#1
13th August 2008, 22:59
princeu28
Facing problem with ICMP (ping request)

Facing problem with ICMP (ping request), it's only replying to one ping request, failing on the second onwards

I'm facing an issue with ICMP; it's a Red Hat Linux 4.0 system. The first ping request works fine, but when I try to start a second ping request it does not give any reply, even if I'm trying from the same machine. I have even checked by sending pings from different machines at the same time, and it only replies to one request at a time, meaning sometimes it replies to the first request then moves on to the second one, but only one is working at a time.

Does anyone have a suggestion what it could be?
#2
13th August 2008, 23:05
ralic

Quote:
Originally Posted by princeu28
Facing problem with ICMP (ping request), it's only replying to one ping request, failing on the second onwards
Sounds like it could be some over cautious rate limiting on icmp traffic. Temporarily disable any firewall software that may be running, then retry your ping tests.
#3
13th August 2008, 23:13
princeu28

Quote:
Originally Posted by ralic
Sounds like it could be some over cautious rate limiting on icmp traffic. Temporarily disable any firewall software that may be running, then retry your ping tests.
I really don't know if there is any firewall software installed on this server or not. Is there any method to check or stop those firewall settings? I know it might be sounding odd, but I have no idea about firewall stuff; I just want to get this ICMP working...
#4
13th August 2008, 23:47
ralic

If it's a production box, get professional help. Anything you copy/paste from the net without understanding could jeopardise your system.

The most likely firewall would be iptables based. To check if there are any rules configured for the various tables, use the following bash for command as root. The output below the command shows no rules and default policy of ACCEPT, meaning nothing is being blocked and the firewall is effectively disabled.

Code:
user@host:~$ for TABLE in filter nat mangle raw; do echo "Listing table data for: $TABLE"; iptables -t $TABLE -L; echo " "; done
Listing table data for: filter
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
 
Listing table data for: nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
 
Listing table data for: mangle
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         
 
Listing table data for: raw
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
Any iptables output other than what you see above, except for an error, likely means that there are some kind of firewall rules in place.

Last edited by ralic; 13th August 2008 at 23:49. Reason: Remove sudo. It's for redhat.
#5
13th August 2008, 23:54
princeu28

I understand your point & agree regarding getting professional help. It's like this: I work on this system on a daily basis as root user, but only on the application installed on this system, and as far as the Linux part is concerned, it's also installed as part of my work, but I never ever faced such a problem with the bundled solution and was wondering if it's something simple that I can sort out.

Here is the iptables configuration; can you see anything in the iptables settings which will only allow one ICMP request & will refuse more than one?

# Generated by iptables-save v1.2.11 on Wed Aug 13 10:01:23 2008
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
# Completed on Wed Aug 13 10:01:23 2008
# Generated by iptables-save v1.2.11 on Wed Aug 13 10:01:23 2008
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:LIMIT_TEST - [0:0]
-A INPUT -m state --state INVALID -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i lo -j ACCEPT
-A INPUT -d 127.0.0.0/255.0.0.0 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j LIMIT_TEST
-A INPUT -p ipv6 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j DROP
-A INPUT -p icmp -m icmp --icmp-type 13 -j DROP
-A INPUT -p icmp -m icmp --icmp-type 17 -j DROP
-A INPUT -p icmp -f -j DROP
-A INPUT -p icmp -m icmp --icmp-type 10 -j DROP
-A INPUT -d 255.255.255.255 -p icmp -j DROP
-A INPUT -p icmp -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i ppp0 -p udp -m udp --dport 137 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m tcp --dport 20 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p udp -m udp --dport 123 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 389 -j ACCEPT
-A INPUT -p udp -m udp --dport 389 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 636 -j ACCEPT
-A INPUT -p udp -m udp --dport 636 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 111 -j ACCEPT
-A INPUT -p udp -m udp --dport 111 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2049 -j ACCEPT
-A INPUT -p udp -m udp --dport 2049 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3000 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22600 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22700 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22800 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22900 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 23100 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 23101 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 23120 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 23121 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 23130 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 23131 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 23140 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 23141 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 23150 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 23151 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 23160 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 23161 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 23200 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 23201 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 23220 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 23221 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 23240 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 23241 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 23260 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 23261 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 23280 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 23281 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 23320 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 23321 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 23370 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 23371 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1024:63353 -j ACCEPT
-A INPUT -p udp -m udp --dport 1024:63353 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 113 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p igmp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m tcp --dport 80 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m tcp --dport 443 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m limit --limit 5/min -j LOG --log-prefix "Firewalled packet:"
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j DROP
-A FORWARD -m state --state INVALID -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -o eth0 -p icmp -m icmp --icmp-type 8 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -o eth1 -p icmp -m icmp --icmp-type 8 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -o ppp0 -p tcp -m tcp --dport 137 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -o ppp0 -p tcp -m tcp --dport 138 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -o ppp0 -p tcp -m tcp --dport 139 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -o ppp0 -p udp -m udp --dport 137 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -o ppp0 -p udp -m udp --dport 138 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -o ppp0 -p udp -m udp --dport 139 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i eth0 -o ppp0 -j ACCEPT
-A FORWARD -i eth1 -o ppp0 -j ACCEPT
-A FORWARD -i eth2 -o ppp0 -j ACCEPT
-A FORWARD -i ppp0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m limit --limit 5/min -j LOG --log-prefix "Firewalled packet:"
-A FORWARD -p tcp -j REJECT --reject-with tcp-reset
-A FORWARD -j DROP
-A OUTPUT -j ACCEPT
-A LIMIT_TEST -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m limit --limit 50/sec --limit-burst 75 -j RETURN
-A LIMIT_TEST -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j DROP
COMMIT
# Completed on Wed Aug 13 10:01:23 2008
#6
14th August 2008, 00:13
ralic

I'm no iptables expert (is anyone?), but these look like the lines of interest:
Code:
-A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j DROP
If I interpret it correctly, any more than 1 icmp echo request packet per second will be dropped.

The following commands should remove these two lines temporarily until the next reboot or firewall reload:
Code:
iptables -D INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j ACCEPT
iptables -D INPUT -p icmp -m icmp --icmp-type 8 -j DROP
Just remember that someone put them there for a reason. You should find out where and how this was done so that you can make the change permanent if necessary.
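Added example, not part of any post in this thread: a small model of the `limit` match as a token bucket shared by all sources, showing why the `--limit 1/sec` ACCEPT rule followed by DROP starves a second ping client. It assumes one echo request per second per client, clients evenly staggered within the second, and the match's default `--limit-burst` of 5; `simulate_limit` is a hypothetical helper name.

```shell
#!/bin/sh
# Added example: the iptables "limit" match modelled as a token bucket.
# Assumptions: one echo request per second per ping client, clients evenly
# staggered within each second, default --limit-burst of 5.

# simulate_limit RATE_PER_SEC BURST SENDERS SECONDS
# Prints one line per sender: "sender=N accepted=A dropped=D"
simulate_limit() {
    rate=$1; burst=$2; senders=$3; seconds=$4
    cap=$((burst * 1000))      # bucket capacity in milli-tokens
    tokens=$cap                # the bucket starts full
    last=0                     # arrival time of the previous packet (ms)
    step=$((1000 / senders))   # gap between two senders' packets (ms)
    i=0
    while [ "$i" -lt "$senders" ]; do
        eval "acc_$i=0; drop_$i=0"
        i=$((i + 1))
    done
    s=0
    while [ "$s" -lt "$seconds" ]; do
        i=0
        while [ "$i" -lt "$senders" ]; do
            now=$((s * 1000 + i * step))
            # Refill RATE tokens per second, never above the burst cap.
            tokens=$((tokens + (now - last) * rate))
            if [ "$tokens" -gt "$cap" ]; then tokens=$cap; fi
            last=$now
            if [ "$tokens" -ge 1000 ]; then
                tokens=$((tokens - 1000))            # limit rule matches: ACCEPT
                eval "acc_$i=\$((\$acc_$i + 1))"
            else
                eval "drop_$i=\$((\$drop_$i + 1))"   # falls to the next rule: DROP
            fi
            i=$((i + 1))
        done
        s=$((s + 1))
    done
    i=0
    while [ "$i" -lt "$senders" ]; do
        eval "echo \"sender=$i accepted=\$acc_$i dropped=\$drop_$i\""
        i=$((i + 1))
    done
}

# The thread's rule: --limit 1/sec, everything over the limit is dropped.
echo "one ping client:";  simulate_limit 1 5 1 20
echo "two ping clients:"; simulate_limit 1 5 2 20
```

In this model the second client gets replies only while the initial burst lasts, then loses every packet, because the bucket is not tracked per source address.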