Troubleshooting Connectivity

ASTONE
Posts: 14
Joined: 2020/05/25 04:08:41

Troubleshooting Connectivity

Post by ASTONE » 2020/11/18 15:11:25

To anyone who can help, I have the following problem:

I'm connected to my corporate network via VPN.
I have a CentOS 7.8 Linux Server running KVM with an internal interface (virbr0) configured as 192.168.124.1.
I'm using iptables as my routing/firewalling mechanism

iptables printout is:

*******************************************************************************************************************************
# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:bootps
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:bootps
ACCEPT udp -- anywhere anywhere udp spt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT tcp -- anywhere anywhere state NEW tcp multiport dports 5901:5903,6001:6003
ACCEPT tcp -- anywhere anywhere state NEW tcp multiport dports ms-wbt-server
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ms-sql-s
ACCEPT tcp -- anywhere anywhere state NEW tcp multiport dports 5901:5903,6001:6003
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- [my subnet] 192.168.124.0/24 state NEW,RELATED,ESTABLISHED
ACCEPT all -- 192.168.124.0/24 [my subnet] state NEW,RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

# iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target prot opt source destination

Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE tcp -- 192.168.124.0/24 !192.168.124.0/24 masq ports: 1024-65535
MASQUERADE udp -- 192.168.124.0/24 !192.168.124.0/24 masq ports: 1024-65535
MASQUERADE all -- 192.168.124.0/24 !192.168.71.0/24


*******************************************************************************************************************************

What works:

1. I am able to ping the external interface of the server.
2. I am able to PuTTY into the server using the external interface.
3. I am able to open a remote desktop session into the server using the external interface and RDP.
4. I am able to log into my guest windows server using the console of virtual machine manager in gnome.
5. I am able to ping the internal interface of a second kvm server (192.168.123.1) and rdp to its guests without problem.
6. I am able to ping the external interface of the kvm server from a Windows guest vm hosted on that server (from within the VMM Console).
7. I am able to browse the Internet from a Windows guest vm hosted on that server (from within the VMM Console).


What doesn't work

1. I cannot ping the internal interface (192.168.124.1/virbr0) of my kvm hypervisor
2. I cannot rdp into any guests of my kvm server
3. I cannot ping my workstation (at home) from the cli of the kvm server, even though I can connect into that server.

I feel an important piece of information is that my other server (the one with the 192.168.123.1 internal interface (virbr0) and the exact same iptables configuration) works perfectly, without a hitch.

Any ideas would be greatly appreciated.

Of note, I built my iptables file by copying the working one from the .123.0/24 server and simply changing all the "123s" to "124s". No other changes were made. One works perfectly. The other blocks all connection attempts to its internal interface. Or at least (and this is my other thought), my .124.1 pings are not being routed to the new server. I'm investigating that possibility even as I post this on the forum.
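An added example that is not part of the original post: plain `iptables -L` hides `-i`/`-o` interface matches and resolves addresses to names, so the two "ACCEPT all anywhere anywhere" rules in the FORWARD chain above look like catch-alls that would make the final REJECT unreachable, while in an `iptables-save` dump they may turn out to be interface-scoped. The script below reads `iptables-save` text and walks the chain the way the kernel does (first match wins), so you can see which rule a given packet actually hits and whether the hypervisor itself is what drops it; it then combines that verdict with what `tcpdump` on the external interface showed to say which layer to look at next. The sample ruleset is constructed to resemble the posted chain; the VPN-side subnet (10.8.0.0/24, redacted as "[my subnet]" in the post), the external NIC name (eth0) and the interface matches on the two unqualified ACCEPTs are assumptions, not taken from the post.

```python
"""First-match evaluator for an iptables chain, fed from `iptables-save` text.

Scope: addresses (-s/-d, including `!` negation), interfaces (-i/-o),
protocol (-p) and conntrack state (--state/--ctstate) are evaluated. Port
matches are NOT evaluated; the matching rule's text is returned so the
reader can judge those by eye. This is a forwarding aid, not an emulator.
"""
import ipaddress
import shlex

# Constructed sample resembling the posted FORWARD chain. ASSUMPTIONS (not from
# the post): VPN side is 10.8.0.0/24, the external NIC is eth0, and the two
# unqualified ACCEPTs are interface-scoped, as libvirt's own rules usually are.
SAMPLE_IPTABLES_SAVE = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -s 10.8.0.0/24 -d 192.168.124.0/24 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.124.0/24 -d 10.8.0.0/24 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -i eth0 -o eth0 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

# Options that take exactly one argument (keeps the token walk aligned).
_ARG_OPTS = {"-A", "-p", "-s", "-d", "-i", "-o", "-j", "-m", "--state", "--ctstate",
             "--reject-with", "--dport", "--dports", "--sport", "--sports"}


def parse_rule(line):
    """Turn one `-A CHAIN ...` line into {option-name: value}; `negated` holds
    the keys that were prefixed with `!` (iptables-save writes `! -s 10.0.0.0/8`)."""
    toks = shlex.split(line)
    rule = {"negated": set(), "text": line.strip()}
    negate, i = False, 0
    while i < len(toks):
        tok = toks[i]
        if tok == "!":
            negate = True
            i += 1
            continue
        if tok in _ARG_OPTS and i + 1 < len(toks):
            key = tok.lstrip("-")
            rule[key] = toks[i + 1]
            if negate:
                rule["negated"].add(key)
            negate = False
            i += 2
        else:
            i += 1
    return rule


def load_chain(save_text, chain):
    """Return (policy, [rules]) for `chain` from iptables-save output."""
    policy, rules = "ACCEPT", []
    for line in save_text.splitlines():
        if line.startswith(":" + chain + " "):
            policy = line.split()[1]
        elif line.startswith("-A " + chain + " "):
            rules.append(parse_rule(line))
    return policy, rules


def _cmp(rule, key, hit):
    """Apply `!`: a negated option matches exactly when the raw test fails."""
    return (not hit) if key in rule["negated"] else hit


def rule_matches(rule, pkt):
    """pkt keys: src, dst, in_if, out_if; optional proto (default icmp), state (default NEW)."""
    for key, field in (("s", "src"), ("d", "dst")):
        if key in rule:
            net = ipaddress.ip_network(rule[key], strict=False)
            if not _cmp(rule, key, ipaddress.ip_address(pkt[field]) in net):
                return False
    for key, field in (("i", "in_if"), ("o", "out_if")):
        if key in rule and not _cmp(rule, key, rule[key] == pkt[field]):
            return False
    if "p" in rule and not _cmp(rule, "p", rule["p"] == pkt.get("proto", "icmp")):
        return False
    states = rule.get("state") or rule.get("ctstate")
    if states and pkt.get("state", "NEW") not in states.split(","):
        return False
    return True


def first_match(save_text, chain, pkt):
    """Walk the chain top to bottom like the kernel. Returns
    (rule_index, verdict, rule_text); falls through to the chain policy."""
    policy, rules = load_chain(save_text, chain)
    for idx, rule in enumerate(rules):
        if rule_matches(rule, pkt):
            return idx, rule.get("j", policy), rule["text"]
    return None, policy, None


def diagnose(local_verdict, seen_on_ext_if):
    """Combine the chain verdict with whether `tcpdump -ni <ext_if>` saw the
    remote side's echo requests; returns the layer to examine next."""
    if not seen_on_ext_if:
        # Host never received the packet: nothing local can be at fault.
        return "upstream-route"   # e.g. the route toward the KVM subnet on the VPN router
    if local_verdict != "ACCEPT":
        return "local-filter"
    return "return-path"          # forwarded; check ip_forward, MASQUERADE, guest firewall


if __name__ == "__main__":
    vpn_to_guest = {"src": "10.8.0.5", "dst": "192.168.124.10", "in_if": "eth0", "out_if": "virbr0"}
    stranger = {"src": "172.16.9.9", "dst": "192.168.124.10", "in_if": "eth0", "out_if": "virbr0"}
    for name, pkt in (("vpn->guest", vpn_to_guest), ("stranger->guest", stranger)):
        print(name, first_match(SAMPLE_IPTABLES_SAVE, "FORWARD", pkt))
    print(diagnose("ACCEPT", seen_on_ext_if=False))
```

To feed it real data, capture the ruleset with `iptables-save -t filter` rather than `iptables -L`, and run `tcpdump -ni <external_if> icmp and host <workstation>` on the hypervisor while the workstation pings 192.168.124.1; if no echo requests appear, the problem is upstream of the box, which is exactly where this thread ended up. `sysctl net.ipv4.ip_forward` is worth a glance on the "return-path" branch.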

ASTONE

Re: Troubleshooting Connectivity

Post by ASTONE » 2020/11/18 16:18:27

Problem solved. My final suspicion was correct. The admin for my corporate VPN router had deleted my route. Once it was re-added, everything came back up. I'll leave this post up so anyone who has the same issue can see the troubleshooting methodology and not waste three days like I did. Also, have good comms with your ISP counterparts and encourage them not to make unscheduled or unauthorized (or at least unadvertised) changes.
