From: Steve M Bibayoff <smb23@csufresno.edu>
To: lartc@vger.kernel.org
Subject: Re: [LARTC] GRE tunnel wierdness
Date: Wed, 25 Sep 2002 18:01:44 +0000
Message-ID: <marc-lartc-103297697305821@msgid-missing>
In-Reply-To: <marc-lartc-103290623509366@msgid-missing>
David Lamparter <david.lamparter@t-online.de> wrote:
> Do you have NAT / mangling / etc. running somewhere? The connection
> tracking timeout is 500 s afaik, maybe GRE is NATed on one of your
> gateways?
> A possible explanation would be that east does SNAT on GRE packets or
> west does DNAT on GRE ... so when east tries to reach west, the packet
> is SNAT'ed or DNAT'ed and therefore doesn't reach west, but when west
> tries to reach east, connection tracking information is set up on both
> routers so it works ... until the timeout expires.
That's it. It actually happens when going from west to east, I just
never noticed it before.
Thanks for the clue.
Steve
ps. I know this isn't the appropriate list, but could someone see what
iptables rule needs to be changed to make this not happen (rules generated
from script found at: http://www.asgardsrealm.net/linux/firewall ).
[root@east root]# iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT ipv6-auth-- anywhere anywhere
ACCEPT ipv6-crypt-- anywhere anywhere
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- east.somenet.com east.somenet.com
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT udp -- anywhere anywhere udp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:re-mail-ck
ACCEPT udp -- anywhere anywhere udp dpt:re-mail-ck
ACCEPT tcp -- anywhere anywhere tcp dpt:51
ACCEPT udp -- anywhere anywhere udp dpt:51
ACCEPT tcp -- anywhere anywhere tcp dpt:47
ACCEPT udp -- anywhere anywhere udp dpt:47
ACCEPT udp -- anywhere anywhere udp dpt:isakmp
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:smtp
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level info prefix `FIREWALL: Filter-INPUT '
Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all -- 192.168.1.0/24 192.168.0.0/24
ACCEPT all -- 192.168.0.0/24 192.168.1.0/24
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- 192.168.2.0/24 anywhere
ACCEPT all -- 192.168.1.0/24 anywhere
ACCEPT all -- 192.168.0.0/24 anywhere
LOG all -- anywhere anywhere LOG level info prefix `FIREWALL: Filter-FORWARD '
Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- 192.168.0.0/24 anywhere
ACCEPT all -- 192.168.1.0/24 anywhere
ACCEPT all -- 192.168.2.0/24 anywhere
ACCEPT all -- east.somenet.com east.somenet.com
ACCEPT all -- anywhere anywhere
ACCEPT all -- somenet.com somenet.com
LOG all -- anywhere anywhere LOG level info prefix `FIREWALL: Filter-OUTPUT '
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
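As an added example, not code from this thread or from the firewall script Steve links to: David's explanation points at the nat table rather than the filter chains shown above, so the first thing to check is whether any SNAT/DNAT/MASQUERADE rule could catch GRE (IP protocol 47). This small shell helper reads `iptables-save` output and prints the candidate rules; the rule set it runs on is constructed for illustration, since the thread never shows east's nat table.

```shell
#!/bin/sh
# Added example (not from the thread): read `iptables-save` output on stdin and
# print every nat-table SNAT/DNAT/MASQUERADE rule that could match GRE (IP
# protocol 47). A rule is a candidate when it names no protocol at all, or
# names gre/47 explicitly. Interface and address restrictions (-i/-o/-s/-d)
# are left in the output for the reader to judge; only the protocol is checked.
# Usage on a live router:  iptables-save | gre_nat_rules
gre_nat_rules() {
    awk '
        /^\*/ { table = substr($0, 2); next }      # "*nat", "*filter", ...
        table != "nat" { next }
        /^-A (PREROUTING|POSTROUTING|OUTPUT) / && /-j (SNAT|DNAT|MASQUERADE)/ {
            proto = "any"
            for (i = 1; i < NF; i++)
                if ($i == "-p" || $i == "--protocol") proto = $(i + 1)
            if (proto == "any" || proto == "gre" || proto == "47") print
        }
    '
}

# Constructed rule set for illustration (hypothetical addresses), not east's real one.
sample_rules() {
    cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -o eth0 -j SNAT --to-source 203.0.113.1
-A POSTROUTING -p tcp -o eth0 -j SNAT --to-source 203.0.113.1
-A PREROUTING -p gre -i eth0 -j DNAT --to-destination 192.168.1.2
COMMIT
*filter
:INPUT DROP [0:0]
-A INPUT -p 47 -j ACCEPT
COMMIT
EOF
}

# Number of candidate rules found in the constructed sample (3 expected).
gre_nat_count() { sample_rules | gre_nat_rules | awk 'END { print NR }'; }

sample_rules | gre_nat_rules
```

The tcp-only SNAT and the filter-table ACCEPT for protocol 47 are correctly left out; the unrestricted POSTROUTING SNAT is the kind of rule that rewrites the router's own GRE packets and produces the one-directional behaviour described in the thread.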
Thread overview (5+ messages):
2002-09-24 22:22 [LARTC] GRE tunnel wierdness Steve M Bibayoff
2002-09-24 22:42 ` David Lamparter
2002-09-25 16:32 ` Steve M Bibayoff
2002-09-25 16:59 ` David Lamparter
2002-09-25 18:01 ` Steve M Bibayoff [this message]