How is this possible??????

Greg Scott GregScott@InfraSupportEtc.com
Tue, 23 Oct 2001 18:25:36 -0500


Somebody hit me in the head cuz I GOTTA be missing something really obvious!
How is this possible????

This is some output from tcpdump.  Check out the echo reply packets from 
172.16.16.2 to 172.16.0.252.  How come that stuff doesn't route to
172.16.16.3?

When I monitor the traffic on 172.16.16.3, it never sees the echo reply.
Yet this box is supposed to route over there!  It's trying to do reverse DNS
lookups on 172.16.16.3 . . .  why not also route the packet through that
address like I told it to do?!?!?!?!?!?

Or did I do something dumb?

- Greg


16:25:15.459714 < 172.16.16.2 > 172.16.0.252: icmp: echo reply
16:25:16.459714 < 172.16.16.2 > 172.16.0.252: icmp: echo reply
16:25:17.459714 < 172.16.16.2 > 172.16.0.252: icmp: echo reply
16:25:18.459714 < 172.16.16.2 > 172.16.0.252: icmp: echo reply
16:25:18.879714 > arp who-has 172.16.16.3 tell 172.16.16.1 (0:4:76:1a:f8:1f)
16:25:18.879714 < arp reply 172.16.16.3 is-at 0:50:8b:e7:ed:ff (0:4:76:1a:f8:1f)
16:25:18.879714 > 172.16.16.1.32770 > 172.16.16.2.domain: 45803+ PTR? 3.16.16.172.in-addr.arpa. (42) (DF)
16:25:18.879714 < 172.16.16.2.domain > ns1.internet-connections.net.domain: 3072+ PTR? 3.16.16.172.in-addr.arpa. (42)
16:25:19.049714 > ns1.internet-connections.net.domain > 172.16.16.2.domain: 3072 NXDomain* 0/1/0 (108) (DF)
16:25:19.049714 < 172.16.16.2.domain > 172.16.16.1.32770: 45803 NXDomain* 0/1/0 (108)
16:25:19.459714 < 172.16.16.2 > 172.16.0.252: icmp: echo reply

40 packets received by filter
[root@csfampls-fw gregs]# route -n
bash: route: command not found
[root@csfampls-fw gregs]# /sbin/route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
aaa.bbb.228.32  0.0.0.0         255.255.255.224 U     0      0        0 eth0
xxx.yyy.200.64  aaa.bbb.228.34  255.255.255.224 UG    0      0        0 eth0
172.16.16.0     0.0.0.0         255.255.240.0   U     0      0        0 eth1
172.16.0.0      172.16.16.3     255.255.240.0   UG    0      0        0 eth1
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         aaa.bbb.228.62  0.0.0.0         UG    0      0        0 eth0
[root@csfampls-fw gregs]# 



>  -----Original Message-----
> From: 	Greg Scott  
> Sent:	Tuesday, October 23, 2001 1:20 PM
> To:	netfilter@lists.samba.org
> Cc:	Patsy Rossow (E-mail)
> Subject:	Here we go again . . .
> 
> I must be a glutton for punishment.  I'm working on setting up another
> VPN.  This time, I have two locations with Win2K VPN servers set up in
> parallel with the Linux firewalls - not behind them like I tried last
> time!
> 
> I put in routes in both firewalls to "bounce back" packets bound for the
> other end of the tunnel to the local VPN server.  
> Here are the networks:
> 
> St. Peter   - 172.16.0.0 / 20
> Minneapolis - 172.16.16.0 / 20
> 
> The idea is, every host has its default gateway being the local firewall.
> So the Minneapolis firewall has a route that looks like this:  Destination
> 172.16.0.0/20 routes through 172.16.16.2.  The St Peter firewall has a
> route that looks like this:  Destination 172.16.16.0/20 routes through
> 172.16.0.251.
> 
> St. Peter has a perimeter network with two ipchains firewalls (Red Hat
> Linux 7.0, 2.2 kernel). 
> Minneapolis has a single iptables firewall based on Red Hat Linux V7.1
> (2.4 kernel). 
> The VPN servers on both ends are Win2K systems using Microsoft RRAS.  The
> VPN servers have connections to both the public and private LANs.
> Here's what's going on.  From hosts inside St. Peter, I cannot ping hosts
> inside Minneapolis unless I set up a specific route on that Minneapolis
> host to go via the VPN server back to St. Peter.  traceroute from St.
> Peter to Minneapolis also dies at the St. Peter VPN server.  From
> Minneapolis, I can ping anywhere I want.  And everyone from both LANs can
> ping either VPN server.
> 
> What's really weird is, from a host inside St. Peter, I ***can*** telnet
> to a Win NT host inside Minneapolis using TCP port 53!  (This host happens
> to be an internal DNS server so it listens to port 53).  But I can't ping
> from the same St. Peter host to the same Minneapolis host.
> 
> So it looks like I have a problem with ICMP packets.
> 
> I've done all kinds of logging and looking at counters on the firewalls -
> no way are the packets routing through the firewalls - I would see them if
> they did.  But could something be going on with my "bounce-back" routes
> and replies to ICMP packets?  Is there another modprobe module I should be
> putting in?  
> 
> And how do you find out what modprobe modules are available and what they
> do?
> 
> thanks (again!)
> 
> - Greg Scott
>   GregScott@InfraSupportEtc.com
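An added check, not part of the thread: the script below replays the tcpdump lines and the `route -n` table from the post, flags echo replies for which the capture holds no matching echo request, and does the same longest-prefix lookup the firewall's FIB would do for each such reply. It shows the reply arrives on eth1 and would be forwarded back out eth1 via 172.16.16.3 with the firewall having seen only half of the exchange, which is the situation in which a stateful FORWARD policy that only accepts ESTABLISHED traffic discards the packet; the sample capture and the public-side placeholder gateway are copied from the post, nothing else is assumed.

```python
import ipaddress
import re

# Route table copied from /sbin/route -n in the post (Minneapolis firewall).
# Gateway strings are kept verbatim; "aaa.bbb.228.62" is the post's own placeholder.
ROUTES = [
    ("172.16.16.0", "255.255.240.0", "0.0.0.0",        "eth1"),
    ("172.16.0.0",  "255.255.240.0", "172.16.16.3",    "eth1"),
    ("0.0.0.0",     "0.0.0.0",       "aaa.bbb.228.62", "eth0"),
]

# Constructed sample: the ICMP and ARP lines quoted in the post.
CAPTURE = """\
16:25:15.459714 < 172.16.16.2 > 172.16.0.252: icmp: echo reply
16:25:16.459714 < 172.16.16.2 > 172.16.0.252: icmp: echo reply
16:25:18.879714 > arp who-has 172.16.16.3 tell 172.16.16.1 (0:4:76:1a:f8:1f)
16:25:19.459714 < 172.16.16.2 > 172.16.0.252: icmp: echo reply
"""

ECHO = re.compile(r"^\S+ [<>] (\d+(?:\.\d+){3}) > (\d+(?:\.\d+){3}): icmp: echo (request|reply)")


def lookup(dst):
    """Longest-prefix match over ROUTES, as the kernel FIB does; returns (gateway, iface)."""
    best = None
    for net, mask, gw, dev in ROUTES:
        network = ipaddress.ip_network(f"{net}/{mask}", strict=False)
        if ipaddress.ip_address(dst) in network:
            if best is None or network.prefixlen > best[0].prefixlen:
                best = (network, gw, dev)
    return (best[1], best[2]) if best else None


def one_sided_replies(capture):
    """Echo replies whose request never appears in the capture, with the FIB decision for each."""
    seen = set()
    for line in capture.splitlines():
        m = ECHO.match(line)
        if m:
            seen.add((m.group(1), m.group(2), m.group(3)))
    result = []
    for src, dst, kind in sorted(seen):
        if kind == "reply" and (dst, src, "request") not in seen:
            in_dev = lookup(src)[1]        # interface the source subnet is attached to
            gw, out_dev = lookup(dst)      # where the firewall would forward the reply
            result.append({"src": src, "dst": dst, "via": gw, "in": in_dev,
                           "out": out_dev, "hairpin": in_dev == out_dev})
    return result


if __name__ == "__main__":
    for r in one_sided_replies(CAPTURE):
        print(r)
```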