ciao a tutti!<br><br>ho un problema col policy routing, una delle regole non fa funzioanre internet sui nodi inspiegabilmente :|<br><br>questa e' la tabella di regole del server che fa il masquerading prima di far uscire i pacchetti su internet<br>
<br>coppermine ~ # ip rule show<br>0: from all lookup local <br>32762: from all to <a href="http://10.0.1.0/24">10.0.1.0/24</a> lookup ninux <br>32763: from all fwmark 0x5 lookup main <br>32764: from <a href="http://10.180.0.0/27">10.180.0.0/27</a> lookup main <br>
32765: from <a href="http://10.180.0.0/15">10.180.0.0/15</a> lookup ninux <-- REGOLA CHE FA MORIRE INTERNET<br>32766: from all lookup main <br>32767: from all lookup default<br><br><br>TABELLA MAIN<br><br>coppermine ~ # ip route show<br>
<a href="http://10.10.10.0/30">10.10.10.0/30</a> dev eth0 proto kernel scope link src 10.10.10.2 <br><a href="http://10.180.0.0/27">10.180.0.0/27</a> dev eth0 proto kernel scope link src 10.180.0.1 <br><a href="http://10.0.1.0/24">10.0.1.0/24</a> dev ninux proto kernel scope link src 10.0.1.120 <br>
<a href="http://10.180.0.0/15">10.180.0.0/15</a> via 10.180.0.2 dev eth0 src 10.180.0.1 <br><a href="http://127.0.0.0/8">127.0.0.0/8</a> dev lo scope link <br>default via 10.10.10.1 dev eth0 src 10.10.10.2<br><br>TABELLA NINUX<br>
<br>coppermine ~ # ip route sho table ninux<br>192.168.193.1 via 10.0.1.6 dev ninux metric 2 <br>192.168.69.1 via 10.0.1.3 dev ninux metric 2 <br>192.168.69.9 via 10.0.1.3 dev ninux metric 2 <br>172.16.177.1 via 10.0.1.3 dev ninux metric 2 <br>
172.16.177.2 via 10.0.1.3 dev ninux metric 2 <br>192.168.69.22 via 10.0.1.3 dev ninux metric 2 <br>172.16.177.6 via 10.0.1.3 dev ninux metric 2 <br>172.16.177.7 via 10.0.1.3 dev ninux metric 2 <br>172.16.177.8 via 10.0.1.3 dev ninux metric 2 <br>
172.16.177.9 via 10.0.1.3 dev ninux metric 2 <br>192.168.0.34 via 10.0.1.10 dev ninux metric 2 <br>192.168.3.2 via 10.0.1.10 dev ninux metric 2 <br>192.168.66.115 via 10.0.1.22 dev ninux metric 2 <br>172.16.185.1 via 10.0.1.22 dev ninux metric 2 <br>
192.168.66.110 via 10.0.1.22 dev ninux metric 2 <br>172.16.184.2 via 10.0.1.22 dev ninux metric 2 <br>172.16.184.1 via 10.0.1.22 dev ninux metric 2 <br>10.162.0.6 via 10.0.1.6 dev ninux metric 2 <br>10.162.0.224 via 10.0.1.6 dev ninux metric 2 <br>
192.168.86.1 via 10.0.1.22 dev ninux metric 2 <br>10.0.1.51 dev ninux scope link metric 2 <br>192.168.86.60 via 10.0.1.22 dev ninux metric 2 <br>10.0.1.10 dev ninux scope link metric 2 <br>10.0.1.6 dev ninux scope link metric 2 <br>
10.0.1.1 dev ninux scope link metric 2 <br>10.0.1.3 dev ninux scope link metric 2 <br>10.0.1.22 dev ninux scope link metric 2 <br>10.0.1.101 dev ninux scope link metric 2 <br>172.16.200.34 via 10.0.1.6 dev ninux metric 2 <br>
172.16.200.33 via 10.0.1.6 dev ninux metric 2 <br>172.16.40.18 via 10.0.1.10 dev ninux metric 2 <br>192.168.3.214 via 10.0.1.10 dev ninux metric 2 <br>172.16.40.14 via 10.0.1.10 dev ninux metric 2 <br>172.16.40.5 via 10.0.1.10 dev ninux metric 2 <br>
172.16.40.3 via 10.0.1.10 dev ninux metric 2 <br><a href="http://192.168.5.48/28">192.168.5.48/28</a> via 10.0.1.10 dev ninux metric 2 <br><a href="http://192.168.5.176/28">192.168.5.176/28</a> via 10.0.1.10 dev ninux metric 2 <br>
<a href="http://192.168.193.0/24">192.168.193.0/24</a> via 10.0.1.6 dev ninux metric 2 <br><a href="http://192.168.69.0/24">192.168.69.0/24</a> via 10.0.1.3 dev ninux metric 2 <br><a href="http://192.168.86.0/24">192.168.86.0/24</a> via 10.0.1.22 dev ninux metric 2 <br>
<a href="http://192.168.70.0/24">192.168.70.0/24</a> via 10.0.1.3 dev ninux metric 2 <br><a href="http://192.168.3.0/24">192.168.3.0/24</a> via 10.0.1.10 dev ninux metric 2 <br><a href="http://192.168.180.0/24">192.168.180.0/24</a> via 10.0.1.51 dev ninux metric 2 <br>
<a href="http://192.168.0.0/24">192.168.0.0/24</a> via 10.0.1.10 dev ninux metric 2 <br><a href="http://10.177.6.0/24">10.177.6.0/24</a> via 10.0.1.3 dev ninux metric 2 <br><a href="http://10.177.9.0/24">10.177.9.0/24</a> via 10.0.1.3 dev ninux metric 2 <br>
