grant123 Veteran
Joined: 23 Mar 2005 Posts: 1080
Posted: Sat Dec 08, 2012 5:52 am Post subject: 1-way network communication?
I have 192.168.1.10 and 192.168.1.11 connected to a wired router. 192.168.1.10 can ping and ssh 192.168.1.11, but 192.168.1.11 can't ping or ssh 192.168.1.10. Both systems can reach the internet. I've disabled the router's firewall and the firewall running on both systems. ifconfig confirms the IP address of both systems. Both systems are composed of identical hardware and both run Gentoo with near-identical configurations.
I'm puzzled. Any ideas why 192.168.1.11 can't reach 192.168.1.10?
grant123 Veteran
Posted: Sat Dec 08, 2012 6:08 am Post subject:
I fixed it by enabling the firewall (shorewall) on 192.168.1.10 and configuring it to let 192.168.1.11 in. Why doesn't it work with the firewall disabled?
Hu Moderator
Joined: 06 Mar 2007 Posts: 21624
Posted: Sat Dec 08, 2012 5:29 pm Post subject:
We would need to see the applicable filter rules to answer that question. Please place it back in a broken state and post the output of iptables-save -c.
grant123 Veteran
Posted: Tue Dec 25, 2012 8:39 pm Post subject:
I'm sorry for the delay with this. This is what I get after '/etc/init.d/shorewall stop':
# iptables-save -c
# Generated by iptables-save v1.4.16.3 on Tue Dec 25 12:34:58 2012
*raw
:PREROUTING ACCEPT [858:352950]
:OUTPUT ACCEPT [2194:2568714]
COMMIT
# Completed on Tue Dec 25 12:34:58 2012
# Generated by iptables-save v1.4.16.3 on Tue Dec 25 12:34:58 2012
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [2:208]
:POSTROUTING ACCEPT [2:208]
COMMIT
# Completed on Tue Dec 25 12:34:58 2012
# Generated by iptables-save v1.4.16.3 on Tue Dec 25 12:34:58 2012
*mangle
:PREROUTING ACCEPT [858:352950]
:INPUT ACCEPT [858:352950]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2194:2568714]
:POSTROUTING ACCEPT [2194:2568714]
COMMIT
# Completed on Tue Dec 25 12:34:58 2012
# Generated by iptables-save v1.4.16.3 on Tue Dec 25 12:34:58 2012
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [2194:2568714]
[858:352950] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A INPUT -i lo -j ACCEPT
[0:0] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Tue Dec 25 12:34:58 2012
I thought the firewall would stop functioning after a '/etc/init.d/shorewall stop', but maybe there is some residual stuff left in iptables?
The Doctor Moderator
Joined: 27 Jul 2010 Posts: 2678
Posted: Tue Dec 25, 2012 10:47 pm Post subject:
grant123 wrote: | I thought the firewall would stop functioning after a '/etc/init.d/shorewall stop', but maybe there is some residual stuff left in iptables? |
If it does, you can use to flush the rules.
_________________ First things first, but not necessarily in that order.
Apologies if I take a while to respond. I'm currently working on the dematerialization circuit for my blue box.
s_bernstein Apprentice
Joined: 11 Mar 2006 Posts: 172 Location: Bremen, Germany
Posted: Wed Dec 26, 2012 7:13 am Post subject:
Also, if you use shorewall and issue a shorewall stop command, it will not operate as a system without a firewall, because shorewall will e.g. implement the routestopped config file. This might not contain the same routings as you would have without a firewall.
truc Advocate
Joined: 25 Jul 2005 Posts: 3199
Posted: Wed Dec 26, 2012 8:27 am Post subject:
grant123 wrote: |
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [2194:2568714]
|
input policy is still set to DROP, which is why you have this problem. You can set it to ACCEPT with Code: | iptables -P INPUT ACCEPT | and should probably report that to the shorewall maintainers?
_________________ The End of the Internet!
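The check truc describes, as an added example that is not from the thread: a small Python parser for iptables-save output, run over the filter table posted above (copied in as SAMPLE), that reports each chain's policy and whether any brand-new inbound connection can get past INPUT at all. The function names are mine, and the INPUT-chain heuristic only understands the -i, --ctstate and -j forms that appear in that output.

```python
import re

# Constructed sample: the filter table exactly as posted in the thread.
SAMPLE = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [2194:2568714]
[858:352950] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A INPUT -i lo -j ACCEPT
[0:0] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
"""
# ":CHAIN POLICY [pkts:bytes]" and "[pkts:bytes] -A CHAIN ..." (counters only with -c)
POLICY_RE = re.compile(r"^:(\S+) (ACCEPT|DROP|REJECT|-) \[\d+:\d+\]$")
RULE_RE = re.compile(r"^(?:\[\d+:\d+\] )?-A (\S+) (.*)$")

def parse_iptables_save(text):
    """Return {table: {"policies": {chain: policy}, "rules": [(chain, rule)]}}."""
    tables, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                                  # blank or comment
        if line.startswith("*"):                      # "*filter" opens a table
            current = line[1:]
            tables[current] = {"policies": {}, "rules": []}
        elif line == "COMMIT":
            current = None
        elif (m := POLICY_RE.match(line)) and current:
            tables[current]["policies"][m.group(1)] = m.group(2)
        elif (m := RULE_RE.match(line)) and current:
            tables[current]["rules"].append((m.group(1), m.group(2)))
    return tables

def new_inbound_allowed(tables):
    """True if a brand-new connection on a non-loopback interface can pass INPUT;
    False means the host only answers replies to connections it opened itself."""
    flt = tables.get("filter", {"policies": {}, "rules": []})
    if flt["policies"].get("INPUT", "ACCEPT") == "ACCEPT":
        return True                                   # policy admits NEW traffic
    for chain, rule in flt["rules"]:
        t = rule.split()
        if chain != "INPUT" or t[-2:] != ["-j", "ACCEPT"]:
            continue                                  # not an INPUT accept rule
        loopback_only = "-i" in t and t[t.index("-i") + 1] == "lo"
        replies_only = "--ctstate" in t and "NEW" not in t[t.index("--ctstate") + 1]
        if not (loopback_only or replies_only):
            return True                               # admits NEW from the LAN
    return False
```

With the posted table it returns False: the DROP policy plus a RELATED,ESTABLISHED-only accept is exactly why 192.168.1.10 can open connections but never accept them.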
grant123 Veteran
Posted: Wed Dec 26, 2012 8:53 pm Post subject:
Quote: | Also, if you use shorewall and issue a shorewall stop command, it will not operate as a system without firewall because shorewall will p. ex. implement the routestopped config file. This might not contain the same routings as you would have without firewall. |
Without modifying /etc/init.d/shorewall, can I have the firewall become totally inactive when '/etc/init.d/shorewall stop' is issued?
Quote: | and should probably report that to the shorewall maintainers? |
Can anyone confirm that I should file a Gentoo bug for this?
grant123 Veteran
Posted: Sat Dec 29, 2012 7:54 pm Post subject:
Can anyone help me out with this?