LinuxQuestions.org
Old 05-21-2003, 01:18 AM   #1
tiduck
Can't ping/ssh my box, Shorewall seems to block all traffic except http / ftp


I'm running Mandrake 9.1 on security level Higher, which seems to bring with it a whole bunch of config headaches. I never had to deal with this because my previous setup was with Mandrake 8.1.

I can access webpages served off my box, as well as FTP in. But I can't SSH in or even get a reply when I ping it! Turning shorewall off doesn't seem to make a difference (maybe I'm missing a step there).

I'm very new to this and after spending many days unsuccessfully Googling for any related info, I would really appreciate it if someone would give me a step-by-step guide on how I should work out what's wrong.

/etc/shorewall/rules currently contains:
ACCEPT net fw tcp for 80, 22, 21

I don't understand why SSH wouldn't work if HTTP and FTP work fine. What other config files should I be looking at?
Old 05-21-2003, 04:46 PM   #2
PhilD

If it helps, I am having the same problem. Everything seems to work except ssh and ping. I am hoping to spend some time playing with it this evening. I will let you know what I find out.

One thing to note, I uninstalled the mdk9.1 rpms and installed shorewall from their tar ball. I did this so I could use their documentation to set up a two interface firewall/router.

If you find the solution before I do please post it.

Thanks,

PhilD

Old 05-21-2003, 04:53 PM   #3
Proud
Maybe try another iptables frontend, like Guarddog.
Old 05-21-2003, 10:46 PM   #4
PhilD
okay tiduck,

I figured out the ssh problem. It is because of the higher security setting. By default, the /etc/hosts.deny includes everyone but the local host. To allow ssh into the box do the following:

Add to /etc/hosts.allow:
sshd : all : allow

This should allow you to ssh into the box. If you want, you can allow only a given IP the ability to ssh. For me this is all I needed to do. I found this by running tail -f on the /var/log/messages file and noticing that shorewall was accepting the ssh, but sshd was rejecting the connection.

As far as the ping goes, I have had no luck. I can ping local from the firewall, and I can ping the net from local, but I can not ping the firewall from local. I will have to work on that some more.

Also, if there are those more knowledgeable on the subject, if I have the policy file as such:
loc net ACCEPT
loc fw ACCEPT

Is there any reason for me to have rules for loc2net or loc2fw? Shouldn't everything be accepted as it is? Or would it be better to deny everything and add rules for every connection I want to allow? Just looking for ideas from those more knowledgeable than I.

Thanks,

PhilD
Old 05-21-2003, 11:08 PM   #5
tiduck
Original Poster
PhilD: Awesome!!! Although I actually had to add "sshd:all allow". Did you add an extra colon by mistake?

Thanks for your help!
Old 05-22-2003, 09:08 AM   #6
PhilD
I may have. I thought I double checked it but that doesn't mean much. Either way, I assume it worked for you too. Now if we could just get the ping to work. Granted, I don't really need it, but it would be nice as a way to do a quick "are you alive" to the firewall.
Old 05-22-2003, 11:25 AM   #7
tiduck
Original Poster
I noticed that shorewall/rules doesn't include any entries for ICMP. Wouldn't that block all pings? I'll have to check it out later.
Old 05-22-2003, 12:22 PM   #8
PhilD
So far, this is my history with the PING!

I have tried all variations with no success. These being:

ACCEPT loc fw icmp 8
ACCEPT loc fw icmp echo-request

I have tried each one alone and both together. The behavior I have seen is as follows.

With neither rule, I see the message rejected - icmp - 8 (summary) by running tail -f on the /var/log/messages file. If I add either or both, this message is not generated. The client side correctly identifies the fw and its IP and sits there. When I ^c it shows 100% failure. As I mentioned before, I can ping from the fw to loc and from loc to net with the following rules.

ACCEPT loc net icmp 8
ACCEPT fw loc icmp 8

Actually, the loc2net may be an echo-request. I am still looking for the correct way to set this up. Let me know what you find.

Thanks,

PhilD
Old 05-22-2003, 12:38 PM   #9
PhilD
Proud,

Thanks for the pointer to Guarddog. It looks like a very useful firewall configuration tool. The only problem is I don't have KDE on this box, and I doubt I have room for it. One of the joys of Linux is setting up minimal hardware for network tasks. Thanks for the hint. I may very well try it if/when I upgrade this box.

PhilD
Old 05-22-2003, 01:06 PM   #10
Proud
Well, I see your problem, but if it helps, you should only need Qt and a few other things, not all of KDE. Guarddog does make creating a detailed firewall much easier for beginners.
Old 05-22-2003, 10:21 PM   #11
PhilD
tiduck,

I found the ping culprit; well, I found it on another unrelated post and thought I should check it out. Here is what I did:

in file: /etc/sysctl.conf
change line: net.ipv4.icmp_echo_ignore_all=1
to: net.ipv4.icmp_echo_ignore_all=0

Then restart the network and shorewall. This, with the icmp 8 rules in shorewall worked. Now to complete the rule set for the firewall.

I still have the question about the rules vs. policies. Why do I need a rule to accept www from loc to net if the policy for loc2net is accept? I know this shouldn't be that difficult, but.... I am sure I will get it sometime.

Thanks for the help!

PhilD
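The three fixes this thread arrived at (the hosts.allow entry for sshd in post #4, and the icmp_echo_ignore_all sysctl plus the icmp 8 shorewall rule in post #11) as an added offline check script. This is not code from the thread or from Shorewall; the file paths are parameters, and the sample files it writes are constructed here to show the before/after states.

```shell
#!/bin/sh
# Added check script (not from this thread). It tests, on copies of the files,
# the three settings the thread found to matter on a Mandrake 9.1 "Higher" box.
# File paths are assumed parameters so the checks run offline.

# 1. tcp_wrappers: hosts.deny blocks everyone, so hosts.allow must grant sshd.
#    Returns 0 if a non-comment line names daemon sshd (or ALL) and has ALL in
#    its client list (accepts both "sshd : all : allow" and "sshd:all allow").
sshd_allowed() {
    sed -e 's/#.*//' "$1" | awk -F: 'NF >= 2 {
        d = tolower($1); gsub(/[ \t]/, "", d)
        n = split(tolower($2), t, "[ \t]+")
        for (i = 1; i <= n; i++)
            if ((d == "sshd" || d == "all") && t[i] == "all") found = 1
    } END { exit found ? 0 : 1 }'
}

# 2. sysctl: the kernel ignores echo requests while icmp_echo_ignore_all=1.
#    Returns 0 if the last setting in the file is 0 (or the key is absent).
icmp_echo_enabled() {
    v=$(sed -e 's/#.*//' "$1" | grep 'net\.ipv4\.icmp_echo_ignore_all' | tail -n 1 \
        | sed -e 's/.*=[ \t]*//' -e 's/[ \t]*$//')
    [ -z "$v" ] || [ "$v" = "0" ]
}

# 3. shorewall rules: ACCEPT of icmp type 8 (or echo-request) from zone $2 to $3.
ping_rule_present() {
    sed -e 's/#.*//' "$1" | awk -v s="$2" -v d="$3" '
        toupper($1) == "ACCEPT" && $2 == s && $3 == d && tolower($4) == "icmp" &&
        ($5 == "8" || tolower($5) == "echo-request") { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Constructed sample files mirroring the before/after states in the thread;
# prints the directory they were written to.
make_samples() {
    dir=$(mktemp -d)
    printf '# nothing granted yet\n' > "$dir/hosts.allow.before"
    printf 'sshd : all : allow\n' > "$dir/hosts.allow.after"
    printf 'sshd:all allow\n' > "$dir/hosts.allow.tiduck"
    printf 'net.ipv4.icmp_echo_ignore_all = 1\n' > "$dir/sysctl.before"
    printf 'net.ipv4.icmp_echo_ignore_all=0\n' > "$dir/sysctl.after"
    printf 'ACCEPT net fw tcp 80,22,21\n' > "$dir/rules.before"
    printf 'ACCEPT net fw tcp 80,22,21\nACCEPT loc fw icmp 8\n' > "$dir/rules.after"
    echo "$dir"
}
```

Run each check against the real /etc/hosts.allow, /etc/sysctl.conf and /etc/shorewall/rules (or copies of them) to see which of the three is still blocking ssh or ping.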