Trouble resolving IP4 route config

[Bufflehead]

Hi all!
I've got a CentOS 7 (7.9.2009) machine I was looking to configure to host nginx and node. The server was used by a colleague and had working nginx setup, but it was recently and I stuck to get IP4 working: I can connect to the server using ssh (IP4), but any outgoing IP4 connection fails. When I run wget with -6 argument it works well, but "wget -4" fails with timeout. I think it is a route issue (ipcfg looks ok for me) or my eyes are just swimming (I'm thinking to make a backup and setup from scratch, but I have to read smth on how to configure multiple IPs).

Any advice would be appreciated.

• firewalld is not running (and no other firewall installed).
• IP4 networking is on: cat /etc/sysconfig/network

  cat /etc/sysconfig/network
  ### Hetzner Online GmbH - installimage
  # general networking
  NETWORKING=yes
  NETWORKING_IPV6=yes

• cat /etc/resolv.conf shows at least one correct NS.

  ### Hetzner Online GmbH installimage
  # nameserver config
  nameserver 8.8.8.8
  nameserver 213.133.99.99
  ...

• cat /etc/sysconfig/network-scripts/ifcfg-eth0 (looks ok, but I never used SCOPE thing)

  # Note for customers who want to create bridged networking for virtualisation:
  
  # Gateway is set in separate file
  # Do not forget to change interface in file route-eth0 and rename this file
  #
  # device: eth0
  DEVICE=eth0
  BOOTPROTO=none
  ONBOOT=yes
  HWADDR=10:10:10:10:10:20
  IPADDR=X.X.X.112 # that's address I ssh in
  NETMASK=255.255.255.0 # was: NETMASK=255.255.255.255, I've changed to 255.255.255.0
  SCOPE="peer X.X.X.193" # ?
  IPV6INIT=yes
  IPV6ADDR=2021:1234:xxxx::2/64
  IPV6_DEFAULTGW=fe80::1
  IPV6_DEFAULTDEV=eth0

• cat /etc/sysconfig/network-scripts/route-eth0 has gateway (unfortunately I don't understand why ADDRESS0=0.0.0.0 here, but I have another working installation and it contains the same lines)

  # routing for eth0
  ADDRESS0=0.0.0.0
  NETMASK0=0.0.0.0
  GATEWAY0=X.X.X.193

• Finally "ip a":

  1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
  link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
  inet 127.0.0.1/8 scope host lo
  valid_lft forever preferred_lft forever
  inet6 ::1/128 scope host
  valid_lft forever preferred_lft forever
  
  2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
  link/ether 10:10:10:10...:20 brd ff:ff:ff:ff:ff:ff
  inet X.X.X.112 peer X.X.X.193/32 brd X.X.X.112 scope global eth0
  valid_lft forever preferred_lft forever
  inet X.X.X.112/32 scope global eth0
  valid_lft forever preferred_lft forever
  inet X.X.X.114/27 brd X.X.X.223 scope global eth0:1
  valid_lft forever preferred_lft forever
  inet6 ....

Other things that may be (not) relevant:

* IP4 forwarding is off ( cat /proc/sys/net/ipv4/ip_forward shows 0)

* iptables -L OUTPUT is empty:
Chain OUTPUT (policy ACCEPT)
target prot opt source destination

* There are 3 IP4 addresses assigned, that could be another the reason I miss smth wrong in configs.

* "ip ro"

default via X.X.X.193 dev eth0
X.X.X.0/24 dev eth0 proto kernel scope link src X.X.X.212
X.X.X.192/27 dev eth0 proto kernel scope link src X.X.X.214
X.X.X.193 dev eth0 proto kernel scope link src X.X.X.212
169.254.0.0/16 dev eth0 scope link metric 1002

* "cat /etc/sysconfig/network-scripts/ifcfg-eth0:1"

DEVICE=eth0:1
BOOTPROTO=none
ONBOOT=yes
HWADDR=10:10:20:20:20:20
IPADDR=X.X.X.214
NETMASK=255.255.255.224
SCOPE="peer X.X.X.193"
#IPV6INIT=yes
...

[Whoever]

"ip ro" is just a sort form of "ip route", so why are you showing different results for these commands?

[TrevorH]

OVH and possibly Hetzner use a weird and somewhat non-standard method of setting gateways up and the netmask you changed from 255.255.255.255 to 255.255.255.0 was most likely already correct. They add a specific route using route-eth0 that allows it to contact the given gateway even though the netmask is set to 255.255.255.255 and it's that that you should look at.

[Bufflehead]

"ip ro" is just a sort form of "ip route", so why are you showing different results for these commands?

my fault, removed duplicate where I accidentally changed 2->1.

[Bufflehead]

OVH and possibly Hetzner use a weird and somewhat non-standard method of setting gateways up and the netmask you changed from 255.255.255.255 to 255.255.255.0 was most likely already correct. They add a specific route using route-eth0 that allows it to contact the given gateway even though the netmask is set to 255.255.255.255 and it's that that you should look at.

Yes, I've found Hetzner-related questions here, and they had a bit similar config (including the same, except for IP address, route-eth0 config).

Today, I've also checked that default iptables policies are all set to "ACCEPT" (and no rules).
And got a reply from Hetzner support about network data:

IP: X.X.X.212
NM: /27 (255.255.255.224)
GW: X.X.X.193

[Bufflehead]

I still suppose I miss smth simple: I put the netmask as provided by Hetzner (255.255.255.224). As before, nginx responds with default site to port 80, but fails (http 504) with any upstream (that's expectedly as outgoing IP4 are not working).
Also compared "ip addr" to another CentOS instance (my local, with a single IP):

2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 10:20:20:20:20:20 brd ff:ff:ff:ff:ff:ff
inet X.X.X.212 peer X.X.X.193/32 brd X.X.X.223 scope global eth0
valid_lft forever preferred_lft forever
inet X.X.X.212/27 scope global eth0
valid_lft forever preferred_lft forever
inet X.X.X.214/27 brd X.X.X.223 scope global secondary eth0:1
valid_lft forever preferred_lft forever
inet X.X.X.220/27 brd X.X.X.223 scope global secondary eth0:2
valid_lft forever preferred_lft forever
inet6 .....

The only difference looks like a "peer" config.

[jlehtone]

Also compared "ip addr" to another CentOS instance (my local, with a single IP):

Code: Select all

    inet X.X.X.212 peer X.X.X.193/32 brd X.X.X.223 scope global eth0
    inet X.X.X.212/27 scope global eth0
    inet X.X.X.214/27 brd X.X.X.223 scope global secondary eth0:1
    inet X.X.X.220/27 brd X.X.X.223 scope global secondary eth0:2

If that output is from "another, with single IP" ... I would not call "212,214,220" single.

OVH and possibly Hetzner use a weird and somewhat non-standard method ...

Which means that they should explain how to set things up. Isn't that what they are paid for?

More than one IPv4 address on same host on same subnet is non-trivial even with standard methods. One needs policy routing or something. Particularly, initiating outbound connection is most likely to use The Default Route, not some additional source IP.

Note: The eth0:1, eth0:2, IP aliases are an ancient method for adding addresses. You can have in one ifcfg-eth0

Code: Select all

ADDRESS=X.X.X.212
PREFIX=27
ADDRESS1=X.X.X.214
PREFIX1=27
ADDRESS2=X.X.X.220
PREFIX2=27

[Bufflehead]

If that output is from "another, with single IP" ... I would not call "212,214,220" single.

Nope, the output is from the same machine - I meant I have no "peer" param on my personal instances.

[jlehtone]

How does this server function when there are no additional addresses?