Solved

Linux second NIC: Linux can ping XP but XP can't ping Linux

Posted on 2004-11-17
Last Modified: 2010-05-18
I have set up a Linux box with two NICs:

eth0 192.168.0.2 connected to ADSL router 192.168.0.1
eth1 192.168.1.1 connected to netgear Fs108 switch and onto win XP m/c 192.168.1.2

I can ping 192.168.0.1 from linux
I can't ping 192.168.0.2 from linux (not sure if this is possible)
I can ping 192.168.1.2 (XP) from linux
I can't ping 192.168.1.1 from XP (192.168.1.2)

Any help would be appreciated.

Many thanks

Andy
Question by:Donoss
17 Comments
 
LVL 5

Expert Comment

by:paranoidcookie
ID: 12605460
What is your subnet mask? It should be something like 255.255.248.0 or even 255.255.0.0.

Is IP forwarding turned on? cat /proc/sys/net/ipv4/ip_forward should give 1; if not, run echo 1 > /proc/sys/net/ipv4/ip_forward.

 
LVL 1

Expert Comment

by:reketnet
ID: 12605799
Hi
To me this sounds like there is some iptables rule that is blocking pings. Execute iptables -L and show us.

regards,
 

Author Comment

by:Donoss
ID: 12606076
Hi,

Below is the ifconfig, iptables, and route output (is the subnet mask the same as the netmask?).

Many thanks


eth0      Link encap:Ethernet  HWaddr 00:0B:CD:E7:7B:3F
          inet addr:192.168.0.2  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::20b:cdff:fee7:7b3f/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1301 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1095 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:919110 (897.5 Kb)  TX bytes:155375 (151.7 Kb)
          Interrupt:17 Memory:e8200000-e8210000

eth1      Link encap:Ethernet  HWaddr 00:10:A7:0A:ED:0B
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::210:a7ff:fe0a:ed0b/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:52 errors:0 dropped:0 overruns:0 frame:0
          TX packets:57 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:5602 (5.4 Kb)  TX bytes:5909 (5.7 Kb)
          Interrupt:21 Base address:0x6000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:1496 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1496 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:359008 (350.5 Kb)  TX bytes:359008 (350.5 Kb)

[root@sambaserver1 root]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     *               255.255.255.0   U     0      0        0 eth1
192.168.0.0     *               255.255.255.0   U     0      0        0 eth0
127.0.0.0       *               255.0.0.0       U     0      0        0 lo

 

Author Comment

by:Donoss
ID: 12606103
And ......

cat /proc/sys/net/ipv4/ip_forward
1
 
LVL 5

Expert Comment

by:paranoidcookie
ID: 12606122
Change your subnet masks to 255.255.0.0
 

Author Comment

by:Donoss
ID: 12606187
Is that on all interfaces, i.e. eth0, 1 and on the XP machine?
 
LVL 5

Expert Comment

by:paranoidcookie
ID: 12606240
Well, as you effectively have one network I see no reason to stop the PCs communicating. Alternatively you could use the same subnet throughout, 192.168.0.x.
 

Author Comment

by:Donoss
ID: 12606291
I've changed the netmask and still the XP machine can't ping the Linux box.  For reference, my ultimate aim is to have another NIC, eth2, and use the Linux box as a router for two subnets, 192.168.1.0 and 192.168.2.0, routed through eth0 to a cable modem.  However, I thought I would start simple and just get one PC talking to the Linux box!

Regards

Andy
 
LVL 5

Accepted Solution

by:paranoidcookie (earned 1000 total points)
ID: 12606393
Can you ping beyond the linux box?

Check the proc settings by using cat:

 /proc/sys/net/ipv4/icmp_echo_ignore_all

When enabled, ignore all ICMP ECHO REQUEST (ping) packets. Does nothing to actually increase security, but can hide you from ping sweeps, which may prevent you from being port scanned. Nmap, for example, will not scan unpingable hosts unless -P0 is specified. This will prevent normal network connectivity tests, however.

 /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

When enabled, ignore broadcast and multicast pings. It's a good idea to ignore these to prevent you from becoming an inadvertent participant in a distributed denial of service attack, such as Smurf.

 /proc/sys/net/ipv4/conf/*/accept_source_route

When source routed packets are allowed, an attacker can forge the source IP address of connections by explicitly saying how a packet should be routed across the Internet. This could enable them to abuse trust relationships or get around TCP Wrapper-style access lists. There's no need for source routing on today's Internet.

 /proc/sys/net/ipv4/conf/*/rp_filter

When enabled, if a packet comes in on one interface, but our response would go out a different interface, drop the packet. Unnecessary on hosts with only one interface, but remember, PPP and VPN connections usually have their own interface, so it's a good idea to enable it anyway. Can be a problem for routers on a network that has dynamically changing routes. However on firewall/routers that are the single connection between networks, this automatically provides spoofing protection without network ACLs.

 /proc/sys/net/ipv4/conf/*/accept_redirects

When you send a packet destined to a remote machine you usually send it to a default router. If this machine sends an ICMP redirect, it lets you know that there is a different router to which you should address the packet for a better route, and your machine will send the packet there instead. A cracker can use ICMP redirects to trick you into sending your packets through a machine it controls to perform man-in-the-middle attacks. This should certainly never be enabled on a well configured router.

 /proc/sys/net/ipv4/conf/*/secure_redirects

Honor ICMP redirects only when they come from a router that is currently set up as a default gateway. Should only be enabled if you have multiple routers on your network. If your network is fairly static and stable, it's better to leave this disabled.

 /proc/sys/net/ipv4/conf/*/send_redirects

If you're a router and there are alternate routes of which you should inform your clients (you have multiple routers on your networks), you'll want to enable this. If you have a stable network where hosts already have the correct routes set up, this should not be necessary, and it's never needed for non-routing hosts.
 
LVL 38

Expert Comment

by:wesly_chen
ID: 12607801
Hi,

   Could you check /etc/sysctl.conf
and comment out all the ipv6 stuff and reboot?

Wesly
 

Author Comment

by:Donoss
ID: 12613038
Hi,

Results as follows, do any need changing and how do I do it?

/proc/sys/net/ipv4/icmp_echo_ignore_all
1

/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
1

/proc/sys/net/ipv4/conf/*/accept_source_route
0, 1, 1, 1, 1

/proc/sys/net/ipv4/conf/*/rp_filter
1, 1, 1, 1, 1

/proc/sys/net/ipv4/conf/*/accept_redirects
0, 1, 1, 1, 1

/proc/sys/net/ipv4/conf/*/secure_redirects
1, 1, 1, 1, 1

/proc/sys/net/ipv4/conf/*/send_redirects
1, 1, 1, 1, 1
 

Author Comment

by:Donoss
ID: 12613048
/etc/sysctl.conf looks like this; I can't see any ipv6 stuff:

net.ipv4.ip_forward=1
net.ipv4.tcp_ecn=0
net.ipv4.conf.all.log_martians=1
net.ipv4.icmp_echo_ignore_all=1
net.ipv4.ip_dynaddr=0
net.ipv4.conf.default.rp_filter=1
net.ipv4.conf.all.rp_filter=1
net.ipv4.icmp_echo_ignore_broadcasts=1
kernel.sysrq=1
dev.cdrom.autoclose=0
dev.cdrom.lock=0
net.ipv4.icmp_ignore_bogus_error_responses=1
kernel.core_uses_pid=1
 
LVL 5

Expert Comment

by:paranoidcookie
ID: 12613170
If net.ipv4.icmp_echo_ignore_all=1 then your Linux box is ignoring all ICMP (read: ping, traceroute).

echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all

and try again.
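The accepted answer lists the /proc/sys/net/ipv4 knobs to inspect, and the poster's /etc/sysctl.conf above shows the one that bit (net.ipv4.icmp_echo_ignore_all=1). The following is an added example, not code from this thread: it parses a sysctl.conf, compares it with the values that suit the poster's stated goal (a Linux box routing two LAN subnets behind one ADSL gateway, and answerable by ping from its own LAN), prints the sysctl -w commands that would apply them to the running kernel, and can write the corrected file text. The expected values are my reading of the accepted answer for that topology; the sample file is the poster's own, embedded as constructed input. Both the conf.all and conf.default keys are checked for the per-interface settings, because the kernel combines the all value with each interface's value and default is what a newly added eth2 inherits.

```python
"""Audit a sysctl.conf against the ICMP/routing settings discussed above.

Added example, not from the thread. Expected values assume the poster's
topology: one Linux box forwarding between its LAN subnets and a single
ADSL gateway, with no second router on any LAN.
"""
import re

# Constructed input: the /etc/sysctl.conf the poster pasted, unchanged.
SAMPLE_SYSCTL_CONF = """\
net.ipv4.ip_forward=1
net.ipv4.tcp_ecn=0
net.ipv4.conf.all.log_martians=1
net.ipv4.icmp_echo_ignore_all=1
net.ipv4.ip_dynaddr=0
net.ipv4.conf.default.rp_filter=1
net.ipv4.conf.all.rp_filter=1
net.ipv4.icmp_echo_ignore_broadcasts=1
kernel.sysrq=1
dev.cdrom.autoclose=0
dev.cdrom.lock=0
net.ipv4.icmp_ignore_bogus_error_responses=1
kernel.core_uses_pid=1
"""

# key -> (expected value, reason). Keys missing from the file are reported
# as unset, since the kernel default then applies rather than our choice.
ROUTER_EXPECTATIONS = {
    "net.ipv4.ip_forward": ("1", "the box must forward between eth1/eth2 and eth0"),
    "net.ipv4.icmp_echo_ignore_all": ("0", "1 silently drops every echo request; this is why XP could not ping the box"),
    "net.ipv4.icmp_echo_ignore_broadcasts": ("1", "do not answer broadcast pings (Smurf amplification)"),
    "net.ipv4.conf.all.rp_filter": ("1", "drop packets whose source is not routed via the arriving interface"),
    "net.ipv4.conf.default.rp_filter": ("1", "same, inherited by interfaces added later (eth2)"),
    "net.ipv4.conf.all.accept_source_route": ("0", "source routing lets a sender dictate the path and bypass trust"),
    "net.ipv4.conf.default.accept_source_route": ("0", "same for new interfaces"),
    "net.ipv4.conf.all.accept_redirects": ("0", "a router must not let ICMP redirects rewrite its routes"),
    "net.ipv4.conf.default.accept_redirects": ("0", "same for new interfaces"),
    "net.ipv4.conf.all.send_redirects": ("0", "one router per LAN: nothing to redirect clients to"),
    "net.ipv4.conf.default.send_redirects": ("0", "same for new interfaces"),
    "net.ipv4.conf.all.log_martians": ("1", "log packets with impossible source addresses"),
}

_KEY_VALUE = re.compile(r"^([\w./-]+)\s*=\s*(\S+)$")


def parse_sysctl_conf(text):
    """Return {key: value} from sysctl.conf text, skipping comments and blanks."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = _KEY_VALUE.match(line) if line else None
        if m:
            settings[m.group(1)] = m.group(2)
    return settings


def audit_router_sysctl(text, expectations=ROUTER_EXPECTATIONS):
    """List (key, current, expected, reason) for every key that is missing
    or wrong; an empty list means the file matches the expectations."""
    settings = parse_sysctl_conf(text)
    return [(key, settings.get(key), want, reason)
            for key, (want, reason) in expectations.items()
            if settings.get(key) != want]


def remediation_commands(findings):
    """sysctl -w lines that apply the expected values to the running kernel
    (the file itself still needs editing; `sysctl -p` reloads it)."""
    return [f"sysctl -w {key}={want}" for key, _have, want, _reason in findings]


def apply_findings(text, findings):
    """Return the file text with each finding's key set to its expected value:
    rewritten in place when the key is present, appended otherwise."""
    wanted = {key: want for key, _have, want, _reason in findings}
    out = []
    for line in text.splitlines():
        m = re.match(r"^\s*([\w./-]+)\s*=", line)
        if m and m.group(1) in wanted:
            out.append(f"{m.group(1)}={wanted.pop(m.group(1))}")
        else:
            out.append(line)
    out.extend(f"{key}={want}" for key, want in wanted.items())
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    findings = audit_router_sysctl(SAMPLE_SYSCTL_CONF)
    for key, have, want, reason in findings:
        print(f"{key:48s} current={str(have):5s} expected={want}  ({reason})")
    print("\n".join(remediation_commands(findings)))
```

Run against the poster's file it flags icmp_echo_ignore_all and the six unset redirect/source-route keys; ip_forward, rp_filter and the broadcast setting already match. Note that rp_filter=1 on a router is only a problem when routes are asymmetric, which a single box joining two LANs to one gateway does not have, so the accepted answer's caveat does not apply here.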
 

Author Comment

by:Donoss
ID: 12613209
Hi,

I changed the netmask on the Linux m/c to 255.255.255.0 and 255.255.0.0 on the XP and all works OK.  Is this correct? Why should it now work?

Andy
 
LVL 5

Expert Comment

by:paranoidcookie
ID: 12613256
Because subnet masks restrict traffic from crossing networks except via a gateway.

So if you have 192.168.0.0/255.255.255.0 it can talk directly to any clients on the last 254 bits of the address, so 192.168.0.1 - 192.168.0.254.

Whereas by changing the subnet mask to 255.255.0.0 you are explicitly saying the last two octets are connected.

Not sure if what I've said makes sense, so read this if not:
http://xtronics.com/reference/ip-subnetmasks.htm
or
http://ask-leo.com/c000084.html
Might help.
 

Author Comment

by:Donoss
ID: 12613327
Have set icmp_echo_ignore_all to 0 and all is fine.  

On the XP m/c, should the default gateway be 192.168.1.1 (my Linux box) or 192.168.0.1 (my gateway router to the internet)?  What do I need to add to the Linux m/c routing table to enable it to route subnet 192.168.1.0 to 192.168.0.0?  Or should I raise this as another question?

Many thanks for your help thus far.

Andy
 
LVL 5

Expert Comment

by:paranoidcookie
ID: 12613441
The gateway should be set to the IP which gives access to other networks, which I guess is your ADSL router (which I assume runs some sort of NAT system).
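Two questions in this thread, why the netmask change appeared to matter and which address XP's default gateway should point at, come down to the same rule: a host only sends directly (ARP on its own segment) to addresses inside its interface's subnet, and everything else goes to a gateway that must itself be inside that subnet. The following is an added example, not code from the thread or from either participant. It models the poster's hosts with routing tables built from the addresses given above and traces a packet hop by hop with longest-prefix match, reporting where it is delivered or why it is dropped. The link names, the "isp" hop and the 203.0.113.0/24 addresses are constructed for the example, and the model assumes no proxy ARP on the Linux box (the kernel default).

```python
"""Forwarding trace for the netmask and default-gateway questions above.

Added example, not from the thread. Routing tables are built from the
addresses the poster gave; link names, the ISP hop and 203.0.113.0/24 are
constructed. No proxy ARP is assumed (Linux default: proxy_arp=0).
"""
import ipaddress

# Which interface addresses share an Ethernet segment. A next hop is only
# usable when the sending host has an address on the same link (ARP must work).
LINKS = {
    "lan1": {"192.168.1.1", "192.168.1.2"},    # Linux eth1 <-> FS108 switch <-> XP
    "lan0": {"192.168.0.2", "192.168.0.1"},    # Linux eth0 <-> ADSL router
    "wan": {"203.0.113.1", "203.0.113.254"},   # ADSL router <-> ISP (constructed)
}


def make_host(name, addrs, gateway=None, forwards=False):
    """addrs maps interface IP -> netmask. Routes are the connected subnets
    (next hop None means deliver directly) plus an optional default route."""
    routes = [(ipaddress.ip_interface(f"{ip}/{mask}").network, None)
              for ip, mask in addrs.items()]
    if gateway:
        routes.append((ipaddress.ip_network("0.0.0.0/0"), gateway))
    return {"name": name, "addrs": set(addrs), "routes": routes, "forwards": forwards}


def lookup(host, dest):
    """Longest-prefix match: returns (network, next_hop) or None."""
    best = None
    for net, via in host["routes"]:
        if dest in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via)
    return best


def link_of(ip):
    return next((name for name, members in LINKS.items() if ip in members), None)


def owner(ip, hosts):
    return next((h for h in hosts.values() if ip in h["addrs"]), None)


def trace(hosts, src, dest_ip, max_hops=8):
    """Return (list of host names visited, outcome) for a packet src -> dest_ip."""
    dest = ipaddress.ip_address(dest_ip)
    host, path = hosts[src], [src]
    for _ in range(max_hops):
        if dest_ip in host["addrs"]:
            return path, "delivered"
        if host["name"] != src and not host["forwards"]:
            return path, f"dropped: {host['name']} does not forward (ip_forward=0)"
        hit = lookup(host, dest)
        if hit is None:
            return path, f"dropped: {host['name']} has no route to {dest_ip}"
        nexthop = hit[1] or dest_ip
        # The ARP step: the next hop must sit on a link this host is attached to.
        if not any(link_of(a) is not None and link_of(a) == link_of(nexthop)
                   for a in host["addrs"]):
            return path, f"dropped: {host['name']} cannot ARP for {nexthop} on any attached link"
        host = owner(nexthop, hosts)
        path.append(host["name"])
    return path, "dropped: hop limit exceeded"


def build_hosts(xp_mask="255.255.255.0", xp_gateway="192.168.1.1", adsl_route_back=False):
    """The thread's topology. adsl_route_back adds the static route the ADSL
    router needs to reply to 192.168.1.0/24 (the alternative is NAT on Linux).
    The ISP hop is constructed and has no route to private address space."""
    hosts = {
        "xp": make_host("xp", {"192.168.1.2": xp_mask}, gateway=xp_gateway),
        "linux": make_host("linux", {"192.168.0.2": "255.255.255.0",
                                     "192.168.1.1": "255.255.255.0"},
                           gateway="192.168.0.1", forwards=True),
        "adsl": make_host("adsl", {"192.168.0.1": "255.255.255.0",
                                   "203.0.113.1": "255.255.255.0"},
                          gateway="203.0.113.254", forwards=True),
        "isp": make_host("isp", {"203.0.113.254": "255.255.255.0"}, forwards=True),
    }
    if adsl_route_back:
        hosts["adsl"]["routes"].append((ipaddress.ip_network("192.168.1.0/24"), "192.168.0.2"))
    return hosts


if __name__ == "__main__":
    cases = [
        ("XP /24, gw Linux: ping Linux eth1", build_hosts(), "xp", "192.168.1.1"),
        ("XP /24, gw Linux: reach ADSL router", build_hosts(), "xp", "192.168.0.1"),
        ("ADSL router replying to XP, no route back", build_hosts(), "adsl", "192.168.1.2"),
        ("ADSL router replying, static route added", build_hosts(adsl_route_back=True), "adsl", "192.168.1.2"),
        ("XP /24, gw set to ADSL router", build_hosts(xp_gateway="192.168.0.1"), "xp", "192.168.0.1"),
        ("XP /16, gw Linux: reach ADSL router", build_hosts(xp_mask="255.255.0.0"), "xp", "192.168.0.1"),
    ]
    for label, hosts, src, dst in cases:
        path, outcome = trace(hosts, src, dst)
        print(f"{label:45s} {' -> '.join(path):24s} {outcome}")
```

What the traces show: with /24 on both sides, 192.168.1.1 and 192.168.1.2 are already in the same subnet, so the netmask was never what stopped the ping (the thread's own later posts confirm the change that mattered was icmp_echo_ignore_all). A /16 on XP still lets it ping the Linux box but makes it treat 192.168.0.1 as on-link and ARP for it on the wrong segment, so the ADSL router becomes unreachable; keep 255.255.255.0 on both. XP's default gateway has to be an address on its own link, 192.168.1.1, because a gateway of 192.168.0.1 can never be ARPed from 192.168.1.0/24. The Linux box already has the connected routes it needs and ip_forward=1; what is missing is the return path, either a static route on the ADSL router for 192.168.1.0/24 via 192.168.0.2 or NAT on the Linux box (iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE) so that everything behind it appears as 192.168.0.2.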
