Discussion:
[hercules-390] TCPIP setup problem with Ubuntu 17.04
ahngb4nond2fjs4iv3chtuacfjmf4dgzileuxli7@yahoo.com [hercules-390]
2017-07-24 06:49:38 UTC
I have Hercules and z/Os running on an Ubuntu 17.04 machine.


I tried to clone the setup after another one that was working fine with Opensuse Leap 42.2


The z/os IP is 192.168.1.225
The TUN ip is 192.168.1.226
The ETH adapter ip is 192.168.1.48
The main router is 192.168.1.254


Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 192.168.1.254 0.0.0.0 UG 0 0 0 enp0s31f6
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 enp0s31f6
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 enp0s31f6

192.168.1.225 0.0.0.0 255.255.255.255 UH 0 0 0 tun0


IPCONFIG:


enp0s31f6: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.1.48 netmask 255.255.255.0 broadcast 192.168.1.255
inet6 fe80::98d5:c90a:6bdc:4a25 prefixlen 64 scopeid 0x20<link>
ether 2c:4d:54:d4:94:d7 txqueuelen 1000 (Ethernet)
RX packets 26566490 bytes 36586497357 (36.5 GB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 13511311 bytes 1733326728 (1.7 GB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
device interrupt 16 memory 0xdf300000-df320000
tun0: flags=81<UP,POINTOPOINT,RUNNING> mtu 1500
inet 192.168.1.226 netmask 255.255.255.255 destination 192.168.1.225
inet6 fe80::7c5a:214d:dbb2:3a60 prefixlen 64 scopeid 0x20<link>
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 500 (UNSPEC)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 8 bytes 496 (496.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0


I added a static route in the main router for target IP 192.168.1.225 (the zos ip) via gateway 192.168.1.48


I can PING from z/os to the main router and any outside world IP address. (for ex. 8.8.8.8)
I can not PING from z/os to any IP on my home network outside the Linux box.
I can PING from the Linux host to the z/os IP address
I can not PING from any other local network machine to the z/os IP address.


The Ubuntu firewall is disabled.


What am I missing ?


Thanks...Dani Kalmar
ahngb4nond2fjs4iv3chtuacfjmf4dgzileuxli7@yahoo.com [hercules-390]
2017-07-24 11:23:31 UTC
An update on my problem: I can FTP from z/OS to server running on another local machine if using my domain name and not IP address.
I can FTP from the Linux host into z/OS but not from another PC on the local network.


So seems to me that the main router is the only one who knows to route a packet back to z/Os due to the static IP rule I defined on the router.
None of the other machines on my network are aware of the internal z/os IP address so z/os can't communicate with them and vice versa.
Harold Grovesteen h.grovsteen@tx.rr.com [hercules-390]
2017-07-24 13:33:21 UTC
On Mon, 2017-07-24 at 11:23 +0000,
Post by ***@yahoo.com [hercules-390]
I can FTP from z/OS to server running on another local machine if using my domain name and not IP address.
I can FTP from the Linux host into z/OS but not from another PC on the local network.
So seems to me that the main router is the only one who knows to route a packet back to z/Os due to the static IP rule I defined on the router.
None of the other machines on my network are aware of the internal z/os IP address so z/os can't communicate with them and vice versa.

You definitely need to enable proxy-arp, but there may be additional
issues for the local LAN.

Please provide your guest (not host) TCP/IP configuration if proxy-arp
does not fix the problem.  The subnet mask may also require adjustment.

Harold Grovesteen
ahngb4nond2fjs4iv3chtuacfjmf4dgzileuxli7@yahoo.com [hercules-390]
2017-07-24 14:55:27 UTC
Just to clarify, if I enable proxy-arp on the Linux ETH0 interface, do I still need the static IP route on the main router ?
Harold Grovesteen h.grovsteen@tx.rr.com [hercules-390]
2017-07-24 15:06:10 UTC
On Mon, 2017-07-24 at 14:55 +0000,
Post by ***@yahoo.com [hercules-390]
Just to clarify, if I enable proxy-arp on the Linux ETH0 interface, do I still need the static IP route on the main router ?

Probably not.  But I would get the proxy-arp working for the other
local LAN devices before removing it.

Note, the alternative is to place the same route in each local device
if you would rather not enable proxy-arp.  Proxy-arp is the simplest
solution to the local LAN problem with *NIX like hosts.  

The routing design is different for Windows hosts due to different
underlying network driver technology used by Hercules.

Harold Grovesteen
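
What the proxy-arp advice above amounts to on the Linux host, as an added example that is not part of the original thread. It assumes the LAN interface name enp0s31f6 from the first post; PROC_ROOT is a hypothetical variable that lets the check run against a copy of the sysctl tree.

```shell
#!/bin/sh
# Added example, not from the thread. The interface name enp0s31f6 is the one
# in the original post; PROC_ROOT is a hypothetical override for test trees.
PROC_ROOT=${PROC_ROOT:-/proc/sys/net/ipv4}

read_flag() {   # print the content of a sysctl file, or "missing"
    if [ -r "$1" ]; then cat "$1"; else echo missing; fi
}

# enable_proxy_arp LAN_IF: turn on forwarding and proxy ARP on one interface
# only (same effect as sysctl -w net.ipv4.conf.LAN_IF.proxy_arp=1; needs root).
enable_proxy_arp() {
    echo 1 > "$PROC_ROOT/ip_forward" &&
    echo 1 > "$PROC_ROOT/conf/$1/proxy_arp"
}

# check_proxy_arp LAN_IF: report the settings and return 0 only if the host
# both answers ARP for routed addresses on LAN_IF and forwards the packets.
check_proxy_arp() {
    lan_if=$1; rc=0
    fwd=$(read_flag "$PROC_ROOT/ip_forward")
    own=$(read_flag "$PROC_ROOT/conf/$lan_if/proxy_arp")
    all=$(read_flag "$PROC_ROOT/conf/all/proxy_arp")
    if [ "$fwd" = 1 ]; then echo "OK   ip_forward=1"
    else echo "FAIL ip_forward=$fwd: host will not route for the guest"; rc=1; fi
    # The kernel ORs conf/all with the per-interface value.
    if [ "$own" = 1 ] || [ "$all" = 1 ]; then echo "OK   proxy ARP active on $lan_if"
    else echo "FAIL proxy_arp=$own on $lan_if: LAN peers get no ARP reply"; rc=1; fi
    if [ "$all" = 1 ]; then
        echo "WARN conf/all/proxy_arp=1: every interface answers ARP, not just $lan_if"
    fi
    return $rc
}
```

Run `check_proxy_arp enp0s31f6` before and after `enable_proxy_arp enp0s31f6`; the per-interface setting keeps the host from answering ARP on interfaces that have no reason to.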
ahngb4nond2fjs4iv3chtuacfjmf4dgzileuxli7@yahoo.com [hercules-390]
2017-07-24 17:29:03 UTC
Ok. Thanks. I will try to setup proxy-arp and report back.
ahngb4nond2fjs4iv3chtuacfjmf4dgzileuxli7@yahoo.com [hercules-390]
2017-07-24 20:05:03 UTC
Yes, setting up arp_proxy fixed the connectivity to other local IPs.

One problem still unresolved:
FTP from z/os to local FTP server is blocked unless I disable the Linux firewall.
I opened port 21 but it still blocks the FTP request unless I disable the firewall.
Grant Taylor gtaylor@tnetconsulting.net [hercules-390]
2017-07-24 22:14:17 UTC
ahngb4nond2fjs4iv3chtuacfjmf4dgzileuxli7@yahoo.com [hercules-390]
2017-07-25 05:59:35 UTC
What is "FTP connection tracker helper"? I have CONNTRACK installed and active.


I also have the following rules in /etc/ufw/before.rules:


# quickly process packets for which we already have a connection
-A ufw-before-input -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-output -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A ufw-before-forward -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT




Still FTP from z/os is blocked.
It is not blocked from the host linux to same FTP server
Grant Taylor gtaylor@tnetconsulting.net [hercules-390]
2017-07-25 20:16:37 UTC
ahngb4nond2fjs4iv3chtuacfjmf4dgzileuxli7@yahoo.com [hercules-390]
2017-07-26 05:00:41 UTC
To answer the previous question, I am trying to FTP from the guest z/os running under Hercules to an FTP server on another machine on the local network.
'Bill Turner, WB4ALM' wb4alm@arrl.net [hercules-390]
2017-07-25 10:04:19 UTC
FTP uses port 20 and port 21.

Also look at the possible use of PASSIVE transfers as opposed to ACTIVE
ones... This will sometimes get around firewall issues.

The client I use on Windows and Linux is FILEZILLA.

/s/ Bill Turner, wb4alm

On 07/24/2017 04:05 PM,
Post by ***@yahoo.com [hercules-390]
Yes, setting up arp_proxy fixed the connectivity to other local IPs.
FTP from z/os to local FTP server is blocked unless I disable the Linux firewall.
I opened port 21 but it still blocks the FTP request unless I disable the firewall.
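
Why opening port 21 alone does not carry an FTP transfer, as an added example that is not part of the original posts: the data connection's address and port are negotiated on the control channel, and its direction differs between active and passive mode. The control-channel lines and the server address 192.168.1.50 in the comments are constructed; 192.168.1.225 is the guest address from the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Constructed sample lines:
#   ftp_data_channel 'PORT 192,168,1,225,195,80'
#   ftp_data_channel '227 Entering Passive Mode (192,168,1,50,19,137)'

# hostport_to_endpoint "h1,h2,h3,h4,p1,p2": print "h1.h2.h3.h4:port"
hostport_to_endpoint() {
    old_ifs=$IFS; IFS=,
    set -f; set -- $1; set +f      # split on commas without globbing
    IFS=$old_ifs
    [ $# -eq 6 ] || return 1
    for n in "$@"; do
        # each field must be a plain decimal byte, no leading zeros
        case $n in ''|*[!0-9]*|0?*) return 1 ;; esac
        [ "$n" -le 255 ] || return 1
    done
    echo "$1.$2.$3.$4:$(( $5 * 256 + $6 ))"
}

# ftp_data_channel LINE: print "<mode> <who opens the data connection> <endpoint>"
ftp_data_channel() {
    case $1 in
        "PORT "*)           # active: client tells the server where to connect back
            ep=$(hostport_to_endpoint "${1#PORT }") || return 1
            echo "active server->client $ep" ;;
        "227 "*"("*")"*)    # passive: server tells the client where to connect
            t=${1#*\(}; t=${t%%\)*}
            ep=$(hostport_to_endpoint "$t") || return 1
            echo "passive client->server $ep" ;;
        *) return 1 ;;
    esac
}
```

In active mode the firewall in front of the client sees a new inbound connection to a port chosen per transfer, which a static rule for port 21 cannot match; in passive mode the client opens a second outbound connection to a server port that is just as unpredictable.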
ahngb4nond2fjs4iv3chtuacfjmf4dgzileuxli7@yahoo.com [hercules-390]
2017-07-25 11:03:20 UTC
I only have the problem when doing FTP from inside z/OS. Using the built-in FTP client.
ahngb4nond2fjs4iv3chtuacfjmf4dgzileuxli7@yahoo.com [hercules-390]
2017-07-25 16:31:02 UTC
Is it possible to configure the Linux firewall to allow all traffic to/from the z/os guest ?
Grant Taylor gtaylor@tnetconsulting.net [hercules-390]
2017-07-25 20:19:47 UTC
On 07/25/2017 10:31 AM,
Post by ***@yahoo.com [hercules-390]
Is it possible to configure the Linux firewall to allow all traffic to/from the z/os guest ?

This should be quite possible.

If you want to try something, try the following commands to temporarily
allow everything to / from the z/OS guest.

iptables -t filter -I INPUT -d $zOSIP -j ACCEPT
iptables -t filter -I INPUT -s $zOSIP -j ACCEPT

iptables -t filter -I FORWARD -d $zOSIP -j ACCEPT
iptables -t filter -I FORWARD -s $zOSIP -j ACCEPT

iptables -t filter -I OUTPUT -d $zOSIP -j ACCEPT
iptables -t filter -I OUTPUT -s $zOSIP -j ACCEPT

Note: This is somewhat like using a hammer to kill a fly. It also
assumes that all filtering is done in the filter table (which is best
practice.)
--
Grant. . . .
unix || die
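
A narrower alternative to the accept-everything rules above, as an added example that is not Grant's or the project's own: it permits only FTP started by the guest and relies on the kernel's FTP connection tracking helper to admit the negotiated data connections. The guest address comes from the thread; the availability of the nf_conntrack_ftp module on the host is an assumption.

```shell
#!/bin/sh
# Added example, not from the thread. guest_ftp_rules prints the commands so
# they can be reviewed first; "--apply GUEST_IP" runs them (needs root).

is_ipv4() {   # accept only a dotted quad with octets 0..255
    case $1 in ''|*[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do [ "${#o}" -le 3 ] && [ "$o" -le 255 ] || return 1; done
}

guest_ftp_rules() {
    is_ipv4 "$1" || { echo "not an IPv4 address: $1" >&2; return 1; }
    # 1. load the FTP helper (assumed to be available on the host kernel)
    # 2. attach it explicitly to the guest's control connections; recent
    #    kernels no longer assign helpers automatically
    # 3. let the guest open FTP control connections through the host
    # 4./5. accept only traffic conntrack ties to those connections, which
    #    covers the data channel once the helper has marked it RELATED
    cat <<EOF
modprobe nf_conntrack_ftp
iptables -t raw -A PREROUTING -s $1 -p tcp --dport 21 -j CT --helper ftp
iptables -t filter -I FORWARD -s $1 -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
iptables -t filter -I FORWARD -s $1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -t filter -I FORWARD -d $1 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
EOF
}

if [ "${1:-}" = "--apply" ]; then guest_ftp_rules "${2:-}" | sh -e; fi
```

Only the FORWARD chain is touched because the guest's packets are routed through the host between tun0 and the Ethernet interface; INPUT and OUTPUT keep whatever policy the host already has.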
Harold Grovesteen h.grovsteen@tx.rr.com [hercules-390]
2017-07-24 13:27:52 UTC
On Mon, 2017-07-24 at 06:49 +0000,
Post by ***@yahoo.com [hercules-390]
I have Hercules and z/Os running on an Ubuntu 17.04 machine.
I tried to clone the setup after another one that was working fine with Opensuse Leap 42.2
The z/os IP is 192.168.1.225
The TUN ip is 192.168.1.226
The ETH adapter ip is 192.168.1.48
The main router is 192.168.1.254
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window irtt Iface
0.0.0.0         192.168.1.254   0.0.0.0         UG        0 0         0 enp0s31f6
169.254.0.0     0.0.0.0         255.255.0.0     U         0 0         0 enp0s31f6
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0         0 enp0s31f6
192.168.1.225   0.0.0.0         255.255.255.255 UH        0 0         0 tun0
enp0s31f6: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.1.48  netmask 255.255.255.0  broadcast 192.168.1.255
        inet6 fe80::98d5:c90a:6bdc:4a25  prefixlen 64  scopeid 0x20<link>
        ether 2c:4d:54:d4:94:d7  txqueuelen 1000  (Ethernet)
        RX packets 26566490  bytes 36586497357 (36.5 GB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 13511311  bytes 1733326728 (1.7 GB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
        device interrupt 16  memory 0xdf300000-df320000
tun0: flags=81<UP,POINTOPOINT,RUNNING>  mtu 1500
        inet 192.168.1.226  netmask 255.255.255.255  destination 192.168.1.225
        inet6 fe80::7c5a:214d:dbb2:3a60  prefixlen 64  scopeid 0x20<link>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 500  (UNSPEC)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 8  bytes 496 (496.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
I added a static route in the main router for target IP 192.168.1.225 (the zos ip) via gateway 192.168.1.48
I can PING from z/os to the main router and any outside world IP address. (for ex. 8.8.8.8)
I can not PING from z/os to any IP on my home network outside the Linux box.

Enable proxy-arp on the host's ethernet interface.

Post by ***@yahoo.com [hercules-390]
I can PING from the Linux host to the z/os IP address
I can not PING from any other local network machine to the z/os IP address.

Enabling proxy-arp on the host's ethernet interface will fix this too. It is the same underlying problem as above.

Post by ***@yahoo.com [hercules-390]
The Ubuntu firewall is disabled.
What am I missing ?
Thanks...Dani Kalmar
 
Harold Grovesteen