LinuxQuestions.org
Old 05-29-2007, 10:15 PM   #1
cyberfishee
Registered: Mar 2005
Distribution: Debian Testing
Linux router unable to ping itself or other machines on the LAN


Hi,
I have recently configured one of my Debian Etch machines to act as a router for my home network (it also runs apache, postfix etc). Everything works properly except I am not able to connect to or ping other computers on the LAN from the server. Also, related or not, DNAT doesn't work.

My network setup:

ISP (24.86.168.0/21, gateway at 24.86.168.1)
Server (eth1:cable modem dhcp, eth0:192.168.0.1, runs dhcpd for internal network)
Clients (192.168.0.100 - 192.168.0.150)

internal network is 192.168.0.0/24

PROBLEM:
when pinging LAN machines from the server (via ssh) -
eg.

Code:
root@serv:/tmp# ping 192.168.0.100
PING 192.168.0.100 (192.168.0.100) 56(84) bytes of data.
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted

--- 192.168.0.100 ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 3000ms
also when pinging the server itself -
Code:
root@serv:/tmp# ping localhost
PING localhost (127.0.0.1) 56(84) bytes of data.
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted

--- localhost ping statistics ---
4 packets transmitted, 0 received, 100% packet loss, time 2999ms
output of "route -n" -
Code:
root@serv:/tmp# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
24.86.168.0     0.0.0.0         255.255.252.0   U     0      0        0 eth1
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         24.86.168.1     0.0.0.0         UG    0      0        0 eth1
output of "iptables -L" (filter) -
Code:
root@serv:/tmp# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     0    --  anywhere             anywhere
ACCEPT     tcp  --  anywhere             anywhere            tcp flags:ACK/ACK
ACCEPT     0    --  anywhere             anywhere            state ESTABLISHED
ACCEPT     0    --  anywhere             anywhere            state RELATED
ACCEPT     udp  --  anywhere             anywhere            udp spt:domain dpts:1024:65535
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp destination-unreachable
ACCEPT     icmp --  anywhere             anywhere            icmp source-quench
ACCEPT     icmp --  anywhere             anywhere            icmp time-exceeded
ACCEPT     icmp --  anywhere             anywhere            icmp parameter-problem
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:auth
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:www
ACCEPT     tcp  --  anywhere             anywhere            tcp dpts:ftp-data:smtp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:imap2

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     0    --  anywhere             anywhere
ACCEPT     0    --  anywhere             anywhere            state RELATED,ESTABLISHED

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
output of "iptables -t nat -L" -
Code:
root@serv:/tmp# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy DROP)
target     prot opt source               destination
MASQUERADE  0    --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
output of "iptables -t mangle -L" -
Code:
root@serv:/tmp# iptables -t mangle -L
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
output of "ifconfig" -
Code:
root@serv:/tmp# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:E0:7D:DF:2F:10
          inet addr:192.168.0.1  Bcast:192.168.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:3674815 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3291440 errors:0 dropped:0 overruns:1 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:2243739616 (2.0 GiB)  TX bytes:1795159906 (1.6 GiB)
          Interrupt:10 Base address:0x2000

eth1      Link encap:Ethernet  HWaddr 00:12:C9:4E:10:D2
          inet addr:24.86.169.13  Bcast:255.255.255.255  Mask:255.255.252.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:15599622 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3636595 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:2180881493 (2.0 GiB)  TX bytes:2228424341 (2.0 GiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)
there is nothing related in dmesg and /var/log/syslog.

I have also tried setting the policy of my filter chains to ACCEPT, problem persists.

connecting from clients to the server works as expected, eg, I can ssh into the server, get pages from apache, check and send emails

anything else I should provide?

Thanks in advance
 
Old 05-30-2007, 12:41 AM   #2
KenJackson
Registered: Jul 2006
Location: Maryland, USA
Distribution: Fedora and others
Your server has to have packet forwarding turned on.

File /etc/sysctl.conf should have this line:
net.ipv4.ip_forward = 1

Then restart your network to activate it. (Or echo 1 >/proc/sys/net/ipv4/ip_forward)
 
Old 05-30-2007, 12:47 AM   #3
cyberfishee
Registered: Mar 2005
Distribution: Debian Testing
Original Poster
Thank you for your reply

I have both /proc/sys/net/ipv4/ip_forward and /proc/sys/net/ipv4/ip_dynaddr set to 1

as I said in my original post, basic IP masquerading works, only DNAT (port forwarding) does not, and I suspect it to be related to the problem I described above
 
Old 05-30-2007, 07:09 AM   #4
this213
Registered: Dec 2001
Location: ./
Distribution: Fedora, CentOS, RHEL, Gentoo
You have to allow ICMP packets, something like (generally):
Code:
$IPTABLES -A INPUT -i $EXTIF -p ICMP -s $UNIVERSE -d $EXTIP -j ACCEPT
*edit* just noticed you had these:
Code:
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp destination-unreachable
ACCEPT     icmp --  anywhere             anywhere            icmp source-quench
ACCEPT     icmp --  anywhere             anywhere            icmp time-exceeded
ACCEPT     icmp --  anywhere             anywhere            icmp parameter-problem
it's icmp echo-request

Last edited by this213; 05-30-2007 at 07:12 AM.
 
Old 05-30-2007, 09:24 AM   #5
cyberfishee
Registered: Mar 2005
Distribution: Debian Testing
Original Poster
Thank you for your reply, but I have tried setting the policies to ACCEPT and the problem persists (I do not have DROP rules in my chains)
 
Old 05-30-2007, 10:23 AM   #6
Eduardo!!!
Registered: May 2007
Location: Guayaquil, Ecuador
Distribution: RHEL, Fedora
Stopping your iptables service enables ping?
If so, check carefully your rules

Do:
iptables -F
iptables -X
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT

Last edited by Eduardo!!!; 05-30-2007 at 10:29 AM.
 
Old 05-30-2007, 11:14 AM   #7
kees-jan
Registered: Sep 2004
Distribution: Debian, Ubuntu, BeatrIX, OpenWRT
This is weird. Even if your firewall is configured all wrong, it should not say "sendmsg: Operation not permitted". It would either fail silently or say "connection refused".

Do you by any chance have "selinux" enabled? In my experience it often produces vague "not permitted" messages for things I typically want to do :-)

Groetjes,

Kees-Jan
 
Old 05-30-2007, 11:14 AM   #8
FMC
Registered: May 2007
Location: São Paulo
Distribution: Gentoo & Debian
Flush your nat table and try again!

Also... check to see if your lo netmask is set to /8!

[]´s, FMC!
 
Old 05-30-2007, 11:39 AM   #9
FMC
Registered: May 2007
Location: São Paulo
Distribution: Gentoo & Debian
I believe your problem is in this rule:
Code:
MASQUERADE  0    --  anywhere             anywhere
It should be:
Code:
MASQUERADE  0    --  <some IP addr>       anywhere
[]´s, FMC!

Last edited by FMC; 05-30-2007 at 11:40 AM.
 
Old 05-30-2007, 07:16 PM   #10
cyberfishee
Registered: Mar 2005
Distribution: Debian Testing
Original Poster
Thank you for your advice; however, the problem persists

Quote:
I believe your problem is in this rule:
Code:
MASQUERADE 0 -- anywhere anywhere
It should be:
Code:
MASQUERADE 0 -- <some IP addr> anywhere
[]´s, FMC!
I changed it to
Code:
Chain POSTROUTING (policy DROP)
target     prot opt source               destination
MASQUERADE  0    --  192.168.0.0/24       anywhere
yet I still cannot ping localhost (pinging google works).

Quote:
Flush your nat table and try again!

Also... check to see if your lo netmask is set to /8!

[]´s, FMC!
flushed my nat table, did not fix it
according to ifconfig output, lo netmask is set to /8 (255.0.0.0)

Quote:
This is weird. Even if your firewall is configured all wrong, it should not say "sendmsg: Operation not permitted". It would either fail silently or say "connection refused".

Do you by any chance have "selinux" enabled? In my experience it often produces vague "not permitted" messages for things I typically want to do :-)
yes, very weird indeed, I have done this some time ago on this machine running the same distro and it worked flawlessly without much effort.

I do not have SELinux enabled.

Quote:
Stopping your iptables service enables ping?
If so, check carefully your rules

Do:
iptables -F
iptables -X
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
it does not enable ping

Thank you very much
 
Old 05-31-2007, 07:39 AM   #11
FMC
Registered: May 2007
Location: São Paulo
Distribution: Gentoo & Debian
If you have ipmasq installed, try initializing it!

I googled for "ping: sendmsg: Operation not permitted" and the first result is from a Brazilian forum, the first answer is mine! weird! lol

[]´, FMC!
 
Old 05-31-2007, 03:21 PM   #12
cyberfishee
Registered: Mar 2005
Distribution: Debian Testing
Original Poster
Thank you for your reply

Quote:
If you have ipmasq installed, try initializing it!
Can you please elaborate on that a bit? I have already done echo "1" > /proc/sys/net/ipv4/ip_forward and iptables is up and running (is that what you meant?)

I have googled the error message already, but it seems to me that everyone else having this problem is caused by iptables, and disabling it does not fix my problem, as it did for others
 
Old 05-31-2007, 06:27 PM   #13
cyberfishee
Registered: Mar 2005
Distribution: Debian Testing
Original Poster
Thank you all who have helped

I solved the problem

for other people who are having this issue -

changing the default policy of the POSTROUTING chain in the NAT table to ACCEPT from DROP fixed it for me
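An added audit helper, not posted by anyone in this thread: it parses `iptables -t nat -L` output (the OP's nat table from post #1, embedded here as a constructed sample) and flags the two things the thread turned on, a non-ACCEPT policy on a nat chain and a MASQUERADE rule with an unrestricted source. The remediation lines assume eth1 is the WAN interface and 192.168.0.0/24 the LAN, as in the OP's setup; the `-o` interface restriction is an addition beyond what the thread shows.

```shell
#!/bin/sh
# Audit helpers for the nat table. The nat table is only consulted for the first
# packet of a connection, and a DROP policy there makes locally generated packets
# fail at sendmsg() with EPERM ("Operation not permitted"), which is what the OP saw.

# Constructed sample: the OP's "iptables -t nat -L" listing from post #1.
SAMPLE_NAT='Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy DROP)
target     prot opt source               destination
MASQUERADE  0    --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination'

# Read a nat listing on stdin; print "CHAIN POLICY" for every chain whose policy
# is not ACCEPT. Nat chains should filter nothing, so any hit is a misconfiguration.
bad_nat_policies() {
    awk '/^Chain / { gsub(/[()]/, "", $4); if ($4 != "ACCEPT") print $2, $4 }'
}

# Read a nat listing on stdin; print MASQUERADE rules whose source is "anywhere".
# Such a rule also rewrites loopback and LAN-originated traffic, not just LAN->WAN.
unscoped_masquerade() {
    awk '/^MASQUERADE/ && $4 == "anywhere" { print }'
}

# Print the commands that put POSTROUTING in a sane state: ACCEPT policy and a
# MASQUERADE rule limited to LAN sources leaving via the WAN interface.
# Arguments are assumptions: $1 = LAN prefix, $2 = WAN interface.
fix_nat_commands() {
    lan=$1
    wan=$2
    printf '%s\n' \
        "iptables -t nat -P POSTROUTING ACCEPT" \
        "iptables -t nat -F POSTROUTING" \
        "iptables -t nat -A POSTROUTING -s $lan -o $wan -j MASQUERADE"
}

# Stand-alone run against the embedded sample (use "iptables -t nat -L" on a live box).
printf '%s\n' "$SAMPLE_NAT" | bad_nat_policies
printf '%s\n' "$SAMPLE_NAT" | unscoped_masquerade
fix_nat_commands 192.168.0.0/24 eth1
```

On a live router, feed `iptables -t nat -L` into `bad_nat_policies` instead of the sample; an empty result from both checks is the expected state.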