Linux - Networking: This forum is for any issue related to networks or networking. Routing, network cards, OSI, etc. Anything is fair game.
05-21-2003, 01:18 AM | #1 | LQ Newbie | Registered: May 2003 | Posts: 3
Can't ping/ssh my box, Shorewall seems to block all traffic except http / ftp
I'm running Mandrake 9.1 on security level Higher, which seems to bring with it a whole bunch of config headaches. Never had to deal with this because my previous setup was with Mandrake 8.1.
I can access webpages served off my box, as well as FTP in. But I can't SSH in or even get a reply when I ping it! Turning shorewall off doesn't seem to make a difference (maybe I'm missing a step there).
I'm very new to this and after spending many days unsuccessfully Googling for any related info, I would really appreciate it if someone would give me a step-by-step guide on how I should work out what's wrong.
/etc/shorewall/rules currently contains:
ACCEPT  net  fw  tcp  80,22,21
I don't understand why SSH wouldn't work if HTTP and FTP work fine. What other config files should I be looking at?
05-21-2003, 04:46 PM | #2 | Member | Registered: Mar 2003 | Location: Iowa, US | Distribution: Mint | Posts: 174
If it helps, I am having the same problem. Everything seems to work except ssh and ping. I am hoping to spend some time playing with it this evening. I will let you know what I find out.
One thing to note: I uninstalled the mdk9.1 rpms and installed shorewall from their tarball. I did this so I could use their documentation to set up a two-interface firewall/router.
If you find the solution before I do please post it.
Thanks,
PhilD
05-21-2003, 04:53 PM | #3 | Senior Member | Registered: Dec 2002 | Location: England | Distribution: Used to use Mandrake/Mandriva | Posts: 2,794
Maybe try another iptables frontend, like Guarddog.
05-21-2003, 10:46 PM | #4 | Member | Registered: Mar 2003 | Location: Iowa, US | Distribution: Mint | Posts: 174
okay tiduck,
I figured out the ssh problem. It is because of the higher security setting. By default, the /etc/hosts.deny includes everyone but the local host. To allow ssh into the box do the following:
Add to /etc/hosts.allow:
sshd : all : allow
This should allow you to ssh into the box. If you want, you can allow only a given IP the ability to ssh. For me this is all I needed to do. I found this by running tail -f on /var/log/messages and noticing that shorewall was accepting the ssh, but sshd was rejecting the connection.
As far as the ping goes, I have had no luck. I can ping loc from the firewall, and I can ping the net from loc, but I cannot ping the firewall from loc. I will have to work on that some more.
Also, if there are those more knowledgeable on the subject, if I have the policy file as such:
loc net ACCEPT
loc fw ACCEPT
Is there any reason for me to have rules for loc2net or loc2fw? Shouldn't everything be accepted as it is? Or would it be better to deny everything and add rules for every connection I want to allow? Just looking for ideas from those more knowledgeable than I.
Thanks,
PhilD
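An added example, not from any post in this thread and not tcp_wrappers' own code, that models the decision PhilD saw in /var/log/messages: Shorewall had passed the packet, but sshd (linked against libwrap) consulted /etc/hosts.allow and /etc/hosts.deny and refused it. The script follows the order documented in hosts_access(5) (a match in hosts.allow grants, then a match in hosts.deny refuses, otherwise the connection is allowed) and understands the ALL/LOCAL keywords, EXCEPT lists, net/mask patterns and the extended ": allow"/": deny" third field. The file contents it uses are constructed samples; Mandrake's real "Higher" defaults are not reproduced here.

```python
"""Model of the tcp_wrappers (libwrap) access decision that sshd makes.

Added example, not code from the thread or from tcp_wrappers itself. It
follows the order in hosts_access(5): a matching entry in hosts.allow
grants, then a matching entry in hosts.deny refuses, otherwise the
connection is granted. All file contents below are constructed samples.
"""
import ipaddress


def _parse(text):
    """Return (daemon_tokens, client_tokens, option) per entry.

    option is the extended-syntax third field ("allow"/"deny") or None.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            continue
        option = fields[2].lower() if len(fields) > 2 and fields[2] else None
        entries.append((fields[0].split(), fields[1].split(), option))
    return entries


def _client_matches(pattern, client):
    """One hosts_access(5) client pattern against an IP or host name.

    libwrap compares keywords case-insensitively, so ALL and all are the same.
    """
    p, c = pattern.lower(), client.lower()
    if p == "all":
        return True
    if p == "local":                      # host names without a dot
        return "." not in c
    if "/" in p:                          # net/mask form, e.g. 192.168.1.0/255.255.255.0
        try:
            return ipaddress.ip_address(c) in ipaddress.ip_network(p, strict=False)
        except ValueError:
            return False
    if p.endswith("."):                   # address prefix, e.g. 192.168.1.
        return c.startswith(p)
    if p.startswith("."):                 # domain suffix, e.g. .example.org
        return c.endswith(p)
    return p == c


def _daemon_matches(pattern, daemon):
    return pattern.lower() in ("all", daemon.lower())


def _list_matches(tokens, value, matcher):
    """'a b EXCEPT c d' matches when a/b match and c/d do not."""
    lowered = [t.lower() for t in tokens]
    if "except" in lowered:
        i = lowered.index("except")
        return (_list_matches(tokens[:i], value, matcher)
                and not _list_matches(tokens[i + 1:], value, matcher))
    return any(matcher(t, value) for t in tokens)


def hosts_access(allow_text, deny_text, daemon, client):
    """Return (granted, reason) for one connection, in libwrap's order."""
    for daemons, clients, option in _parse(allow_text):
        if _list_matches(daemons, daemon, _daemon_matches) and _list_matches(clients, client, _client_matches):
            if option == "deny":          # extended syntax can override the file's meaning
                return False, "hosts.allow entry carries ': deny'"
            return True, "matched in hosts.allow"
    for daemons, clients, option in _parse(deny_text):
        if _list_matches(daemons, daemon, _daemon_matches) and _list_matches(clients, client, _client_matches):
            if option == "allow":
                return True, "hosts.deny entry carries ': allow'"
            return False, "matched in hosts.deny"
    return True, "no entry matched, default is to allow"


# Constructed samples (not anyone's real files).
HOSTS_DENY = "ALL: ALL EXCEPT localhost\n"              # locked-down default: only the local host
HOSTS_ALLOW_OPEN = "sshd : ALL : allow\n"               # the line from the post above
HOSTS_ALLOW_LAN = "sshd : 192.168.1.0/255.255.255.0\n"  # tighter: one subnet only

if __name__ == "__main__":
    for allow in ("", HOSTS_ALLOW_OPEN, HOSTS_ALLOW_LAN):
        for client in ("10.0.0.5", "192.168.1.20", "localhost"):
            print(repr(allow.strip()), client, hosts_access(allow, HOSTS_DENY, "sshd", client))
```

Under this model the "sshd:all allow" variant from post #5 is read as a client list of two patterns, "all" and "allow"; the first one matches, so it behaves the same as "sshd : ALL : allow". The HOSTS_ALLOW_LAN line shows the per-subnet restriction PhilD mentions.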
05-21-2003, 11:08 PM | #5 | LQ Newbie | Registered: May 2003 | Posts: 3 | Original Poster
PhilD: Awesome!!! Although I actually had to add "sshd:all allow". Did you add an extra colon by mistake?
Thanks for your help!
05-22-2003, 09:08 AM | #6 | Member | Registered: Mar 2003 | Location: Iowa, US | Distribution: Mint | Posts: 174
I may have. I thought I double checked it but that doesn't mean much. Either way, I assume it worked for you too. Now if we could just get the ping to work. Granted, I don't really need it, but it would be nice as a way to do a quick "are you alive" to the firewall.
05-22-2003, 11:25 AM | #7 | LQ Newbie | Registered: May 2003 | Posts: 3 | Original Poster
I noticed that shorewall/rules doesn't include any entries for ICMP. Wouldn't that block all pings? I'll have to check it out later.
05-22-2003, 12:22 PM | #8 | Member | Registered: Mar 2003 | Location: Iowa, US | Distribution: Mint | Posts: 174
So far, this is my history with the PING!
I have tried all variations with no success. These being:
ACCEPT loc fw icmp 8
ACCEPT loc fw icmp echo-request
I have tried each one alone and both together. The behavior I have seen is as follows.
With neither rule, I see the message rejected - icmp - 8 (summary) by tail -f'ing the /var/log/messages file. If I add either or both, this message is not generated. The client side correctly identifies the fw and its IP and sits there. When I ^C it, it shows 100% failure. As I mentioned before, I can ping from the fw to loc and from loc to net with the following rules.
ACCEPT loc net icmp 8
ACCEPT fw loc icmp 8
Actually, the loc2net may be a echo-request. I am still looking for the correct way to set this up. Let me know what you find.
Thanks,
PhilD
05-22-2003, 12:38 PM | #9 | Member | Registered: Mar 2003 | Location: Iowa, US | Distribution: Mint | Posts: 174
Proud,
Thanks for the pointer to Guarddog. It looks like a very useful firewall configuration tool. The only problem is I don't have KDE on this box, and I doubt I have room for it. One of the joys of Linux is setting up minimal hardware for network tasks. Thanks for the hint. I may very well try it if/when I upgrade this box.
PhilD
05-22-2003, 01:06 PM | #10 | Senior Member | Registered: Dec 2002 | Location: England | Distribution: Used to use Mandrake/Mandriva | Posts: 2,794
Well, I see your problem, but if it helps, you should only need Qt and a few other things, not all of KDE. Guarddog does make creating a detailed firewall much easier for beginners.
05-22-2003, 10:21 PM | #11 | Member | Registered: Mar 2003 | Location: Iowa, US | Distribution: Mint | Posts: 174
tiduck,
I found the ping culprit. Well, I found it on another unrelated post and thought I should check it out. Here is what I did:
in file: /etc/sysctl.conf
change line: net.ipv4.icmp_echo_ignore_all=1
to: net.ipv4.icmp_echo_ignore_all=0
Then restart the network and shorewall. This, with the icmp 8 rules in shorewall worked. Now to complete the rule set for the firewall.
I still have the question about the rules vs. policies. Why do I need a rule to accept www from loc to net if the policy for loc2net is accept? I know this shouldn't be that difficult, but.... I am sure I will get it sometime.
Thanks for the help!
PhilD
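An added example, not from any post here and not Shorewall's own code, that puts the two gates this thread uncovered in one script: the Shorewall verdict for an echo-request from loc to the firewall, and the net.ipv4.icmp_echo_ignore_all sysctl that Mandrake's Higher level turns on. The Shorewall part encodes the evaluation order that answers PhilD's rules-versus-policy question: the rules file is consulted first and the first matching line wins; only when no rule matches does the zone-pair entry in the policy file apply, so with a "loc net ACCEPT" policy no separate www rule is needed, and rules are only required to make exceptions to a policy. The rules, policy and sysctl.conf contents are constructed samples, and the parser handles only the five leading columns of the rules file.

```python
"""Why the firewall host does not answer ping.

Added example, not code from the thread or from Shorewall. It models two
gates in front of an echo-request to the firewall: the Shorewall decision
(first matching rule wins; otherwise the zone-pair policy applies) and the
kernel's net.ipv4.icmp_echo_ignore_all sysctl. Inputs are constructed samples.
"""

ICMP_TYPES = {"echo-request": "8", "echo-reply": "0"}  # names Shorewall accepts in the port column


def _lines(text):
    """Strip comments and blank lines, split into columns."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line and not line.upper().startswith("SECTION"):
            yield line.split()


def parse_rules(text):
    """rules columns: ACTION SOURCE DEST PROTO DEST_PORT (ICMP type for icmp)."""
    rules = []
    for cols in _lines(text):
        cols += ["-"] * (5 - len(cols))            # missing trailing columns mean "any"
        rules.append((cols[0].upper(), cols[1], cols[2], cols[3].lower(), cols[4].lower()))
    return rules


def parse_policy(text):
    """policy columns: SOURCE DEST POLICY (LOG_LEVEL ignored here)."""
    return [(cols[0], cols[1], cols[2].upper()) for cols in _lines(text)]


def _port_matches(spec, port):
    if spec == "-":
        return True
    return port in {ICMP_TYPES.get(p, p) for p in spec.split(",")}


def shorewall_verdict(rules_text, policy_text, src, dst, proto, port):
    """Return (ACTION, 'rule' | 'policy'); rules are consulted before policy."""
    for action, rs, rd, rp, rport in parse_rules(rules_text):
        if rs == src and rd == dst and rp in ("-", "all", proto) and _port_matches(rport, port):
            return action, "rule"
    for ps, pd, action in parse_policy(policy_text):
        if ps in (src, "all") and pd in (dst, "all"):
            return action, "policy"
    return "DROP", "no policy"   # Shorewall itself refuses to start without a matching policy


def echo_ignore_all(sysctl_text):
    """True when sysctl.conf sets net.ipv4.icmp_echo_ignore_all=1 (last setting wins)."""
    value = "0"
    for cols in _lines(sysctl_text):
        key, _, val = "".join(cols).partition("=")   # tolerate 'key = value' spacing
        if key == "net.ipv4.icmp_echo_ignore_all":
            value = val
    return value == "1"


def ping_blockers(rules_text, policy_text, sysctl_text, src="loc", dst="fw"):
    """List every layer that stops an echo-request from src to the firewall."""
    reasons = []
    action, where = shorewall_verdict(rules_text, policy_text, src, dst, "icmp", "8")
    if action != "ACCEPT":
        reasons.append(f"shorewall {where}: {action} for {src}->{dst} icmp type 8")
    if echo_ignore_all(sysctl_text):
        reasons.append("kernel: net.ipv4.icmp_echo_ignore_all=1, echo-request silently dropped")
    return reasons


# Constructed samples (not anyone's real files).
RULES = "ACCEPT net fw tcp 80,22,21\nACCEPT loc fw icmp 8\n"
POLICY = "loc net ACCEPT\nloc fw ACCEPT\nnet all DROP\nall all REJECT\n"
SYSCTL_HIGHER = "net.ipv4.icmp_echo_ignore_all=1\n"
SYSCTL_FIXED = "net.ipv4.icmp_echo_ignore_all = 0\n"

if __name__ == "__main__":
    for label, sysctl in (("before the sysctl change", SYSCTL_HIGHER), ("after", SYSCTL_FIXED)):
        print(label, ping_blockers(RULES, POLICY, sysctl) or ["ping should be answered"])
    # A rule is only needed where the policy does not already say ACCEPT:
    print("loc->net www with no rule:", shorewall_verdict("", POLICY, "loc", "net", "tcp", "80"))
```

With the sample rules and the Higher-level sysctl the only blocker reported is the kernel setting, which matches what the thread found: the Shorewall log went quiet once the icmp rule was in place, but replies only came back after icmp_echo_ignore_all was set to 0.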