Discussion:
[hercules-390] TCPIP setup for Linux
kalda0912@gmail.com [hercules-390]
2017-02-09 23:21:34 UTC
Permalink
I have Hercules running under OPENSUSE linux and I followed the install guide for setting
up TCPIP connectivity.
When Hercules is started the following errors are issued:


00:49:57 HHCIF005E hercifc: ioctl error doing TUNSETIFF on ?: 1 Operation not permitted
00:50:02 HHCTU001E hercifc timeout, possible older version?
00:50:02 HHCTU003E Error setting TUN/TAP mode: /dev/net/tun: Operation not permitted

00:50:02 HHCCF044E Initialization failed for device 0E21


Looks like an authorization issue.
What have I missed ?


Thanks....Dani
pade@trifox.com [hercules-390]
2017-02-10 04:42:38 UTC
Permalink
Start it as root.
kalda0912@gmail.com [hercules-390]
2017-02-10 05:13:05 UTC
Permalink
You mean start Hercules as root ? I'll try that. Thanks.
Ivan Warren ivan@vmfacility.fr [hercules-390]
2017-02-10 08:43:19 UTC
Permalink
Post by ***@trifox.com [hercules-390]
Start it as root.
Or ensure hercifc is setuid root.

--Ivan


Dan Kalmar kalda0912@gmail.com [hercules-390]
2017-02-10 08:33:58 UTC
Permalink
When I start Hercules as ROOT there is a different error issued now:

HHCIF005E hercifc: ioctl error doing SIOCDIFADDR on tun0: 25 Inappropriate
ioctl for device

In the CNF file I have the following line:

0E20.2 CTCI 192.168.1.123 192.168.1.124

Is this correct ?
Dan Kalmar kalda0912@gmail.com [hercules-390]
2017-02-10 11:38:51 UTC
Permalink
I noticed the following messages in the Hercules log file:

13:23:57 HHCCT073I 0E20: TUN device tun0 opened

13:23:57 HHCIF005E hercifc: ioctl error doing SIOCDIFADDR on tun0: 25
Inappropriate ioctl for device

other than that, TCPIP starts up without errors but I am unable to connect
to z/Os from other machines on the network.

I followed all the instructions in http://www.hercules-390.eu/herctcp.html
so not sure what to do next.

Thanks....Dani
jln@stben.net [hercules-390]
2017-02-10 11:55:28 UTC
Permalink
Hi Dany,
other than that, TCPIP starts up without errors but I am unable to connect to z/Os
from other machines on the network.
Can you ping the host from z/OS?


JLN
Dan Kalmar kalda0912@gmail.com [hercules-390]
2017-02-10 12:24:41 UTC
Permalink
I can only ping the internal CTC address 192.168.1.123 from z/os.

Unable to ping the real ethernet adapter address which is 192.168.1.23

IFCONFIG output:

linux-thii:~ # ifconfig
eth0      Link encap:Ethernet  HWaddr 74:D4:35:92:91:5E
          inet addr:192.168.1.23  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:115763 errors:0 dropped:0 overruns:0 frame:0
          TX packets:67297 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:25001710 (23.8 Mb)  TX bytes:9107410 (8.6 Mb)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:131438 errors:0 dropped:0 overruns:0 frame:0
          TX packets:131438 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1
          RX bytes:26633722 (25.3 Mb)  TX bytes:26633722 (25.3 Mb)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:192.168.1.124  P-t-P:192.168.1.123  Mask:255.255.255.255
          UP POINTOPOINT RUNNING  MTU:1500  Metric:1
          RX packets:6 errors:0 dropped:0 overruns:0 frame:0
          TX packets:180 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500
          RX bytes:792 (792.0 b)  TX bytes:31048 (30.3 Kb)
jln@stben.net [hercules-390]
2017-02-10 13:04:53 UTC
Permalink
Hi Dany,
Post by Dan Kalmar ***@gmail.com [hercules-390]
I can only ping the internal CTC address 192.168.1.123 from z/os.
Is z/OS's TCP/IP properly configured?
Rahim Azizarab rahimazizarab@yahoo.com [hercules-390]
2017-02-10 12:55:02 UTC
Permalink
I have to add a default route on my S390 Linux to access the outside world.
 
regards;

Rahim Azizarab
   

  
Rahim Azizarab rahimazizarab@yahoo.com [hercules-390]
2017-02-10 12:59:07 UTC
Permalink
It is questionable or at least that is not what mine looked like.  I followed the example on Hercules web page, and just had to add a default route to get things working. 
regards;

Rahim Azizarab
 

  
Dan Kalmar kalda0912@gmail.com [hercules-390]
2017-02-10 14:02:17 UTC
Permalink
I tried to follow the instructions:

DEVICE CTCDEV1 CTC E20
LINK CTCLINK1 CTC 0 CTCDEV1
HOME 192.168.1.123 CTCLINK1
GATEWAY
192.168.1.124 = CTCLINK1 1500 HOST
DEFAULTNET 192.168.1.124 CTCLINK1 1500 0
START CTCDEV1
jln@stben.net [hercules-390]
2017-02-10 14:41:37 UTC
Permalink
Hi Dan,


OK.
From the Linux side, same machine, could you try to ping:
192.168.1.124 and then 192.168.1.123
Dan Kalmar kalda0912@gmail.com [hercules-390]
2017-02-10 17:15:09 UTC
Permalink
From Linux I can ping 192.168.1.124 but not 192.168.1.123
jln@stben.net [hercules-390]
2017-02-10 18:50:45 UTC
Permalink
Hi Dan,


Did you run hlq=tcpip?
jln@stben.net [hercules-390]
2017-02-10 18:52:51 UTC
Permalink
If you didn't run it, don't!
Dan Kalmar kalda0912@gmail.com [hercules-390]
2017-02-10 19:01:47 UTC
Permalink
HLQ of what?
jln@stben.net [hercules-390]
2017-02-10 19:13:01 UTC
Permalink
makesite hlq=tcpip
as command into z/OS to generate a binary file of the configurations.
Dan Kalmar kalda0912@gmail.com [hercules-390]
2017-02-10 19:47:09 UTC
Permalink
No I didn't do that. Not familiar.
Dan Kalmar kalda0912@gmail.com [hercules-390]
2017-02-10 20:15:48 UTC
Permalink
I'm not running S390-Linux so not sure the setup is the same.
jln@stben.net [hercules-390]
2017-02-10 20:43:34 UTC
Permalink
But, you are running z/OS under hercules,
and the host machine is running Linux aren't you?
Dan Kalmar kalda0912@gmail.com [hercules-390]
2017-02-10 21:05:33 UTC
Permalink
Yes, running z/os under Hercules under Linux (opensuse).
What I was saying is that the MAKESITE command wasn't mentioned as a
requirement in the TCPIP setup instructions in this doc:
http://www.hercules-390.eu/herctcp.html
Dan Kalmar kalda0912@gmail.com [hercules-390]
2017-02-10 21:21:26 UTC
Permalink
The Kernel IP routing table looks like this:

Kernel IP routing table
Destination     Gateway         Genmask         Flags MSS Window irtt Iface
0.0.0.0         192.168.1.254   0.0.0.0         UG    0   0      0    eth0
192.168.1.0     0.0.0.0         255.255.255.0   U     0   0      0    eth0
192.168.1.123   192.168.1.23    255.255.255.255 UGH   0   0      0    eth0
192.168.1.123   0.0.0.0         255.255.255.255 UH    0   0      0    tun0

It does not look exactly as the sample routing table shown in the doc.
jln@stben.net [hercules-390]
2017-02-10 21:37:48 UTC
Permalink
Mine looks like:


[***@ns prt]# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default host-109-88-34- 0.0.0.0 UG 100 0 0 enp8s0
10.149.85.0 0.0.0.0 255.255.255.0 U 100 0 0 enp5s0
10.149.86.1 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
109.88.34.48 0.0.0.0 255.255.255.240 U 100 0 0 enp8s0


Could you kill this line:
192.168.1.123 192.168.1.23 255.255.255.255 UGH 0 0 0 eth0
Dan Kalmar kalda0912@gmail.com [hercules-390]
2017-02-10 20:39:54 UTC
Permalink
What would the MAKESITE command accomplish ? It wasn't mentioned in the
Linux TCPIP install guide.
It appears as if the tunnel between the guest OS and Hercules is not
connected.
jln@stben.net [hercules-390]
2017-02-10 21:50:51 UTC
Permalink
It compiles two TCPIP files to make a binary file of them.
Could you try to remove the line asked from your routing table
and then try to ping z/OS from the Linux side.
Rahim Azizarab rahimazizarab@yahoo.com [hercules-390]
2017-02-10 23:57:17 UTC
Permalink
This is what my config file looks like for CTCI; and as I mentioned earlier, a route add default command is necessary.
# network                               s390     realbox
0A00,0A01  CTCI -n /dev/net/tun -t 1500 192.168.122.4 192.168.122.3

regards;

Rahim Azizarab
jln@stben.net [hercules-390]
2017-02-11 01:18:25 UTC
Permalink
Hi Rahim,
Post by Rahim Azizarab ***@yahoo.com [hercules-390]
and as I mentioned earlier a route add default command is necessary.
Could you explain to me why you wish to route the IP of the z/OS through
the NIC like that:
192.168.1.123 192.168.1.23 255.255.255.255 UGH 0 0 0 eth0

The IP 192.168.1.123 is local across the bridge 124 -> 123.
Dan Kalmar kalda0912@gmail.com [hercules-390]
2017-02-11 07:05:43 UTC
Permalink
I removed the entry from the routing table as requested.

Now I can ping from 192.168.1.123 to both 192.168.1.124 & 192.168.1.23 but
not to other IPs on my network.

Btw, that entry in the routing table was added due to the following
instructions in the doc:

Defining a route to Hercules TCP/IP

Client systems which connect to TCP/IP applications running in the Hercules
machine need to have a routing entry which defines the driving system as
the gateway into the Hercules system. An example route definition for a
Unix client system is shown below:

route add 192.168.200.1 gw 10.1.2.1


The entry on the left is the Hercules internal IP and the one on the
right is the NIC IP.

So I guess the above refers to setting up the routing table on remote
machines, which I tried to do

but still can't ping the Hercules IP from the outside.
Dan Kalmar kalda0912@gmail.com [hercules-390]
2017-02-11 07:16:01 UTC
Permalink
Here's the current routing table:

Kernel IP routing table
Destination     Gateway         Genmask         Flags MSS Window irtt Iface
0.0.0.0         192.168.1.254   0.0.0.0         UG    0   0      0    eth0
192.168.1.0     0.0.0.0         255.255.255.0   U     0   0      0    eth0
192.168.1.123   0.0.0.0         255.255.255.255 UH    0   0      0    tun0


192.168.1.254 is the router in my home network.
jln@stben.net [hercules-390]
2017-02-11 10:19:26 UTC
Permalink
Hi Dan,


Now, if you can ping 192.168.1.123 from the Linux part
AND ping 192.168.1.23 from the z/OS everything is fine.


To let eth1 know it possesses 192.168.1.123 too, issue this command from Linux:
arp -Ds 192.168.1.123 eth1 pub
Joe Monk joemonk64@gmail.com [hercules-390]
2017-02-11 10:43:16 UTC
Permalink
You will probably also need this:

sysctl -w net.ipv4.ip_forward=1

And to make it permanent:

/etc/sysctl.conf:
net.ipv4.ip_forward = 1

Joe
Post by ***@stben.net [hercules-390]
Hi Dan,
Now, if you can ping 192.168.1.123 from the Linux part
AND ping 192.168.1.23 from the z/OS everything is fine.
arp -Ds 192.168.1.123 eth1 pub
jln@stben.net [hercules-390]
2017-02-11 10:51:59 UTC
Permalink
Hi Joe,


Perhaps he has already authorized the forwarding.
We will see.
Dan Kalmar kalda0912@gmail.com [hercules-390]
2017-02-11 10:58:14 UTC
Permalink
I think I have the IP forwarding setup already:

The command: cat /proc/sys/net/ipv4/ip_forward shows "1"

I think I have the IP forwarding setup already
As I have mentioned earlier. I can now ping both ways from 192.168.1.123
(Hercules) to 192.168.1.23 (host linux)
I can also ping from the host Linux to external IPs on my network and vice
versa, but can't ping from Hercules to external IPs and not from external
machines into Hercules.
jln@stben.net [hercules-390]
2017-02-11 11:02:52 UTC
Permalink
Hi Dan,


I don't understand. Hercules isn't able to ping.
From z/OS ispf can you try to ping 192.168.1.23 and 192.168.1.254
Did you issue the arp command?
Dan Kalmar kalda0912@gmail.com [hercules-390]
2017-02-11 11:04:36 UTC
Permalink
I will try the ARP command later when I return home. Thanks.
Dan Kalmar kalda0912@gmail.com [hercules-390]
2017-02-11 11:07:12 UTC
Permalink
As I just said I will try to issue the ARP later when I return home. I'll
update with the results.
jln@stben.net [hercules-390]
2017-02-11 12:15:46 UTC
Permalink
Hi Dan,


I will try to explain what happens without the arp command.


When z/OS (I will use its IP because it's an IP problem).
So, when 123 tries to ping 23 the packets reach 23 and are
routed to Linux. Linux responds and the TCP/IP stack
routes the packets back to 123 across the tunnel because
it knows it.
When 123 tries to ping 254 the requests reach the TCP/IP stack
across the tunnel and are routed to the 23's NIC (Network Interface Card).
The 23's NIC sends a request on the LAN to know if someone knows about 254.
The 254's NIC responds with its MAC address and the 23's NIC sends
the packets to the 254's NIC.
The packets are routed to Linux? on that machine and it responds.
The response packets are sent to the 254's NIC across the 254's TCP/IP stack.
The 254's NIC sends a request on the LAN to know if someone knows about 123.
And nobody responds because the 23's NIC knows nothing about 123
and all return packets are dropped.


The arp command will tell 23's NIC that 123 is within its reach and so
next time a message asks about 123 on the LAN the 23's NIC will respond HERE.
And when the packets reach the 23's TCP/IP stack they will be routed properly
across the tunnel because the routing is now OK inside the 23 machine.
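
The host-side conditions this explanation relies on (the guest's host route only on tun0, a published ARP entry on the LAN interface, forwarding enabled), checked by a script. This is an added example, not part of the original post; the sample tables are constructed from values quoted in the thread, and eth0 as the LAN interface name is an assumption taken from the ifconfig output.

```shell
#!/bin/sh
# Added example: consistency checks for a CTCI guest that shares the LAN subnet.
# The sample data is constructed from values quoted in the thread.

GUEST_IP=192.168.1.123   # z/OS end of the tunnel
TUN_IF=tun0
LAN_IF=eth0              # assumption: LAN NIC name as shown by ifconfig

# Constructed `route -n` output: the state before the extra host route was removed.
SAMPLE_ROUTES='Kernel IP routing table
Destination     Gateway         Genmask         Flags MSS Window irtt Iface
0.0.0.0         192.168.1.254   0.0.0.0         UG    0   0      0    eth0
192.168.1.0     0.0.0.0         255.255.255.0   U     0   0      0    eth0
192.168.1.123   192.168.1.23    255.255.255.255 UGH   0   0      0    eth0
192.168.1.123   0.0.0.0         255.255.255.255 UH    0   0      0    tun0'

# Constructed `arp -an` output containing a published (proxy) entry for the guest.
SAMPLE_ARP='? (192.168.1.254) at c4:04:15:0f:e7:dd [ether] on eth0
? (192.168.1.123) at <incomplete> on eth0
? (192.168.1.123) at * PERM PUP on eth0'

# Print every host route to the guest that does NOT leave through the tunnel.
# Such a route sends guest-bound packets back out of the LAN interface.
stray_guest_routes() {
    # $1 = routing table text, $2 = guest IP, $3 = tunnel interface
    printf '%s\n' "$1" | awk -v ip="$2" -v tun="$3" \
        '$1 == ip && $3 == "255.255.255.255" && $NF != tun { print $1, "via", $2, "dev", $NF }'
}

# Succeed if the tunnel interface carries a route to the guest.
has_tunnel_route() {
    printf '%s\n' "$1" | awk -v ip="$2" -v tun="$3" \
        '$1 == ip && $NF == tun { found = 1 } END { exit !found }'
}

# Succeed if the ARP table holds a published entry for the guest on the LAN
# interface, i.e. the host answers "who has GUEST_IP" on the guest's behalf.
has_proxy_arp() {
    # $1 = `arp -an` text, $2 = guest IP, $3 = LAN interface
    printf '%s\n' "$1" | awk -v ip="($2)" -v lan="$3" \
        '$2 == ip && $NF == lan && / PUP / { found = 1 } END { exit !found }'
}

# Run all checks, print one line per finding, return the number of problems.
diagnose() {
    # $1 = routing table, $2 = ARP table, $3 = value of net.ipv4.ip_forward
    problems=0
    stray=$(stray_guest_routes "$1" "$GUEST_IP" "$TUN_IF")
    if [ -n "$stray" ]; then
        echo "PROBLEM: guest host route bypasses $TUN_IF: $stray"
        problems=$((problems + 1))
    fi
    if ! has_tunnel_route "$1" "$GUEST_IP" "$TUN_IF"; then
        echo "PROBLEM: no route to $GUEST_IP on $TUN_IF"
        problems=$((problems + 1))
    fi
    if ! has_proxy_arp "$2" "$GUEST_IP" "$LAN_IF"; then
        echo "PROBLEM: no published ARP entry for $GUEST_IP on $LAN_IF"
        problems=$((problems + 1))
    fi
    if [ "$3" != "1" ]; then
        echo "PROBLEM: net.ipv4.ip_forward is '$3', forwarding is off"
        problems=$((problems + 1))
    fi
    if [ "$problems" -eq 0 ]; then
        echo "OK: routing, proxy ARP and forwarding are consistent"
    fi
    return "$problems"
}

# Demonstration on the constructed data. On a live host, pass instead:
#   diagnose "$(route -n)" "$(arp -an)" "$(cat /proc/sys/net/ipv4/ip_forward)"
diagnose "$SAMPLE_ROUTES" "$SAMPLE_ARP" 1 || true
```
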
Dan Kalmar kalda0912@gmail.com [hercules-390]
2017-02-11 12:21:08 UTC
Permalink
It all makes sense, but how did this ever work with the setup documented in
the install guide where the ARP command was never mentioned ?
dave.g4ugm@gmail.com [hercules-390]
2017-02-11 12:34:43 UTC
Permalink
I think the guide puts the zOS and Tunnel on a separate sub-net. If you do that you may need to add route statements on many other hosts. I can’t be sure because I read this on e-mail, and you don’t put any context in the message.



The issue is that in IP each packet is routed independently. So when you “ping” a remote host it needs to know where to send the reply. If it is on the same subnet, it needs to get a response to an ARP command. If it's on a different subnet it needs an extra entry in its route table.



Dave

G4UGM

From: hercules-***@yahoogroups.com [mailto:hercules-***@yahoogroups.com]
Sent: 11 February 2017 12:21
To: hercules-***@yahoogroups.com
Subject: Re: [hercules-390] Re: TCPIP setup for Linux

It all makes sense. but how did this ever work with the setup documented in the install guide where the ARP command was never mentioned ?
jln@stben.net [hercules-390]
2017-02-11 12:49:03 UTC
Permalink
Hi Dave,


No, the guide assumes that you have only one machine
or install it on the router.
With a LAN you can't include all possibilities.


ON4OO
jln@stben.net [hercules-390]
2017-02-11 13:12:37 UTC
Permalink
Sorry OO1J or ON4JLN
Dan Kalmar kalda0912@gmail.com [hercules-390]
2017-02-11 13:27:26 UTC
Permalink
I issued the ARP command and it made no difference.
Still can't ping from 123 to 254.
jln@stben.net [hercules-390]
2017-02-11 13:40:35 UTC
Permalink
On which machine did you enter that command?
jln@stben.net [hercules-390]
2017-02-11 14:22:00 UTC
Permalink
Hi Dan,


Could you, please, post the result of "arp -a" issued on Linux of the 23 machine?
Dan Kalmar kalda0912@gmail.com [hercules-390]
2017-02-11 15:25:29 UTC
Permalink
On the Linux where Hercules is running.
Dan Kalmar kalda0912@gmail.com [hercules-390]
2017-02-11 15:37:10 UTC
Permalink
How does the ARP command tell the eth0 interface that 123 is on the tun0
interface ?
jln@stben.net [hercules-390]
2017-02-11 15:48:12 UTC
Permalink
Hi Dan,


The ARP command doesn't tell eth1 where 123 is.
The ARP command just tells eth1 to respond here when someone
asks for 123 on the net.
It's your TCP/IP stack that knows what to do with the packets received.


Could you please post the result of "arp -a" issued on the Linux where Hercules runs.
Ivan Warren ivan@vmfacility.fr [hercules-390]
2017-02-11 15:54:08 UTC
Permalink
Post by ***@stben.net [hercules-390]
Hi Dan,
The ARP command doesn't tell eth1 where is 123.
The ARP command just tells eth1 to respond here when someone
asks for 123 on the net.
It's your TCP/IP stack who knows what to do with the packets received.
Could you please, post the result of "arp -a" issued on Linux where run Hercules.
arp -a won't tell much.

tun0 is a point to point interface, and doesn't use arp to resolve
anything.

--Ivan


jln@stben.net [hercules-390]
2017-02-11 16:05:24 UTC
Permalink
Hi Yvan,


We have already tested that the host linux machine can
ping z/OS and that z/OS can ping the host machine.
But, other machines on the net can't find z/OS because
it doesn't have a direct access to the net.


I asked him to issue an "arp -Ds 192.168.1.123 eth1 pub"
He said he had and that doesn't work better.
I didn't believe him and I asked the result of: "arp -a"
to see if really he had issued the previous command.
Ivan Warren ivan@vmfacility.fr [hercules-390]
2017-02-11 16:12:42 UTC
Permalink
I think it needs to be "arp -Ds ....pub perm"

--Ivan
Post by ***@stben.net [hercules-390]
Hi Yvan,
We have already tested that the host linux machine can
ping z/OS and that z/OS can ping the host machine.
But, other machines on the net can't find z/OS because
it doesn't have a direct access to the net.
I asked him to issue an "arp -Ds 192.168.1.123 eth1 pub"
He said he had and that doesn't work better.
I didn't believe him and I asked the result of: "arp -a"
to see if really he had issued the previous command.
jln@stben.net [hercules-390]
2017-02-11 16:19:35 UTC
Permalink
I tried it here and it was rejected, but I guess it depends on the Linux flavor.
Ivan Warren ivan@vmfacility.fr [hercules-390]
2017-02-11 16:23:50 UTC
Permalink
Post by ***@stben.net [hercules-390]
I tried it here and was rejected, but I guess it depend on the Linux's flavor.
May I ask..

rejected ? What was the error message ?

--Ivan


jln@stben.net [hercules-390]
2017-02-11 16:32:21 UTC
Permalink
Hi Ivan,
Post by Ivan Warren ***@vmfacility.fr [hercules-390]
rejected ? What was the error message ?
[***@ns conf]# arp -Ds 10.149.86.1 enp5s0 pub perm
Usage:
arp [-vn] [<HW>] [-i <if>] [-a] [<hostname>] <-Display ARP cache
arp [-v] [-i <if>] -d <host> [pub] <-Delete ARP entry
arp [-vnD] [<HW>] [-i <if>] -f [<filename>] <-Add entry from file
arp [-v] [<HW>] [-i <if>] -s <host> <hwaddr> [temp] <-Add entry
arp [-v] [<HW>] [-i <if>] -Ds <host> <if> [netmask <nm>] pub <-''-

-a display (all) hosts in alternative (BSD) style
-e display (all) hosts in default (Linux) style
-s, --set set a new ARP entry
-d, --delete delete a specified entry
-v, --verbose be verbose
-n, --numeric don't resolve names
-i, --device specify network interface (e.g. eth0)
-D, --use-device read <hwaddr> from given device
-A, -p, --protocol specify protocol family
-f, --file read new entries from file or from /etc/ethers

<HW>=Use '-H <hw>' to specify hardware address type. Default: ether
List of possible hardware types (which support ARP):
ash (Ash) ether (Ethernet) ax25 (AMPR AX.25)
netrom (AMPR NET/ROM) rose (AMPR ROSE) arcnet (ARCnet)
dlci (Frame Relay DLCI) fddi (Fiber Distributed Data Interface) hippi (HIPPI)
irda (IrLAP) x25 (generic X.25) infiniband (InfiniBand)
eui64 (Generic EUI-64)
Ivan Warren ivan@vmfacility.fr [hercules-390]
2017-02-11 16:43:01 UTC
Permalink
Ok, good enough !

Now what does a 'tcpdump -i enp5s0 arp' give following that and when a
ping is attempted from an external station ?

--Ivan
Post by ***@stben.net [hercules-390]
Hi Ivan,
Post by Ivan Warren ***@vmfacility.fr [hercules-390]
rejected ? What was the error message ?
jln@stben.net [hercules-390]
2017-02-11 17:05:59 UTC
Permalink
Ivan, my system is working properly!
It's the system of Dan that has an issue!


We were just speaking about the syntax of the arp command remember.
Harold Grovesteen h.grovsteen@tx.rr.com [hercules-390]
2017-02-11 16:08:57 UTC
Permalink
The arp command helps manage the Local ARP cache.

What is needed is to enable proxy arp on the eth1 interface.

http://www.linuxproblem.org/art_8.html

Harold Grovesteen
Post by ***@stben.net [hercules-390]
Hi Yvan,
We have already tested that the host linux machine can
ping z/OS and that z/OS can ping the host machine.
But, other machines on the net can't find z/OS because
it doesn't have a direct access to the net.
I asked him to issue an "arp -Ds 192.168.1.123 eth1 pub"
He said he had and that doesn't work better.
I didn't believe him and I asked the result of: "arp -a"
to see if really he had issued the previous command.
Ivan Warren ivan@vmfacility.fr [hercules-390]
2017-02-11 15:52:01 UTC
Permalink
Post by Dan Kalmar ***@gmail.com [hercules-390]
How does the ARP command tell the eth0 interface that 123 is on the
tun0 interface ?
Maybe...

arp -Ds 192.168.1.123 eth0 -perm -pub

That won't solve the fact that you cannot reach the IP layer of the OS
running under hercules from within the host running hercules, but it
will indicate to the host to reply to ARP requests originating from
hosts reachable from the eth0 interface to reply that it is handling
that IP address.

--Ivan


Dan Kalmar kalda0912@gmail.com [hercules-390]
2017-02-11 17:05:17 UTC
Permalink
Here is the requested output:

***@linux-thii:~> sudo arp -a
? (192.168.1.254) at c4:04:15:0f:e7:dd [ether] on eth0
? (192.168.1.108) at 34:02:86:cc:a8:08 [ether] on eth0
? (192.168.1.252) at 00:1f:1f:3f:f8:d0 [ether] on eth0
? (192.168.1.26) at 74:d4:35:a8:d0:cc [ether] on eth0
? (192.168.1.24) at 6c:f0:49:00:da:e3 [ether] on eth0
? (192.168.1.123) at <incomplete> on eth0
? (192.168.1.123) at * PERM PUP on eth0
Ivan Warren ivan@vmfacility.fr [hercules-390]
2017-02-11 17:46:22 UTC
Permalink
Post by Dan Kalmar ***@gmail.com [hercules-390]
? (192.168.1.123) at <incomplete> on eth0
? (192.168.1.123) at * PERM PUP on eth0
What the ????

That's weird !

--Ivan


Dan Kalmar kalda0912@gmail.com [hercules-390]
2017-02-11 17:09:13 UTC
Permalink
***@linux-thii:~> sudo tcpdump -i enp5s0 arp
tcpdump: enp5s0: No such device exists
(SIOCGIFHWADDR: No such device)
jln@stben.net [hercules-390]
2017-02-11 17:29:06 UTC
Permalink
Hi Dan,


Your NIC is eth1; mine are enp5s0, enp7s0 and enp8s0.
Dan Kalmar kalda0912@gmail.com [hercules-390]
2017-02-11 17:34:15 UTC
Permalink
Ok. got it. Will try with correct NIC name.
jln@stben.net [hercules-390]
2017-02-11 17:47:56 UTC
Permalink
Hi Dan,
Post by Dan Kalmar ***@gmail.com [hercules-390]
? (192.168.1.123) at <incomplete> on eth0
I don't know from where it came.
But the next line is OK
(192.168.1.123) at * PERM PUP on eth0


And Ivan requested:
tcpdump -i eth1 arp
Alex Garcia rocral2@yahoo.es [hercules-390]
2017-02-11 19:22:53 UTC
Permalink
Hi

Last time I did this between z/OS (guest) and linux (host) I used the same sub-network, exactly 192.168.1.7 linux and 192.168.1.9 z/OS.

I was also able to connect a 3270 terminal emulation on any Windows, Linux and Android, served from the standard services TCPIP to the port 23 (not the supported ones of hercules to port 3270), and after configuring my ADSL router I could connect from any point of internet, outside home. Maybe in the same network will be easier.
Alejandro Garcia

(+34)656449946
Skype: rocral2
https://es.linkedin.com/in/alejandro-garcia-45339b14
CV site: http://rocral.dyndns.org/cv
jln@stben.net [hercules-390]
2017-02-11 20:09:04 UTC
Permalink
Hi Alejandro,


Being able to connect a 3270 terminal is easy. It doesn't mean
that you are able to ping the z/OS box itself.
It's Hercules that is dealing with the terminals so as far as your
machine is properly set Hercules will be available everywhere
Ivan Warren ivan@vmfacility.fr [hercules-390]
2017-02-11 20:42:45 UTC
Permalink
That's what he said... NOT the 3270 server/3174 emulation on hercules,
but the tn3270 server running inside z/OS !

--Ivan
Post by ***@stben.net [hercules-390]
Hi Alejandro,
Being able to connect a 3270 terminal is easy. It doesn't mean
that you are able to ping the z/OS box itself.
It's Hercules that is dealing with the terminals so as far as your
machine is properly set Hercules will be avaible everywhere
jln@stben.net [hercules-390]
2017-02-11 20:50:47 UTC
Permalink
Hi Ivan,
There isn't a 3270 emulation running inside of z/OS.
Only a FTP, a HTTP, and a Telnet plus socket for the database.
The 3270 terminals are controlled by an external processor on a real
mainframe. Here it's Hercules that assumes the role.
It's not because you can see the screen ispf from z/OS that is z/OS
who deals with the connection.
Laddie Hanus laddiehanus@yahoo.com [hercules-390]
2017-02-11 21:09:04 UTC
Permalink
So what's the TN3270 stc on my z/OS 2.2 system at work? I run a system (at work on a z/13) that has not had a 3274/3174 attached in over 10 years. I also have not used a real 3270 in over 20 years.

Laddie Hanus

Sent from whatever device I am using.
Post by ***@stben.net [hercules-390]
Hi Ivan,
There isn't a 3270 emulation running Inside of z/OS.
Only a FTP, a HTTP, and a Telnet plus socket for the database.
The 3270 terminals are controlled by an external processor on a real
mainframe. Here it's Hercules that asume the role.
It's not because you can see the screen ispf from z/OS that is z/OS
who deals with the connection.
Ivan Warren ivan@vmfacility.fr [hercules-390]
2017-02-11 21:26:12 UTC
Permalink
Post by ***@stben.net [hercules-390]
Hi Ivan,
There isn't a 3270 emulation running Inside of z/OS.
Only a FTP, a HTTP, and a Telnet plus socket for the database.
The 3270 terminals are controlled by an external processor on a real
mainframe. Here it's Hercules that asume the role.
It's not because you can see the screen ispf from z/OS that is z/OS
who deals with the connection.
A remote 3270 telnet client can very well connect to the IP stack of
an OS running on a mainframe without going through a 3174 Configuration
C or an emulator as provided by an OSA/IOCC.

Example :
https://www.ibm.com/support/knowledgecenter/SSGTSD_10.1.0/com.ibm.debugtool.doc_10.1/eqaacg0234.htm

z/VM TCP/IP (FAL) as well as z/OS communication server (and possibly the
z/VSE IP stack as well) DO provide a Telnet server which allows
connection from a tn3270 client.

z/VM uses DIAG 7C (LDEV) to provide backend/console services for 3270
clients (and uses *CCS IUCV systems services for linemode clients) and
z/OS Communication Server probably creates a Type 2 LUN using VTAM APIs
- and may actually create a Type 6 LUN over a TYPE 2.1 PU to allow APPC
communication between z/OS services and a workstation.

--Ivan


dave.g4ugm@gmail.com [hercules-390]
2017-02-11 22:40:18 UTC
Permalink
-----Original Message-----
Sent: 11 February 2017 21:26
Subject: Re: [hercules-390] Re: TCPIP setup for Linux
Post by ***@stben.net [hercules-390]
Hi Ivan,
There isn't a 3270 emulation running Inside of z/OS.
Only a FTP, a HTTP, and a Telnet plus socket for the database.
The 3270 terminals are controlled by an external processor on a real
mainframe. Here it's Hercules that asume the role.
It's not because you can see the screen ispf from z/OS that is z/OS
who deals with the connection.
A remote 3270 telnet client can very well connect to the IP stack of an OS
running on a mainframe without going through a 3174 Configuration C or an
emulator as provided by an OSA/IOCC,
This has been possible for a long time. This short discussion from 1986 on
VM Share mentions TN3270 and performance overheads...

http://vm.marist.edu/~vmshare/browse?fn=4361TCP&ft=MEMO&args=tn3270#hit

so round about 30 years ago...
https://www.ibm.com/support/knowledgecenter/SSGTSD_10.1.0/com.ibm.debugtool.doc_10.1/eqaacg0234.htm
z/VM TCP/IP (FAL) as well as z/OS communication server (and possibly the
z/VSE IP stack as well) DO provide a Telnet server which allow connection
from a tn3270 client.
z/VM uses DIAG 7C (LDEV) to provide backend/console services for 3270
clients (and uses *CCS IUCV systems services for linemode clients) and
z/OS
Communication Server probably creates a Type 2 LUN using VTAM APIs
- and may actually create a Type 6 LUN over a TYPE 2.1 PU to allow APPC
communication between z/OS services and a workstation.
--Ivan
Dan Kalmar kalda0912@gmail.com [hercules-390]
2017-02-11 21:47:10 UTC
Permalink
In my setup all IPs are on the same 192.168.1.x subnet. Still it does not
work.
z/Os can't ping outside the linux machine and the outside world can't ping
z/os inside hercules.
jln@stben.net [hercules-390]
2017-02-11 22:28:52 UTC
Permalink
Hi Dan,


But a 3270 terminal running on a machine other than 23
can access the z/OS logon using 192.168.1.23:3270, I hope.
Joe Monk joemonk64@gmail.com [hercules-390]
2017-02-11 23:25:50 UTC
Permalink
IP Tables?

Joe
Post by Dan Kalmar ***@gmail.com [hercules-390]
In my setup all IPs are on the same 192.168.1.x subnet. Still it does not
work.
z/Os can't ping outside the linux machine and the outside world can't ping
z/os inside hercules.
Ivan Warren ivan@vmfacility.fr [hercules-390]
2017-02-11 23:47:56 UTC
Permalink
Post by Joe Monk ***@gmail.com [hercules-390]
IP Tables?
Joe
That's a possibility !
--Ivan


Alex Garcia rocral2@yahoo.es [hercules-390]
2017-02-12 00:53:31 UTC
Permalink
This post might be inappropriate. Click to display it.
Dan Kalmar kalda0912@gmail.com [hercules-390]
2017-02-12 05:03:27 UTC
Permalink
Thanks in advance Alejandro.
Dan Kalmar kalda0912@gmail.com [hercules-390]
2017-02-12 05:01:02 UTC
Permalink
No, I am unable to get a terminal emulation running from another machine at
23:3270.
Btw, I was able to do that when Hercules & z/Os were running under a
Windows 10 machine.
jln@stben.net [hercules-390]
2017-02-12 09:03:19 UTC
Permalink
Hi Dan,


Do you have other servers running on the 23 machine?
If yes, are you able to reach those servers from the other machines?
Gregg Levine gregg.drwho8@gmail.com [hercules-390]
2017-02-12 20:41:31 UTC
Permalink
Hello!
Dan the port used for both console sessions via Telnet and then via
your favorite TN3270 emulator is 3270. Not 23.
-----
Gregg C Levine ***@gmail.com
"This signature fought the Time Wars, time and again."
Post by Dan Kalmar ***@gmail.com [hercules-390]
No, I am unable to get a terminal emulation running from another machine at
23:3270.
Btw, I was able to do that when Hercules & z/Os were running under a Windows
10 machine.
Dan Kalmar kalda0912@gmail.com [hercules-390]
2017-02-12 10:02:54 UTC
Permalink
Do you mean I should try to FTP or TELNET into the Linux system at 23 from
another computer?
jln@stben.net [hercules-390]
2017-02-12 10:43:53 UTC
Permalink
Hi Dan,
Yes
Dan Kalmar kalda0912@gmail.com [hercules-390]
2017-02-12 11:00:48 UTC
Permalink
I was able to logon to the Linux machine at 23 via WINSCP from another
Windows 10 system.
jln@stben.net [hercules-390]
2017-02-12 13:36:39 UTC
Permalink
Hi Dan,


And not a 3270 23:3270 when almost Hercules is running.
The only remaining issue I can think of is selinux.
Is selinux running on the 23 machine?
To check, display the file /etc/selinux/config and the line:
SELINUX=disabled should be seen.
If not, correct it and restart the machine.
Dan Kalmar kalda0912@gmail.com [hercules-390]
2017-02-12 15:22:51 UTC
Permalink
There is no such file on my machine "/etc/selinux/config"
There is only /etc/selinux/semanage.conf
in there:

module-store = direct
expand-check=0
usepasswd=False
bzip-small=true
bzip-blocksize=5
ignoredirs=/root
jln@stben.net [hercules-390]
2017-02-12 16:08:13 UTC
Permalink
Hi Dan,


Let me summarize the problem to solve.


On the 23 machine from another machine on the lan:
1. telnetd is reachable
2. Hercules, with or without z/OS running, isn't.


Yet those two servers don't need anything else (they run natively on Linux).
So, I can only think of two possible issues:
1. Something is blocking Hercules (see A)
2. The configuration of Hercules is wrong (see B)


A. Issue these commands on the Linux box of machine 23:
iptables --flush
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain


B. Check that you have these lines or their equivalent in hercules.conf:
(the hint here is 3270)
0700 3270 CONSOLE 10.149.85.0 255.255.255.0
0701 3270 MTSO 10.149.85.0 255.255.255.0
0702 3270 CICS 10.149.85.0 255.255.255.0
0704.13 3270
jln@stben.net [hercules-390]
2017-02-12 17:01:02 UTC
Permalink
Hi Dan,


It limits who can connect to those devices.
0700 here is the console and the two others are masters for TSO and CICS.
So, I limited them to my lan only. If you wish to limit yours it should be:
192.168.1.0 255.255.255.0
Dan Kalmar kalda0912@gmail.com [hercules-390]
2017-02-12 17:04:35 UTC
Permalink
But without limiting by IP shouldn't any IP be allowed to connect?
Joe Monk joemonk64@gmail.com [hercules-390]
2017-02-12 17:42:50 UTC
Permalink
Please post the output of the following:

1. ifconfig
2. netstat -in
3. netstat -rn

Joe
Post by Dan Kalmar ***@gmail.com [hercules-390]
But without limiting by IP shouldn't any IP be allowed to connect?
jln@stben.net [hercules-390]
2017-02-12 17:40:56 UTC
Permalink
Hi Dan,


Sure, and remember Hercules isn't behind a tunnel or something like that.
So, why is telnet reachable and not Hercules?
Did you issue the iptables commands (don't worry, they will be forgotten after a reboot)?
Dan Kalmar kalda0912@gmail.com [hercules-390]
2017-02-12 16:24:47 UTC
Permalink
This is what I currently have in the Hercules CNF file:

0700 3270 CONS700
0701 3270
0702.14 3270
0908 3270 CONS908

what is the purpose of adding "10.149.85.0 255.255.255.0" to 700-702 ?
This IP (10.149.85.0) does not exist in my network.
Dan Kalmar kalda0912@gmail.com [hercules-390]
2017-02-12 16:46:24 UTC
Permalink
Also I found out that from another machine I can PING 192.168.1.124 but not
123
Dan Kalmar kalda0912@gmail.com [hercules-390]
2017-02-12 17:59:27 UTC
Permalink
inux-thii:~ # ifconfig
eth0      Link encap:Ethernet  HWaddr 74:D4:35:92:91:5E
          inet addr:192.168.1.23  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:436383 errors:0 dropped:0 overruns:0 frame:0
          TX packets:189588 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:193165978 (184.2 Mb)  TX bytes:23678368 (22.5 Mb)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:447930 errors:0 dropped:0 overruns:0 frame:0
          TX packets:447930 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1
          RX bytes:111252518 (106.0 Mb)  TX bytes:111252518 (106.0 Mb)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:192.168.1.124  P-t-P:192.168.1.123  Mask:255.255.255.255
          UP POINTOPOINT RUNNING  MTU:1500  Metric:1
          RX packets:4 errors:0 dropped:0 overruns:0 frame:0
          TX packets:16 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500
          RX bytes:224 (224.0 b)  TX bytes:2080 (2.0 Kb)


inux-thii:~ # netstat -in
Kernel Interface table
Iface   MTU    Met  RX-OK   RX-ERR  RX-DRP  RX-OVR  TX-OK   TX-ERR  TX-DRP  TX-OVR  Flg
eth0    1500   0    437747  0       0       0       189986  0       0       0       BMRU
lo      65536  0    449472  0       0       0       449472  0       0       0       LRU
tun0    1500   0    4       0       0       0       24      0       0       0       PRU


inux-thii:~ # netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask          Flags  MSS  Window  irtt  Iface
0.0.0.0         192.168.1.254   0.0.0.0          UG     0    0       0     eth0
192.168.1.0     0.0.0.0         255.255.255.0    U      0    0       0     eth0
192.168.1.123   0.0.0.0         255.255.255.255  UH     0    0       0     tun0
Joe Monk joemonk64@gmail.com [hercules-390]
2017-02-12 18:16:00 UTC
Permalink
Not sure but I think your subnet mask is wrong on the tun0 interface...
shouldn't it be 255.255.255.252?

Don't you need the host machine to be the broadcast for proxy arp? So
shouldn't the tun0 interface be on its own network?

Joe
jln@stben.net [hercules-390]
2017-02-12 18:26:54 UTC
Permalink
Hi Joe,


Mine, and everything is working properly here:


tun0: flags=81<UP,POINTOPOINT,RUNNING>  mtu 1500
        inet 10.149.86.2  netmask 255.255.255.255  destination 10.149.86.1
        inet6 fe80::c803:7c55:55a8:c526  prefixlen 64  scopeid 0x20<link>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 500  (UNSPEC)
        RX packets 59  bytes 33035 (32.2 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 99  bytes 14933 (14.5 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
Joe Monk joemonk64@gmail.com [hercules-390]
2017-02-12 18:31:51 UTC
Permalink
What's your eth0 look like?

Joe
Post by ***@stben.net [hercules-390]
Hi Joe,
tun0: flags=81<UP,POINTOPOINT,RUNNING> mtu 1500
inet 10.149.86.2 netmask 255.255.255.255 destination 10.149.86.1
inet6 fe80::c803:7c55:55a8:c526 prefixlen 64 scopeid 0x20<link>
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
txqueuelen 500
(UNSPEC)
RX packets 59 bytes 33035 (32.2 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 99 bytes 14933 (14.5 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
Ivan Warren ivan@vmfacility.fr [hercules-390]
2017-02-12 19:59:05 UTC
Permalink
Post by Joe Monk ***@gmail.com [hercules-390]
Not sure but I think your subnet mask is wrong on the tun0
interface... shouldn't it be 255.255.255.252?
Don't you need the host machine to be the broadcast for proxy arp? So
shouldn't the tun0 interface be on its own network?
Joe
Nope.

The 255.255.255.255 mask is correct for a Point to Point interface.

If the proper ARP publication is set (via arp -Ds), then any ARP WHOHAS
broadcast request for 192.168.1.123 received on eth0 will be answered,
and an IHAVE ARP response for 192.168.1.123 will be sent with the MAC
address of eth0 to the MAC address of the requester - thus indicating to
any other host on the LAN requesting it on which eth0 is attached that
the MAC address for the host running 192.168.1.123 is the MAC address of
eth0.

When an IP or ICMP datagram is received for 192.168.1.123 over any
interface, it will then be routed to tun0 (if ipv4 forwarding is
enabled) because it has a UH flag and a shorter host mask than any other
route.

When 192.168.1.123 on tun0 emits an IP datagram, it is from a point to
point link, so the IP datagram is just sent to the IP layer (MAC address
is irrelevant on a Point to Point interface), and then routed to the
relevant network interface, the IP routing layer will present the IP
datagram to the relevant network, the MAC address of the output Ethernet
frame (Or whatever link level you are using) will be adjusted to add the
proper source and destination address, the checksum recalculated (unless
the NIC has Checksum offload).

--Ivan
[Non-text portions of this message have been removed]
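The three host-side conditions in Ivan Warren's reply above (a UH host route for the guest address on tun0, IPv4 forwarding enabled, a published ARP entry on eth0) can be checked from captured output. The script below is an added example, not part of the thread or of Hercules; the function names and the sample ARP table are assumptions of this example, and it relies on the /proc/net/arp Flags field, where bit 0x8 (ATF_PUBL) marks a published entry.

```shell
#!/bin/sh
# Added example (not from the thread): host-side checks for reaching a CTCI
# guest address through proxy ARP. Inputs are text, so captured output works too.

# Constructed samples: ROUTES holds the thread's routes, one route per line;
# ARP_TABLE is in /proc/net/arp layout with an assumed published entry.
ROUTES='Destination     Gateway         Genmask          Flags MSS Window irtt Iface
0.0.0.0         192.168.1.254   0.0.0.0          UG    0   0      0    eth0
192.168.1.0     0.0.0.0         255.255.255.0    U     0   0      0    eth0
192.168.1.123   0.0.0.0         255.255.255.255  UH    0   0      0    tun0'
ARP_TABLE='IP address       HW type     Flags       HW address            Mask     Device
192.168.1.254    0x1         0x2         02:00:00:00:00:01     *        eth0
192.168.1.123    0x1         0xc         00:00:00:00:00:00     *        eth0'

# Is there a host route (flags U and H, /32 mask) for the guest on the tun device?
has_host_route() {   # args: routes-text guest-ip tun-dev
    printf '%s\n' "$1" | awk -v ip="$2" -v dev="$3" '
        $1 == ip && $3 == "255.255.255.255" && $4 ~ /U/ && $4 ~ /H/ && $NF == dev { ok = 1 }
        END { exit !ok }'
}

# Is the guest address published on the LAN interface? ATF_PUBL is bit 0x8,
# so the last hex digit of the Flags field must be 8..f.
arp_published() {    # args: arp-text guest-ip lan-dev
    printf '%s\n' "$1" | awk -v ip="$2" -v dev="$3" '
        $1 == ip && $NF == dev && $3 ~ /^0x[0-9a-fA-F]*[89a-fA-F]$/ { ok = 1 }
        END { exit !ok }'
}

# Print one line per missing prerequisite, or "ok"; return non-zero if any is missing.
diagnose() {         # args: routes ip_forward-value arp-text guest-ip tun-dev lan-dev
    rc=0
    has_host_route "$1" "$4" "$5" || { echo "no host route to $4 on $5"; rc=1; }
    [ "$2" = "1" ] || { echo "ipv4 forwarding disabled"; rc=1; }
    arp_published "$3" "$4" "$6" || { echo "no published ARP entry for $4 on $6"; rc=1; }
    [ "$rc" -eq 0 ] && echo ok
    return "$rc"
}

diagnose "$ROUTES" 1 "$ARP_TABLE" 192.168.1.123 tun0 eth0
```

On a live host the three inputs would come from `netstat -rn`, `cat /proc/sys/net/ipv4/ip_forward` and `cat /proc/net/arp`.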
Dan Kalmar kalda0912@gmail.com [hercules-390]
2017-02-12 18:06:59 UTC
Permalink
When I issued the IPTABLES commands my Linux machine lost all network
connectivity. I had to re-boot.
Joe Monk joemonk64@gmail.com [hercules-390]
2017-02-12 18:53:42 UTC
Permalink
Well then test it out:

sudo ipchains stop
sudo iptables stop

Joe
Post by ***@stben.net [hercules-390]
Hi Dan,
Something is wrong with the firewall, but I can't put my finger on it.
Those commands are issued every time my Linux server is booted
and nothing wrong happens.
Dan Kalmar kalda0912@gmail.com [hercules-390]
2017-02-12 20:32:36 UTC
Permalink
I tried putting the TUN0 interface on its own subnet using 10.0.0.x and it
made no difference.

According to the doc the mask on TUN0 should be 255.255.255.0
Not sure why it is set to 255.255.255.255 and don't know what is causing
that.
Is there a command to change it ?