oc666 Guru
Joined: 15 May 2006 Posts: 330 Location: Israel
Posted: Mon May 05, 2008 2:59 pm Post subject: Server with 2 network cards
Hello
I have a server with 2 network cards.
I can't reach one of them via the internet when they are connected together.
This is my /etc/conf.d/net:
Code:
config_eth0=( "192.168.16.14 netmask 255.255.255.0 brd 192.168.16.255" )
routes_eth0=( "default via 192.168.16.4" )
config_eth1=( "192.168.0.101 netmask 255.255.255.0 brd 192.168.0.255" )
routes_eth1=( "default via 192.168.0.1" )
If I work with only one eth, it works fine (each one).
What did I do wrong?
Thanks
JoshFed n00b
Joined: 21 Jul 2003 Posts: 44 Location: Tacoma, WA USA
Posted: Mon May 05, 2008 3:25 pm
Simple question but it has to be asked. Are you starting the NIC before you try using it?
Code: /etc/init.d/net.eth0 start
and
Code: /etc/init.d/net.eth1 start
oc666 Guru
Joined: 15 May 2006 Posts: 330 Location: Israel
Posted: Mon May 05, 2008 4:15 pm
Yep, it's started. As I said, when one works alone it's all fine, but when both of them work, I can't reach one of them.
Both of them are behind routers (which do port forwarding). I think it's because of the gateways, but I'm not sure.
More info
My route:
Code: $ /sbin/route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.16.0 * 255.255.255.0 U 0 0 0 eth0
192.168.0.0 * 255.255.255.0 U 0 0 0 eth1
loopback * 255.0.0.0 U 0 0 0 lo
default 192.168.0.1 0.0.0.0 UG 0 0 0 eth1
default 192.168.16.4 0.0.0.0 UG 1 0 0 eth0
In this current configuration, I can't reach eth0 (the /etc/conf.d/net is the same as above (my last message)).
JoshFed n00b
Joined: 21 Jul 2003 Posts: 44 Location: Tacoma, WA USA
Posted: Fri May 09, 2008 6:43 pm
Where are you (your workstation) in relation (network-wise) to the server? What's your workstation IP?
jcat Veteran
Joined: 26 May 2006 Posts: 1337
Posted: Sat May 10, 2008 12:18 am
With 2 default gateways I presume it's always the first one in the routing table that will be used. Why would the box with two NICs do anything other than that? Routing tables are really that simple.
The host isn't just going to respond on a particular interface because that's where the traffic came in, it will use the routing table.
Cheers,
jcat
zeek Guru
Joined: 16 Nov 2002 Posts: 480 Location: Bantayan Island
Posted: Sat May 10, 2008 5:25 am Post subject: Re: Server with 2 network cards
oc666 wrote:
> Hello
> I have a server with 2 network cards.
> I can't reach one of them via the internet when they are connected together.
> This is my /etc/conf.d/net:
> Code:
> config_eth0=( "192.168.16.14 netmask 255.255.255.0 brd 192.168.16.255" )
> routes_eth0=( "default via 192.168.16.4" )
> config_eth1=( "192.168.0.101 netmask 255.255.255.0 brd 192.168.0.255" )
> routes_eth1=( "default via 192.168.0.1" )
> If I work with only one eth, it works fine (each one).
> What did I do wrong?
> Thanks
To multihome a server and run services from both IPs using source routing requires IP advanced router compiled into the kernel. You need to be using iproute2 and add an entry to /etc/iproute2/rt_tables. In /etc/conf.d/net.example there are some functions that you need to add that will run `ip rule` commands when the interface is brought up.
Google for "source routing" and "ip rule". You will find plenty of tutorials to set this up. Good luck!
oc666 Guru
Joined: 15 May 2006 Posts: 330 Location: Israel
Posted: Sat May 10, 2008 9:09 am Post subject: Re: Server with 2 network cards
zeek wrote:
> To multihome a server and run services from both IPs using source routing requires IP advanced router compiled into the kernel. You need to be using iproute2 and add an entry to /etc/iproute2/rt_tables. In /etc/conf.d/net.example there are some functions that you need to add that will run `ip rule` commands when the interface is brought up.
> Google for "source routing" and "ip rule". You will find plenty of tutorials to set this up. Good luck!
Hey, thanks for the answer.
First of all I need to understand what this means and how it works. Is there any article on how to configure two network cards on one Gentoo machine?
Second, I googled and I found this:
Quote:
> Do not accept source routed packets. Attackers can use source routing to generate traffic pretending to originate from inside your network, but that is actually routed back along the path from which it came, so attackers can compromise your network. Source routing is rarely used for legitimate purposes, so it is safe to disable it.
Additionally, I enabled "IP advanced router" in my kernel. Here are my /etc/iproute2/rt_tables and ip route:
Quote: $ cat /etc/iproute2/rt_tables
#
# reserved values
#
255 local
254 main
253 default
0 unspec
#
# local
#
#1 inr.ruhep
$ ip route show
192.168.16.0/24 dev eth0 proto kernel scope link src 192.168.16.14
192.168.0.0/24 dev eth1 proto kernel scope link src 192.168.0.101
127.0.0.0/8 dev lo scope link
default via 192.168.0.1 dev eth1
default via 192.168.16.4 dev eth0 metric 1
oc666 Guru
Joined: 15 May 2006 Posts: 330 Location: Israel
Posted: Sat May 10, 2008 9:40 am Post subject: Update
I just rebooted because of the kernel update. I ran "ip route show" again:
Quote: # ip route show
192.168.0.0/24 dev eth1 proto kernel scope link src 192.168.0.101
192.168.16.0/24 dev eth0 proto kernel scope link src 192.168.16.14
127.0.0.0/8 dev lo scope link
default via 192.168.16.4 dev eth0
default via 192.168.0.1 dev eth1 metric 1
Now I can't reach the server from the card that worked before the reboot, and I can reach the card which didn't work before the reboot.
I see the difference in the last two lines of the "ip route show" command:
Quote:
Before reboot:
default via 192.168.0.1 dev eth1 <---- I can reach this
default via 192.168.16.4 dev eth0 metric 1 <---- I can't reach this
After reboot
default via 192.168.16.4 dev eth0 <---- I can reach this
default via 192.168.0.1 dev eth1 metric 1 <---- I can't reach this
How could I fix this?
zeek Guru
Joined: 16 Nov 2002 Posts: 480 Location: Bantayan Island
Posted: Sun May 11, 2008 4:29 am Post subject: Re: Server with 2 network cards
oc666 wrote:
> Second, I googled and I found this:
> Quote: Do not accept source routed packets. Attackers can use source routing to generate traffic pretending to originate from inside your network, but that is actually routed back along the path from which it came, so attackers can compromise your network. Source routing is rarely used for legitimate purposes, so it is safe to disable it.
Ignore that, it's talking about something different.
It looks to me like your setup is almost there, it's just missing an ip rule. Here is my setup (MAC zeroed):
Code: linky ~ # ip addr ls
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
inet 10.0.0.44/24 brd 10.0.0.255 scope global eth0
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast qlen 1000
link/ether 00:00:00:00:00:00 brd ff:ff:ff:ff:ff:ff
inet 10.0.0.46/24 brd 10.0.0.255 scope global eth1
linky ~ # ip rule ls
0: from all lookup local
32765: from 10.0.0.46 lookup cable
32766: from all lookup main
32767: from all lookup default
linky ~ # cat /etc/iproute2/rt_tables
#
# reserved values
#
255 local
254 main
253 default
0 unspec
#
# local
#
#1 inr.ruhep
100 cable
oc666 Guru
Joined: 15 May 2006 Posts: 330 Location: Israel
Posted: Sun May 11, 2008 10:03 am
Thanks for the reply, but I don't understand the ip rules you wrote. Where can I find more info, or can you explain this?
Thanks.
zeek Guru
Joined: 16 Nov 2002 Posts: 480 Location: Bantayan Island
Posted: Mon May 12, 2008 1:18 am
oc666 wrote:
> Thanks for the reply, but I don't understand the ip rules you wrote. Where can I find more info, or can you explain this?
> Thanks.
I only have one rule:
ip rule add from 10.0.0.46 table stealth
Search for 'ip rule' in /etc/conf.d/net.example and add the post up/down functions. Or be lazy like me and just run the command from /etc/conf.d/local.start.
This net config might be helpful:
Code: # cat /etc/conf.d/net
modules=( "iproute2" )
config_eth0=( "10.0.0.44/24 brd 10.0.0.255" )
config_eth1=( "10.0.0.46/24 brd 10.0.0.255" )
routes_eth0=( "default via 10.0.0.254" )
routes_eth1=(
"127.0.0.0/8 dev lo table cable"
"default via 10.0.0.253 table cable"
)
oc666 Guru
Joined: 15 May 2006 Posts: 330 Location: Israel
Posted: Fri Nov 07, 2008 2:58 pm
Sorry to pop up this post, but I have a problem and the sources (from gentoo-wiki) I built the configuration from have been removed.
I reinstalled my server on a new machine. I added the following configuration:
Quote:
# cat /etc/conf.d/net
dns_servers=( "212.150.48.169 206.49.94.234 194.90.1.5" )
modules=( "iproute2" )
config_eth0=( "192.168.0.101 netmask 255.255.255.0 brd 192.168.0.255" )
routes_eth0=( "default via 192.168.0.1" )
config_eth1=( "192.168.16.14 netmask 255.255.255.0 brd 192.168.16.255" )
routes_eth1=( "127.0.0.0/8 dev lo table neteth1"
"default via 192.168.16.4 table neteth1"
)
# cat /etc/conf.d/local.start
/sbin/ip route add 192.168.16.0/24 dev eth1 src 192.168.16.14 table neteth1
/sbin/ip route add default via 192.168.16.4 table neteth1
/sbin/ip rule add from 192.168.16.4 table neteth1
# cat /etc/iproute2/rt_tables
255 local
254 main
253 default
0 unspec
100 neteth1
I can't connect to the machine via eth1. After the system reboots I get the following message:
Quote: RTNETLINK answers: File exists
I try to debug this problem, but I don't know where to start.
Thanks for the help.
oc666 Guru
Joined: 15 May 2006 Posts: 330 Location: Israel
Posted: Sun Nov 09, 2008 10:44 pm Post subject: More info
I tried to debug it, and got the following interesting info:
1. When I browse to eth1 I get this tcpdump info:
Quote: # tcpdump port 80 -i eth1
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 96 bytes
00:34:53.228528 IP 85-250-212-217.bb.netvision.net.il.32661 > BCGENTOO.BCLIBRARY.http: S 2900102160:2900102160(0) win 2144 <mss 536,sackOK,timestamp 1165414 0,nop,wscale 6>
00:34:56.228158 IP 85-250-212-217.bb.netvision.net.il.32661 > BCGENTOO.BCLIBRARY.http: S 2900102160:2900102160(0) win 2144 <mss 536,sackOK,timestamp 1166164 0,nop,wscale 6>
2. I don't have ping to the outside from the problematic eth:
Quote: # ping -I eth1 google.com
PING google.com (209.85.171.99) from 192.168.16.14 eth1: 56(84) bytes of data.
From BCGENTOO.BCLIBRARY (192.168.16.14) icmp_seq=2 Destination Host Unreachable
From BCGENTOO.BCLIBRARY (192.168.16.14) icmp_seq=3 Destination Host Unreachable
From BCGENTOO.BCLIBRARY (192.168.16.14) icmp_seq=4 Destination Host Unreachable
oc666 Guru
Joined: 15 May 2006 Posts: 330 Location: Israel
Posted: Sun Nov 09, 2008 10:58 pm Post subject: Fixed
I just updated the local.start line to use the IP instead of the GW:
Quote: /sbin/ip rule add from 192.168.16.14 table neteth1
192.168.16.14=IP
192.168.16.4=GW
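The source-based policy routing zeek describes (one `ip rule` per secondary address pointing at its own table) and the fix in the last post (the rule has to match the host's own address, not the gateway) can be sanity-checked before rebooting. The following is an added example, not code from the thread or from Gentoo's net scripts; it parses constructed `ip rule ls` and `ip route show table <t>` text modelled on the thread's addresses, and the function names and table layout are assumptions of this example.

```python
"""Sanity-check a two-NIC source-policy-routing setup (added example, not
from the thread). All inputs are constructed strings modelled on the
thread's addresses, not captured output from the poster's server."""
import re

def parse_rules(rule_ls):
    """Map each 'from <ip> lookup <table>' rule in `ip rule ls` output."""
    rules = {}
    for line in rule_ls.splitlines():
        m = re.search(r"from (\S+) lookup (\S+)", line)
        if m and m.group(1) != "all":
            rules[m.group(1)] = m.group(2)
    return rules

def default_gateway(route_show):
    """Gateway of the default route in `ip route show table <t>` output."""
    m = re.search(r"^default via (\S+)", route_show, re.M)
    return m.group(1) if m else None

def check_policy_routing(ifaces, rule_ls, tables):
    """ifaces: {name: (local_ip, gateway)}; tables: {table: route output}.
    An empty result means traffic sourced from each address leaves via
    that link's own gateway; otherwise each string names one mistake."""
    rules = parse_rules(rule_ls)
    problems = []
    for name, (ip, gw) in ifaces.items():
        if gw in rules:  # the thread's bug: rule keyed on the gateway
            problems.append(f"{name}: rule 'from {gw}' matches the gateway, not {ip}")
        table = rules.get(ip, "main")  # unmatched sources fall through to main
        if default_gateway(tables.get(table, "")) != gw:
            problems.append(f"{name}: table {table} has no 'default via {gw}'")
    return problems

# Constructed inputs: eth0 keeps the main table, eth1 gets table neteth1.
IFACES = {"eth0": ("192.168.0.101", "192.168.0.1"),
          "eth1": ("192.168.16.14", "192.168.16.4")}
TABLES = {
    "main": "192.168.0.0/24 dev eth0 scope link\ndefault via 192.168.0.1 dev eth0\n",
    "neteth1": "192.168.16.0/24 dev eth1 scope link\ndefault via 192.168.16.4 dev eth1\n",
}
BROKEN_RULES = ("0:\tfrom all lookup local\n32765:\tfrom 192.168.16.4 lookup neteth1\n"
                "32766:\tfrom all lookup main\n32767:\tfrom all lookup default\n")
FIXED_RULES = BROKEN_RULES.replace("from 192.168.16.4", "from 192.168.16.14")

if __name__ == "__main__":
    for label, rules in (("broken", BROKEN_RULES), ("fixed", FIXED_RULES)):
        print(label, check_policy_routing(IFACES, rules, TABLES) or "OK")
```

On a live box the same checks apply to the real `ip rule ls` and `ip route show table neteth1` output; a reply from 192.168.16.14 that falls through to main is exactly the "Destination Host Unreachable" seen in the thread.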