<a href="http://10.180.0.0/24">10.180.0.0/24</a> dev eth0 scope link <br><a href="http://10.184.0.0/24">10.184.0.0/24</a> via 10.0.1.22 dev ninux metric 2 <br><a href="http://10.162.0.0/24">10.162.0.0/24</a> via 10.0.1.6 dev ninux metric 2 <br>
<a href="http://10.180.0.0/15">10.180.0.0/15</a> via 10.180.0.2 dev eth0 src 10.180.0.1 <br><a href="http://10.174.0.0/15">10.174.0.0/15</a> via 10.0.1.101 dev ninux metric 2 <br>default via 10.0.1.101 dev ninux <br>default via 10.0.1.3 dev ninux metric 2<br>
<br>quello che succede attivando la regola che fa morire tutto am che e' necessaria e' questo,<br>quando qualcuno dalla rete <a href="http://10.180.0.0/15">10.180.0.0/15</a> ( escluso <a href="http://10.180.0.0/27">10.180.0.0/27</a> che continua ovviamente a funzionare ) cerca di andare in internet i suoi pacchetti arrivano a coppermine che li maschera e li inoltra, i pacchetti di risposta arrivano a coppermine, e spariscono... vi attacco un pezzo di tcpdump e l'output di ip addr show<br>
<br>coppermine ~ # tcpdump -n -i eth0 port 80<br>tcpdump: verbose output suppressed, use -v or -vv for full protocol decode<br>listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes<br>13:02:26.436066 IP 66.220.151.78.80 > 10.10.10.2.58804: P 1247830349:1247830373(24) ack 2131839083 win 15<br>
13:02:26.436101 IP 66.220.151.78.80 > 10.180.0.9.58804: P 1247830349:1247830373(24) ack 2131839083 win 15<br>13:02:26.436203 IP 10.180.0.9.58804 > 66.220.151.78.80: . ack 24 win 152<br>13:02:26.436259 IP 10.10.10.2.58804 > 66.220.151.78.80: . ack 24 win 152<br>
13:02:37.458571 IP 10.180.0.50.39356 > 92.122.212.17.80: S 600551577:600551577(0) win 64240 <mss 1460,sackOK,timestamp 2006263 0,nop,wscale 1><br>13:02:49.445509 IP 10.180.0.50.39356 > 92.122.212.17.80: S 600551577:600551577(0) win 64240 <mss 1460,sackOK,timestamp 2007463 0,nop,wscale 1><br>
<br>come vedete i pacchetti arrivano a 10.10.10.2 ma non escono con la nuova destinazione :|<br><br>coppermine ~ # ip a s<br>1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN <br> link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00<br>
inet <a href="http://127.0.0.1/8">127.0.0.1/8</a> brd 127.255.255.255 scope host lo<br> inet6 ::1/128 scope host <br> valid_lft forever preferred_lft forever<br>2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000<br>
link/ether 00:e0:7d:e8:ac:4a brd ff:ff:ff:ff:ff:ff<br> inet <a href="http://10.10.10.2/30">10.10.10.2/30</a> brd 10.10.10.3 scope global eth0<br> inet <a href="http://10.180.0.1/27">10.180.0.1/27</a> brd 10.180.0.31 scope global eth0<br>
inet6 2001:470:c8f7::1/64 scope global <br> valid_lft forever preferred_lft forever<br> inet6 2001:470:1f12:32d::120/64 scope global <br> valid_lft forever preferred_lft forever<br> inet6 fe80::2e0:7dff:fee8:ac4a/64 scope link <br>
valid_lft forever preferred_lft forever<br>3: tunl0: <NOARP> mtu 1480 qdisc noop state DOWN <br> link/ipip 0.0.0.0 brd 0.0.0.0<br>4: sit0: <NOARP> mtu 1480 qdisc noop state DOWN <br> link/sit 0.0.0.0 brd 0.0.0.0<br>
5: ip6tnl0: <NOARP> mtu 1460 qdisc noop state DOWN <br> link/tunnel6 :: brd ::<br>6: he0: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1400 qdisc noqueue state UNKNOWN <br> link/sit 10.10.10.2 peer 216.66.84.42<br>
inet6 2001:470:1f12:32d::2/64 scope global <br> valid_lft forever preferred_lft forever<br> inet6 fe80::a0a:a02/128 scope link <br> valid_lft forever preferred_lft forever<br>7: ninux: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1280 qdisc pfifo_fast state UNKNOWN qlen 500<br>
link/ether 62:2b:2e:1c:35:37 brd ff:ff:ff:ff:ff:ff<br> inet <a href="http://10.0.1.120/24">10.0.1.120/24</a> brd 10.0.1.255 scope global ninux<br> inet6 fe80::602b:2eff:fe1c:3537/64 scope link <br> valid_lft forever preferred_lft forever<br>
<br>any hint?<br>