[Wlug] Routing problem -can I believe the ISP tech? #2
George Metz
wolfstar@shadownet.wox.org
Sun, 3 Nov 2002 03:53:24 -0500
Replies interspersed:
> I just brought up my fourth RH7.3 server Friday afternoon (one of two
> RH7.0 servers that had been hacked-new hard drive and software). I
> then went home and spent a couple of hours connected to it with ssh
> on a workstation connected to my home RH7.3 server.
>
> When I went to rerun a slightly modified (open ports for ftp and
> internal dhcp twiddling) ipchains firewall I lost the connection,
> and, more than 16 hours later, don't have it back.
Smells like a typo referencing - specifically - Home's IP address or block,
based on this. Double and triple check your firewall configs as a first
step. If those are clean:
> Home and EFO are on the same ISP and each has a block of 4 static
> IPs. The blocks share the first 18 bits of their IP#s.
Above tidbit might be important later. And actually, they're listed in your
config as blocks of 8, with 6 usable.
> Home now cannot connect to EFO via ssh, or access its web site. Pings
> are disabled on all my servers - so I can't do that test.
I STRONGLY recommend that you re-enable ping on both Home and EFO servers in
order to perform this test. Firstly, it's really difficult to pingflood a
box these days, second, it's a pretty darned useful indicator. This can be
gotten around though, so if you're leery - say, you've been pingflooded
recently - then skip it. Run a traceroute to Home from EFO and to EFO from
Home. That will tell you, at the very least, where the traffic is dying.
> EFO network workstations can browse the web; I can ping out from the
> EFO linux box or workstations, and can ping EFO's Cisco 678 router
> from its Linux box
All good here.
> EFO workstations cannot access Home websites (but I had not tried
> this before since rebuilding EFO Linux box
Most likely a symptom of the overall problem, but don't forget to test
again.
> Home Cisco 678 cannot be pinged from Home Linux box (!) or EFO (Linux
> or workstation), but can be pinged from my office (Linux box on other
> ISP).
Uh... Houston, we have a problem. If the tech IS being straight with you,
then the issue has to be on both sites, but one site is severely impairing
the other.
> From my office workstation I can also ssh to EFO and access
> EFO website (which in fact I uploaded to the new server from my
> office today). Does this discount the possibility of a firewall issue?
Not even remotely. All it proves out is that there's no rule in the firewall
to block access from your office's IP addresses. There still might be a rule
in place to block access to and/or from one site to the other. Note also
that this is really easy to do accidentally, because one word change can
totally break the intended rule. I'll let someone with more
IPChains/IPTables experience help with that one.
> I spent countless hours talking to the ISP (Qwest) tech support, and
> over an hour with a senior tech who had some Linux knowledge, and he
> claims that it must be a configuration issue on one or both of my
> Home and EFO Linux boxes, since:
>
> He can login to both my Cisco routers and ping the other router -
> he claims this proves it's not a Qwest routing problem.
Provisionally, this is correct. The provision has to do with whether or not
the tech just ran "ping -c 100 ip.for.efo.site" or if he actually did the
CORRECT thing and sourced it off of your Ethernet interface on the router.
If Qwest is misrouting your allocation, all sorts of things can go wonky.
The only way to test that would be to source off the ethernet IP address
from both routers to the same. A straight ping will simply do the WAN IP,
which (of course) is routed correctly on Qwest's network. I'm not sure about
the Cisco 678s, since I never crawled around in one, but if it's running a
standard flavor of Cisco IOS, he should be able to source it off of just
about anything he wants to. If he's a senior tech with a clue, it's entirely
possible that he did source off the ethernet interface, in which case it's
back to config issue.
> If he's right I'm still puzzled by two things:
> a) Why could I connect from Home to EFO for two hours last night,
> no problems?
> b) Why can't the Home Linux box ping the Cisco 678 directly
> connected to it?
The former is simple; most likely the error causing the issue was introduced
when you made whatever changes you did. The latter has all sorts of
interesting possibilities, but there's no way of knowing without having
access to both the 678 and the linux box and about an hour to monkey around.
I note that you don't mention whether or not Home can access The World At
Large, though you do mention it with the EFO site.
Also, as I mentioned above, you're showing as having an assigned block of 8
IPs, of which 6 are normally usable. Knock out one for the router, and that
leaves 5 assignable. Since 4 IPs is a little weird, are you sure that you
don't have either more and Qwest is just being stubborn, or perhaps they've
routed them differently?
Others will probably have an idea or two as well, but this to me just
screams config error. Which might be why the tech was convinced of it. =)
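The "one word change breaks the rule" point above, shown as an added example that is not from the original thread or the poster's firewall script: a small first-match walk over ipchains-style rules, with constructed placeholder blocks (192.0.2.8/29 for Home, 192.0.2.19 for the EFO server) standing in for the real addresses, so you can see why a packet from the office still gets through while one from Home hits the DENY.

```python
"""Walk an ipchains-style rule list the way the kernel does (first match
wins, then the chain policy) to see which rule answers for a given packet.
Addresses and rules are constructed for illustration, not from the post."""
import ipaddress

HOME_NET = "192.0.2.8/29"      # placeholder for the Home /29 block
EFO_HOST = "192.0.2.19"        # placeholder for the EFO server address
ANY = "0.0.0.0/0"


def rule(target, proto="all", src=ANY, dst=ANY, dport=None):
    """One rule as a script would give it with -j/-p/-s/-d/--dport."""
    return {"target": target, "proto": proto,
            "src": ipaddress.ip_network(src), "dst": ipaddress.ip_network(dst),
            "dport": dport}


def matches(r, proto, src, dst, dport):
    return (r["proto"] in ("all", proto)
            and ipaddress.ip_address(src) in r["src"]
            and ipaddress.ip_address(dst) in r["dst"]
            and (r["dport"] is None or r["dport"] == dport))


def verdict(chain, policy, proto, src, dst, dport):
    """(rule_number, target) of the first match, or (None, policy)."""
    for i, r in enumerate(chain, 1):
        if matches(r, proto, src, dst, dport):
            return i, r["target"]
    return None, policy


# Intended input chain: ssh to EFO from the Home block, deny other ssh.
INTENDED = [
    rule("ACCEPT", "tcp", src=HOME_NET, dst=EFO_HOST, dport=22),
    rule("DENY", "tcp", dst=EFO_HOST, dport=22),
]
# The slip: the source block typed as .0/29, the neighbouring block,
# so Home's own addresses no longer match the ACCEPT line.
BROKEN = [
    rule("ACCEPT", "tcp", src="192.0.2.0/29", dst=EFO_HOST, dport=22),
    rule("DENY", "tcp", dst=EFO_HOST, dport=22),
]


def check_ssh(chain, src):
    """Verdict for a TCP/22 packet from src to the EFO server."""
    return verdict(chain, "ACCEPT", "tcp", src, EFO_HOST, 22)
```

Run `check_ssh` with a Home address against both chains: the intended chain answers from rule 1 (ACCEPT), the broken chain from rule 2 (DENY), while an office address outside either block is unaffected by the typo and is judged by the same DENY in both, which is exactly why "it works from the office" proves nothing about a site-to-site rule.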