Mark

After changing gateway, ssh stops working

I have the following /etc/rc.d/rc.inet1.conf:

# Config information for eth0:
IPADDR[0]="xx.yy.zz.95"
NETMASK[0]="xx.yy.zz.192"
USE_DHCP[0]=""
DHCP_HOSTNAME[0]=""

# Config information for eth1:
IPADDR[1]="192.168.0.3"
NETMASK[1]="255.255.255.0"
USE_DHCP[1]=""
DHCP_HOSTNAME[1]=""

# Default gateway IP address:
GATEWAY="xx.yy.zz.65"

I changed the gateway to 192.168.0.1 (the address of the firewall/router) in order to get port forwarding to work to this computer. That is now working, but I can no longer access the eth0 IP properly from outside the LAN. If I ssh to myuser.mydomain.com (which resolves to xx.yy.zz.95) I get no connection and the /var/log/messages file gets an entry, "Apr  2 15:38:50 webserver sshd[10699]: Did not receive identification string from aa.bb.cc.98"

I can, however, telnet to this port and get a connection:

telnet mydomain.com 22
telnet xx.yy.zz.95 22

both of these give me a telnet connection.

Likewise I can telnet to port 80, but I can't actually open a web page via my browser, though I don't see an error entry in any webpage.

Does anyone have an idea about what I can do?
comfortjeanius

Enable debugging

To do this edit your sshd_config file:

 $ sudo nano /etc/ssh/sshd_config
 
Change

 LogLevel INFO

To

LogLevel DEBUG

Higher levels include DEBUG2 and DEBUG3 if needed.

On the client side to get more verbosity, try this:
 $ ssh -vvv user@host

http://scottlinux.com/2012/01/04/troubleshoot-ssh-authentication-failure/
Why wouldn't you leave your public gateway as is and create a static route for the traffic that you want port forwarded to the firewall?
Mark

ASKER

I believe I have found a solution. It may be what _jesper_ is suggesting, but I would have needed a bit more detail on "how to" create a static route.

I used the link: http://linlog.blogspot.com/2010/02/multiple-gateways-on-same-host.html as a guide, though that fellow was trying to solve a similar problem with one network card. The solution I needed which configures 2 gateways for 2 different network cards can be found in: https://www.experts-exchange.com/questions/28083608/Linux-Slackware-need-to-have-different-NICs-with-different-gateways.html?anchorAnswerId=39042682#a39042682

_jesper_, is that what you were talking about?
Mark

ASKER

OK, that link describes what I need to do, but the link is for RedHat and I have Slackware. Apparently, one does not set up permanent routes the same in these distros. Slackware has no /etc/sysconfig/network-scripts/ folder, which is what that link uses.

Can someone give me the slackware command(s) to do this? I'm not familiar with this level of network setup. I basically monkey-typed the 'ip route add table' and 'ip rule add' commands from the link http://linlog.blogspot.com/2010/02/multiple-gateways-on-same-host.html, but the instructions on that link for making the route persistent (Fedora) were like the RedHat ones using /etc/sysconfig.

What I did to make the changes was:

$ echo "1 test" >> /etc/iproute2/rt_tables
$ ip route flush table test

$ ip route show table main | egrep -Ev "^default" | while read route
do
  ip route add table test $route
done

$ ip route add table test default via 192.168.0.1

# Listing the 2ndary table/gives:

$ ip route show table test
64.129.23.64/26 dev eth0  proto kernel  scope link  src 64.129.23.95
192.168.0.0/24 dev eth1  proto kernel  scope link  src 192.168.0.3
127.0.0.0/8 dev lo  scope link
default via 192.168.0.1 dev eth1

$ ip rule add from 192.168.0.3 lookup test
$ ip rule add to 192.168.0.3 lookup test


Here is my /etc/iproute2/rt_tables before I made the changes:

#
# reserved values
#
255     local
254     main
253     default
0       unspec
#
# local
#
#1      inr.ruhep

And here is it after I made the changes:

#
# reserved values
#
255     local
254     main
253     default
0       unspec
#
# local
#
#1      inr.ruhep
1 test


I suppose these tables and routes get deleted upon reboot? So, how do I do the above permanently in Slackware?
Mark

ASKER

_jesper_, thanks for the link. That link suggested *where* to define the routes (either in rc.local or rc.firewall), but not *how* to define the routes. Do you know how I would do this? Would I put all the commands I used in my post 39058850 in one of the rc. scripts? The whole while/do loop and everything? I can do that, but it seems like a bit of overkill to define a route.
Mark

ASKER

Here's my guess:

route add -net 192.168.0.0/24 gw 192.168.0.1

would that all by itself do the trick? I'd like some feedback before I try it -- this is a production machine.

Since this is getting to be a rather long question, let's review:

I have 2 NICs, one at IP xx.129.23.95 and the other at IP 192.168.0.3. The default gateway is set to xx.129.23.65.

An up-stream router/firewall wants to forward all port 25 requests to 192.168.0.3, but that doesn't work with the xx.128.23.65 gateway. Setting the default gateway to 192.168.0.1 got the port 25 requests working, but no traffic on xx.127.23.95. I put the gateway back to xx.128.23.65 and, to get port 25 traffic routing to 192.168.0.3 working, I went through the elaborate procedure posted earlier.

Now, I just want to make a permanent static route so that all traffic for 192.168.0.3 will use 192.168.0.1 as the gateway. Will the 'route add' command at the top of this message do what I want?
Mark

ASKER

No ideas on this? I would think such a setup would be common. To simplify:

I have a linux/slackware host we'll call MAIL. It has 2 NICs:

xx.128.23.95  - connected to Internet on eth0
192.168.0.3  - connected to LAN on eth1
xx.129.23.65 - default gateway configured in /etc/rc.d/rc.inet1.conf

192.168.0.1 - is the LAN firewall/router, connected to Internet on  xx.129.23.80. It forwards port 25 to 192.168.0.3

I need all traffic for 192.168.0.xx to use the 192.168.0.1 as a gateway.

These don't work:

route add -net 192.56.76.0 netmask 255.255.255.0 dev eth1
route add -net 192.168.0.0  netmask 255.255.255.0 gw 192.168.0.1 dev eth1
route add default gw 192.168.0.1 eth1

Various experiments, including at least the last example above, will permit me to connect to MAIL via xx.129.23.80:25, but I lose ability to connect to any port via xx.128.23.95:[22,80,...]

It seems I can connect to MAIL from the Internet either to xx.128.23.95:anyport, or xx.129.23.80:25, but not both unless I go through that rather elaborate route table creating process.

Is there not a simple 'route' or 'ip' command or two I can run to do what I want?
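An added example, not code from the thread or from any answer on it, that packages the asker's earlier ip route/ip rule procedure into an idempotent script that can be sourced from /etc/rc.d/rc.local; it assumes eth1 at 192.168.0.3, the router at 192.168.0.1 and the table name "test" from the posts above, and only apply_policy_routing executes anything, while dry_run just prints the commands on a constructed main table.

```shell
# Added example, not code from the thread: source-based policy routing for the
# two-NIC host above, written so it can be sourced from /etc/rc.d/rc.local.
# Assumed from the thread: eth1 = 192.168.0.3, LAN router 192.168.0.1, table
# "test" with id 1. The main-table sample used by dry_run is constructed.
LAN_IF="eth1"; LAN_IP="192.168.0.3"; LAN_GW="192.168.0.1"
TABLE_ID="1"; TABLE_NAME="test"; RT_TABLES="/etc/iproute2/rt_tables"

# Register the table name once; the grep keeps repeated boots from appending
# a duplicate "1 test" line to the file given as $1.
register_table() {
    grep -q "^${TABLE_ID}[[:space:]][[:space:]]*${TABLE_NAME}$" "$1" 2>/dev/null \
        || printf '%s\t%s\n' "$TABLE_ID" "$TABLE_NAME" >> "$1"
}

# Emit the ip(8) commands for the secondary table. Reads "ip route show table
# main" on stdin, copies only the LAN interface's own routes (the public default
# on eth0 stays in the main table) and adds the LAN default via the router.
policy_route_cmds() {
    echo "ip route flush table $TABLE_NAME"
    awk -v ifc="$LAN_IF" -v tbl="$TABLE_NAME" \
        '$1 != "default" && $3 == ifc { print "ip route add table " tbl " " $0 }'
    echo "ip route add table $TABLE_NAME default via $LAN_GW dev $LAN_IF"
    # Replies to connections the router forwarded carry source 192.168.0.3, so
    # a "from" rule sends them through this table and back out via the router.
    # Packets to the host's own addresses hit the local table first, so no
    # "to" rule is needed.
    echo "ip rule add from $LAN_IP lookup $TABLE_NAME"
}

# Apply for real (root). Deleting the rule first and flushing the table keep a
# re-run from stacking duplicates.
apply_policy_routing() {
    register_table "$RT_TABLES"
    ip rule del from "$LAN_IP" lookup "$TABLE_NAME" 2>/dev/null
    ip route show table main | policy_route_cmds | sh -e
}

# Dry run on a constructed main table: prints the commands instead of running
# them, so they can be reviewed on the production machine without root.
dry_run() {
    printf '%s\n' \
        'xx.yy.zz.64/26 dev eth0  proto kernel  scope link  src xx.yy.zz.95' \
        '192.168.0.0/24 dev eth1  proto kernel  scope link  src 192.168.0.3' \
        'default via xx.yy.zz.65 dev eth0' | policy_route_cmds
}

if [ "${1:-}" = "--dry-run" ]; then dry_run; fi
```

Run it with --dry-run first and compare the printed commands with the ones from the earlier post; the public default route and eth0's link route are deliberately left alone, which is what keeps xx.yy.zz.95 reachable.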
ASKER CERTIFIED SOLUTION
Jan Bacher

> Did not receive identification string from
You get this error message when you use connections not using SSL, as you did with telnet.
But if you get that message, your client can connect to the server, which then does not sound like a routing problem.