LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices



Reply
 
Search this Thread
Old 10-04-2005, 01:04 PM   #1
kwc5811
LQ Newbie
 
Registered: Oct 2005
Location: College Station, TX
Distribution: Mandrake
Posts: 7

Rep: Reputation: 0
Phantom firewall blocking packets


New to the forum, hello.

I tried looking around but to no avail, my problem seems complicated.

I am not as much a newbie, but after the following, more so than I thought.

I had a server up and running on a local network to serve http, https, ftp and ssh. The server was firewalled behind an external router with access only to the ssh service on port 22. All other services are inaccessible to the outside world. When the server was setup, I was new to Mandriva 10.1 and initally set it up on DHCP just to get things rolling. After installing all of my services the machine sat for about 2 months. I tested all of the services periodically during this time. After a recent power outage reset the router the inevitable happened and the server got a new IP address breaking access from the outside world. So the plan was to set the server to a static IP outside the range of adresses of the DHCP server. This is where things go downhill.

I started by using ifconfig through a remote ssh session (on the local lan) to change the IP, submask, and broadcast. Then tried to reconnect on the new IP. The machine disappeared from both addresses. I hooked up a monitor and keyboard and found that the machine was set to the new address but would not pass any traffic in or out. I then proceeded to use the control center to "edit an existing interface" and set all values at which point it restarted the network and same thing, no connection in or out. I restarted and used the control center to "setup a new connection" entered all of the same values and voila I have connection.

Here is my problem. I have full outbound traffic (web browse, ssh to other machines, etc.), but am only accepting traffic to the http, https and ftp ports now. The server serves webpages, secure webpages and ftp connections with no problem. No response to pings or to ssh. No remote access at all.

What have I done so far? Checked the network for problems by trying to ping localhost, no response. Tried sshing to localhost, connection refused. I checked the sshd service. It is running, however I restarted it just to be sure. It shutdown ok and started up ok. My best guess is a firewall issue. The firewall settings in the control panel are set to allow eveything, which has been set, the machine restarted and reverified. I checked iptables -L which shows no rules and was further verified by using iptables --flush. I also checked the running services in the control center and it says that the shorewall service is stopped. Running nmap on localhost shows ports 21, 80, and 443 as the only open ports.

What in the world else could be blocking access to my ssh and ping response? And what in the world would have changed so much by me changing my IP address?
 
Old 10-04-2005, 02:05 PM   #2
Matir
Moderator
 
Registered: Nov 2004
Location: San Jose, CA
Distribution: Ubuntu
Posts: 8,507

Rep: Reputation: 118Reputation: 118
Is SSH indeed running?

As for changing your IP: were you trying to change it to another from the same netblock? (i.e., 10.0.0.0 or 192.168.0.0)

Is the router port forwarding the proper ports?
 
Old 10-04-2005, 03:58 PM   #3
kwc5811
LQ Newbie
 
Registered: Oct 2005
Location: College Station, TX
Distribution: Mandrake
Posts: 7

Original Poster
Rep: Reputation: 0
Yes, the sshd is running. Well that is what the graphical services and daemons says. When I run #ps -aux | grep sshd I only get the grep process returned. Which would mean that the service is not running. Any ideas?

The IP address was within the same subnet, from DHCP to 192.168.0.5

I am trying to access the server from within the local subnet from 192.168.0.16 to take the router out of the equation. Both machines hang from the same switch. Even trying to ssh to localhost on the server is returning connection refused.
 
Old 10-04-2005, 04:01 PM   #4
kwc5811
LQ Newbie
 
Registered: Oct 2005
Location: College Station, TX
Distribution: Mandrake
Posts: 7

Original Poster
Rep: Reputation: 0
*I am also able to access webpages from port 443 securely. Doesn't https ride over ssl? Isn't that a service provided by the sshd? Would that also indicate the the sshd is running?
 
Old 10-04-2005, 04:07 PM   #5
kwc5811
LQ Newbie
 
Registered: Oct 2005
Location: College Station, TX
Distribution: Mandrake
Posts: 7

Original Poster
Rep: Reputation: 0
*Also as a matter of being complete I edited the /etc/ssh/sshd_config and changed the ListenAddress to 192.168.0.5
 
Old 10-04-2005, 04:53 PM   #6
kwc5811
LQ Newbie
 
Registered: Oct 2005
Location: College Station, TX
Distribution: Mandrake
Posts: 7

Original Poster
Rep: Reputation: 0
Well as is usual with my linux experience the problem has corrected itself with out any clear definition as to why. I changed the conf file and restarted the server. The auth.log file confimed that the server was running and was listening on 192.168.0.5 on port 22 and even gave me the pid to check. It was definetly running. However I still could not ssh to localhost (connection refused) same as before. Thinking I might be a little more general about my listen address I changed it back to the default of :: (this was the default that came with the source of openssl) Restarted the server and voila it works I can ssh again. Thinking it had something to do with the address I changed it back to see if it would stop working and restarted the server. It still works. So I have no idea what changed that made it start working. I had restarted the sshd a few times before, but maybe it just needed to be done a couple of times.

The only weird thing is now I can't ssh or telnet to localhost or 127.0.0.1. I can access them from all machines on the subnet and even from the server when I ssh to the server's IP address. It may have to do further with the conf file listening adress. I don't know really. Also nmap shows different ports being open when give the server's IP and just localhost. Hope maybe this thread will end up helping someone else down the line. The community here seems pretty nice so I guess I will stick around and see if I can help anyone else.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Unable to see packets at firewall and beyond gnomey4321 Linux - Networking 3 05-06-2005 05:37 AM
What process sent packets dropped by firewall? cherylchase Linux - Security 4 03-18-2005 10:36 AM
firewall blocking internet k4zau Linux - Networking 1 09-24-2004 03:18 PM
Problem of blocking ICMP packets while calculating Path MTU myself_rajat Linux - Networking 3 05-11-2004 01:47 AM
firewall traffic blocking help jaylee Linux - Security 8 06-30-2003 11:44 AM


All times are GMT -5. The time now is 07:24 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration