LinuxQuestions.org
Old 03-22-2006, 12:10 PM   #1
mad_mike018
LQ Newbie
 
Registered: Mar 2006
Posts: 2

Rep: Reputation: 0
Question Cannot Ping Linux Root Server


Hi all,

First of all, a big hello to you all because I am new to the forums!

I currently have a root server from fasthosts and I cannot seem to ping my IP Address. The server is there and running as I can join the gameserver that is on it. I know this has something to do with IP Tables but I have tried everything I can think of or recommended to do via various tutorials.

I was wondering if you could take a look at my firewall file and tell me where I am going wrong because I am almost going blind by looking at it as I have been looking at it for hours lol.

Below is my firewall file from /etc/sysconfig (thanks so much in advance for any help!)

Regards
Mike

P.S I have tried changing # Drop ICMP echo request messages sent to multicast or broadcast addresses
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts from 1 to 0 but this made no difference.

Also when checking /proc/sys/net/ipv4/*.* all files are 0 bytes?

Code:
#!/bin/sh

#fix for passive ftp connection tracking
/sbin/modprobe ip_conntrack_ftp

# Drop ICMP echo request messages sent to multicast or broadcast addresses
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Drop source routed packets
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route

# Enable TCP SYN cookie (DoS) protection
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

# Don't accept ICMP redirect messages
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects

# Don't send ICMP redirect messages
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects

# Enable source address spoofing protection
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter

# Log packets with crazy source addresses
#echo 1 > /proc/sys/net/ipv4/conf/all/log_martians

# Flush all chains
/sbin/iptables --flush

# Allow all loopback traffic
/sbin/iptables -A INPUT  -i lo -j ACCEPT
/sbin/iptables -A OUTPUT -o lo -j ACCEPT

# Set default policies to drop all traffic
/sbin/iptables --policy INPUT   DROP
#/sbin/iptables --policy OUTPUT  DROP
/sbin/iptables --policy FORWARD DROP

# Allow previously initiated and accepted exchanges to bypass rule checking 
# Allow all outbound traffic
/sbin/iptables -A INPUT  -m state --state ESTABLISHED,RELATED     -j ACCEPT
/sbin/iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# PING 
/sbin/iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

# Allow incoming port 22 (ssh) traffic
/sbin/iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT

# Allow incoming port 80 and 443 (http/s) traffic
/sbin/iptables -A INPUT -p tcp --dport 80  -m state --state NEW -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 443 -m state --state NEW -j ACCEPT

# Allow incoming port 53 (udp/tcp) dns traffic
/sbin/iptables -A INPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT

# Allow incoming port 69 (udp/tcp) TFTP traffic
/sbin/iptables -A INPUT -p udp --dport 69 -m state --state NEW -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 69 -m state --state NEW -j ACCEPT


# Allow incoming port 25 (tcp) SMTP traffic
/sbin/iptables -A INPUT -p tcp --dport 25 -m state --state NEW -j ACCEPT

# Allow incoming port 110 (tcp) POP3 traffic
/sbin/iptables -A INPUT -p tcp --dport 110 -m state --state NEW -j ACCEPT

# Allow incoming port 123 (udp) NTP traffic
/sbin/iptables -A INPUT -p udp --dport 123 -m state --state NEW -j ACCEPT

# Allow incoming ports 20 and 21 (tcp) FTP traffic
/sbin/iptables -A INPUT -p tcp --dport 20 -m state --state NEW -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 21 -m state --state NEW -j ACCEPT

# Allow incoming port 3306 (udp/tcp) MySQL traffic
/sbin/iptables -A INPUT -p tcp --dport 3306 -m state --state NEW -j ACCEPT
/sbin/iptables -A INPUT -p udp --dport 3306 -m state --state NEW -j ACCEPT

# Allow incoming port 5555 (tcp) MatrixSA traffic
/sbin/iptables -A INPUT -p tcp --dport 5555 -m state --state NEW -j ACCEPT

# Allow incoming port 8002/9001 (tcp) traffic for initial listeners
/sbin/iptables -A INPUT -p tcp --dport 8002 -m state --state NEW -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 9001 -m state --state NEW -j ACCEPT

# Teamspeak
/sbin/iptables -A INPUT -p tcp --dport 14534 -m state --state NEW -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 51234 -m state --state NEW -j ACCEPT
/sbin/iptables -A INPUT -p udp --dport 8767 -m state --state NEW -j ACCEPT
/sbin/iptables -A INPUT -p udp --dport 8768 -m state --state NEW -j ACCEPT

# SQL Server
/sbin/iptables -A INPUT -p tcp --dport 1433 -m state --state NEW -j ACCEPT

# COD2
/sbin/iptables -A INPUT -p udp --dport 20500 -m state --state NEW -j ACCEPT
/sbin/iptables -A INPUT -p udp --dport 20510 -m state --state NEW -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 28960 -m state --state NEW -j ACCEPT
/sbin/iptables -A INPUT -p udp --dport 28960 -m state --state NEW -j ACCEPT
/sbin/iptables -A INPUT -p udp --dport 20600 -m state --state NEW -j ACCEPT
/sbin/iptables -A INPUT -p udp --dport 20610 -m state --state NEW -j ACCEPT

# GAMESPY
/sbin/iptables -A INPUT -p tcp --dport 13139 -m state --state NEW -j ACCEPT
/sbin/iptables -A INPUT -p udp --dport 13139 -m state --state NEW -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 27900 -m state --state NEW -j ACCEPT
/sbin/iptables -A INPUT -p udp --dport 27900 -m state --state NEW -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 28900 -m state --state NEW -j ACCEPT
/sbin/iptables -A INPUT -p udp --dport 28900 -m state --state NEW -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 29900 -m state --state NEW -j ACCEPT
/sbin/iptables -A INPUT -p udp --dport 29900 -m state --state NEW -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 29901 -m state --state NEW -j ACCEPT
/sbin/iptables -A INPUT -p udp --dport 29901 -m state --state NEW -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 6500 -m state --state NEW -j ACCEPT
/sbin/iptables -A INPUT -p udp --dport 6500 -m state --state NEW -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 6515 -m state --state NEW -j ACCEPT
/sbin/iptables -A INPUT -p udp --dport 6515 -m state --state NEW -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 3783 -m state --state NEW -j ACCEPT
/sbin/iptables -A INPUT -p udp --dport 3783 -m state --state NEW -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 6667 -m state --state NEW -j ACCEPT
/sbin/iptables -A INPUT -p udp --dport 6667 -m state --state NEW -j ACCEPT

# Drop all other inbound traffic
/sbin/iptables -A INPUT -j DROP

# Save these rules so they are initiated when iptables is started
/sbin/service iptables save
 
Old 03-22-2006, 12:32 PM   #2
Darin
Senior Member
 
Registered: Jan 2003
Location: Portland, OR USA
Distribution: Slackware, SLAX, Gentoo, RH/Fedora
Posts: 1,024

Rep: Reputation: 45
Quote:
Originally Posted by mad_mike018
...I currently have a root server from fasthosts and I cannot seem to ping my IP Address....
Are you certain that ICMP isn't being firewalled upstream from your system (by the provider)?
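
One way to answer that question from the server side, as an added example that is not part of the original thread: read the packet counter on the echo-request ACCEPT rule before and after pinging from outside. The listing text and the helper names (`sample_listing`, `echo_request_pkts`, `diagnose`) are constructed for illustration.

```shell
#!/bin/sh
# Added example; listing and helper names are constructed for illustration.

# Constructed sample of `iptables -L INPUT -v -n -x` output. $1 is the packet
# counter to show on the echo-request rule.
sample_listing() {
    cat <<EOF
Chain INPUT (policy DROP 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      12        840 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
     340      51234 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
      $1          0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 8
       3        180 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22 state NEW
EOF
}

# Sum the packet counters of ACCEPT rules matching ICMP echo-request (type 8).
# Reads a listing on stdin; the match text is "icmp type 8" or "icmptype 8"
# depending on the iptables version.
echo_request_pkts() {
    awk '$3 == "ACCEPT" && /icmp ?type 8([^0-9]|$)/ { n += $1 }
         END { print n + 0 }'
}

# Compare readings taken before and after pinging the server from outside.
diagnose() {
    before=$1; after=$2
    if [ "$after" -gt "$before" ]; then
        echo "local-ok"       # requests reach INPUT and are accepted here
    else
        echo "not-arriving"   # nothing hit the rule: dropped before INPUT
    fi
}

# On a live host (as root) each reading would come from:
#   /sbin/iptables -L INPUT -v -n -x | echo_request_pkts
first=$(sample_listing 0 | echo_request_pkts)
second=$(sample_listing 0 | echo_request_pkts)
diagnose "$first" "$second"
```

A counter that stays at 0 while an outside host pings means the requests never reach the INPUT chain, which points at filtering upstream of the server rather than at the local rule set.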
 
Old 03-22-2006, 12:45 PM   #3
mad_mike018
LQ Newbie
 
Registered: Mar 2006
Posts: 2

Original Poster
Rep: Reputation: 0
Great, just got this from tech support:-

Thank you for your email.

Unfortunately it is not possible for anyone to ping our servers. This is because of repeated Denial of Service attacks attempted on our systems. You should however find the hostname will resolve to an IP Address.

If you have any further issues, please email us.


Well that's just great... I'm trying to use MySQL administrator from my local PC and it won't connect because it can't ping or see the server :S
 
Old 03-22-2006, 12:53 PM   #4
Darin
Senior Member
 
Registered: Jan 2003
Location: Portland, OR USA
Distribution: Slackware, SLAX, Gentoo, RH/Fedora
Posts: 1,024

Rep: Reputation: 45
It's possible that the provider has a default deny policy. If this is the case you would need to specify in a request any ports you need access to, including whatever port SQL administration is done on. There are many production systems that have ICMP (Pings) blocked that are still accessible for whatever services are required (try to ping microsoft.com, doesn't mean their site is down.) If MySQL requires a ping to succeed in order to connect, I'm quite sure it is an option that can be turned off.
 
  

