CentOS Routing Problem
suseadmin asked:
I am having a problem where I am unable to communicate with a CentOS box from any subnet other than its own. I have verified connectivity across the subnets with different machines and my firewalls are allowing all traffic between subnets. This machine has an internal interface and a global interface. Any traffic originating on the 192.168.100.0 subnet communicates just fine but if I try to ping or ssh from a 192.168.140.0 subnet I get nothing. Here is the routing table below.
[root@webserv ~]# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
xxx.xxx.xxx.xxx * 255.255.255.224 U 0 0 0 eth0
192.168.100.0 * 255.255.255.0 U 0 0 0 eth1
169.254.0.0 * 255.255.0.0 U 0 0 0 eth1
default xxxxxxxxxx.ine 0.0.0.0 UG 0 0 0 eth0
This sounds like an iptables issue where it's blocking all the other subnets. What does iptables --list say?
ASKER
Chain INPUT (policy ACCEPT)
target prot opt source destination
fail2ban-SSH tcp -- anywhere anywhere tcp dpt:ssh
RH-Firewall-1-INPUT all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain RH-Firewall-1-INPUT (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp any
ACCEPT esp -- anywhere anywhere
ACCEPT ah -- anywhere anywhere
ACCEPT udp -- anywhere 224.0.0.251 udp dpt:mdns
ACCEPT udp -- anywhere anywhere udp dpt:ipp
ACCEPT tcp -- anywhere anywhere tcp dpt:ipp
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:scientia-ssdb
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:rockwell-csp2
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:qencp
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:rockwell-csp1
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:6472
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:6464
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:smtp
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:http
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ftp
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:https
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain fail2ban-SSH (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
Have you enabled IP forwarding?
cat /proc/sys/net/ipv4/ip_forward
If the result is 0 then you will have to turn it on with this command:
echo "1" > /proc/sys/net/ipv4/ip_forward
Also, if you are trying to do internet sharing then you will have to add this rule:
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
Here eth0 is the card connected to the ISP.
So how many ethernet cards do you have in this PC?
You need to add your GW IP to the routing table as follow:
route add default gw GW_IP eth0
if eth0 is the ethernet card connected to the public network...
Yes, looks like you have no default gateway.
Check /etc/sysconfig/network
See if you have a
GATEWAY=IPADDR
Where IPADDR is your gateway IP.
If it is not there, then add your gateway IP and restart the network.
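An added diagnostic, not code from the thread: it parses a copy of the asker's routing table (the masked public block replaced by the documentation placeholder 198.51.100.32/27 with an assumed gateway 198.51.100.33) and runs the kernel's longest-prefix lookup to show which interface a reply to each source subnet would leave on. The internal router address 192.168.100.1 used in the trial fix is also an assumption.

```python
import ipaddress

# Constructed copy of the thread's `route -n` table; the public /27 is the
# placeholder 198.51.100.32, its gateway 198.51.100.33 (both assumed).
ROUTE_TABLE = """\
Destination     Gateway         Genmask         Flags Metric Ref Use Iface
198.51.100.32   0.0.0.0         255.255.255.224 U     0      0   0   eth0
192.168.100.0   0.0.0.0         255.255.255.0   U     0      0   0   eth1
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0   0   eth1
0.0.0.0         198.51.100.33   0.0.0.0         UG    0      0   0   eth0
"""

def parse_routes(text):
    """Turn `route -n` output into a list of (network, gateway, iface)."""
    routes = []
    for line in text.splitlines()[1:]:          # skip the header row
        dest, gw, mask, _flags, _metric, _ref, _use, iface = line.split()
        routes.append((ipaddress.IPv4Network(f"{dest}/{mask}"), gw, iface))
    return routes

def lookup(routes, dst):
    """Longest-prefix match, the way the kernel picks a route (metrics ignored)."""
    addr = ipaddress.IPv4Address(dst)
    best = None
    for net, gw, iface in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    return best

def reply_path(routes, src, in_iface):
    """(egress iface, gateway, same-as-ingress?) for a reply to `src`.
    False means the reply leaves via the other NIC: asymmetric routing,
    which from the far subnet looks exactly like 'no response'."""
    match = lookup(routes, src)
    if match is None:
        return (None, None, False)
    _net, gw, iface = match
    return (iface, gw, iface == in_iface)

def with_route(routes, cidr, gw, iface):
    """Table as it would look after `route add -net <cidr> gw <gw> dev <iface>`."""
    return routes + [(ipaddress.IPv4Network(cidr), gw, iface)]

if __name__ == "__main__":
    table = parse_routes(ROUTE_TABLE)
    for src in ("192.168.100.5", "192.168.140.5"):
        print(src, "->", reply_path(table, src, "eth1"))   # 140.x leaves via eth0
    # Assumed internal router 192.168.100.1 on eth1 (not stated in the thread).
    fixed = with_route(table, "192.168.140.0/24", "192.168.100.1", "eth1")
    print("after fix:", reply_path(fixed, "192.168.140.5", "eth1"))
```

Run it before and after a candidate `route add` to confirm the 192.168.140.0 replies stop going out the public interface; on the live host `ip route get 192.168.140.5` gives the same answer from the kernel itself.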
ASKER CERTIFIED SOLUTION
ASKER
Yes that did the trick. Thank you very much.
Remember that this rule is not persistent - after reboot it will be gone. You must add the command to some startup script like /etc/rc.local or similar.