CentOS 7 routing problem

There is a problem with CentOS routing.

Symptoms:
We are able to ping 10.255.255.1.
We have added: ip route add 178.20.229.144/29 via 10.255.255.1 dev p1p2
When we take a tcpdump on p1p1 it shows traffic coming in on this interface.
When we take a tcpdump on p1p2 it shows nothing passing to this interface.

Forwarding is enabled via sysctl:

[root@249 /]# cat /proc/sys/net/ipv4/ip_forward
1

FireBallIT asked:
arnold commented:
Any routing would usually flow through a default gateway; when you implement an IP routing directive, it must be added along the path.
Server A is configured to send requests for segment B via Server C to get to Server D.
Server C has to have the routing rule to pass the traffic on to Server D, while at the same time including a routing entry back to Server A.
Similarly, Server D has to have the route to Server A's segment added as well.

Often these types of routes should be set up on a router.

If this is a VPN connection, the VPN should be configured to accept these networks; you cannot override the VPN's routing rules by adding a routing directive.
FireBallIT (author) commented:
Unfortunately this is not a VPN. Server p3p1 is connected to the router with an L3 interface and it is accessible.
p3p2 is connected to the firewall and it is accessible from the firewall too.

It was working until today; we have reinstalled CentOS and could not get it to work again.
arnold commented:
Is the system in question supposed to function as a router?
Double check the firewall, the router and the current IP of the CentOS box to make sure all routing directives are matched.

Your CentOS might be correctly passing traffic, but the others might reference their side to the wrong (old) IP.

Is the firewall not connected to the router, so that you seem to use this CentOS box to bypass the firewall for some traffic?
Sandy commented:
Are you able to ping 178.20.229.144/29 from 10.255.255.1?

If yes, then it is definitely an issue with p1p2.

-------------

Did you enable IP forwarding in /etc/sysctl.conf? If not, then please enable it and check again.

TY/SA
FireBallIT (author) commented:
Dear arnold, tcpdump shows nothing on p1p2.
Dear Sandy, the answer is yes: 10.255.255.1 is able to ping the 178.20.229.144/29 subnet's IP addresses.
FireBallIT (author) commented:
But p1p2 can also ping 10.255.255.1.
Sandy commented:
Did you enable IP forwarding in /etc/sysctl.conf? If not, then please enable it and check again.

TY/SA
FireBallIT (author) commented:
[root@249 /]# cat /proc/sys/net/ipv4/ip_forward
1

Yes, I have already enabled it and applied it with sysctl -p.

iptables and firewalld are also disabled:

[root@249 /]# iptables -vL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Sandy commented:
#service iptables stop

Ensure that iptables -vL reports the firewall as disabled.

Then try again.

TY/SA
FireBallIT (author) commented:
I have already written it above; no way :(
Sandy commented:
Yes, but the output shows firewall chains; this means it is still checking the traffic. What is in your /etc/sysconfig/iptables file?

TY/SA
FireBallIT (author) commented:
The previously working rules are there:

[root@249 ~]# cat /etc/sysconfig/iptables
# Generated by iptables-save v1.4.21 on Wed Aug 26 14:54:09 2015
*filter
:INPUT ACCEPT [44:3507]
:FORWARD ACCEPT [2915:149120]
:OUTPUT ACCEPT [50:6967]
#-A FORWARD -i p3p1 -p udp -m state --state NEW -m recent --set --name DDOS --mask 255.255.255.255 --rsource
-A FORWARD -i p3p1 -p udp -m state --state NEW -m recent --update --seconds 1 --hitcount 20 --name DDOS --mask 255.255.255.255 --rsource -j DROP
-A FORWARD -i p3p1 -o p3p2 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i p3p2 -o p3p1 -j ACCEPT
-A FORWARD -m string --hex-string "|0d9281800001000200020000046370736303676f760000ff0001c00c0002|" --algo kmp --to 65535 -j DROP
-A FORWARD -m string --hex-string "|330a81800001000200020000046370736303676f760000ff0001c00c0002|" --algo kmp --to 65535 -j DROP
-A FORWARD -m string --hex-string "|330a83800001000000000001046370736303676f760000ff000100002910|" --algo kmp --to 65535 -j DROP
-A FORWARD -m string --hex-string "|0d9283800001000000000001046370736303676f760000ff000100002910|" --algo kmp --to 65535 -j DROP
-A FORWARD -m string --hex-string "|485454502f312e3120323030204f4b0d0a43616368652d436f6e74726f6c|" --algo kmp --to 65535 -j DROP
-A FORWARD -m string --hex-string "|485454502f312e3120323030204f4b0d0a43414348452d434f4e54524f4c|" --algo kmp --to 65535 -j DROP
-A FORWARD -m string --hex-string "|485454502f312e3120323030204f4b0d0a43414348452d434f4e54524f4c|" --algo kmp --to 65535 -j DROP
-A FORWARD -m string --hex-string "|a01681800001000200020000046370736303676f760000ff0001c00c0002|" --algo kmp --to 65535 -j DROP
-A FORWARD -m string --hex-string "|457283800001000000000001046370736303676f760000ff000100002910|" --algo kmp --to 65535 -j DROP
-A FORWARD -m string --hex-string "|485454502f312e3120323030204f4b0d0a53543a75726e3a64736c666f72|" --algo kmp --to 65535 -j DROP
-A FORWARD -m string --hex-string "|485454502f312e3120323030204f4b0d0a5365727665723a20437573746f|" --algo kmp --to 65535 -j DROP
-A FORWARD -m string --hex-string "|485454502f312e3120323030204f4b0d0a4c4f434154494f4e3a20687474|" --algo kmp --to 65535 -j DROP
-A FORWARD -m string --hex-string "|ffffffff54536f7572636520456e67696e6520517565727900|" --algo kmp --to 65535 -j DROP
-A FORWARD -m string --hex-string "|ffffffff54536f7572636520456e67696e6520517565727900|" --algo kmp --to 65535 -j DROP
-A FORWARD -m string --hex-string "|9f00032a30000000|" --algo kmp --to 65535 -j DROP
-A FORWARD -m string --hex-string "|9700032a10000000|" --algo kmp --to 65535 -j DROP
-A FORWARD -m string --hex-string "|9f00032a30000000|" --algo kmp --to 65535 -j DROP
-A FORWARD -m string --hex-string "|9700032a10000000|" --algo kmp --to 65535 -j DROP
#-A FORWARD -m string --string "z" --algo kmp --to 65535 -j DROP
-A FORWARD -m string --hex-string "|000000000000000000000000000000000000000000000000000000000000|" --algo kmp --to 65535 -j DROP
-A FORWARD -m string --hex-string "|27032703|" --algo kmp --to 65535 -j DROP
-A FORWARD -m string --hex-string "|27032703|" --algo kmp --to 65535 -j DROP
COMMIT
# Completed on Wed Aug 26 14:54:09 2015
# Generated by iptables-save v1.4.21 on Wed Aug 26 14:54:09 2015
*nat
:PREROUTING ACCEPT [12175:623524]
:INPUT ACCEPT [3:180]
:OUTPUT ACCEPT [3:213]
:POSTROUTING ACCEPT [11666:596269]
COMMIT

FireBallIT (author) commented:
I also applied the commands below and nothing changed:

[root@249 ~]# iptables -F
[root@249 ~]# iptables -X
[root@249 ~]# iptables -t nat -F
[root@249 ~]# iptables -t nat -X
[root@249 ~]# iptables -t mangle -F
[root@249 ~]# iptables -t mangle -X
[root@249 ~]# iptables -P INPUT ACCEPT
[root@249 ~]# iptables -P FORWARD ACCEPT
[root@249 ~]# iptables -P OUTPUT ACCEPT
[root@249 ~]#
[root@249 ~]#
[root@249 ~]# service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[  OK  ]
[root@249 ~]# service iptables restart
Redirecting to /bin/systemctl restart  iptables.service
[root@249 ~]#

FireBallIT (author) commented:
When I send echo requests from one PuTTY screen:

[root@249 ~]# ping 10.255.255.1
PING 10.255.255.1 (10.255.255.1) 56(84) bytes of data.
64 bytes from 10.255.255.1: icmp_seq=1 ttl=64 time=0.600 ms
64 bytes from 10.255.255.1: icmp_seq=2 ttl=64 time=0.550 ms
64 bytes from 10.255.255.1: icmp_seq=3 ttl=64 time=0.538 ms
64 bytes from 10.255.255.1: icmp_seq=4 ttl=64 time=0.659 ms
64 bytes from 10.255.255.1: icmp_seq=5 ttl=64 time=0.597 ms
64 bytes from 10.255.255.1: icmp_seq=6 ttl=64 time=0.594 ms
64 bytes from 10.255.255.1: icmp_seq=7 ttl=64 time=0.648 ms
64 bytes from 10.255.255.1: icmp_seq=8 ttl=64 time=0.576 ms
^C
--- 10.255.255.1 ping statistics ---
8 packets transmitted, 8 received, 0% packet loss, time 6999ms
rtt min/avg/max/mdev = 0.538/0.595/0.659/0.043 ms

The other PuTTY screen shows this:

[root@249 ~]# tcpdump -i p1p2
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on p1p2, link-type EN10MB (Ethernet), capture size 65535 bytes
10:37:19.046523 IP 249.159.9.185.salay.com.tr > 10.255.255.1: ICMP echo request, id 2720, seq 1, length 64
10:37:19.047103 IP 10.255.255.1 > 249.159.9.185.salay.com.tr: ICMP echo reply, id 2720, seq 1, length 64
10:37:20.046489 IP 249.159.9.185.salay.com.tr > 10.255.255.1: ICMP echo request, id 2720, seq 2, length 64
10:37:20.047020 IP 10.255.255.1 > 249.159.9.185.salay.com.tr: ICMP echo reply, id 2720, seq 2, length 64
10:37:21.046408 IP 249.159.9.185.salay.com.tr > 10.255.255.1: ICMP echo request, id 2720, seq 3, length 64
10:37:21.046930 IP 10.255.255.1 > 249.159.9.185.salay.com.tr: ICMP echo reply, id 2720, seq 3, length 64
10:37:22.046405 IP 249.159.9.185.salay.com.tr > 10.255.255.1: ICMP echo request, id 2720, seq 4, length 64
10:37:22.047048 IP 10.255.255.1 > 249.159.9.185.salay.com.tr: ICMP echo reply, id 2720, seq 4, length 64
10:37:23.046469 IP 249.159.9.185.salay.com.tr > 10.255.255.1: ICMP echo request, id 2720, seq 5, length 64
10:37:23.047049 IP 10.255.255.1 > 249.159.9.185.salay.com.tr: ICMP echo reply, id 2720, seq 5, length 64
10:37:24.046450 IP 249.159.9.185.salay.com.tr > 10.255.255.1: ICMP echo request, id 2720, seq 6, length 64
10:37:24.047027 IP 10.255.255.1 > 249.159.9.185.salay.com.tr: ICMP echo reply, id 2720, seq 6, length 64
10:37:25.046462 IP 249.159.9.185.salay.com.tr > 10.255.255.1: ICMP echo request, id 2720, seq 7, length 64
10:37:25.047093 IP 10.255.255.1 > 249.159.9.185.salay.com.tr: ICMP echo reply, id 2720, seq 7, length 64
10:37:26.046404 IP 249.159.9.185.salay.com.tr > 10.255.255.1: ICMP echo request, id 2720, seq 8, length 64
10:37:26.046964 IP 10.255.255.1 > 249.159.9.185.salay.com.tr: ICMP echo reply, id 2720, seq 8, length 64

But that was done from the 10.255.255.2 server itself; it does not forward packets at all.
arnold commented:
Using your test, ping the 178.20 address while monitoring p1p2 (tcpdump). Do you see the packet hit the p1p2 interface or not?
tcpdump -p -i p1p2 dst host 178.20.229.145
Then, if you have access to 10.255.255.1 and can monitor its connection to the 178.20.229.144/29 network, do you see that traffic leaving? And at the same time, on the 178.20.229.144/29 system that you are trying to reach, do you see the traffic arriving and a response going back out?
Then on 10.255.255.1, do you see the response coming back? On the 178.20.229.144/29 side, does it have a path to 188.9 via 10.255.255.1?

SiteA ==> SiteB ==> SiteC
  ^                   ||
  ||                  v
  <====== SiteB <======
The circle must be complete for a packet to get from Site A to Site C by way of Site B.
If C does not send the response through Site B it might never reach Site A.

In your situation, if the packet destined to an IP on the 178.20.229.144/29 segment is seen leaving the p1p2 interface, is seen on the 10.255.255.1 network and reaches the 178.20.229.144/24 destination IP, this means the return path does not take the same route, and this is your issue.
Do you have the prior system's configuration?
arnold commented:
While we are all focused on iptables, double check that your firewalld is not running. CentOS 7 has the option of running either iptables or firewalld.
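The checks the thread walks through (kernel forwarding, the static route, an empty ACCEPT FORWARD chain, and firewalld stopped rather than just iptables flushed) folded into one script, as an added example that is not from the thread. The prefix, gateway and interface names are the question's own; every check takes its input as an argument so it can be run on live command output or on constructed sample text.

```shell
#!/bin/sh
# Added example (not from the thread): sanity checks for a CentOS 7 box that
# should forward between two interfaces. Every check takes its input as an
# argument, so it can be fed live command output or constructed sample text.

# Kernel forwarding on? $1 = content of /proc/sys/net/ipv4/ip_forward
forwarding_enabled() {
  [ "$(printf '%s' "$1" | tr -d '[:space:]')" = "1" ]
}

# Static route present? $1 = `ip route show` output, $2 prefix, $3 gateway, $4 device
route_present() {
  printf '%s\n' "$1" | grep -q "^$2 via $3 dev $4"
}

# FORWARD chain permissive? $1 = `iptables -vnL FORWARD` output.
# Passes only when the policy is ACCEPT and no rule lines follow the header,
# i.e. nothing (including rules that firewalld inserts) can still drop traffic.
forward_chain_open() {
  printf '%s\n' "$1" | head -n 1 | grep -q 'policy ACCEPT' || return 1
  # rule lines start with a packet counter; line 1 is the policy, line 2 the header
  [ "$(printf '%s\n' "$1" | tail -n +3 | grep -c '^ *[0-9]')" -eq 0 ]
}

# firewalld stopped? $1 = `systemctl is-active firewalld` output
firewalld_inactive() {
  case "$(printf '%s' "$1" | tr -d '[:space:]')" in
    inactive|unknown|failed) return 0 ;;
    *) return 1 ;;
  esac
}

# Run all checks against the live system (needs root), e.g.
#   audit_live 178.20.229.144/29 10.255.255.1 p1p2
# Prints one FAIL line per failed check and returns non-zero if any failed.
audit_live() {
  rc=0
  forwarding_enabled "$(cat /proc/sys/net/ipv4/ip_forward)" || { echo "FAIL: ip_forward is 0"; rc=1; }
  route_present "$(ip route show)" "$1" "$2" "$3" || { echo "FAIL: route $1 via $2 dev $3 missing"; rc=1; }
  forward_chain_open "$(iptables -vnL FORWARD)" || { echo "FAIL: FORWARD chain is not empty/ACCEPT"; rc=1; }
  firewalld_inactive "$(systemctl is-active firewalld 2>/dev/null)" || { echo "FAIL: firewalld is running"; rc=1; }
  return $rc
}
```

A FORWARD chain that shows rules even after `iptables -F` is the tell-tale that firewalld is still managing the firewall; `firewalld_inactive` catches that case directly.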
FireBallIT (author) commented:
You are right, thank you.
Question has a verified solution.