On 08/11/2017 01:32 PM, David A. De Graaf wrote:
(The other common suspect, selinux, is disabled.)
That's terrible. Stop turning off SELinux. You don't "find / -exec
chmod 777 {} +" do you?
On the remote gateway. octopus, 'ipsec -L' output was dominated by
DROP lines from 'fail2ban', but no lines included string "192.168".
Remember, autofs and ssh DO WORK between the primary gateways;
Right. Those packets are governed by the INPUT and OUTPUT chains.
Packets between any other hosts will be governed by the FORWARD chain.
Potentially on both of the ipsec hosts, so we can't really proceed
without seeing the rules.
all the needed services are allowed to pass the firewall.
You haven't demonstrated that yet, and I think it's too early to draw
that conclusion.
The other thing you could to is run "tcpdump -nn -i any host octopus" on
datium. Ping octopus from another machine on datium's subnet to make
sure you see those packets in the tcpdump output. If so, then try to
telnet to octopus:22 from the same machine. You should see the TCP SYN
packet, just like you see the ICMP echo requests. If so, the problem is
probably not a routing issue.
I tried to save the above files to
https://paste.fedoraproject.org/, but ordinary UNIX cut & paste
(highlight with B1, paste with B2) didn't seem to work. Sorry.
So use Shift+Ctrl+C to copy the terminal text and paste that as normal...
_______________________________________________
users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx