01-17-2014, 05:10 PM
|
#1
|
Member
Registered: Dec 2007
Posts: 59
Rep:
|
Networking problems, how to turn off firewall?
I have been having a number of mysterious networking problems all revolving around my Fedora 20 virtual machine. I have resolved some of them to file permissions issues but some still persist. Basically they are failures to connect (NFS, tftp, snmp) with symptoms that make me think a firewall is involved.
Problem is, I have pretty much disabled every firewall I can find between the systems. One system is a ucLinux embedded system without a firewall at all, the other is my Fedora 20 VM, and I have an Ubuntu VM also. All of them ping each other; all are on the same router; all have addresses like 192.168.*.*. So does the router.
I disabled the firewall on the router by going into it from the browser.
I disabled the firewall on the Fedora VM by opening ports in the GUI, then finally:
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables-save
This produces an iptables file that looks like I would expect, ACCEPT pretty much everywhere.
I disabled the firewall on the Ubuntu VM by way of ufw:
root@instant-contiki:/home/user# ufw status
Status: inactive
But many net ops into that Fedora VM are still failing.
Is there something I have overlooked? Is it possible to have two firewalls running? I have disabled SELinux because that was causing problems also.
This is a pretty vanilla setup and this should be easy. Process dump from Fedora box follows (I noticed firewalld is still running ... hmm...).
[root@localhost eric]# ps -e
PID TTY TIME CMD
1 ? 00:00:01 systemd
2 ? 00:00:00 kthreadd
3 ? 00:00:00 ksoftirqd/0
5 ? 00:00:00 kworker/0:0H
6 ? 00:00:00 kworker/u128:0
7 ? 00:00:00 migration/0
8 ? 00:00:00 rcu_bh
9 ? 00:00:00 rcu_sched
10 ? 00:00:00 khelper
11 ? 00:00:00 kdevtmpfs
12 ? 00:00:00 netns
13 ? 00:00:00 writeback
14 ? 00:00:00 kintegrityd
15 ? 00:00:00 bioset
16 ? 00:00:00 kblockd
17 ? 00:00:00 ata_sff
18 ? 00:00:00 khubd
19 ? 00:00:00 md
44 ? 00:00:00 kswapd0
45 ? 00:00:00 ksmd
46 ? 00:00:00 khugepaged
47 ? 00:00:00 fsnotify_mark
48 ? 00:00:00 crypto
57 ? 00:00:00 kthrotld
58 ? 00:00:00 scsi_eh_0
59 ? 00:00:00 scsi_eh_1
61 ? 00:00:00 kpsmoused
62 ? 00:00:01 kworker/0:2
63 ? 00:00:00 deferwq
69 ? 00:00:00 kauditd
220 ? 00:00:00 mpt_poll_0
221 ? 00:00:00 mpt/0
222 ? 00:00:00 scsi_eh_2
223 ? 00:00:00 ttm_swap
225 ? 00:00:00 kworker/0:1H
294 ? 00:00:00 kdmflush
295 ? 00:00:00 bioset
297 ? 00:00:00 kdmflush
299 ? 00:00:00 bioset
321 ? 00:00:00 jbd2/dm-1-8
322 ? 00:00:00 ext4-rsv-conver
323 ? 00:00:00 ext4-unrsv-conv
394 ? 00:00:00 systemd-journal
414 ? 00:00:00 rpciod
416 ? 00:00:00 lvmetad
424 ? 00:00:00 systemd-udevd
463 ? 00:00:00 jbd2/sda1-8
464 ? 00:00:00 ext4-rsv-conver
465 ? 00:00:00 ext4-unrsv-conv
470 ? 00:00:00 auditd
495 ? 00:00:00 audispd
499 ? 00:00:00 sedispatch
509 ? 00:00:00 alsactl
510 ? 00:00:00 firewalld
512 ? 00:00:00 accounts-daemon
513 ? 00:00:00 rtkit-daemon
518 ? 00:00:02 vmtoolsd
519 ? 00:00:00 ModemManager
521 ? 00:00:00 avahi-daemon
524 ? 00:00:00 systemd-logind
527 ? 00:00:00 dbus-daemon
531 ? 00:00:00 atd
532 ? 00:00:00 crond
535 ? 00:00:00 abrtd
537 ? 00:00:00 abrt-watch-log
541 ? 00:00:00 abrt-watch-log
545 ? 00:00:00 gdm
547 ? 00:00:00 chronyd
562 ? 00:00:00 rpcbind
563 ? 00:00:00 avahi-daemon
576 ? 00:00:00 gdm-simple-slav
582 tty1 00:00:05 Xorg
583 ? 00:00:01 polkitd
646 ? 00:00:00 NetworkManager
720 ? 00:00:00 cfg80211
741 ? 00:00:00 systemd
748 ? 00:00:00 (sd-pam)
858 ? 00:00:00 xinetd
875 ? 00:00:00 rpc.statd
922 ? 00:00:00 bluetoothd
1152 ? 00:00:00 upowerd
1298 ? 00:00:00 colord
1302 ? 00:00:00 dhclient
1415 ? 00:00:00 gdm-session-wor
1419 ? 00:00:00 systemd
1420 ? 00:00:00 (sd-pam)
1423 ? 00:00:00 gnome-keyring-d
1425 ? 00:00:00 gnome-session
1433 ? 00:00:00 dbus-launch
1434 ? 00:00:00 dbus-daemon
1451 ? 00:00:00 at-spi-bus-laun
1455 ? 00:00:00 dbus-daemon
1458 ? 00:00:00 at-spi2-registr
1465 ? 00:00:00 gvfsd
1469 ? 00:00:00 gvfsd-fuse
1480 ? 00:00:00 gnome-settings-
1501 ? 00:00:00 pulseaudio
1517 ? 00:00:00 gvfs-udisks2-vo
1519 ? 00:00:00 udisksd
1528 ? 00:00:00 gvfs-goa-volume
1531 ? 00:00:00 goa-daemon
1539 ? 00:00:00 mission-control
1540 ? 00:00:00 gvfs-afc-volume
1547 ? 00:00:00 gvfs-mtp-volume
1552 ? 00:00:00 gvfs-gphoto2-vo
1559 ? 00:00:11 gnome-shell
1564 ? 00:00:00 dconf-service
1575 ? 00:00:00 cupsd
1587 ? 00:00:00 gsd-printer
1607 ? 00:00:00 ibus-daemon
1611 ? 00:00:00 ibus-dconf
1613 ? 00:00:00 ibus-x11
1630 ? 00:00:00 gnome-shell-cal
1636 ? 00:00:00 evolution-sourc
1678 ? 00:00:00 ibus-engine-sim
1682 ? 00:00:00 tracker-store
1706 ? 00:00:01 vmtoolsd
1709 ? 00:00:00 abrt-applet
1712 ? 00:00:00 tracker-miner-f
1715 ? 00:00:00 evolution-calen
1720 ? 00:00:00 evolution-alarm
1810 ? 00:00:00 obexd
1893 ? 00:00:02 gnome-terminal-
1896 ? 00:00:00 gnome-pty-helpe
1897 pts/0 00:00:00 bash
1990 ? 00:00:00 nfsiod
2085 ? 00:00:00 nfsd4
2086 ? 00:00:00 nfsd4_callbacks
2087 ? 00:00:00 lockd
2090 ? 00:00:00 nfsd
2091 ? 00:00:00 nfsd
2092 ? 00:00:00 nfsd
2093 ? 00:00:00 nfsd
2094 ? 00:00:00 nfsd
2095 ? 00:00:00 nfsd
2096 ? 00:00:00 nfsd
2097 ? 00:00:00 nfsd
2106 ? 00:00:00 rpc.rquotad
2107 ? 00:00:00 rpc.idmapd
2108 ? 00:00:00 rpc.mountd
2132 ? 00:00:00 kworker/u128:2
2239 pts/0 00:00:00 su
2244 pts/0 00:00:00 bash
2268 pts/0 00:00:00 su
2271 pts/0 00:00:00 bash
2592 ? 00:00:00 kworker/0:1
2594 ? 00:00:00 systemd
2605 ? 00:00:00 (sd-pam)
2719 ? 00:00:00 kworker/0:0
2740 pts/0 00:00:00 ps
[root@localhost eric]#
|
|
|
01-17-2014, 10:08 PM
|
#2
|
LQ Guru
Registered: May 2005
Location: Atlanta Georgia USA
Distribution: Redhat (RHEL), CentOS, Fedora, CoreOS, Debian, FreeBSD, HP-UX, Solaris, SCO
Posts: 7,831
|
If you want to disable the firewall on Fedora why not just type "service iptables stop"?
Have you checked to see if ip6tables is running and stopped it?
Have you checked to see if SELinux is enabled and enforcing? SELinux is another level of security.
|
|
|
01-17-2014, 11:00 PM
|
#3
|
Member
Registered: Aug 2009
Location: Bangaluru, India
Distribution: CentOS 6.5, SuSE SLED/ SLES 10.2 SP2 /11.2, Fedora 11/16
Posts: 665
Rep:
|
@OP: I must say your approach was wrong enough to frustrate you:
If you have networking issues accessing snmp, nfs etc., allow them in the firewall for your network and see if that gets resolved, and before anything you didn't even try to fetch the logs to see what actually could be the problem. As said in the above post, it could be SELinux too!!
and it is not only this could allow everything comes in or going out:
Quote:
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables-save
|
Better to stop the firewall by stopping the services and then try connections --> fetch logs, see what's there!!
|
|
|
01-17-2014, 11:20 PM
|
#4
|
Senior Member
Registered: Jan 2012
Distribution: Slackware
Posts: 3,348
Rep:
|
Quote:
Originally Posted by RileyTheWiley
I disabled the firewall on the Fedora VM by opening ports in the GUI, then finally:
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables-save
This produces an iptables file that looks like I would expect, ACCEPT pretty much everywhere.
|
Setting the policies to ACCEPT simply means that the catch-all rule at the bottom of the chain(s) is "ACCEPT" instead of "DROP". Any blocking rules will still be in effect.
To completely disable the firewall, you'll have to flush the chains as well:
Code:
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
Some distributions have a "firewall service" that manages the ruleset. Stopping such a process may or may not empty the ruleset and may or may not change the policies to "ACCEPT".
The iptables firewall itself is a kernel feature, not a process or daemon. If iptables -L or iptables-save shows no blocking rules and an ACCEPT policy, then there's no firewall.
What makes you suspect the communication issues are caused by firewall settings? Can you connect to the VM at all with, say, ping? Do such connection attempts leave an entry in the ARP table on the connecting system?
|
|
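The point made in the reply above (ACCEPT policies do not remove blocking rules) can be checked mechanically. This is an added example, not code from the thread: the names `audit_ruleset`, `count_blockers` and `SAMPLE_RULESET` are hypothetical, and the sample ruleset is constructed for illustration.

```shell
#!/bin/sh
# Added example: audit `iptables-save` output for anything that can still block.

# Reads iptables-save text on stdin and prints one line per finding:
# a built-in chain policy other than ACCEPT, or a rule jumping to DROP/REJECT.
audit_ruleset() {
    awk '
        /^\*/ { table = substr($1, 2); next }   # "*filter" opens a table
        /^:/ {                                  # ":INPUT ACCEPT [0:0]" is a policy line
            chain = substr($1, 2)
            # user-defined chains carry "-" as policy and are skipped
            if ($2 != "ACCEPT" && $2 != "-")
                printf "policy %s/%s %s\n", table, chain, $2
            next
        }
        /^-A / {                                # "-A INPUT ... -j REJECT" is a rule
            for (i = 3; i < NF; i++)
                if (($i == "-j" || $i == "--jump") &&
                    ($(i + 1) == "DROP" || $(i + 1) == "REJECT"))
                    printf "rule %s/%s %s\n", table, $2, $(i + 1)
        }
    '
}

# Counts the findings for a ruleset passed as the first argument.
count_blockers() {
    printf '%s\n' "$1" | audit_ruleset | awk 'END { print NR }'
}

# Constructed sample: every policy is ACCEPT, yet the last INPUT rule rejects
# whatever was not accepted earlier. A client hitting a REJECT with
# icmp-host-prohibited sees "No route to host".
SAMPLE_RULESET='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'

printf '%s\n' "$SAMPLE_RULESET" | audit_ruleset
```

On a live host, run `iptables-save | audit_ruleset` as root (and the same with `ip6tables-save`); no output means no non-ACCEPT policy and no DROP or REJECT rule remains.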
|
01-20-2014, 04:28 PM
|
#5
|
Member
Registered: Dec 2007
Posts: 59
Original Poster
Rep:
|
Quote:
Originally Posted by MensaWater
If you want to disable the firewall on Fedora why not just type "service iptables stop"?
Have you checked to see if ip6tables is running and stopped it?
Have you checked to see if SELinux is enabled and enforcing? SELinux is another level of security.
|
iptables/ip6tables both not running
selinux is disabled
|
|
|
01-20-2014, 04:33 PM
|
#6
|
Member
Registered: Dec 2007
Posts: 59
Original Poster
Rep:
|
That helped ....
Quote:
Originally Posted by Ser Olmy
Setting the policies to ACCEPT simply means that the catch-all rule at the bottom of the chain(s) is "ACCEPT" instead of "DROP". Any blocking rules will still be in effect.
To completely disable the firewall, you'll have to flush the chains as well:
Code:
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
Some distributions have a "firewall service" that manages the ruleset. Stopping such a process may or may not empty the ruleset and may or may not change the policies to "ACCEPT".
The iptables firewall itself is a kernel feature, not a process or daemon. If iptables -L or iptables-save shows no blocking rules and an ACCEPT policy, then there's no firewall.
What makes you suspect the communication issues are caused by firewall settings? Can you connect to the VM at all with, say, ping? Do such connection attempts leave an entry in the ARP table on the connecting system?
|
Now *that* was helpful; I got from 'no route to host' to 'connection refused'. One roadblock out of the way, now to work on the permissions issue. Good!
I can ping the VM, yes.
The server's arp table contains the client's ip address, not sure how it got there. But addresses and firewalls are not the problem any more.
|
|
|
01-28-2014, 07:50 AM
|
#7
|
Member
Registered: May 2013
Distribution: Arch Linux
Posts: 86
Rep:
|
You're using Fedora 20. The iptables service isn't enabled. Try
Code:
systemctl stop firewalld.service
or
Code:
service firewalld stop
getenforce should return the status of SELinux. Outside of that we need an actual error message to troubleshoot anything. Try systemctl status <service name> for the service you're trying to run.
Last edited by wstewart90; 01-28-2014 at 07:52 AM.
|
|
|