Netdale n00b
Joined: 25 May 2002 Posts: 67 Location: Lancaster, Pa
Posted: Mon Sep 23, 2002 1:19 pm Post subject: Gentoo!!--Cannot ping my machine. Yet inside the network....
Ok, I have a newly updated system. Ran emerge -e world, and everything went w/o a hitch. The system is now running fine, except I cannot ping into it. I started up the default iptables stuff, yet the machine will not allow pings or website outbound stuff. Yet inside my network I can do all these things. One more note: I cannot ping the machine from inside the network either; my Windows-based app reports "timed out" (Microsoft's ping command times out as well). Any suggestions would be of help. I'm just out of ideas; could it be that the kernel was compiled w/ GCC 3.2?
Dale
de4d Apprentice
Joined: 12 Sep 2002 Posts: 181 Location: fr. i. br. (ger)
Posted: Mon Sep 23, 2002 1:37 pm Post subject:
why do u all 'use the default iptables stuff' w/o ne idea what u are doing?
read manpages, try again, and if u don't understand come back 2 ask more specific questions and/or post ur iptables list.
_________________
void main(){fork();main();}
klieber Bodhisattva
Joined: 17 Apr 2002 Posts: 3657 Location: San Francisco, CA
Posted: Mon Sep 23, 2002 2:40 pm Post subject: Re: Gentoo!!--Cannot ping my machine. Yet inside the network
Netdale wrote:
> I started up the default iptable stuff yet the machine will not allow pings or website outbound stuff.
This is almost assuredly the problem. Get rid of the iptables ruleset and see if that solves your problem. If it does, read the IPTables Tutorial to get more familiar with what it is and how it works. Then, start adding iptables rules back in one by one until you get your machine to a state where you're comfortable with it.
--kurt
_________________
The problem with political jokes is that they get elected
Netdale n00b
Joined: 25 May 2002 Posts: 67 Location: Lancaster, Pa
Posted: Tue Sep 24, 2002 3:01 am Post subject: Give me a break
Haha, sry guys.....I was at school and didn't have the scripts.
Here it is.......
Code: | #!/bin/sh
echo -e "\n\nLoading IpTables....\n"
# Setting the EXTERNAL and INTERNAL interfaces for the network
EXTIF="eth0"
INTIF="eth1"
echo " External Interface: $EXTIF"
echo " Internal Interface: $INTIF"
# The location of the 'iptables' program
IPTABLES=/sbin/iptables
# Clearing any previous configuration
#
# Default policies: INPUT, OUTPUT and FORWARD are all set to ACCEPT below,
# so anything not matched by an explicit rule is allowed through.
#
echo " - Setting default policies"
$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -F FORWARD
$IPTABLES -t nat -F
# "masq" everything before it goes out the external side
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
echo " - Defining iptables rules"
# let everything on loopback
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT
# Base kernel settings which will apply in every scheme
echo "1" > /proc/sys/net/ipv4/ip_forward
# kernel answers no ICMP echo requests at all, on any interface (loopback included)
/bin/echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all
/bin/echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
/bin/echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
/bin/echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
/bin/echo "0" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
/bin/echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
# let everything INPUT and OUTPUT from the safe side, regardless of defaults
$IPTABLES -A INPUT -i $INTIF -j ACCEPT
$IPTABLES -A OUTPUT -o $INTIF -j ACCEPT
# Drop RPC type ports all the time, regardless of defaults
$IPTABLES -A PREROUTING -t nat -i $EXTIF -p tcp --dport 3306 -j DROP # MySql
$IPTABLES -A PREROUTING -t nat -i $EXTIF -p tcp --dport 139 -j DROP  # NetBios
$IPTABLES -A PREROUTING -t nat -i $EXTIF -p tcp --dport 135 -j DROP  # Windows RPC
$IPTABLES -A PREROUTING -t nat -i $EXTIF -p tcp --dport 111 -j DROP  # UNIX RPC
$IPTABLES -A PREROUTING -t nat -i $EXTIF -p tcp --dport 5000 -j DROP # PlugnPlay
$IPTABLES -A PREROUTING -t nat -i $EXTIF -p udp --dport 139 -j DROP
$IPTABLES -A PREROUTING -t nat -i $EXTIF -p udp --dport 135 -j DROP
$IPTABLES -A PREROUTING -t nat -i $EXTIF -p udp --dport 111 -j DROP
$IPTABLES -A PREROUTING -t nat -i $EXTIF -p udp --dport 5000 -j DROP
# A little hole for AIM file transfers..
$IPTABLES -A POSTROUTING -t nat -o $EXTIF -p tcp --sport 5191 -j SNAT --to-source 10.0.0.100:5191
$IPTABLES -A PREROUTING -t nat -i $EXTIF -p tcp --dport 5191 -j DNAT --to-destination 10.0.0.100:5191
# MOSTLY-CLOSED FIREWALL FOR CONNECTION REQUESTS (MOSTLY-OPEN AS A CLIENT)
# Drops every new inbound TCP connection (bare SYN) on every interface not
# accepted above; no rule before this one accepts the public service ports on $EXTIF.
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST SYN -j DROP
echo -e "\nDone.\n" |
Emperor n00b
Joined: 09 Jul 2002 Posts: 54 Location: Enschede, The Netherlands
Posted: Tue Sep 24, 2002 3:04 am Post subject:
Code: | /bin/echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all |
Maybe that has something to do with it?
_________________
What is this "signature" thing you are talking about?
Netdale n00b
Joined: 25 May 2002 Posts: 67 Location: Lancaster, Pa
Posted: Tue Sep 24, 2002 3:09 am Post subject:
I commented out all the /bin/echo "1" > ***** lines except for the ip_forward one.
So I eliminated that problem.
Dale
Netdale n00b
Joined: 25 May 2002 Posts: 67 Location: Lancaster, Pa
Posted: Tue Sep 24, 2002 3:26 am Post subject:
Ok, I made these adjustments:
Code: | /bin/echo "0" > /proc/sys/net/ipv4/icmp_echo_ignore_all
/bin/echo "0" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
/bin/echo "1" > /proc/sys/net/ipv4/conf/all/accept_source_route
/bin/echo "1" > /proc/sys/net/ipv4/conf/all/accept_redirects
/bin/echo "0" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
/bin/echo "1" > /proc/sys/net/ipv4/conf/all/log_martians |
I now can ping the server from within the server, which I couldn't do b4 (in SSH, 'ping localhost'). Yet I still cannot ping cnn.com, or what have u, from inside the network. At all...........neither server nor workstation can ping anything outside. Ideas?
Dale
Netdale n00b
Joined: 25 May 2002 Posts: 67 Location: Lancaster, Pa
Posted: Tue Sep 24, 2002 1:34 pm Post subject:
Anyone??
Something weird is happening, though. I've read it may be ACPI? Any ideas?? Try www.mtcrew.net (68.82.225.203).
That's the IP; as u can see, it's kinda working. So I don't know what's going on. Kernel? Iptables? I just don't know.
Dale
Naan Yaar Bodhisattva
Joined: 27 Jun 2002 Posts: 1549
Posted: Tue Sep 24, 2002 1:38 pm Post subject:
Sites don't necessarily answer pings. cnn.com doesn't. Try pinging something friendlier, like www.gentoo.org or www.yahoo.com.
Netdale wrote:
> ...
> I now can ping the server from within the server which I counldnt do b4. (in SSH 'ping localhost'). Yet I still cannot ping cnn.com, or what have u, fom inside the network. At all...........server nor workstation can ping anything outside. Ideas?
> Dale
pilla Bodhisattva
Joined: 07 Aug 2002 Posts: 7729 Location: Underworld
Posted: Tue Sep 24, 2002 1:41 pm Post subject:
iptables is a complex tool. If you want to use it, you should take some time to read the manuals and tutorials about it.
Netdale n00b
Joined: 25 May 2002 Posts: 67 Location: Lancaster, Pa
Posted: Wed Sep 25, 2002 12:05 am Post subject:
Ok, thanks Yaar---pinging gentoo.org works now. Ok, yet people still cannot access my site.......
Anyone want to portscan against this (internal scan from my Windows machine):
TCP: 10.0.0.1 [21-ftp]
TCP: 10.0.0.1 [22-ssh]
TCP: 10.0.0.1 [25-smtp]
TCP: 10.0.0.1 [80-www-http]
TCP: 10.0.0.1 [110-pop3]
TCP: 10.0.0.1 [443-https]
TCP: 10.0.0.1 [2222-rockwell-csp2]
TCP: 10.0.0.1 [3306-mysql]
Thanks
Dale
rac Bodhisattva
Joined: 30 May 2002 Posts: 6553 Location: Japanifornia
Posted: Wed Sep 25, 2002 4:21 am Post subject:
Netdale wrote:
> Anyone want to portscan against this
External portscan results emailed.
_________________
For every higher wall, there is a taller ladder
Netdale n00b
Joined: 25 May 2002 Posts: 67 Location: Lancaster, Pa
Posted: Wed Sep 25, 2002 10:24 am Post subject:
Thanks RAC.....
I believe the problem lay in this line....
Code: | # MOSTLY-CLOSED FIREWALL FOR CONNECTION REQUESTS (MOSTLY-OPEN AS A CLIENT)
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST SYN -j DROP |
So yea, thanks; according to ur email, everything is closed except the filtered ones, which aren't shown....i.e. 80, 21, 22?
Thanks, Dale
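As an added example (not Netdale's script or anything posted in this thread), here are the two findings of the thread side by side in one corrected INPUT ruleset: Emperor's icmp_echo_ignore_all line is left at 0 and ping is admitted by a rate-limited rule instead, and the published service ports are accepted before the catch-all "drop new TCP connections" rule that Netdale identified. The interface name eth0, the port list taken from Netdale's scan, and the DRY_RUN switch are assumptions.

```shell
#!/bin/sh
# Added example for this thread, not the original script. Assumptions: eth0 is
# the external interface and the public services are those in Netdale's scan
# (21, 22, 25, 80, 443). With DRY_RUN=1 the iptables commands are printed
# instead of executed, so the rule ORDER can be reviewed without root.
EXTIF="eth0"
IPTABLES=/sbin/iptables
PUBLIC_TCP_PORTS="21 22 25 80 443"

ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "$IPTABLES $*"
    else
        "$IPTABLES" "$@"
    fi
}

inbound_rules() {
    ipt -A INPUT -i lo -j ACCEPT
    # Replies to connections this host or the masqueraded LAN opened.
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Keep icmp_echo_ignore_all at 0 and let the firewall admit ping,
    # rate-limited, so the host stays reachable for diagnosis.
    ipt -A INPUT -i "$EXTIF" -p icmp --icmp-type echo-request \
        -m limit --limit 5/s -j ACCEPT
    # Published services must be accepted BEFORE the catch-all drop.
    for p in $PUBLIC_TCP_PORTS; do
        ipt -A INPUT -i "$EXTIF" -p tcp --dport "$p" --syn -j ACCEPT
    done
    # Only now drop every other new TCP connection from outside.
    ipt -A INPUT -i "$EXTIF" -p tcp --syn -j DROP
}

# Self-check on the dry-run output: the ACCEPT for port 80 must come
# before the --syn DROP. Returns 0 when the order is right, 1 otherwise.
check_order() {
    ( DRY_RUN=1; inbound_rules ) | awk '
        /--dport 80 .*-j ACCEPT/ && !a { a = NR }
        /--syn -j DROP/          && !d { d = NR }
        END { if (a && d && a < d) exit 0; exit 1 }'
}

# Number of ACCEPT rules emitted: loopback, state, ping, one per port.
accept_count() {
    ( DRY_RUN=1; inbound_rules ) | grep -c -- '-j ACCEPT'
}
```

Run with DRY_RUN=1 first and read the printed rules top to bottom; the order is what decides whether port 80 is reachable or silently dropped.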