LAN client can surf but not ping ?
I have a firewall-router-printer server and 1 LAN client both with Mandrake 10.1.
As SU, I can ping the client from my router. I can see the printer from my client but cannot print. As SU, I cannot ping the firewall from the client ( destination unreachable error type ), BUT I can surf the Internet on the client, so I'm 100% confident that my NIC on the client works. The only cause I see is a permission problem on the firewall-router. On the router-firewall I set the security level to normal and don't allow access to any service from the outside. On the client, the security level is set to low and the firewall is disabled. I find Mandrake firewall settings confusing. I run the same hardware config with Fedora Core 2 using Firestarter and never had any problem. The problem is that Mandrake complains about a missing file when installing and running the Firestarter RPM on my router-firewall. Tia for any suggestion. |
I think the problem is that you don't allow ANY traffic to the router. The MDK firewall isn't really made for routers so it doesn't separate incoming traffic on eth0 from incoming traffic on eth1. Assuming your internal NIC is eth1 and you're not afraid of any traffic from your LAN to the router you can try entering:

iptables -I INPUT -i eth1 -j ACCEPT

This will allow all incoming traffic on eth1. If it works run 'iptables-save > /etc/sysconfig/iptables' and it'll work after next reboot as well.

As for Firestarter it's in the contrib directory (for MDK 10.x anyways) so for MDK 10.1 you should be able to do:
Code:
urpmi.addmedia Contrib ftp://ftp.sunet.se/pub/Linux/distributions/mandrakelinux/official/10.1/i586/media/contrib with media_info/hdlist.cz
For MDK 10.0 use:
Code:
urpmi.addmedia Contrib ftp://ftp.sunet.se/pub/Linux/distributions/mandrakelinux/official/10.0/contrib/i586 with synthesis.hdlist.cz
- Peder |
Thanks for the suggestion Bunnadik, but I'm trying to avoid rolling my own iptables rules.
Mandrake 10.1 doesn't have the /etc/sysconfig/iptables file because it uses Shorewall ( an iptables wrapper ) that has its config files in /etc/shorewall. So today I printed the Shorewall doc and its config files ( 40 + pages ) and I'm having a look at it. I disagree when you say that "The MDK firewall isn't really made for routers" because Shorewall has a specific doc article and example config files about configuring a LAN with a 2-interface firewall-router that matches exactly my situation. But at least we both agree that my problem is firewall permissions related. |
Yupp, you're right about shorewall. I thought you meant the firewall you can config through the installation process or through MCC.
I haven't installed shorewall in a long time; tried it once and didn't like it. But I still suggest you try the 'iptables -I INPUT -i eth1 -j ACCEPT' command. It's only persistent until the next reboot (unless you remove it sooner by issuing 'iptables -D INPUT -i eth1 -j ACCEPT' ) and if it works at least you know that's the problem. - Peder |
Quote:
About Firestarter, I installed it via urpmi. The problem is that when I run firestarter, there is one window that opens with the following message: "missing configuration file" ?? Thanks again for your suggestions. |
update:
I added the suggested command:

iptables -I INPUT -i eth1 -j ACCEPT

I was then able to ping the firewall from my client. Thanks again for the help Bunnadik. So obviously, it looks like a problem caused by Shorewall. Damn, why does Mandrake have to use Shorewall in the first place ?? It's not much less complicated than to roll one's own iptables. |
iptables -I INPUT -i eth1 -j ACCEPT
Does this command accept all incoming traffic?? And hence render the rest of the firewall rules useless?? |
wisdom,
Quote:
HTH, |
Quote:
eth0 is connected to the internet. Anyway, I solved my problem: By default Mandrake does not allow pinging on the LAN. So I had to add the following lines to my /etc/shorewall/rules:

# Allow Ping To And From Firewall
#
ACCEPT loc fw icmp 8
ACCEPT fw loc icmp

Thanks for the help. |
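
Added example, not part of any post in this thread: a small shell check that reads rules in iptables-save format and flags INPUT rules whose only match is the incoming interface, like the temporary `-i eth1` rule tried above, while passing narrower rules such as an ICMP echo-request accept. The function names and the sample rule lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag INPUT rules that accept everything arriving on one
# interface. Input is rule lines in iptables-save format ("-A INPUT ...").

# Constructed sample rules (assumption: not taken from the thread's router).
sample_rules() {
    cat <<'EOF'
-A INPUT -i eth1 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth1 -p icmp --icmp-type 8 -j ACCEPT
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -j DROP
-A FORWARD -i eth1 -o eth0 -j ACCEPT
EOF
}

# Print every INPUT rule whose only match is the incoming interface and whose
# target is ACCEPT. Loopback is skipped. Runs in a subshell so that set -f
# (no globbing while splitting the line) does not leak to the caller.
find_broad_accepts() (
    set -f
    while read -r line; do
        set -- $line
        [ "${1-}" = "-A" ] && [ "${2-}" = "INPUT" ] || continue
        shift 2
        iface="" target="" narrowed=no prev=""
        for tok in "$@"; do
            case "$prev" in
                -i) iface="$tok" ;;
                -j) target="$tok" ;;
                *)  case "$tok" in
                        -i|-j) ;;
                        *) narrowed=yes ;;   # protocol, port, state, source...
                    esac ;;
            esac
            prev="$tok"
        done
        if [ "$target" = "ACCEPT" ] && [ "$narrowed" = no ] &&
           [ -n "$iface" ] && [ "$iface" != "lo" ]; then
            printf '%s\n' "$line"
        fi
    done
)

sample_rules | find_broad_accepts
```

On a live router the same function can be fed with `iptables-save | find_broad_accepts`; it only inspects the INPUT chain, so forwarding rules are not reported.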