LinuxQuestions.org
Old 03-19-2007, 03:04 PM   #16
ejan
Member
 
Registered: Mar 2007
Location: Rochester Hills, MI, USA
Distribution: Mandriva 2007, CentOS 5, Debian 4.0
Posts: 38

Original Poster
Rep: Reputation: 15

Here's the output of the iptables -L command:

Code:
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Ifw all -- anywhere anywhere
eth0_in all -- anywhere anywhere
vmnet1_in all -- anywhere anywhere
vmnet8_in all -- anywhere anywhere
Reject all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level info prefix `Shorewall:INPUT:REJECT:'
reject all -- anywhere anywhere

Chain FORWARD (policy DROP)
target prot opt source destination
eth0_fwd all -- anywhere anywhere
vmnet1_fwd all -- anywhere anywhere
vmnet8_fwd all -- anywhere anywhere
Reject all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level info prefix `Shorewall:FORWARD:REJECT:'
reject all -- anywhere anywhere

Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
fw2net all -- anywhere anywhere policy match dir out pol none
fw2loc all -- anywhere anywhere policy match dir out pol none
fw2loc all -- anywhere anywhere policy match dir out pol none
Reject all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level info prefix `Shorewall:OUTPUT:REJECT:'
reject all -- anywhere anywhere

Chain Drop (1 references)
target prot opt source destination
reject tcp -- anywhere anywhere tcp dpt:auth
dropBcast all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp fragmentation-needed
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
dropInvalid all -- anywhere anywhere
DROP udp -- anywhere anywhere multiport dports 135,microsoft-ds
DROP udp -- anywhere anywhere udp dpts:netbios-ns:netbios-ssn
DROP udp -- anywhere anywhere udp spt:netbios-ns dpts:1024:65535
DROP tcp -- anywhere anywhere multiport dports 135,netbios-ssn,microsoft-ds
DROP udp -- anywhere anywhere udp dpt:1900
dropNotSyn tcp -- anywhere anywhere
DROP udp -- anywhere anywhere udp spt:domain

Chain Ifw (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere set ifw_wl src
DROP all -- anywhere anywhere set ifw_bl src
IFWLOG all -- anywhere anywhere state INVALID,NEW psd weight-threshold: 10 delay-threshold: 10000 lo-ports-weight: 2 hi-ports-weight: 1 IFWLOG prefix 'SCAN'
IFWLOG udp -- anywhere anywhere state NEW udp dpt:netbios-ns IFWLOG prefix 'NEW'
IFWLOG udp -- anywhere anywhere state NEW udp dpt:netbios-dgm IFWLOG prefix 'NEW'
IFWLOG udp -- anywhere anywhere state NEW udp dpt:netbios-ssn IFWLOG prefix 'NEW'
IFWLOG udp -- anywhere anywhere state NEW udp dpt:microsoft-ds IFWLOG prefix 'NEW'
IFWLOG udp -- anywhere anywhere state NEW multiport dports 1024:1100 IFWLOG prefix 'NEW'
IFWLOG tcp -- anywhere anywhere state NEW tcp dpt:netbios-ns IFWLOG prefix 'NEW'
IFWLOG tcp -- anywhere anywhere state NEW tcp dpt:netbios-dgm IFWLOG prefix 'NEW'
IFWLOG tcp -- anywhere anywhere state NEW tcp dpt:netbios-ssn IFWLOG prefix 'NEW'
IFWLOG tcp -- anywhere anywhere state NEW tcp dpt:microsoft-ds IFWLOG prefix 'NEW'
IFWLOG tcp -- anywhere anywhere state NEW multiport dports 1024:1100 IFWLOG prefix 'NEW'
IFWLOG tcp -- anywhere anywhere state NEW multiport dports torrent:6999 IFWLOG prefix 'NEW'
IFWLOG tcp -- anywhere anywhere state NEW tcp dpt:135 IFWLOG prefix 'NEW'

Chain Reject (4 references)
target prot opt source destination
reject tcp -- anywhere anywhere tcp dpt:auth
dropBcast all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp fragmentation-needed
ACCEPT icmp -- anywhere anywhere icmp time-exceeded
dropInvalid all -- anywhere anywhere
reject udp -- anywhere anywhere multiport dports 135,microsoft-ds
reject udp -- anywhere anywhere udp dpts:netbios-ns:netbios-ssn
reject udp -- anywhere anywhere udp spt:netbios-ns dpts:1024:65535
reject tcp -- anywhere anywhere multiport dports 135,netbios-ssn,microsoft-ds
DROP udp -- anywhere anywhere udp dpt:1900
dropNotSyn tcp -- anywhere anywhere
DROP udp -- anywhere anywhere udp spt:domain

Chain all2all (0 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
Reject all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level info prefix `Shorewall:all2all:REJECT:'
reject all -- anywhere anywhere

Chain dropBcast (2 references)
target prot opt source destination
DROP all -- anywhere anywhere PKTTYPE = broadcast
DROP all -- anywhere anywhere PKTTYPE = multicast

Chain dropInvalid (2 references)
target prot opt source destination
DROP all -- anywhere anywhere state INVALID

Chain dropNotSyn (2 references)
target prot opt source destination
DROP tcp -- anywhere anywhere tcp flags:!FIN,SYN,RST,ACK/SYN

Chain dynamic (6 references)
target prot opt source destination

Chain eth0_fwd (1 references)
target prot opt source destination
dynamic all -- anywhere anywhere state INVALID,NEW
net2all all -- anywhere anywhere policy match dir out pol none
net2all all -- anywhere anywhere policy match dir out pol none

Chain eth0_in (1 references)
target prot opt source destination
dynamic all -- anywhere anywhere state INVALID,NEW
net2fw all -- anywhere anywhere policy match dir in pol none

Chain fw2loc (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere

Chain fw2net (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere

Chain loc2fw (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere

Chain loc2net (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere

Chain logdrop (0 references)
target prot opt source destination
LOG all -- anywhere anywhere LOG level info prefix `Shorewall:logdrop:DROP:'
DROP all -- anywhere anywhere

Chain logreject (0 references)
target prot opt source destination
LOG all -- anywhere anywhere LOG level info prefix `Shorewall:logreject:REJECT:'
reject all -- anywhere anywhere

Chain net2all (3 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
Drop all -- anywhere anywhere
LOG all -- anywhere anywhere LOG level info prefix `Shorewall:net2all:DROP:'
DROP all -- anywhere anywhere

Chain net2fw (1 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT udp -- anywhere anywhere multiport dports netbios-ns,netbios-dgm,netbios-ssn,microsoft-ds,1024:1100
ACCEPT tcp -- anywhere anywhere multiport dports netbios-ns,netbios-dgm,netbios-ssn,microsoft-ds,1024:1100,torrent:6999,135
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT icmp -- anywhere anywhere icmp echo-request
net2all all -- anywhere anywhere

Chain reject (11 references)
target prot opt source destination
DROP all -- 255.255.255.255 anywhere
DROP all -- base-address.mcast.net/4 anywhere
DROP all -- anywhere anywhere PKTTYPE = broadcast
DROP all -- anywhere anywhere PKTTYPE = multicast
DROP all -- 255.255.255.255 anywhere
DROP all -- base-address.mcast.net/4 anywhere
REJECT tcp -- anywhere anywhere reject-with tcp-reset
REJECT udp -- anywhere anywhere reject-with icmp-port-unreachable
REJECT icmp -- anywhere anywhere reject-with icmp-host-unreachable
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

Chain shorewall (0 references)
target prot opt source destination

Chain smurfs (0 references)
target prot opt source destination
LOG all -- 192.168.0.255 anywhere LOG level info prefix `Shorewall:smurfs:DROP:'
DROP all -- 192.168.0.255 anywhere
LOG all -- 172.16.176.255 anywhere LOG level info prefix `Shorewall:smurfs:DROP:'
DROP all -- 172.16.176.255 anywhere
LOG all -- 172.16.252.255 anywhere LOG level info prefix `Shorewall:smurfs:DROP:'
DROP all -- 172.16.252.255 anywhere
LOG all -- 255.255.255.255 anywhere LOG level info prefix `Shorewall:smurfs:DROP:'
DROP all -- 255.255.255.255 anywhere
LOG all -- base-address.mcast.net/4 anywhere LOG level info prefix `Shorewall:smurfs:DROP:'
DROP all -- base-address.mcast.net/4 anywhere

Chain vmnet1_fwd (1 references)
target prot opt source destination
dynamic all -- anywhere anywhere state INVALID,NEW
loc2net all -- anywhere anywhere policy match dir out pol none
ACCEPT all -- anywhere anywhere policy match dir out pol none

Chain vmnet1_in (1 references)
target prot opt source destination
dynamic all -- anywhere anywhere state INVALID,NEW
loc2fw all -- anywhere anywhere policy match dir in pol none

Chain vmnet8_fwd (1 references)
target prot opt source destination
dynamic all -- anywhere anywhere state INVALID,NEW
loc2net all -- anywhere anywhere policy match dir out pol none
ACCEPT all -- anywhere anywhere policy match dir out pol none

Chain vmnet8_in (1 references)
target prot opt source destination
dynamic all -- anywhere anywhere state INVALID,NEW
loc2fw all -- anywhere anywhere policy match dir in pol none
 
Old 03-19-2007, 03:13 PM   #17
ejan
Member
 
Registered: Mar 2007
Location: Rochester Hills, MI, USA
Distribution: Mandriva 2007, CentOS 5, Debian 4.0
Posts: 38

Original Poster
Rep: Reputation: 15
Mandriva Free Uses Shorewall

Quote:
Originally Posted by cgjones
Do you know how Mandriva is setting up the firewall? It looks like they use Shorewall, but they also mention the new Invictus firewall. Although I don't think Invictus would come with the free version, unless you installed it later.
Mandriva Free uses the Shorewall firewall. This is the firewall that is bundled with the free version -- the version I am running.

All configuration related to the firewall is stored at /etc/shorewall/.
 
Old 03-19-2007, 04:45 PM   #18
cgjones
Member
 
Registered: Nov 2005
Location: Central New York
Distribution: Ubuntu
Posts: 405

Rep: Reputation: 30
Here is something we can try. Enable the firewall with whatever the default settings might be, or whatever they are when you are getting this error. It shouldn't really matter which. Now open a terminal and run the following command as root.
Code:
tail -n 0 -f /var/log/messages
While that is running, try browsing the network. Once you get the error, post the output of the previous command here.
 
Old 03-23-2007, 01:39 PM   #19
ejan
Member
 
Registered: Mar 2007
Location: Rochester Hills, MI, USA
Distribution: Mandriva 2007, CentOS 5, Debian 4.0
Posts: 38

Original Poster
Rep: Reputation: 15
I ran the command you specified and let it continue running while I tried to browse the LAN using Konqueror. As usual, Konqueror threw the same old message that it couldn't browse the LAN. But the tail command didn't reveal anything.

However, I was able to manually find several messages similar to the following one in /var/log/messages:

Quote:
Mar 23 22:15:23 ejan kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:50:8b:fb:f7:fd:00:02:b3:cd:d7:95:08:00 SRC=192.168.0.77 DST=192.168.0.81 LEN=68 TOS=0x00 PREC=0x00 TTL=128 ID=531 PROTO=UDP SPT=1112 DPT=161 LEN=48
Currently I am reading the Shorewall documentation from http://www.shorewall.net/. But so far I've not been able to find anything useful regarding this issue.

I guess if we can somehow figure out the processing cycle of Konqueror for fetching the list of hosts from the LAN, we might be able to configure the firewall accordingly. I think Konqueror not only sends packets to the network to query the list of available hosts but also relies on the network hosts to send it acknowledgement/response packets. And most probably it is these response packets that are blocked by the firewall. And, thus, Konqueror fails to browse the LAN.

What do you say?
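The entry quoted in this post is a drop of a UDP/161 (SNMP) probe from 192.168.0.77 to the Linux box; that is not SMB traffic, so by itself it says nothing about the browsing failure. To find the entries that do matter, the Shorewall lines have to be pulled out of /var/log/messages and grouped by chain, disposition and port. The Python script below, added here as an example and not taken from the thread, does that. Its sample log is constructed: the first line is the one quoted in the post (with the forum's smiley damage to ":DROP:" repaired), the remaining lines are hypothetical entries of the kind a NetBIOS browse would produce on the ruleset in post #16, and the port-based labels in classify() are my own assumptions.

```python
import re
from collections import Counter

# Shorewall's LOG prefix is "Shorewall:<chain>:<disposition>:", followed by the
# kernel LOG target's key=value fields (TCP flag words such as SYN appear bare).
SHOREWALL_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"Shorewall:(?P<chain>[^:]+):(?P<disp>[^:]+):(?P<rest>.*)$"
)

# Constructed sample log. Line 1 is the entry quoted in the post; lines 2-4 are
# hypothetical (addresses 192.168.0.3/.9 and port 32771 are assumed); line 5 is
# an unrelated kernel message that must be ignored.
SAMPLE_LOG = """\
Mar 23 22:15:23 ejan kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:50:8b:fb:f7:fd:00:02:b3:cd:d7:95:08:00 SRC=192.168.0.77 DST=192.168.0.81 LEN=68 TOS=0x00 PREC=0x00 TTL=128 ID=531 PROTO=UDP SPT=1112 DPT=161 LEN=48
Mar 23 22:16:02 ejan kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:50:8b:fb:f7:fd:00:0c:29:11:22:33:08:00 SRC=192.168.0.3 DST=192.168.0.81 LEN=90 TOS=0x00 PREC=0x00 TTL=128 ID=532 PROTO=UDP SPT=137 DPT=32771 LEN=70
Mar 23 22:16:02 ejan kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:50:8b:fb:f7:fd:00:0c:29:44:55:66:08:00 SRC=192.168.0.9 DST=192.168.0.81 LEN=90 TOS=0x00 PREC=0x00 TTL=128 ID=533 PROTO=UDP SPT=137 DPT=32771 LEN=70
Mar 23 22:16:09 ejan kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:50:8b:fb:f7:fd:00:02:b3:cd:d7:95:08:00 SRC=192.168.0.77 DST=192.168.0.81 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=700 PROTO=TCP SPT=4411 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Mar 23 22:16:10 ejan kernel: usb 1-1: new full speed USB device using uhci_hcd
"""

NETBIOS_PORTS = {137: "netbios-ns", 138: "netbios-dgm", 139: "netbios-ssn", 445: "microsoft-ds"}


def parse_line(line):
    """Return a dict for a Shorewall log line, or None for anything else."""
    m = SHOREWALL_RE.match(line)
    if not m:
        return None
    rec = {"ts": m.group("ts"), "chain": m.group("chain"),
           "disp": m.group("disp"), "flags": []}
    for tok in m.group("rest").split():
        key, eq, val = tok.partition("=")
        if not eq:
            rec["flags"].append(key)      # bare TCP flag words: SYN, ACK, ...
        elif key not in rec:              # LEN appears twice; keep the IP-header one
            rec[key] = val
    for k in ("SPT", "DPT"):
        if k in rec:
            rec[k] = int(rec[k])
    return rec


def classify(rec):
    """Label a logged packet from the SMB-browsing point of view (assumed labels)."""
    proto, spt, dpt = rec.get("PROTO"), rec.get("SPT"), rec.get("DPT")
    if proto == "UDP" and spt == 137 and dpt is not None and dpt >= 1024:
        # A name-service answer to a broadcast query comes back unicast from the
        # answering host, so connection tracking does not see it as a reply.
        return "netbios-ns reply to a broadcast name query (NEW to conntrack)"
    if dpt in NETBIOS_PORTS:
        return "inbound %s/%s" % (NETBIOS_PORTS[dpt], proto.lower())
    if proto == "UDP" and dpt == 161:
        return "snmp probe (not SMB)"
    return "other"


def summarize(log_text):
    """Parse every Shorewall line and count (chain, disposition, label) triples."""
    recs = [r for r in map(parse_line, log_text.splitlines()) if r]
    counts = Counter((r["chain"], r["disp"], classify(r)) for r in recs)
    return recs, counts


if __name__ == "__main__":
    records, counts = summarize(SAMPLE_LOG)
    for key, n in counts.most_common():
        print("%4d  %s:%s  %s" % (n, *key))
```

Run it against the real file with something like `summarize(open("/var/log/messages").read())`; the triples whose label mentions netbios-ns replies are the ones a firewall rule has to address, while a "snmp probe" line is just background noise from the shared network.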
 
Old 03-23-2007, 05:41 PM   #20
ejan
Member
 
Registered: Mar 2007
Location: Rochester Hills, MI, USA
Distribution: Mandriva 2007, CentOS 5, Debian 4.0
Posts: 38

Original Poster
Rep: Reputation: 15
I tried several configurations suggested at http://www.shorewall.net/ but they didn't work. Honestly, from what I see in the shorewall configuration files on my system (/etc/shorewall/zones,interfaces,hosts,and rules) I am sure that I should be able to browse the LAN. I don't however.

Today I decided to give LISA a chance too. So I configured it using the KDE Control Center by specifying values for various IP addresses that it requires. And it enabled me to browse the LAN, through the LISA interface though.

So what happens now is that if I try to browse the LAN using smb:/ in the Konqueror location bar, I see the error message "Unable to find any workgroups in your local network. This might be caused by an enabled firewall." as before. However, when I try to browse the LAN using lan:/ in the Konqueror location bar, it shows a list of IP addresses representing available hosts on the LAN. This way I am able to browse the LAN, finally. So far so good.

There is a bit of confusion though which is as follows. Typing lan:/ in the Konqueror bar lists IPs of available hosts and value of lan:/ changes to lan:/localhost (this is because in the current config my system is a LISA server). Double-clicking any of the IPs opens a folder named SMB (this indicates that this specific host has Windows File Sharing available). Konqueror location bar now reads lan://localhost/192.168.0.3. Double-clicking the SMB folder reveals all of the folders that are being shared by the host. Here's the interesting thing: at this point the Konqueror location bar reads smb://192.168.0.3/!

To summarize:
* Trying smb:/ fails with an error message.
* Trying lan:/ lists available hosts on the LAN.
* Following hosts from the lan:/ folder opens shares with location bar reading smb://<host-ip>
* Trying smb://<host-ip> directly works as well.

So now my questions are these:
* Why can't I browse using smb:/
* Why do I see only the IP addresses instead of host names when I browse using lan:/
 
Old 03-23-2007, 09:05 PM   #21
cgjones
Member
 
Registered: Nov 2005
Location: Central New York
Distribution: Ubuntu
Posts: 405

Rep: Reputation: 30
The fact that no errors were logged makes me think it isn't firewall related, but that certainly doesn't help to explain why it works when the firewall is off but not when it is on.
 
Old 03-24-2007, 01:16 PM   #22
ejan
Member
 
Registered: Mar 2007
Location: Rochester Hills, MI, USA
Distribution: Mandriva 2007, CentOS 5, Debian 4.0
Posts: 38

Original Poster
Rep: Reputation: 15
By the way, the same issue exists in SUSE 10.2 as well. Actually I've a small lab with four computers at my home. I configured one of my PCs running SUSE 10.2 with the built-in firewall and it experienced the same issue as my Mandriva 2007 box.

Anyways, at least now I can browse the LAN using lan:/ ioslave. Thank you very much for your help on the issue.

Can you please tell me how I can get Konqueror to display host names rather than their IP addresses when browsing the LAN using the lan:/ ioslave? By the way, my LAN server doesn't appear to be running a DNS server and I cannot manually populate the /etc/hosts file with host names and their IPs, of course. Is there any other solution to this problem? After all, Konqueror is able to display host names when I browse the LAN using smb:/ (though this doesn't work when the firewall is enabled).
 
Old 03-24-2007, 01:43 PM   #23
cgjones
Member
 
Registered: Nov 2005
Location: Central New York
Distribution: Ubuntu
Posts: 405

Rep: Reputation: 30
Quote:
Originally Posted by ejan
I cannot manually populate the /etc/hosts file with host names and their IPs, of course.
Why not?

How is your network set up? What OS's, how are they connected, etc.
 
Old 03-24-2007, 02:05 PM   #24
ejan
Member
 
Registered: Mar 2007
Location: Rochester Hills, MI, USA
Distribution: Mandriva 2007, CentOS 5, Debian 4.0
Posts: 38

Original Poster
Rep: Reputation: 15
I am connected to a Windows-based network with a little more than a hundred hosts. The server is running Windows 2000 server OS. My ISP (the person who owns the n/w) has provided me a LAN cable which I've plugged into my own switch. I then connect all of my PCs to the same switch. This is how my n/w is setup, briefly.

Here are some points of interest:
1) The n/w is not under my control.
2) I control only the four PCs in my own lab not any on the n/w.
3) IPs of hosts may change over time (this is why populating the /etc/hosts file would become fruitless over time).
4) When browsing the n/w using smb:/ host names are displayed not IPs (In this case I must disable the builtin firewall or it won't work).
5) When browsing the n/w using lan:/ IPs are displayed not host names.
6) When browsing the n/w from Windows XP, host names are displayed not IPs.

So this is how things are on my n/w.

Last edited by ejan; 03-24-2007 at 02:09 PM.
 
Old 03-24-2007, 02:17 PM   #25
cgjones
Member
 
Registered: Nov 2005
Location: Central New York
Distribution: Ubuntu
Posts: 405

Rep: Reputation: 30
If I remember correctly, you are not running Samba?

If that is the case, you might want to try running Samba, but not share anything unless you want to. Running Samba (smbd) should take care of the name/IP issue. Specifically Samba's nmbd daemon, which handles NetBIOS name resolution. I actually have never run a system on a predominantly Windows network without running Samba. Running Samba might also take care of your original issue, as long as the correct ports are opened through the firewall.
 
Old 03-24-2007, 02:31 PM   #26
ejan
Member
 
Registered: Mar 2007
Location: Rochester Hills, MI, USA
Distribution: Mandriva 2007, CentOS 5, Debian 4.0
Posts: 38

Original Poster
Rep: Reputation: 15
Even though I don't have Samba installed, I've all the ports used by it (Windows File Sharing ports) opened. But even with this configuration, Konqueror was not able to browse the LAN while the firewall was running.

Although I don't know how to configure Samba yet, I will install it with the default configuration and see if this can resolve the issue. Frankly, I don't think it will do me any good. Because using smb:/ with the firewall enabled won't let Konqueror browse the LAN and using lan:/ will always translate into something like smb://192.168.0.94 in the end. Nevertheless, I am going to try things as you've suggested and come back with results.
 
Old 03-30-2007, 07:56 AM   #27
ejan
Member
 
Registered: Mar 2007
Location: Rochester Hills, MI, USA
Distribution: Mandriva 2007, CentOS 5, Debian 4.0
Posts: 38

Original Poster
Rep: Reputation: 15
Hi,

I installed Samba and Swat to check if installing Samba will do any of the following:
  • Allow me to browse LAN using smb:/ ioslave while shorewall is enabled
  • Display host names instead of IP addresses when browsing LAN using lan:/ ioslave (shorewall has no effect on this one)

Unfortunately, it didn't solve any of the issues. I don't think it is meant to tackle these issues either. Anyway, after installing Samba and Swat, being able to log in to Swat proved to be a tough exercise. You can review my post on this.

And now, suddenly, Gaim won't work! Maybe you want to check my post on Gaim here if you've Gaim experience.

It seems that I always have at least one issue with my Mandriva box at all times to deal with. But it won't get me down as long as such a useful community is there to help out.

Thanks.
 
Old 03-30-2007, 10:04 PM   #28
cgjones
Member
 
Registered: Nov 2005
Location: Central New York
Distribution: Ubuntu
Posts: 405

Rep: Reputation: 30
I wasn't positive that Samba would help, but at this point, I felt that it would be worth a try. One thing you could try would be to download a live CD, such as KNOPPIX or DSL, and see if you run into the same problems.

I checked your other two posts. If I understand correctly, the SWAT issue is fixed? I don't have much experience with GAIM or proxy servers.
 
Old 03-31-2007, 02:24 PM   #29
ejan
Member
 
Registered: Mar 2007
Location: Rochester Hills, MI, USA
Distribution: Mandriva 2007, CentOS 5, Debian 4.0
Posts: 38

Original Poster
Rep: Reputation: 15
Actually the version of Swat packaged with Mandriva 2007 Free is broken. The problem was solved, however, after modifying the /etc/pam.d/samba file.

I installed Ubuntu 6.06 LTS on one of my systems to check if Gaim would work or not. Well, it didn't. So I can surely say that the new installation on my ISP's server has something that's not allowing Gaim to connect through the SOCKS4 proxy on port 1080, but it is allowing connections from Windows on the same port. Strange, I'd say.

As far as that smb:/ issue is concerned, I checked that on SUSE 10.2 as well. It behaved the same as Mandriva 2007. Konqueror failed to browse the LAN when the SUSE built-in firewall was enabled; otherwise it worked. I guess it might be by design. Anyway, using lan:/ is okay although a bit inconvenient.

Thanks cgjones for your continuous help.
 
Old 03-31-2007, 08:30 PM   #30
auxsvr
Member
 
Registered: Dec 2006
Distribution: openSUSE 10.3
Posts: 260

Rep: Reputation: 30
I think the problem might be that Konqueror uses nmblookup, which sends broadcast packets to locate the hosts, which are filtered by the firewall. There exists a rule in Shorewall to avoid this, although it doesn't work for me (behind routers it doesn't work anyway), so this is what I did on openSUSE 10.2: enable LISa and in Configure Desktop (KDE Control Center)/Local network browsing check the "send pings" option and, if possible, add the IP addresses of the hosts there.
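The mechanism behind auxsvr's explanation can be seen in the packets themselves. The name query nmblookup (and libsmbclient behind smb:/) sends goes to the broadcast address, 192.168.0.255 port 137, from an ephemeral source port (nmblookup only binds port 137 when given -r). Every host that answers replies from its own unicast address. Connection tracking treats a packet as ESTABLISHED only when its address/port 4-tuple is the exact reverse of one it has already seen, and the reverse of a query addressed to 192.168.0.255 names 192.168.0.255 as the source, so each unicast reply is classified NEW. On the ruleset in post #16 the broadcast itself leaves freely (fw2net accepts everything), but NEW inbound UDP is accepted by net2fw only for ports 137-139, 445 and 1024:1100, so a reply to an ephemeral port above 1100 falls through to net2all and is dropped; the kernel's nf_conntrack_netbios_ns helper exists precisely to register expectations for these replies. The Python below, added as an example and not part of the thread, builds the __MSBROWSE__<01> workgroup query and a host's reply in the RFC 1001/1002 wire format, parses the reply, and models the tuple check. 192.168.0.81 and 192.168.0.3 are addresses from the thread; the ephemeral port 32771 and the transaction id are assumptions.

```python
import struct
import ipaddress

NBNS_PORT = 137


def nb_encode(raw16: bytes) -> str:
    """First-level encoding (RFC 1001 14.1): each nibble becomes 'A' + nibble."""
    if len(raw16) != 16:
        raise ValueError("a NetBIOS name is exactly 16 bytes before encoding")
    return "".join(chr(0x41 + (b >> 4)) + chr(0x41 + (b & 0x0F)) for b in raw16)


def nb_decode(enc: str) -> bytes:
    """Inverse of nb_encode."""
    pairs = zip(enc[0::2], enc[1::2])
    return bytes(((ord(h) - 0x41) << 4) | (ord(l) - 0x41) for h, l in pairs)


def nb_label(name: bytes, suffix: int, pad: bytes = b" ") -> bytes:
    """Pad to 15 bytes, append the type suffix, encode, wrap as one DNS label."""
    raw = name[:15].ljust(15, pad) + bytes([suffix])
    return bytes([32]) + nb_encode(raw).encode("ascii") + b"\x00"


def build_query(txid: int, name: bytes, suffix: int, pad: bytes = b" ") -> bytes:
    """Name query as nmblookup broadcasts it: flags 0x0110 = query, recursion
    desired, B (broadcast) bit; one question of type NB (0x20), class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0110, 1, 0, 0, 0)
    return header + nb_label(name, suffix, pad) + struct.pack("!HH", 0x0020, 0x0001)


def build_reply(txid: int, name: bytes, suffix: int, addrs, ttl: int = 300000) -> bytes:
    """Positive name query response: flags 0x8500 = response, authoritative,
    recursion desired; one NB record whose RDATA is (NB_FLAGS, IPv4) pairs."""
    header = struct.pack("!HHHHHH", txid, 0x8500, 0, 1, 0, 0)
    rdata = b"".join(struct.pack("!H4s", 0x0000, ipaddress.IPv4Address(a).packed)
                     for a in addrs)
    rr = nb_label(name, suffix) + struct.pack("!HHIH", 0x0020, 0x0001, ttl, len(rdata)) + rdata
    return header + rr


def parse_reply(pkt: bytes):
    """Return (txid, [(name, suffix, [ip, ...]), ...]) from an NBNS response."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    if not flags & 0x8000:
        raise ValueError("not a response")
    off = 12 + qd * 38              # an NBNS question is a 34-byte name + type + class
    answers = []
    for _ in range(an):
        n = pkt[off]
        raw = nb_decode(pkt[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n + 1            # length byte, encoded name, root terminator
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        rdata, off = pkt[off:off + rdlen], off + rdlen
        if rtype != 0x0020:
            continue
        ips = [str(ipaddress.IPv4Address(rdata[i + 2:i + 6])) for i in range(0, rdlen, 6)]
        answers.append((raw[:15].rstrip(b" "), raw[15], ips))
    return txid, answers


def reply_state(orig, reply):
    """Minimal model of connection tracking: a packet is ESTABLISHED only if its
    (src, sport, dst, dport) is the exact reverse of a tuple already seen;
    anything else is NEW and falls to the zone policy (net2all -> DROP here)."""
    osrc, osport, odst, odport = orig
    return "ESTABLISHED" if tuple(reply) == (odst, odport, osrc, osport) else "NEW"


def demo():
    """Broadcast __MSBROWSE__<01> query from the Linux box, unicast answer from
    one Windows host. Addresses from the thread; port 32771 and txid assumed."""
    linux, win, bcast, sport = "192.168.0.81", "192.168.0.3", "192.168.0.255", 32771
    msbrowse = b"\x01\x02__MSBROWSE__\x02"          # 15 bytes, suffix 0x01
    query = build_query(0x1234, msbrowse, 0x01)
    reply = build_reply(0x1234, msbrowse, 0x01, [win])
    txid, answers = parse_reply(reply)
    state = reply_state((linux, sport, bcast, NBNS_PORT), (win, NBNS_PORT, linux, sport))
    return {"query_len": len(query), "txid": txid, "answers": answers, "reply_state": state}


if __name__ == "__main__":
    print(demo())
```

The same tuple check returns ESTABLISHED when the query is sent unicast to one host, which is why smb://192.168.0.3 works through the firewall while smb:/ does not, and why LISa's "send pings" option (unicast probes to listed addresses) sidesteps the problem.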
 