Cannot connect from "lan" nic to "internet" nic

Issues related to configuring your network
madodama
Posts: 3
Joined: 2017/04/14 14:07:28

Cannot connect from "lan" nic to "internet" nic

Post by madodama » 2017/04/14 14:39:50

Hi all,

After trying for weeks, I really need help with this setup. I hope you guys can help me with this issue.

Hardware setup:
Server A (CentOS 7.3):
- enp3s0: Internal LAN, directly attached to server B
- enp4s0: Connected to internet

Server B (CentOS 7.3):
- Not important for the time being, as I want to install oVirt as a hosted engine on server B

I would like to set up an oVirt host but got stuck with the network configuration. I want to install the oVirt VM management system (oVirt hosted engine) on server A as a VM instance and would like to create further VMs via oVirt within my internal subnet, as oVirt will bridge my NIC enp3s0 to handle this accordingly.

I've created the following configuration files (all for server A):

NIC for LAN:

Code:

#/etc/sysconfig/network-scripts/ifcfg-enp3s0
DEVICE=enp3s0
BOOTPROTO=none
ONBOOT=yes
BROADCAST=192.168.1.255
NETWORK=192.168.1.0
NETMASK=255.255.255.0
IPADDR=192.168.1.100
USERCTL=no
NIC for internet:

Code:

#/etc/sysconfig/network-scripts/ifcfg-enp4s0
DEVICE=enp4s0
ONBOOT=yes
BOOTPROTO=none
IPADDR=a.a.a.a # public IP address
NETMASK=255.255.255.255
SCOPE="peer b.b.b.b" # gateway IP address, given by datacenter
Route for internet NIC:

Code:

# /etc/sysconfig/network-scripts/route-enp4s0
ADDRESS0=0.0.0.0
NETMASK0=0.0.0.0
GATEWAY0=b.b.b.b
hosts file:

Code:

# /etc/hosts
192.168.1.100 dc1-h1.lan dc1-h1 # server a
192.168.1.101 dc1-h2.lan dc1-h2 # server b
192.168.0.102 dc1-vm1.lan dc1-vm1 # upcoming vm (hosted engine) by oVirt
sysctl settings:

Code:

# /etc/sysctl.conf
net.ipv4.ip_forward = 1
I assume that the problem lies with my missing iptables configuration (firewalld is uninstalled).

iptables configuration (fails to apply):

Code:

#/etc/sysconfig/iptables
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]

# masquerade for internet nic
-t nat -A POSTROUTING -o enp4s0 -j MASQUERAD

-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT

Code:

systemctl restart iptables
Job for iptables.service failed because the control process exited with error code. See "systemctl status iptables.service" and "journalctl -xe" for details.
systemctl status iptables.service
● iptables.service - IPv4 firewall with iptables
Loaded: loaded (/usr/lib/systemd/system/iptables.service; enabled; vendor preset: disabled)
Active: failed (Result: exit-code) since Fri 2017-04-14 16:30:31 CEST; 26s ago
Process: 9598 ExecStart=/usr/libexec/iptables/iptables.init start (code=exited, status=1/FAILURE)
Main PID: 9598 (code=exited, status=1/FAILURE)

Apr 14 16:30:31 dc1-h1 systemd[1]: Starting IPv4 firewall with iptables...
Apr 14 16:30:31 dc1-h1 iptables.init[9598]: iptables: Applying firewall rules: iptables-restore v1.4.21: The -t option (seen in line 10) cannot b...-restore.
Apr 14 16:30:31 dc1-h1 iptables.init[9598]: Error occurred at line: 10
Apr 14 16:30:31 dc1-h1 iptables.init[9598]: Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Apr 14 16:30:31 dc1-h1 iptables.init[9598]: [FAILED]
Apr 14 16:30:31 dc1-h1 systemd[1]: iptables.service: main process exited, code=exited, status=1/FAILURE
Apr 14 16:30:31 dc1-h1 systemd[1]: Failed to start IPv4 firewall with iptables.
Apr 14 16:30:31 dc1-h1 systemd[1]: Unit iptables.service entered failed state.
Apr 14 16:30:31 dc1-h1 systemd[1]: iptables.service failed.
Hint: Some lines were ellipsized, use -l to show in full.
Pinging a public IP isn't possible at all:

Code:

[root@dc1-h1 ~]# ping -I enp3s0 8.8.8.8
PING 8.8.8.8 (8.8.8.8) from 192.168.1.100 enp3s0: 56(84) bytes of data.
^C
--- 8.8.8.8 ping statistics ---
27 packets transmitted, 0 received, 100% packet loss, time 25999ms
So my questions:
* Am I handling the setup correctly in general?
* Why can I not apply the iptables rule in order to reach the public internet via enp3s0?

Best regards and thanks in advance,
Marcel
Last edited by madodama on 2017/04/14 15:23:36, edited 1 time in total.

TrevorH
Site Admin
Posts: 33219
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Cannot connect from "lan" nic to "internet" nic

Post by TrevorH » 2017/04/14 14:52:28

Apr 14 16:30:31 dc1-h1 iptables.init[9598]: iptables: Applying firewall rules: iptables-restore v1.4.21: The -t option (seen in line 10) cannot b...-restore.
The syntax you've manually added to /etc/sysconfig/iptables is not supported. Remove the additions from that file until iptables-restore works, then add the rules manually using the iptables command and then run service iptables save which will write the running rules to that file in the correct syntax.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

madodama
Posts: 3
Joined: 2017/04/14 14:07:28

Re: Cannot connect from "lan" nic to "internet" nic

Post by madodama » 2017/04/14 15:10:05

Thanks a lot - that worked so far and re-generated the file accordingly:

iptables configuration file:

Code:

# /etc/sysconfig/iptables
# Generated by iptables-save v1.4.21 on Fri Apr 14 17:06:32 2017
*filter
:INPUT ACCEPT [302:24267]
:FORWARD ACCEPT [18:1290]
:OUTPUT ACCEPT [279:28039]
COMMIT
# Completed on Fri Apr 14 17:06:32 2017
# Generated by iptables-save v1.4.21 on Fri Apr 14 17:06:32 2017
*nat
:PREROUTING ACCEPT [25:1356]
:INPUT ACCEPT [2:100]
:OUTPUT ACCEPT [6:593]
:POSTROUTING ACCEPT [3:309]
-A POSTROUTING -o enp4s0 -j MASQUERADE
COMMIT
# Completed on Fri Apr 14 17:06:32 2017
However, connecting via enp3s0 to the public internet is still not possible :cry:

Code:

[root@dc1-h1 ~]# ping -I enp3s0 8.8.8.8
PING 8.8.8.8 (8.8.8.8) from 192.168.1.100 enp3s0: 56(84) bytes of data.
^C
--- 8.8.8.8 ping statistics ---
6 packets transmitted, 0 received, 100% packet loss, time 4999ms
Last edited by madodama on 2017/04/14 15:22:22, edited 1 time in total.

TrevorH
Site Admin
Posts: 33219
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Cannot connect from "lan" nic to "internet" nic

Post by TrevorH » 2017/04/14 15:12:16

If you run sysctl net.ipv4.ip_forward does it say it's correctly 1?

madodama
Posts: 3
Joined: 2017/04/14 14:07:28

Re: Cannot connect from "lan" nic to "internet" nic

Post by madodama » 2017/04/14 15:15:32

"Unfortunately" yes:

Code:

[root@dc1-h1 ~]# sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1
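Added example, not from any poster in this thread: it covers both TrevorH's point that iptables-restore refuses the `-t nat` prefix form (the rules have to live in `*table` ... `COMMIT` sections, as `service iptables save` writes them) and the later question of why forwarding still fails even though ip_forward is 1. It parses either file layout, rewrites it into restore syntax, and checks the three things a LAN-to-WAN masquerading gateway needs. The function names and the sample file are mine; the sample mirrors the shape of the first post's file with the jump target spelled correctly.

```python
import re
# Parse either the flat "-t nat -A ..." list that iptables-restore rejects
# or a real iptables-save dump with "*table" / COMMIT sections.
def parse_rules(text):
    tables, current = {}, "filter"                 # iptables' default table
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()         # drop comments and blanks
        if not line or line == "COMMIT":
            continue
        if line.startswith("*"):                    # "*nat" selects a table
            current = line[1:]
            tables.setdefault(current, {"policies": {}, "rules": []})
            continue
        m = re.match(r"-t\s+(\S+)\s+(.*)", line)    # "-t nat ..." prefix form
        table, line = m.groups() if m else (current, line)
        t = tables.setdefault(table, {"policies": {}, "rules": []})
        if line.startswith(":"):                    # ":FORWARD ACCEPT [0:0]"
            chain, policy = line[1:].split()[:2]
            t["policies"][chain] = policy
        else:
            t["rules"].append(line)
    return tables
# Emit iptables-restore syntax: one "*table ... COMMIT" section per table.
def to_restore(tables):
    out = []
    for name, t in tables.items():
        out += ["*" + name] + [f":{c} {p} [0:0]" for c, p in t["policies"].items()]
        out += t["rules"] + ["COMMIT"]
    return "\n".join(out) + "\n"
# Checklist for a LAN->WAN masquerading gateway; returns the problems found.
def check_nat_gateway(tables, wan, ip_forward):
    problems = []
    if ip_forward != 1:
        problems.append("net.ipv4.ip_forward is not 1")
    nat = tables.get("nat", {"rules": []})["rules"]
    if not any(r.startswith("-A POSTROUTING") and f"-o {wan}" in r
               and "-j MASQUERADE" in r for r in nat):
        problems.append(f"no POSTROUTING MASQUERADE rule for {wan}")
    fwd = [r for r in tables.get("filter", {"rules": []})["rules"]
           if r.startswith("-A FORWARD ")]
    # an unconditional REJECT/DROP ahead of every ACCEPT blocks all forwarding
    first_accept = next((i for i, r in enumerate(fwd) if "-j ACCEPT" in r), len(fwd))
    if any(re.match(r"-A FORWARD -j (REJECT|DROP)\b", r) for r in fwd[:first_accept]):
        problems.append("FORWARD chain rejects everything before any ACCEPT rule")
    return problems
# Constructed sample in the shape of the first post's file (target spelled out).
BROKEN = """:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
-t nat -A POSTROUTING -o enp4s0 -j MASQUERADE
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
"""
```

Running `check_nat_gateway(parse_rules(BROKEN), "enp4s0", 1)` flags the catch-all FORWARD reject, and `to_restore` turns the same input into a file iptables-restore accepts.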
