Gentoo Forums
1-way network communication?
grant123
l33t

Joined: 23 Mar 2005
Posts: 769

Posted: Sat Dec 08, 2012 5:52 am    Post subject: 1-way network communication?

I have 192.168.1.10 and 192.168.1.11 connected to a wired router. 192.168.1.10 can ping and ssh 192.168.1.11, but 192.168.1.11 can't ping or ssh 192.168.1.10. Both systems can reach the internet. I've disabled the router's firewall and the firewall running on both systems. ifconfig confirms the IP address of both systems. Both systems are composed of identical hardware and both run Gentoo with near-identical configurations.

I'm puzzled. Any ideas why 192.168.1.11 can't reach 192.168.1.10?
grant123
l33t

Joined: 23 Mar 2005
Posts: 769

Posted: Sat Dec 08, 2012 6:08 am

I fixed it by enabling the firewall (shorewall) on 192.168.1.10 and configuring it to let 192.168.1.11 in. Why doesn't it work with the firewall disabled?
Hu
Watchman

Joined: 06 Mar 2007
Posts: 9057

Posted: Sat Dec 08, 2012 5:29 pm

We would need to see the applicable filter rules to answer that question. Please place it back in a broken state and post the output of iptables-save -c.
grant123
l33t

Joined: 23 Mar 2005
Posts: 769

Posted: Tue Dec 25, 2012 8:39 pm

I'm sorry for the delay with this. This is what I get after '/etc/init.d/shorewall stop':

# iptables-save -c
# Generated by iptables-save v1.4.16.3 on Tue Dec 25 12:34:58 2012
*raw
:PREROUTING ACCEPT [858:352950]
:OUTPUT ACCEPT [2194:2568714]
COMMIT
# Completed on Tue Dec 25 12:34:58 2012
# Generated by iptables-save v1.4.16.3 on Tue Dec 25 12:34:58 2012
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [2:208]
:POSTROUTING ACCEPT [2:208]
COMMIT
# Completed on Tue Dec 25 12:34:58 2012
# Generated by iptables-save v1.4.16.3 on Tue Dec 25 12:34:58 2012
*mangle
:PREROUTING ACCEPT [858:352950]
:INPUT ACCEPT [858:352950]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2194:2568714]
:POSTROUTING ACCEPT [2194:2568714]
COMMIT
# Completed on Tue Dec 25 12:34:58 2012
# Generated by iptables-save v1.4.16.3 on Tue Dec 25 12:34:58 2012
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [2194:2568714]
[858:352950] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A INPUT -i lo -j ACCEPT
[0:0] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Tue Dec 25 12:34:58 2012

I thought the firewall would stop functioning after a '/etc/init.d/shorewall stop', but maybe there is some residual stuff left in iptables?
The Doctor
Veteran

Joined: 27 Jul 2010
Posts: 1493

Posted: Tue Dec 25, 2012 10:47 pm

grant123 wrote:
I thought the firewall would stop functioning after a '/etc/init.d/shorewall stop', but maybe there is some residual stuff left in iptables?
If it does, you can use
Code:
iptables -F
to flush the rules.
_________________
First things first, but not necessarily in that order.
s_bernstein
Apprentice

Joined: 11 Mar 2006
Posts: 172
Location: Bremen, Germany

Posted: Wed Dec 26, 2012 7:13 am

Also, if you use shorewall and issue a shorewall stop command, it will not operate as a system without a firewall, because shorewall will, for example, implement the routestopped config file. This might not contain the same routings as you would have without a firewall.
truc
Advocate

Joined: 25 Jul 2005
Posts: 3199

Posted: Wed Dec 26, 2012 8:27 am

grant123 wrote:
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [2194:2568714]


The INPUT policy is still set to DROP, which is why you have this problem. You can set it to ACCEPT with
Code:
iptables -P INPUT ACCEPT
and should probably report that to the shorewall maintainers?
_________________
The End of the Internet!
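
An added example, not part of the original thread: a Python check that reads `iptables-save -c` output and lists built-in filter chains whose policy is DROP and that have no rule admitting NEW connections. That is the state in the dump posted above, where replies are accepted through RELATED,ESTABLISHED, so outbound traffic works while new inbound connections are dropped. The function names and the rule-matching heuristic are assumptions of this sketch; the sample input is the *filter table copied from the thread.

```python
import re

# *filter table copied from the iptables-save -c output posted in this thread.
SAMPLE = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [2194:2568714]
[858:352950] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A INPUT -i lo -j ACCEPT
[0:0] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
"""

def parse_filter(dump):
    """Return ({chain: policy}, {chain: [rule text]}) for the *filter table."""
    policies, rules, table = {}, {}, None
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("*"):
            table = line[1:]                      # table header, e.g. *filter
        elif table != "filter" or not line or line.startswith("#"):
            continue
        elif line.startswith(":"):                # chain policy line
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
            rules.setdefault(chain, [])
        else:                                     # rule, with optional [pkts:bytes]
            m = re.match(r"(?:\[\d+:\d+\]\s+)?-A (\S+) (.*)", line)
            if m:
                rules.setdefault(m.group(1), []).append(m.group(2))
    return policies, rules

def admits_new_inbound(rule):
    """Heuristic: direct ACCEPT that is not loopback-only and not limited to
    non-NEW connection states. Jumps to user-defined chains are not followed."""
    if not rule.endswith("-j ACCEPT") or re.search(r"-i lo\b", rule):
        return False
    m = re.search(r"--(?:ctstate|state) (\S+)", rule)
    return m is None or "NEW" in m.group(1).split(",")

def blocked_chains(dump):
    """Chains with policy DROP and no rule that admits NEW connections."""
    policies, rules = parse_filter(dump)
    return sorted(c for c, p in policies.items()
                  if p == "DROP" and not any(admits_new_inbound(r) for r in rules[c]))

if __name__ == "__main__":
    print("chains dropping all new connections:", blocked_chains(SAMPLE))
```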
grant123
l33t

Joined: 23 Mar 2005
Posts: 769

Posted: Wed Dec 26, 2012 8:53 pm

Quote:
Also, if you use shorewall and issue a shorewall stop command, it will not operate as a system without a firewall, because shorewall will, for example, implement the routestopped config file. This might not contain the same routings as you would have without a firewall.

Without modifying /etc/init.d/shorewall, can I have the firewall become totally inactive when '/etc/init.d/shorewall stop' is issued?

Quote:
and should probably report that to the shorewall maintainers?

Can anyone confirm that I should file a Gentoo bug for this?
grant123
l33t

Joined: 23 Mar 2005
Posts: 769

Posted: Sat Dec 29, 2012 7:54 pm

Can anyone help me out with this?