HowtoForge Forums | HowtoForge - Linux Howtos and Tutorials

Installation/Configuration: Facing problem with ICMP (ping request) (http://www.howtoforge.com/forums/showthread.php?t=26014)

princeu28 13th August 2008 22:59

Facing problem with ICMP (ping request)
 
Facing problem with ICMP (ping request); it's only replying to one ping request, failing on the second onwards

I'm facing an issue with ICMP; it's a Red Hat Linux 4.0 system. The first ping request works fine, but when I try to start a second ping request it does not give any reply, even if I'm trying from the same machine. I have even checked by sending pings from different machines at the same time, and it only replies to one request at a time, meaning sometimes it replies to the first request then moves on to the second one, but only one is working at a time ..

Anyone have a suggestion what it could be ...

ralic 13th August 2008 23:05

Quote:

Originally Posted by princeu28 (Post 140848)
Facing problem with ICMP (ping request); it's only replying to one ping request, failing on the second onwards

Sounds like it could be some over-cautious rate limiting on ICMP traffic. Temporarily disable any firewall software that may be running, then retry your ping tests.

princeu28 13th August 2008 23:13

Quote:

Originally Posted by ralic (Post 140851)
Sounds like it could be some over-cautious rate limiting on ICMP traffic. Temporarily disable any firewall software that may be running, then retry your ping tests.

I really don't know if there is any firewall software installed on this server or not. Is there any method to check or stop those firewall settings? I know it might sound odd, but I have no idea about firewall stuff; I just want to get this ICMP working ...

ralic 13th August 2008 23:47

If it's a production box, get professional help. Anything you copy/paste from the net without understanding could jeopardise your system.

The most likely firewall would be iptables based. To check if there are any rules configured for the various tables, use the following bash for loop as root. The output below the command shows no rules and a default policy of ACCEPT, meaning nothing is being blocked and the firewall is effectively disabled.

Code:

user@host:~$ for TABLE in filter nat mangle raw; do echo "Listing table data for: $TABLE"; iptables -t $TABLE -L; echo " "; done
Listing table data for: filter
Chain INPUT (policy ACCEPT)
target    prot opt source              destination       

Chain FORWARD (policy ACCEPT)
target    prot opt source              destination       

Chain OUTPUT (policy ACCEPT)
target    prot opt source              destination       
 
Listing table data for: nat
Chain PREROUTING (policy ACCEPT)
target    prot opt source              destination       

Chain POSTROUTING (policy ACCEPT)
target    prot opt source              destination       

Chain OUTPUT (policy ACCEPT)
target    prot opt source              destination       
 
Listing table data for: mangle
Chain PREROUTING (policy ACCEPT)
target    prot opt source              destination       

Chain INPUT (policy ACCEPT)
target    prot opt source              destination       

Chain FORWARD (policy ACCEPT)
target    prot opt source              destination       

Chain OUTPUT (policy ACCEPT)
target    prot opt source              destination       

Chain POSTROUTING (policy ACCEPT)
target    prot opt source              destination       
 
Listing table data for: raw
Chain PREROUTING (policy ACCEPT)
target    prot opt source              destination       

Chain OUTPUT (policy ACCEPT)
target    prot opt source              destination

Any iptables output other than what you see above, except for an error, likely means that there are some kind of firewall rules in place.

princeu28 13th August 2008 23:54

Quote:

Originally Posted by ralic (Post 140855)
If it's a production box, get professional help. Anything you copy/paste from the net without understanding could jeopardise your system.


I understand your point and agree regarding getting professional help. It's like this: I work on this system on a daily basis as root user, but only on the application installed on this system, and as far as the Linux part is concerned it was also installed as part of my work, but I have never faced such a problem with the bundled solution and was wondering if it's something simple that I can sort out.

Here are the iptables rules; can you see anything in the iptables settings which will only allow one ICMP request and will refuse more than one?

Code:

# Generated by iptables-save v1.2.11 on Wed Aug 13 10:01:23 2008
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed on Wed Aug 13 10:01:23 2008
# Generated by iptables-save v1.2.11 on Wed Aug 13 10:01:23 2008
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:LIMIT_TEST - [0:0]
-A INPUT -m state --state INVALID -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/255.0.0.0 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j LIMIT_TEST
-A INPUT -p ipv6 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j DROP
-A INPUT -p icmp -m icmp --icmp-type 13 -j DROP
-A INPUT -p icmp -m icmp --icmp-type 17 -j DROP
-A INPUT -p icmp -f -j DROP
-A INPUT -p icmp -m icmp --icmp-type 10 -j DROP
-A INPUT -d 255.255.255.255 -p icmp -j DROP
-A INPUT -p icmp -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i ppp0 -p udp -m udp --dport 137 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m tcp --dport 20 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p udp -m udp --dport 123 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 389 -j ACCEPT
-A INPUT -p udp -m udp --dport 389 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 636 -j ACCEPT
-A INPUT -p udp -m udp --dport 636 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 111 -j ACCEPT
-A INPUT -p udp -m udp --dport 111 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2049 -j ACCEPT
-A INPUT -p udp -m udp --dport 2049 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3000 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22600 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22700 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22800 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22900 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 23100 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 23101 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 23120 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 23121 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 23130 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 23131 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 23140 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 23141 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 23150 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 23151 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 23160 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 23161 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 23200 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 23201 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 23220 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 23221 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 23240 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 23241 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 23260 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 23261 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 23280 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 23281 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 23320 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 23321 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 23370 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 23371 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1024:63353 -j ACCEPT
-A INPUT -p udp -m udp --dport 1024:63353 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 113 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p igmp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m tcp --dport 80 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m tcp --dport 443 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m limit --limit 5/min -j LOG --log-prefix "Firewalled packet:"
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j DROP
-A FORWARD -m state --state INVALID -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -o eth0 -p icmp -m icmp --icmp-type 8 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -o eth1 -p icmp -m icmp --icmp-type 8 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -o ppp0 -p tcp -m tcp --dport 137 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -o ppp0 -p tcp -m tcp --dport 138 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -o ppp0 -p tcp -m tcp --dport 139 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -o ppp0 -p udp -m udp --dport 137 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -o ppp0 -p udp -m udp --dport 138 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -o ppp0 -p udp -m udp --dport 139 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i eth0 -o ppp0 -j ACCEPT
-A FORWARD -i eth1 -o ppp0 -j ACCEPT
-A FORWARD -i eth2 -o ppp0 -j ACCEPT
-A FORWARD -i ppp0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m limit --limit 5/min -j LOG --log-prefix "Firewalled packet:"
-A FORWARD -p tcp -j REJECT --reject-with tcp-reset
-A FORWARD -j DROP
-A OUTPUT -j ACCEPT
-A LIMIT_TEST -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m limit --limit 50/sec --limit-burst 75 -j RETURN
-A LIMIT_TEST -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j DROP
COMMIT
# Completed on Wed Aug 13 10:01:23 2008

ralic 14th August 2008 00:13

I'm no iptables expert (is anyone?), but these look like the lines of interest:
Code:

-A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j DROP

If I interpret it correctly, any more than 1 icmp echo request packet per second will be dropped.

The following commands should remove these two lines temporarily until the next reboot or firewall reload:
Code:

iptables -D INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j ACCEPT
iptables -D INPUT -p icmp -m icmp --icmp-type 8 -j DROP

Just remember that someone put them there for a reason. You should find out where and how this was done so that you can make the change permanent if necessary.
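As an added example (not from the thread or from either poster), a small POSIX shell audit script that finds this exact ACCEPT-with-limit-then-DROP pattern for ICMP echo requests in an iptables-save dump. The RULES excerpt is constructed from the rules posted above, and find_icmp_ratelimit and limit_to_pps are names chosen here. It also makes the cause visible: the limit match meters one global token bucket, so the 1/sec budget is shared by every host pinging the box rather than applied per source.

```shell
#!/bin/sh
# Added example: audit an iptables-save dump for ICMP echo-request rules
# that use a global "-m limit" ACCEPT immediately followed by a DROP.
# RULES is a constructed excerpt modelled on the thread's dump.
RULES='*filter
:INPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j DROP
-A INPUT -p icmp -j ACCEPT
COMMIT'

# Print "chain rate" for each echo-request ACCEPT rule carrying "-m limit"
# that is directly followed by a DROP for the same ICMP type in that chain.
find_icmp_ratelimit() {
    printf '%s\n' "$1" | awk '
        /^-A / && /--icmp-type 8 / && /-m limit/ && /-j ACCEPT/ {
            pending = $2
            for (i = 1; i <= NF; i++) if ($i == "--limit") rate = $(i + 1)
            next
        }
        pending != "" {
            if ($0 ~ /^-A / && $2 == pending && /--icmp-type 8 / && /-j DROP/)
                print pending, rate
            pending = ""
        }'
}

# Convert a limit token such as 1/sec, 30/minute or 100/hour to packets/second.
limit_to_pps() {
    n=${1%%/*}
    case "${1#*/}" in
        sec|second) d=1 ;;
        min|minute) d=60 ;;
        hour)       d=3600 ;;
        day)        d=86400 ;;
        *)          return 1 ;;
    esac
    awk -v n="$n" -v d="$d" 'BEGIN { printf "%.4f\n", n / d }'
}

# Report: "-m limit" keeps a single counter for the rule, not one per
# source address, so this budget is shared by every client pinging the host.
find_icmp_ratelimit "$RULES" | while read -r chain rate; do
    pps=$(limit_to_pps "$rate")
    echo "$chain: echo requests capped at $rate ($pps pkt/s) across all sources"
done
```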
