.168.20.10 (server). My routes are:
root@bigserver:~# ip route
default via 192.168.2.1 dev vmbr0 onlink
192.168.2.0/24 dev vmbr0 proto kernel scope link src 192.168.2.10
192.168.10.0/24 dev vmbr10 proto kernel scope link src 192.168.10.10
192.168.20.0/24 dev vmbr20 proto kernel scope link src 192.168.20.10
192.168.30.0/24 dev vmbr30 proto kernel scope link src 192.168.30.10
192.168.40.0/24 dev vmbr40 proto kernel scope link src 192.168.40.10
192.168.50.0/24 dev vmbr50 proto kernel scope link src 192.168.50.10
Sorry for being a pest, but I am really curious as to why this is happening.
David
On 22 May 2018 at 00:46, Tom Eastep <teas...@shorewall.net> wrote:
> On 05/21/2018 08:38 AM, David Ventura wrote:
> > Whoops! You'll find the dump attached.
> >
> > I'll re-state my issue because I feel I was not clear enough on my
> > previous post:
> >
> > 192.168.20.138 (container) -> 192.168.20.10 (host) works OK via the
> > linux virtual bridge, never reaches the router.
> > 192.168.20.138 (container) -> 192.168.2.10 (host, different interface)
> > is 'dropped' (no rejection, just timeout)
> >
> > The rules and tcpdump above are on the "failing" case.
> >
> The firewall is passing the connection request:
>
> Chain srv-loc (1 references)
>  pkts bytes target prot opt in  out source          destination
> 28571 2214K ACCEPT all  --  *   *   0.0.0.0/0       0.0.0.0/0     ctstate RELATED,ESTABLISHED
>     6   360 ACCEPT tcp  --  *   *   192.168.20.138  192.168.2.10  tcp dpt:8006 <======================================
>     0     0 Reject all  --  *   *   0.0.0.0/0       0.0.0.0/0
>
>
> What does tcpdump show on the 'lan' (loc zone) interface?
>
> -Tom
>
> --
> Tom Eastep            \   Q: What do you get when you cross a mobster with
> Shoreline,             \     an international standard?
> Washington, USA         \  A: Someone who makes you an offer you can't
> http://shorewall.org     \    understand
>                           \_______________________________________________
>
>
>
> ------------------------------------------------------------
> ------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> _______________________________________________
> Shorewall-users mailing list
> Shorewall-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/shorewall-users
--
*Stack* is the new term for "I have no idea what I'm actually using".
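Editor's added diagnostic (not code from the thread, from David, or from the Shorewall project): it runs the same longest-prefix lookup the kernel FIB does over the route table posted above, to show which interface the server would use for its reply to 192.168.20.138; it then checks what strict reverse-path filtering (rp_filter=1) would do with a SYN from that address that arrived on vmbr0, and scans the posted tcpdump lines for SYNs that never receive a SYN-ACK. The ingress interface vmbr0 is an assumption (the router is 192.168.2.1, on that subnet); the route and capture lines are constructed copies of the ones in the message.

```python
"""Model the reply path and the stalled handshake from the posted data."""
import ipaddress
import re
from collections import Counter

# "ip route" output from the server, copied from the message (constructed copy).
ROUTES = """\
default via 192.168.2.1 dev vmbr0 onlink
192.168.2.0/24 dev vmbr0 proto kernel scope link src 192.168.2.10
192.168.10.0/24 dev vmbr10 proto kernel scope link src 192.168.10.10
192.168.20.0/24 dev vmbr20 proto kernel scope link src 192.168.20.10
192.168.30.0/24 dev vmbr30 proto kernel scope link src 192.168.30.10
192.168.40.0/24 dev vmbr40 proto kernel scope link src 192.168.40.10
192.168.50.0/24 dev vmbr50 proto kernel scope link src 192.168.50.10
"""

# tcpdump lines seen on the server, copied from the message (constructed copy).
CAPTURE = """\
21:50:15.746671 IP 192.168.20.138.50266 > 192.168.2.10.8006: Flags [S], seq 1416285729, win 29200, options [mss 1460,sackOK,TS val 1423244122 ecr 0,nop,wscale 7], length 0
21:50:15.746942 IP 192.168.20.138.50266 > 192.168.2.10.8006: Flags [S], seq 1416285729, win 29200, options [mss 1460,sackOK,TS val 1423244122 ecr 0,nop,wscale 7], length 0
"""

# Assumption: the router delivers the SYN on the server's 192.168.2.0/24 bridge.
ASSUMED_INGRESS = "vmbr0"


def parse_routes(text):
    """Return [(network, dev)] from 'ip route' output; 'default' becomes 0.0.0.0/0."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        dst = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        dev = parts[parts.index("dev") + 1]
        routes.append((ipaddress.ip_network(dst), dev))
    return routes


def egress_dev(routes, dst):
    """Longest-prefix match: the interface the kernel would send to dst through."""
    addr = ipaddress.ip_address(dst)
    best = max((r for r in routes if addr in r[0]), key=lambda r: r[0].prefixlen)
    return best[1]


def rp_filter_strict_would_drop(routes, src, ingress_dev):
    """Strict rp_filter drops a packet whose source would not be reached back
    through the interface it arrived on (i.e. the path is asymmetric)."""
    return egress_dev(routes, src) != ingress_dev


LINE_RE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[(\S+)\], seq (\d+)")


def handshake_status(capture):
    """Map each client 4-tuple whose SYN got no SYN-ACK to its SYN count."""
    syns = Counter()
    answered = set()
    for line in capture.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        src, sport, dst, dport, flags, _seq = m.groups()
        if flags == "S":
            syns[(src, sport, dst, dport)] += 1
        elif flags == "S.":  # SYN-ACK travels in the reverse direction
            answered.add((dst, dport, src, sport))
    return {flow: n for flow, n in syns.items() if flow not in answered}


if __name__ == "__main__":
    routes = parse_routes(ROUTES)
    print("reply to 192.168.20.138 would leave via", egress_dev(routes, "192.168.20.138"))
    print("strict rp_filter on", ASSUMED_INGRESS, "would drop the SYN:",
          rp_filter_strict_would_drop(routes, "192.168.20.138", ASSUMED_INGRESS))
    for flow, n in handshake_status(CAPTURE).items():
        print("no SYN-ACK for", flow, "after", n, "SYN(s)")
```

On the real host the two things to check are `ip route get 192.168.20.138` (which interface the reply actually uses) and `sysctl net.ipv4.conf.all.rp_filter net.ipv4.conf.vmbr0.rp_filter`; when the reply interface differs from the arrival interface and rp_filter is 1, the kernel discards the SYN at routing time, silently unless log_martians is set, before any Shorewall ACCEPT rule is consulted.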