Solved

Can't ping anything on LAN or WAN

Posted on 2003-11-18
Last Modified: 2010-05-18
Background info:

OS: MandrakeSecurity Multi-Network-Firewall 8.2
Kernel: 2.4.18-8.1mdksecure

Hope-to-have setup:

Internet -> ADSL router -> eth0 (server) eth1 -> switch -> LAN

Current setup: (until the server is configured)

Internet -> ADSL router/gateway/DHCP -> hub -> LAN -> Linux server

My Linux box is an IBM eServer xSeries 335 (rack) with 2 built-in Broadcom NetXtreme Gigabit Ethernet cards. I have (finally) successfully installed the drivers and Linux detects both as eth0 and eth1.

I have tried assigning static IPs and using the router's IP as gateway. I have tried assigning a static IP to one card and a DHCP to the other. Finally I tried both DHCP. The cards get IP addresses from the DHCP server.

But I cannot ping anything except 127.0.0.1 (and the current IP). The router is 192.168.1.1. If I ping that or any other machine, I get this:

[root@localhost ]# ping 192.168.1.1
PING 192.168.1.1 (192.168.1.1) from 192.168.1.102 : 58(84) bytes of data.
^C
--- Ping statistics for 192.168.1.1 ---
5 packets sent, 0 packets received, 100% packet loss
[root@localhost ]#

Here's the (current) contents of /etc/sysconfig/network
NETWORKING=yes
FORWARD_IPV4=yes
HOSTNAME=localhost.localdomain

DOMAINNAME=localdomain

# Gateway configuration
GATEWAYDEV=eth1
GATEWAY=    # note: doesn't seem to make a difference if there's an IP here or not

Here's the contents of /etc/sysconfig/network-scripts/ifcfg-eth0 (currently set up with static IP)
DEVICE=eth0
ONBOOT=yes
BOOTPROTO=static
IPADDR=192.168.99.2
NETMASK=255.255.255.0
GATEWAY=192.168.99.254    # note: fake

Here's the contents of /etc/sysconfig/network-scripts/ifcfg-eth1
(currently set up with DHCP)
DEVICE=eth1
ONBOOT=yes
BOOTPROTO=dhcp

The eth1 interface is currently 192.168.1.102 and the router is at 192.168.1.1. All DHCP machines are 192.168.1.1XX.

Whenever I try to ping anything, I just get 0 packets received.

When I ping either 192.168.1.103 or when it's static like 192.168.1.3 from a Windows ME computer, I get this error

C:\WINDOWS> ping 192.168.1.103
Pinging 192.168.1.103 with 32 bytes of data:

Reply from 192.168.1.103: Destination port unreachable.
Reply from 192.168.1.103: Destination port unreachable.
Reply from 192.168.1.103: Destination port unreachable.
Reply from 192.168.1.103: Destination port unreachable.

Ping statistics for 192.168.1.103:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip in milliseconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms
C:\WINDOWS>

Please tell me what could be wrong and how I could connect to my LAN/Router/Internet!!!!
Question by:x13
20 Comments
 
LVL 6

Expert Comment

by:robertjbarker
ID: 9776473
Can you run

route -nNvee

and post the results?
0
 
LVL 6

Expert Comment

by:robertjbarker
ID: 9776477
Also, please run

ifconfig

and post those results.  
0
 

Author Comment

by:x13
ID: 9779579
Sure:

[root@localhost ]# route -nNvee
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface MSS Window irtt
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1 40 0 0
192.168.99.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0 40 0 0
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo 40 0 0

[root@localhost ]# ifconfig
eth0 Link encap:Ethernet HWaddr 00:(etc)
       inet addr: 192.168.99.2 Bcast: 192.168.99.255 Mask: 255.255.255.0
       UP BROADCAST RUNNING MULTICAST MTU: 1500 Metric:1
       Rx packets:160 errors:0 dropped:0 overruns:0 frame:0
       Tx packets:1 errors:0 dropped:0 overruns:0 carrier:0
       collisions:0 txqueuelen:100
       RX bytes:16618(16.2 Kb) TX bytes:64 (64.0 b)
       Interrupt:24 Memory:fbff0000-fc000000

eth1 Link encap:Ethernet HWaddr:00:09:6B:etc
       inet addr:192.168.1.102 Bcast:192.168.1.255 Mask:255.255.255.0
       UP BROADCAST NOTRAILERS RUNNING MULTICAST MTU:1500 Metric:1
       RX packets:243 errors:0 dropped:0 overruns:0 frame:0
       TX packets:4 errors:0 dropped:0 overruns:0 carrier:0
       collisions:0 txqueuelen:100
       RX bytes:23814 (23.2 Kb) TX bytes:812 (812.0 b)
       Interrupt:25 Memory:fbfe0000-fbff0000

lo   Link encap:Local Loopback
      inet addr:127.0.0.1 Mask:255.0.0.0
      UP LOOPBACK RUNNING MTU:16436 Metric:1
      RX packets:0 errors:0 dropped:0 overruns:0 frame:0
      TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
      collisions:0 txqueuelen:0
      RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
[root@localhost ]#

Phew, that was a lot of typing. :-) Let me know if you need any more info. Oh, I almost forgot. I couldn't ping even the loopback address, 127.0.0.1, until I modified this: /proc/sys/net/ipv4/icmp_echo_ignore_all to have a value of 0. I now can ping loopback and my own IP but nothing else.

Also, I am supposed to be able to use a web browser on the LAN to configure the server, but I can't access it using https: protocol either.

ideas??
0
 

Author Comment

by:x13
ID: 9779957
could it be related to iptables?
0
 
LVL 6

Expert Comment

by:robertjbarker
ID: 9780628
Sorry, the typing could have been avoided using redirection

route -nNvee >outroute.txt
ifconfig >outconfig.txt

Really sorry...
0
 

Author Comment

by:x13
ID: 9780721
That's OK, as long as it helps to find an answer... it's like this machine isn't even plugged in. I can't FTP, telnet, or http or ping it from another computer. I can't ping or ftp out either. I have no idea what to do, and I'm supposed to be configuring it from a browser on my LAN. Well I can't because the LAN can't see the blasted thing, except to say "Port unreachable" and stuff. :-(
0
 
LVL 6

Expert Comment

by:robertjbarker
ID: 9780765
eth0 is pointing to the ADSL router?  I would have expected that to have an IP of something like 192.168.1.103 (what eth1 seems to have).  As it is, it looks like eth0 has an address that does not mesh with the ADSL.  Is eth0 getting its address from DHCP from the ADSL?  If not, I would try allowing it to.

Then the following might do the trick:

ip route add default via 192.168.1.1 dev eth0

But then you have the situation where eth0 and eth1 are using the same subnet...
0
 

Author Comment

by:x13
ID: 9780790
eth0 is not pointing to anything. I gave it a fake static IP on a new subnet (192.168.99.X) because someone had mentioned that the subnets have to be different.

The DSL modem is somewhere on the LAN right now.

eth1 *should* be able to connect to the LAN

eth0 should *not* connect to the lan due to its IP address.

If I set both eth0 and eth1 to DHCP they get IP addresses:
eth0: 192.168.1.103
eth1: 192.168.1.102

But I just set eth0 to have a static IP. My goal is just to connect to my LAN at least. I am hoping that once I can connect to the server with a browser, I can configure the rest that way.
0
 
LVL 6

Expert Comment

by:robertjbarker
ID: 9780880
The DSL modem is at 192.168.1.1 ?
Then eth0 will have to have an address of 192.168.1.x if it is to contact the modem.
What happens if you let both eth0 and eth1 use DHCP and you say

ip route add default via 192.168.1.1 dev eth0
0
 
LVL 6

Expert Comment

by:robertjbarker
ID: 9781359
If you want eth0 to have access only to the DSL modem then you will have to change the IP address of the modem.
So if eth0 has address 192.168.66.2 then the modem should have address 192.168.66.1 (for example).  This will make the modem unavailable to the LAN - except for your system through eth0.

Is the DSL Modem supplying DHCP services?  This is not good if there is another DHCP server on the LAN.  You should disable this on the modem if this is the case.
0
 

Author Comment

by:x13
ID: 9782211
hi robertjbarker,

thank you for continuing to send your ideas.

RIGHT NOW - the DSL modem is the *only* DHCP server on the network. The Linux box is not yet configured to do anything (well not that I know of anyway). eth0 is not plugged into the modem yet.

In the future, I am planning to set it up the way you said, with the modem and the eth0 on one subnet, and eth1 and LAN on another. But currently eth0 and the modem aren't directly connected.

I set both to use DHCP and they have
eth0: 192.168.1.103
eth1: 192.168.1.102

[root@localhost ]# ip route add default via 192.168.1.1 dev eth0
RTNETLINK answers: Network is unreachable
[root@localhost ]# ip route add default via 192.168.1.1 dev eth1
RTNETLINK answers: File exists
[root@localhost ]#

Interesting. After ONCE AGAIN editing that pesky /proc/sys/net/ipv4/icmp_echo_ignore_all, I have discovered that I can ping 192.168.1.102 (eth1) from eth1 and 192.168.1.103 (eth0) from eth0, but I can't ping eth1 from eth0. (Error: Destination host unreachable)
0
 
LVL 6

Expert Comment

by:robertjbarker
ID: 9783777
Can you get through to the DSL modem through eth1 now?
0
 
LVL 6

Expert Comment

by:robertjbarker
ID: 9784832
I worry about the responses to the ip route commands.  If you run ifconfig after these I would expect that you would come up with output something like this:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface    MSS   Window irtt
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0     0     0      0
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth0     0     0      0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1     0     0      0
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth1     0     0      0

If not then something is clearly amiss with the execution of the ip route commands

I wonder if you are running into firewall rules.

First, it seems strange to me to have two network connections on a firewall communicating with the same subnet - it kind of defeats the purpose of the whole thing.

Perhaps it would be better if you went straight to your intended configuration and tried to get it going. Then you would at least be solving the problems you will need to solve in your intended solution, instead of problems you might not run into otherwise.

Am I right to assume that the DSL modem is in use by the others on the LAN now so that you don't want to take it out of the 192.168.1.0 subnet at this time?  If so, you could try taking eth0 off the LAN and hooking it directly to a single workstation.  Then you could set up a subnet, say 10.x.x.x, with just that workstation and eth0, and figure out how to route through the firewall to the modem.
0
 

Author Comment

by:x13
ID: 9787778
You are correct, the DSL modem is in use, and unfortunately I don't have access to the building after hours (no one does) so the amount of time I will have to play with it will be very limited.

Excellent suggestion. I am going to plug eth0 into this little workstation here, and make a new subnet. And leave eth1 plugged into the LAN. I will post back here shortly. Thank you.
0
 

Author Comment

by:x13
ID: 9788253
OK

Current configuration

DSL modem -> LAN -> my hub -> Windows ME (192.168.1.122)
                              Windows 98 (192.168.99.121)
                              Linux eth0 (192.168.99.1)
                              Linux eth1 (192.168.1.2)

route -n:

Destination     Gateway         Genmask         Flags Metric Ref Use Iface
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0   0   eth1
192.168.99.0    0.0.0.0         255.255.255.0   U     0      0   0   eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0   0   lo
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0   0   eth1

I even tried netconfig -d eth0 --gateway=192.168.99.1 but it doesn't put a gateway for eth0.

Results:

From the Windows 98 workstation (192.168.99.121) ping 192.168.99.1 -> Destination port unreachable

From eth0 (192.168.99.1) ping 192.168.99.121 -> 0 packets received

From eth1 (192.168.1.2) ping 192.168.1.1 -> 0 packets received

From Windows ME (192.168.1.121) ping 192.168.1.2 -> Destination port unreachable.

Drat.
0
 
LVL 6

Expert Comment

by:robertjbarker
ID: 9789617
I don't seem to be helping a great deal, do I.

I'm pretty much stumped, and pretty sorry about it too...
0
 

Author Comment

by:x13
ID: 9790230
Well, I appreciate all your help, do not give up...

a tcpdump reveals the message

17 packets received by filter
0 packets dropped by kernel

This makes me think that my firewall or iptables are interfering in some way. I have renamed my iptables file and tried to edit the policies in shorewall. But still the problem persists and I can't ping anyone, not even the other network card.
0
 

Author Comment

by:x13
ID: 9790743
Solved the mystery.

I had to disable shorewall:

[root@localhost ]# shorewall stop

enable icmp

[root@localhost ]# echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all

and delete, remove executable, and flush IP tables (after backing up onto floppy of course)

[root@localhost ]# cd /etc/rc.d/init.d
[root@localhost ]# rm iptables
[root@localhost ]# chmod -x iptables    # yes it makes another one
[root@localhost ]# iptables -F          # get rid of all the default rules
[root@localhost ]# iptables -P INPUT ACCEPT
[root@localhost ]# iptables -P OUTPUT ACCEPT
[root@localhost ]# iptables -P FORWARD ACCEPT

finally!!!

[root@localhost ]# ping 192.168.1.1
PING 192.168.1.1 from 192.168.1.66 : 56(84) bytes of data
64 bytes from 192.168.1.1: icmp_seq=0 ttl=128 time=726 usec
64 bytes from 192.168.1.1: icmp_seq=1 ttl=128 time=403 usec
64 bytes from 192.168.1.1: icmp_seq=2 ttl=128 time=402 usec

--- 192.168.1.1 ping statistics
3 packets transmitted, 3 packets received, 0% packet loss

*YAY*

Of course, I now have no firewall and no protection. But at least I can function better. Yeesh.
0
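The symptoms in this thread are consistent with two firewall verdicts: an iptables REJECT rule (whose default reply is ICMP port unreachable) shows up on Windows as "Destination port unreachable", while a DROP gives the silent 100% packet loss. As an added example that is not part of any post in the thread, the shell function below reports the first-match verdict for an ICMP echo-request against a ruleset in iptables-save format, run over a reject-everything ruleset and a default-DROP ruleset that permits ping on one interface. Both rulesets are constructed, and the helper name icmp_verdict and the use of eth1 as the LAN side are assumptions.

```sh
#!/bin/sh
# Added example. Both rulesets are constructed samples in iptables-save
# format; they are not the poster's actual Shorewall configuration.

# Reject-everything ruleset: pings in are answered with "port unreachable",
# pings out are silently dropped.
LOCKED=':INPUT DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -o lo -j ACCEPT'

# Narrower alternative to flushing: default DROP stays, ping is allowed on
# the LAN interface only (eth1 as the LAN side is an assumption).
MINIMAL=':INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth1 -p icmp -m icmp --icmp-type 8 -j ACCEPT'

# icmp_verdict RULES CHAIN IFACE (hypothetical helper)
# Prints the first-match target for a new ICMP echo-request on IFACE.
# Simplified: evaluates only -i/-o, -p and --icmp-type, treats "-m state"
# rules as not matching a new packet, ignores negation ("!") and does not
# follow jumps into user-defined chains.
icmp_verdict() {
    printf '%s\n' "$1" | awk -v chain="$2" -v ifc="$3" '
    $1 == (":" chain) { policy = $2 }
    $1 == "-A" && $2 == chain && !hit {
        ok = 1; target = ""
        for (i = 3; i <= NF; i++) {
            if (($i == "-i" || $i == "-o") && $(i+1) != ifc) ok = 0
            if ($i == "-p" && $(i+1) != "icmp" && $(i+1) != "all") ok = 0
            if ($i == "--icmp-type" && $(i+1) != "8" && $(i+1) != "echo-request") ok = 0
            if ($i == "--state") ok = 0
            if ($i == "-j") target = $(i+1)
        }
        if (ok && target != "") { print target; hit = 1 }
    }
    END { if (!hit) print policy }'
}

echo "locked  INPUT  eth1: $(icmp_verdict "$LOCKED" INPUT eth1)"
echo "locked  OUTPUT eth1: $(icmp_verdict "$LOCKED" OUTPUT eth1)"
echo "minimal INPUT  eth1: $(icmp_verdict "$MINIMAL" INPUT eth1)"
echo "minimal INPUT  eth0: $(icmp_verdict "$MINIMAL" INPUT eth0)"
```

On a live host the first argument would be the saved output of iptables-save; the kernel setting /proc/sys/net/ipv4/icmp_echo_ignore_all is a separate switch that this function does not inspect.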
 
LVL 6

Expert Comment

by:robertjbarker
ID: 9793593
Very good, and congrats!
0
 

Accepted Solution

by:
PashaMod earned 0 total points
ID: 9811545
Question closed and points refunded

PashaMod
CS Moderator
0
