LinuxQuestions.org
Old 01-17-2014, 05:10 PM   #1
RileyTheWiley
Member
 
Registered: Dec 2007
Posts: 59

Rep: Reputation: 15
Networking problems, how to turn off firewall?


I have been having a number of mysterious networking problems all revolving around my Fedora 20 virtual machine. I have resolved some of them to file permissions issues but some still persist. Basically they are failures to connect (NFS, tftp, snmp) with symptoms that make me think a firewall is involved.

Problem is, I have pretty much disabled every firewall I can find between the systems. One system is a ucLinux embedded system without a firewall at all, the other is my Fedora 20 VM, and I have an Ubuntu VM also. All of them ping each other; all are on the same router; all have addresses like 192.168.*.*. So does the router.

I disabled the firewall on the router by going into it from the browser.
I disabled the firewall on the Fedora VM by opening ports in the GUI, then finally:
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables-save

This produces an iptables file that looks like I would expect, ACCEPT pretty much everywhere.

I disabled the firewall on the Ubuntu VM by way of ufw:
root@instant-contiki:/home/user# ufw status
Status: inactive

But many net ops into that Fedora VM are still failing.

Is there something I have overlooked? Is it possible to have two firewalls running? I have disabled SELinux because that was causing problems also.

This is a pretty vanilla setup and this should be easy. Process dump from Fedora box follows (I noticed firewalld is still running ... hmm...).

[root@localhost eric]# ps -e
PID TTY TIME CMD
1 ? 00:00:01 systemd
2 ? 00:00:00 kthreadd
3 ? 00:00:00 ksoftirqd/0
5 ? 00:00:00 kworker/0:0H
6 ? 00:00:00 kworker/u128:0
7 ? 00:00:00 migration/0
8 ? 00:00:00 rcu_bh
9 ? 00:00:00 rcu_sched
10 ? 00:00:00 khelper
11 ? 00:00:00 kdevtmpfs
12 ? 00:00:00 netns
13 ? 00:00:00 writeback
14 ? 00:00:00 kintegrityd
15 ? 00:00:00 bioset
16 ? 00:00:00 kblockd
17 ? 00:00:00 ata_sff
18 ? 00:00:00 khubd
19 ? 00:00:00 md
44 ? 00:00:00 kswapd0
45 ? 00:00:00 ksmd
46 ? 00:00:00 khugepaged
47 ? 00:00:00 fsnotify_mark
48 ? 00:00:00 crypto
57 ? 00:00:00 kthrotld
58 ? 00:00:00 scsi_eh_0
59 ? 00:00:00 scsi_eh_1
61 ? 00:00:00 kpsmoused
62 ? 00:00:01 kworker/0:2
63 ? 00:00:00 deferwq
69 ? 00:00:00 kauditd
220 ? 00:00:00 mpt_poll_0
221 ? 00:00:00 mpt/0
222 ? 00:00:00 scsi_eh_2
223 ? 00:00:00 ttm_swap
225 ? 00:00:00 kworker/0:1H
294 ? 00:00:00 kdmflush
295 ? 00:00:00 bioset
297 ? 00:00:00 kdmflush
299 ? 00:00:00 bioset
321 ? 00:00:00 jbd2/dm-1-8
322 ? 00:00:00 ext4-rsv-conver
323 ? 00:00:00 ext4-unrsv-conv
394 ? 00:00:00 systemd-journal
414 ? 00:00:00 rpciod
416 ? 00:00:00 lvmetad
424 ? 00:00:00 systemd-udevd
463 ? 00:00:00 jbd2/sda1-8
464 ? 00:00:00 ext4-rsv-conver
465 ? 00:00:00 ext4-unrsv-conv
470 ? 00:00:00 auditd
495 ? 00:00:00 audispd
499 ? 00:00:00 sedispatch
509 ? 00:00:00 alsactl
510 ? 00:00:00 firewalld
512 ? 00:00:00 accounts-daemon
513 ? 00:00:00 rtkit-daemon
518 ? 00:00:02 vmtoolsd
519 ? 00:00:00 ModemManager
521 ? 00:00:00 avahi-daemon
524 ? 00:00:00 systemd-logind
527 ? 00:00:00 dbus-daemon
531 ? 00:00:00 atd
532 ? 00:00:00 crond
535 ? 00:00:00 abrtd
537 ? 00:00:00 abrt-watch-log
541 ? 00:00:00 abrt-watch-log
545 ? 00:00:00 gdm
547 ? 00:00:00 chronyd
562 ? 00:00:00 rpcbind
563 ? 00:00:00 avahi-daemon
576 ? 00:00:00 gdm-simple-slav
582 tty1 00:00:05 Xorg
583 ? 00:00:01 polkitd
646 ? 00:00:00 NetworkManager
720 ? 00:00:00 cfg80211
741 ? 00:00:00 systemd
748 ? 00:00:00 (sd-pam)
858 ? 00:00:00 xinetd
875 ? 00:00:00 rpc.statd
922 ? 00:00:00 bluetoothd
1152 ? 00:00:00 upowerd
1298 ? 00:00:00 colord
1302 ? 00:00:00 dhclient
1415 ? 00:00:00 gdm-session-wor
1419 ? 00:00:00 systemd
1420 ? 00:00:00 (sd-pam)
1423 ? 00:00:00 gnome-keyring-d
1425 ? 00:00:00 gnome-session
1433 ? 00:00:00 dbus-launch
1434 ? 00:00:00 dbus-daemon
1451 ? 00:00:00 at-spi-bus-laun
1455 ? 00:00:00 dbus-daemon
1458 ? 00:00:00 at-spi2-registr
1465 ? 00:00:00 gvfsd
1469 ? 00:00:00 gvfsd-fuse
1480 ? 00:00:00 gnome-settings-
1501 ? 00:00:00 pulseaudio
1517 ? 00:00:00 gvfs-udisks2-vo
1519 ? 00:00:00 udisksd
1528 ? 00:00:00 gvfs-goa-volume
1531 ? 00:00:00 goa-daemon
1539 ? 00:00:00 mission-control
1540 ? 00:00:00 gvfs-afc-volume
1547 ? 00:00:00 gvfs-mtp-volume
1552 ? 00:00:00 gvfs-gphoto2-vo
1559 ? 00:00:11 gnome-shell
1564 ? 00:00:00 dconf-service
1575 ? 00:00:00 cupsd
1587 ? 00:00:00 gsd-printer
1607 ? 00:00:00 ibus-daemon
1611 ? 00:00:00 ibus-dconf
1613 ? 00:00:00 ibus-x11
1630 ? 00:00:00 gnome-shell-cal
1636 ? 00:00:00 evolution-sourc
1678 ? 00:00:00 ibus-engine-sim
1682 ? 00:00:00 tracker-store
1706 ? 00:00:01 vmtoolsd
1709 ? 00:00:00 abrt-applet
1712 ? 00:00:00 tracker-miner-f
1715 ? 00:00:00 evolution-calen
1720 ? 00:00:00 evolution-alarm
1810 ? 00:00:00 obexd
1893 ? 00:00:02 gnome-terminal-
1896 ? 00:00:00 gnome-pty-helpe
1897 pts/0 00:00:00 bash
1990 ? 00:00:00 nfsiod
2085 ? 00:00:00 nfsd4
2086 ? 00:00:00 nfsd4_callbacks
2087 ? 00:00:00 lockd
2090 ? 00:00:00 nfsd
2091 ? 00:00:00 nfsd
2092 ? 00:00:00 nfsd
2093 ? 00:00:00 nfsd
2094 ? 00:00:00 nfsd
2095 ? 00:00:00 nfsd
2096 ? 00:00:00 nfsd
2097 ? 00:00:00 nfsd
2106 ? 00:00:00 rpc.rquotad
2107 ? 00:00:00 rpc.idmapd
2108 ? 00:00:00 rpc.mountd
2132 ? 00:00:00 kworker/u128:2
2239 pts/0 00:00:00 su
2244 pts/0 00:00:00 bash
2268 pts/0 00:00:00 su
2271 pts/0 00:00:00 bash
2592 ? 00:00:00 kworker/0:1
2594 ? 00:00:00 systemd
2605 ? 00:00:00 (sd-pam)
2719 ? 00:00:00 kworker/0:0
2740 pts/0 00:00:00 ps
[root@localhost eric]#
 
Old 01-17-2014, 10:08 PM   #2
MensaWater
Guru
 
Registered: May 2005
Location: Atlanta Georgia USA
Distribution: Redhat (RHEL), CentOS, Fedora, Debian, FreeBSD, HP-UX, Solaris, SCO
Posts: 5,995
Blog Entries: 5

Rep: Reputation: 782
If you want to disable the firewall on Fedora why not just type "service iptables stop"?

Have you checked to see if ip6tables is running and stopped it?

Have you checked to see if SELinux is enabled and enforcing? SELinux is another level of security.
 
Old 01-17-2014, 11:00 PM   #3
SAbhi
Member
 
Registered: Aug 2009
Location: Bangaluru, India
Distribution: CentOS 6.5, SuSE SLED/ SLES 10.2 SP2 /11.2, Fedora 11/16
Posts: 516

Rep: Reputation: 58
@OP: I must say your approach was wrong enough to frustrate you:

If you have networking issues accessing snmp, nfs etc., allow them in the firewall for your network and see if that gets resolved, and before anything you didn't even try to fetch the logs to see what actually could be the problem. As said in the above post, it could be selinux too!!

And it is not only this that could allow everything coming in or going out:
Quote:
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables-save
Better to stop the firewall by stopping the services and then try connections --> fetch logs, see what's there!!
 
Old 01-17-2014, 11:20 PM   #4
Ser Olmy
Senior Member
 
Registered: Jan 2012
Distribution: Slackware
Posts: 1,956

Rep: Reputation: Disabled
Quote:
Originally Posted by RileyTheWiley View Post
I disabled the firewall on the Fedora VM by opening ports in the GUI, then finally:
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables-save

This produces an iptables file that looks like I would expect, ACCEPT pretty much everywhere.
Setting the policies to ACCEPT simply means that the catch-all rule at the bottom of the chain(s) is "ACCEPT" instead of "DROP". Any blocking rules will still be in effect.

To completely disable the firewall, you'll have to flush the chains as well:
Code:
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
Some distributions have a "firewall service" that manages the ruleset. Stopping such a process may or may not empty the ruleset and may or may not change the policies to "ACCEPT".

The iptables firewall itself is a kernel feature, not a process or daemon. If iptables -L or iptables-save shows no blocking rules and an ACCEPT policy, then there's no firewall.

What makes you suspect the communication issues are caused by firewall settings? Can you connect to the VM at all with, say, ping? Do such connection attempts leave an entry in the ARP table on the connecting system?
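
Added example, not part of the post above or of the thread: a shell check for the point that ACCEPT policies alone do not mean "no firewall", because DROP/REJECT rules in the chains still apply. It reads `iptables-save` text and lists every non-ACCEPT policy and every blocking rule; the function names and the sample ruleset are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit iptables-save output for anything that still blocks.
# Function names are hypothetical; the sample ruleset is constructed.

# Constructed sample: every policy is ACCEPT, yet INPUT and FORWARD still end
# in a REJECT rule, so traffic is blocked despite "ACCEPT pretty much everywhere".
sample_ruleset() {
cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:INPUT_ZONES - [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j INPUT_ZONES
-A INPUT -p icmp -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# audit_ruleset: read iptables-save text on stdin, print one finding per line:
#   POLICY <table> <chain> <policy>   built-in chain whose policy is not ACCEPT
#   RULE <table> <rule text>          rule whose target is DROP or REJECT
# Exit status: 0 = nothing blocks, 1 = at least one finding.
audit_ruleset() {
    awk '
        /^\*/  { table = substr($0, 2); next }          # "*filter" starts a table
        /^:/   { chain = substr($1, 2)                  # ":INPUT ACCEPT [0:0]"
                 if ($2 != "ACCEPT" && $2 != "-") {     # "-" marks a user chain
                     print "POLICY", table, chain, $2; bad = 1 }
                 next }
        /^-A / { for (i = 1; i < NF; i++)
                     if (($i == "-j" || $i == "--jump") &&
                         ($(i+1) == "DROP" || $(i+1) == "REJECT")) {
                         print "RULE", table, $0; bad = 1; break }
               }
        END    { exit bad + 0 }
    '
}

# On a live host, run as root: iptables-save | audit_ruleset
sample_ruleset | audit_ruleset || echo "blocking rules remain"
```

Run against the sample, it reports the two REJECT rules even though all three policies are ACCEPT; after the chains are flushed, it prints nothing and exits 0.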
 
Old 01-20-2014, 04:28 PM   #5
RileyTheWiley
Member
 
Registered: Dec 2007
Posts: 59

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by MensaWater View Post
If you want to disable the firewall on Fedora why not just type "service iptables stop"?

Have you checked to see if ip6tables is running and stopped it?

Have you checked to see if SELinux is enabled and enforcing? SELinux is another level of security.
iptables/ip6tables both not running

selinux is disabled
 
Old 01-20-2014, 04:33 PM   #6
RileyTheWiley
Member
 
Registered: Dec 2007
Posts: 59

Original Poster
Rep: Reputation: 15
That helped ....

Quote:
Originally Posted by Ser Olmy View Post
Setting the policies to ACCEPT simply means that the catch-all rule at the bottom of the chain(s) is "ACCEPT" instead of "DROP". Any blocking rules will still be in effect.

To completely disable the firewall, you'll have to flush the chains as well:
Code:
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
Some distributions have a "firewall service" that manages the ruleset. Stopping such a process may or may not empty the ruleset and may or may not change the policies to "ACCEPT".

The iptables firewall itself is a kernel feature, not a process or daemon. If iptables -L or iptables-save shows no blocking rules and an ACCEPT policy, then there's no firewall.

What makes you suspect the communication issues are caused by firewall settings? Can you connect to the VM at all with, say, ping? Do such connection attempts leave an entry in the ARP table on the connecting system?
Now *that* was helpful; I got from 'no route to host' to 'connection refused'. One roadblock out of the way, now to work on the permissions issue. Good!

I can ping the VM, yes.

The server's arp table contains the client's ip address, not sure how it got there. But addresses and firewalls are not the problem any more.
 
Old 01-28-2014, 07:50 AM   #7
wstewart90
Member
 
Registered: May 2013
Distribution: Arch Linux
Posts: 79

Rep: Reputation: Disabled
You're using Fedora 20. The iptables service isn't enabled. Try
Code:
systemctl stop firewalld.service
or
Code:
service firewalld stop
getenforce should return the status of SELinux. Outside of that, we need an actual error message to troubleshoot anything. Try systemctl status <service name> for the service you're trying to run.

Last edited by wstewart90; 01-28-2014 at 07:52 AM.
 
  


All times are GMT -5.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration