[LUGOS] SIT tunnel, ICMP protocol 41 port 0 unreachable
Rok Potočnik
r at rula.net
Thu Nov 3 13:04:33 CET 2011
On 2.11.2011 17:10, Andraz Sraka wrote:
> er
>
> On Sun, 2011-10-30 at 18:39 +0100, Rok Potočnik wrote:
>> so... I'm having some problems, and I'm not sure whether they are
>> distro/kernel based or a problem caused by tagged VLANs... I'm not ruling
>> out the possibility that I botched something somewhere myself...
>>
>> sit tunnel between two boxes:
>> A - centos 5.7 eth0 ip 1.1.1.1
>> B - centos 6 eth0.2 ip 2.2.2.2 (VLAN-tagged traffic)
>
> Can you send the full config showing how you have the interfaces
> configured on the machines?
>
> And the output of {ip addr sh | ip tun sh | ip -6 addr sh | ip -6 ro sh | ip ro
> sh | iptables -L -v | ..}, and of course which kernel version you have on
> one side and the other.
>
> Regards,
> Andraz
everything on the list... plus a tcpdump while pinging :)
machine A, centos 5.7 x64, eth2 is untrust:
$ uname -r
2.6.18-274.7.1.el5
$ cat /etc/sysconfig/network
NETWORKING=yes
NETWORKING_IPV6=yes
HOSTNAME=A.domena.net
NOZEROCONF=yes
NETWORKING_IPV6=yes
IPV6FORWARDING=yes
GATEWAY=89.89.0.1
$ cat /etc/sysconfig/network-scripts/ifcfg-eth2
DEVICE=eth2
HWADDR=00:1F:D0:90:8D:54
ONBOOT=yes
BOOTPROTO=none
IPADDR=89.89.0.10
NETMASK=255.255.0.0
IPV6INIT=yes
IPV6ADDR=2001:2001:2001::2/126
$ ip a sh dev eth2
5: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast
qlen 1000
link/ether 00:1f:d0:90:8d:54 brd ff:ff:ff:ff:ff:ff
inet 89.89.0.10/16 brd 89.89.255.255 scope global eth2
inet6 2001:2001:2001::2/126 scope global
valid_lft forever preferred_lft forever
inet6 fe80::21f:d0ff:fe90:8d54/64 scope link
valid_lft forever preferred_lft forever
$ ip r sh dev eth2
89.89.0.0/16 proto kernel scope link src 89.89.0.10
default via 89.89.0.1
$ ip tu s test6
test6: ipv6/ip remote 89.89.0.22 local 89.89.0.10 dev eth2 ttl inherit
$ ip -6 a s dev test6
15: test6@eth2: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1480
inet6 2001:2001:2001:1001::1/64 scope global
valid_lft forever preferred_lft forever
inet6 fe80::59d4:16d8/128 scope link
valid_lft forever preferred_lft forever
$ ip -6 r s dev test6
2001:2001:2001:1001::/64 via :: metric 256 expires 21010488sec mtu
1480 advmss 1420 hoplimit 4294967295
fe80::/64 via :: metric 256 expires 21010462sec mtu 1480 advmss 1420
hoplimit 4294967295
$ iptables -nvL | head -3
Chain INPUT (policy DROP 4 packets, 274 bytes)
pkts bytes target prot opt in out source
destination
0 0 ACCEPT all -- * * 89.89.0.22 0.0.0.0/0
$ ip tu sh test6
test6: ipv6/ip remote 89.89.0.22 local 89.89.0.10 dev eth2 ttl inherit
ip6tables accepts everything
machine B, centos 6 x64, eth0.500 is untrust:
$ uname -r
2.6.32-71.29.1.el6.x86_64
$ cat /etc/sysconfig/network
NETWORKING=yes
HOSTNAME=B.domena.net
NOZEROCONF=yes
GATEWAY=89.89.0.1
NETWORKING_IPV6=yes
IPV6FORWARDING=yes
$ cat /etc/sysconfig/network-scripts/ifcfg-eth0
DEVICE=eth0
BOOTPROTO=none
HWADDR=00:25:22:68:3C:FA
IPV6INIT=yes
IPV6_AUTOCONF=yes
NM_CONTROLLED=no
ONBOOT=yes
IPADDR=192.168.0.1
NETMASK=255.255.255.0
IPV6ADDR=2001:ffff:ffff:1::1/64
$ cat /etc/sysconfig/network-scripts/ifcfg-eth0.2
DEVICE=eth0.2
VLAN=yes
BOOTPROTO=none
IPADDR=193.193.193.59
NETMASK=255.255.255.224
ONBOOT=yes
IPV6INIT=yes
IPV6ADDR=2001:ffff:ffff:2::1/64
$ cat /etc/sysconfig/network-scripts/ifcfg-eth0.3
DEVICE=eth0.3
VLAN=yes
BOOTPROTO=none
IPADDR=178.178.178.2
NETMASK=255.255.255.224
ONBOOT=yes
IPV6INIT=yes
IPV6ADDR=2001:ffff:ffff:3::1/64
$ cat /etc/sysconfig/network-scripts/ifcfg-eth0.100
DEVICE=eth0.100
VLAN=yes
BOOTPROTO=none
IPADDR=192.168.100.1
NETMASK=255.255.255.0
ONBOOT=yes
IPV6INIT=yes
IPV6ADDR=2001:ffff:ffff:4::1/64
$ cat /etc/sysconfig/network-scripts/ifcfg-eth0.500
DEVICE=eth0.500
VLAN=yes
BOOTPROTO=none
IPADDR=89.89.0.22
NETMASK=255.255.0.0
ONBOOT=yes
IPV6INIT=no
$ ip a sh dev eth0.500
6: eth0.500@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc
noqueue state UP
link/ether 00:25:22:68:3c:fa brd ff:ff:ff:ff:ff:ff
inet 89.89.0.22/16 brd 89.89.255.255 scope global eth0.500
inet6 fe80::225:22ff:fe68:3cfa/64 scope link
valid_lft forever preferred_lft forever
$ ip r s dev eth0.500
89.89.0.0/16 proto kernel scope link src 89.89.0.22
default via 89.89.0.1
$ ip tu s test6
test6: ipv6/ip remote 89.89.0.10 local 89.89.0.22 dev eth0.500 ttl
inherit
# ip -6 a s dev test6
10: test6: <POINTOPOINT,NOARP,UP,LOWER_UP> mtu 1480
inet6 2001:2001:2001:1001::2/64 scope global
valid_lft forever preferred_lft forever
inet6 fe80::59d4:703d/128 scope link
valid_lft forever preferred_lft forever
$ ip -6 r s dev test6
2001:2001:2001:1001::/64 via :: proto kernel metric 256 mtu 1480
advmss 1420 hoplimit 4294967295
fe80::/64 via :: proto kernel metric 256 mtu 1480 advmss 1420
hoplimit 4294967295
$ iptables -nvL | head -3
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source
destination
7 508 ACCEPT all -- * * 89.89.0.10 0.0.0.0/0
ip6tables accepts everything
user@B $ ping6 2a01:2001:2001:1001::1
PING 2a01:2001:2001:1001::1(2a01:2001:2001:1001::1) 56 data bytes
^C
--- 2a01:2001:2001:1001::1 ping statistics ---
177 packets transmitted, 0 received, 100% packet loss, time 176015ms
root@B # tcpdump -nvs0 -ieth0.500 not tcp and not udp and not vlan
tcpdump: listening on eth0.500, link-type EN10MB (Ethernet), capture
size 65535 bytes
12:56:09.751481 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto
IPv6 (41), length 124)
89.89.0.22 > 89.89.0.10: IP6 (hlim 64, next-header ICMPv6 (58)
payload length: 64) 2a01:2001:2001:1001::2 > 2a01:2001:2001:1001::1:
[icmp6 sum ok] ICMP6, echo request, length 64, seq 58
12:56:09.800444 IP (tos 0xc0, ttl 64, id 62773, offset 0, flags [none],
proto ICMP (1), length 152)
89.89.0.22 > 89.89.0.10: ICMP 89.89.0.22 protocol 41 port 0
unreachable, length 132
IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto IPv6
(41), length 124)
89.89.0.10 > 89.89.0.22: IP6 (hlim 64, next-header ICMPv6 (58)
payload length: 64) 2a01:2001:2001:1001::1 > 2a01:2001:2001:1001::2:
[icmp6 sum ok] ICMP6, echo reply, length 64, seq 58
12:56:10.751462 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto
IPv6 (41), length 124)
89.89.0.22 > 89.89.0.10: IP6 (hlim 64, next-header ICMPv6 (58)
payload length: 64) 2a01:2001:2001:1001::2 > 2a01:2001:2001:1001::1:
[icmp6 sum ok] ICMP6, echo request, length 64, seq 59
12:56:10.800581 IP (tos 0xc0, ttl 64, id 62774, offset 0, flags [none],
proto ICMP (1), length 152)
89.89.0.22 > 89.89.0.10: ICMP 89.89.0.22 protocol 41 port 0
unreachable, length 132
IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto IPv6
(41), length 124)
89.89.0.10 > 89.89.0.22: IP6 (hlim 64, next-header ICMPv6 (58)
payload length: 64) 2a01:2001:2001:1001::1 > 2a01:2001:2001:1001::2:
[icmp6 sum ok] ICMP6, echo reply, length 64, seq 59
--
Regards, Rok
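Added example, not part of the original message: a Python decoder for the ICMP error seen in the capture above, showing that the error quotes the offending protocol-41 packet and comes from tunnel endpoint B itself rather than from a router in between. The packet bytes are constructed to match the lengths in the capture (124-byte inner packet, 152-byte ICMP error); ICMP code 3 is an assumption based on tcpdump's "port ... unreachable" wording, and all function names are hypothetical.

```python
import socket
import struct

A, B = "89.89.0.10", "89.89.0.22"  # tunnel endpoints as shown in the capture

def ipv4_header(src, dst, proto, total_len, ttl):
    # 20-byte IPv4 header; checksum left at 0 because this sample is constructed.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, ttl, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))

def build_sample():
    # Constructed bytes modelled on the capture: a 124-byte protocol-41 packet
    # from A, quoted in full inside the ICMP error that B sends back (152 bytes).
    inner = ipv4_header(A, B, 41, 124, 63) + b"\x60" + bytes(103)
    icmp = struct.pack("!BBHI", 3, 3, 0, 0) + inner  # type 3, code 3 (assumed)
    return ipv4_header(B, A, 1, 20 + len(icmp), 64) + icmp

def parse_unreachable(packet):
    """Return reporter, ICMP code and the quoted packet's addresses/protocol."""
    ihl = (packet[0] & 0x0F) * 4
    if len(packet) < ihl + 8 + 20 or packet[9] != 1:
        raise ValueError("not an ICMP packet with a quoted IPv4 header")
    icmp_type, code = packet[ihl], packet[ihl + 1]
    if icmp_type != 3:
        raise ValueError("not destination unreachable")
    quoted = packet[ihl + 8:]          # offending IP header + leading payload
    qihl = (quoted[0] & 0x0F) * 4
    return {
        "reporter": socket.inet_ntoa(packet[12:16]),
        "code": code,
        "proto": quoted[9],
        "src": socket.inet_ntoa(quoted[12:16]),
        "dst": socket.inet_ntoa(quoted[16:20]),
        # tcpdump takes the "port" from bytes 2-3 after the quoted IP header;
        # for 6in4 those bytes belong to the IPv6 header, hence "port 0".
        "port": struct.unpack("!H", quoted[qihl + 2:qihl + 4])[0]
                if len(quoted) >= qihl + 4 else None,
    }

def rejects_6in4(info, local, remote):
    # True when `local` itself refused a protocol-41 packet sent by `remote`.
    return (info["proto"] == 41 and info["reporter"] == local
            and info["dst"] == local and info["src"] == remote)

if __name__ == "__main__":
    info = parse_unreachable(build_sample())
    print(info, rejects_6in4(info, B, A))
```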