Linux – Centos 7 with 2 network interfaces on same network one of them doesn’t respond to ping from outside


I have a just-installed CentOS 7 with 2 active interfaces on the same network, like this:
ip addr show

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
    link/ether 40:a8:f0:1e:50:54 brd ff:ff:ff:ff:ff:ff
    inet 213.78.236.190/26 brd 213.78.236.191 scope global eno1
       valid_lft forever preferred_lft forever
    inet6 fe80::42a8:f0ff:fe1e:5054/64 scope link
       valid_lft forever preferred_lft forever
3: eno2: <BROADCAST,MULTICAST> mtu 1500 qdisc mq state DOWN qlen 1000
    link/ether 40:a8:f0:1e:50:55 brd ff:ff:ff:ff:ff:ff
4: eno3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
    link/ether 40:a8:f0:1e:50:56 brd ff:ff:ff:ff:ff:ff
    inet 213.78.236.175/26 brd 213.78.236.191 scope global eno3
       valid_lft forever preferred_lft forever
    inet6 fe80::42a8:f0ff:fe1e:5056/64 scope link
       valid_lft forever preferred_lft forever
5: eno4: <BROADCAST,MULTICAST> mtu 1500 qdisc mq state DOWN qlen 1000
    link/ether 40:a8:f0:1e:50:57 brd ff:ff:ff:ff:ff:ff

The routing table looks like this:
ip route show

default via 213.78.236.129 dev eno1
213.78.236.128/26 dev eno1  proto kernel  scope link  src 213.78.236.190
213.78.236.128/26 dev eno3  proto kernel  scope link  src 213.78.236.175

The problem is that I have access only to the interface with 213.78.236.190 from the outside world, i.e. another network. I can ping it, connect over SSH, do whatever. But on 213.78.236.175 I can only connect from the local network. It doesn't respond to ping from outside; I can see the packets arriving in tcpdump, but there is no response.

iptables is clean

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

I know that this should work because this replaces a CentOS 6 machine with a similar configuration, and on CentOS 6 it worked from the start: just configure the IP on both interfaces and the default gateway on one interface.
I disabled NetworkManager because I suspected it was messing something up. I enabled ip_forwarding in sysctl.conf

cat /proc/sys/net/ipv4/ip_forward
1

even though I don't think I need to.
I can see the ICMP packets coming from outside in tcpdump, but nothing goes out. Below is what happens if I ping from the machine 213.65.165.84. The IP I am pinging is 213.78.236.175

tcpdump -i eno3 -n -p| grep ICMP
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eno3, link-type EN10MB (Ethernet), capture size 65535 bytes
10:52:09.531494 IP 213.65.165.84 > 213.78.236.175: ICMP echo request, id 16686, seq 23, length 64
10:52:10.531489 IP 213.65.165.84 > 213.78.236.175: ICMP echo request, id 16686, seq 24, length 64
10:52:11.531492 IP 213.65.165.84 > 213.78.236.175: ICMP echo request, id 16686, seq 25, length 64
10:52:12.531483 IP 213.65.165.84 > 213.78.236.175: ICMP echo request, id 16686, seq 26, length 64

tcpdump -i eno1 -n -p| grep ICMP
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eno1, link-type EN10MB (Ethernet), capture size 65535 bytes

And this is what happens if I ping the other IP, 213.78.236.190, from the same machine:

tcpdump -i eno1 -n -p| grep ICMP
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eno1, link-type EN10MB (Ethernet), capture size 65535 bytes
10:58:45.973485 IP 213.65.165.84 > 213.78.236.190: ICMP echo request, id 16705, seq 5, length 64
10:58:45.973522 IP 213.78.236.190 > 213.65.165.84: ICMP echo reply, id 16705, seq 5, length 64
10:58:46.973483 IP 213.65.165.84 > 213.78.236.190: ICMP echo request, id 16705, seq 6, length 64
10:58:46.973515 IP 213.78.236.190 > 213.65.165.84: ICMP echo reply, id 16705, seq 6, length 64

After kasperd's observation, I updated the post with tcpdump using the -p option to prevent promiscuous mode, and checked in Wireshark to see that the ping requests arrive with the correct MAC address. So the problem seems to be that the kernel drops the packets for some reason.

Best Answer

Though you mentioned that iptables was clean, you mentioned that you just recently installed CentOS 7, so I was wondering if the default firewall software for CentOS 7, firewalld, is active and, if so, whether it is blocking ICMP echo replies for one of its zones. E.g., if firewalld is active, for its GUI, running firewall-config and checking "ICMP Filter" for each zone would show if there are any filters for "echo-request" and "echo-reply". If it was blocking them, you could still see the echo requests with tcpdump. You could also check using "firewall-cmd --list-all-zones", looking for the "icmp-blocks" line for each zone.
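
The "icmp-blocks" check suggested in the answer above, as an added example that is not part of the original answer: a small filter that reads `firewall-cmd --list-all-zones` output and reports each zone with a non-empty "icmp-blocks" line, together with the interfaces bound to it. The function names and the sample zone listing are constructed for illustration; the listing assumes the usual layout of a zone name in column 0 followed by indented attribute lines.

```shell
#!/bin/sh
# Added example: find firewalld zones that block ICMP types.
# Input (stdin): text in the layout of `firewall-cmd --list-all-zones`.
# Output: one line per zone with blocks: <zone>\t<interfaces>\t<icmp types>
icmp_blocks_by_zone() {
    awk '
        # Zone header starts in column 0, e.g. "public (default, active)".
        /^[^ \t]/ { zone = $1; ifaces = ""; next }
        # Remember which interfaces belong to the current zone.
        /^[ \t]+interfaces:/ {
            sub(/^[ \t]+interfaces:[ \t]*/, ""); ifaces = $0; next
        }
        # Report the zone only when something follows "icmp-blocks:".
        /^[ \t]+icmp-blocks:/ {
            sub(/^[ \t]+icmp-blocks:[ \t]*/, "")
            if ($0 != "") printf "%s\t%s\t%s\n", zone, ifaces, $0
        }
    '
}

# Constructed sample listing (not taken from the host in the question):
# eno1 sits in a zone with no ICMP filter, eno3 in a zone that filters echo.
sample_zones() {
cat <<'EOF'
public (default, active)
  interfaces: eno1
  sources:
  services: dhcpv6-client ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:

work (active)
  interfaces: eno3
  sources:
  services: ssh
  ports:
  masquerade: no
  forward-ports:
  icmp-blocks: echo-reply echo-request
  rich rules:
EOF
}

# Demo on the sample; on a live host run:
#   firewall-cmd --list-all-zones | icmp_blocks_by_zone
sample_zones | icmp_blocks_by_zone
```

An empty result means no zone filters ICMP, so the silent interface has to be explained by something other than firewalld's ICMP filter.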