Ubuntu Server 10.04 in Virtual environment

We have an Ubuntu Server version 10.04 that has dual nics running in a VMWare 4.1 environment. When server first boots up you can ping it, after a while the server cannot be ping, however on the private side you can ping the DG, and any of my other servers without any issues, just cant ping it. I am not a linux guru at all. Any help would be appreciated.
ASKER CERTIFIED SOLUTION
Kerem ERSOY
Check the Ubuntu firewall

Enable PING
Note: Security by obscurity may be of very little actual benefit with modern cracker scripts. By default, UFW allows ping requests. You may find you wish to leave (icmp) ping requests enabled to diagnose networking problems.

You need to edit /etc/ufw/before.rules and edit the following lines:

# ok icmp codes
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j ACCEPT
-A ufw-before-input -p icmp --icmp-type source-quench -j ACCEPT
-A ufw-before-input -p icmp --icmp-type time-exceeded -j ACCEPT
-A ufw-before-input -p icmp --icmp-type parameter-problem -j ACCEPT
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT
Change the "ACCEPT" to "DROP", so that they read:

# ok icmp codes
-A ufw-before-input -p icmp --icmp-type destination-unreachable -j DROP
-A ufw-before-input -p icmp --icmp-type source-quench -j DROP
-A ufw-before-input -p icmp --icmp-type time-exceeded -j DROP
-A ufw-before-input -p icmp --icmp-type parameter-problem -j DROP
-A ufw-before-input -p icmp --icmp-type echo-request -j DROP

For more info on UFW, check the link below:
https://help.ubuntu.com/community/UFW
Why do you have dual NICs in a VM? They are virtual NICs and you do not gain any redundancy.
Also it might be the source of your problems: the ICMP ping goes IN via the 1st NIC and tries to get OUT via the 2nd NIC = ping lost.

But if you have dual HARDWARE NICs, well, it's OK, but make sure they are both connected to a switch, not to different routers, because you might end up in the same situation as I described above.
ASKER
(attachments: interfaces.pdf, Doc1.docx)

The reason for dual NICs is one is attached to our private network, the other connects to another law enforcement agency to run queries.

Attached you will see images from the ifconfig and the netstat -rn. As for the iptables -L -n, I guess I don't know the correct syntax because it pulled up output options.

Attached is another image of our interfaces file. We have routing enabled that should keep the traffic from going where it shouldn't; the server also blocks all traffic that doesn't come from the addresses in the post-up 192.168.x.x network.

According to the guy that wrote the software and installed it on the server, the firewall is disabled by default (I have no clue if that is right or not, as I have very little Linux knowledge).
Kerem ERSOY
According to the interfaces output:

You have 2 gateways defined. You should have only one. Since the Law enforcement agency accesses you on the 192.168.150 interface, remove the gateway for it. Since you have 2 gateways, I suspect the law enforcement network takes precedence and your packets are routed to the wrong gateway. But even in this case, systems located in either interface network can still ping your system.

Then you have some post-up routes defined over the gateway address 192.168.10.40. Since this is not accessible, you don't need them either. I guess previously your Law enforcement network was over the 192.168.10.0/24 subnet instead of the 192.168.150.0/24 subnet. After you modified the IP you forgot to modify the rules. Once you've cleared the default gateway for eth0 you won't need the post-up rule for the interface since it is the default gateway now. Don't forget to restart your network service after doing modifications.

Cheers,
K.
BTW, the netstat -rn and iptables -L -n outputs are missing; anyway, we've found the culprit: you have 2 default gateways.
I took off the 170.x.x.x gateway. The 192.168.150.x interface is for our local network and we need that one. All the post-up route statements allow access to that server; if you take them out then those networks won't be able to access that server (those IPs are other departments in the City, we have everything VLAN'd off).

Right now everything appears to be working and is stable. I will keep monitoring today to make sure. I will reward you the points once my testing is complete.

And thank you for your help. I normally don't do both gateways, but the guy that wrote the software told me what to put in my interfaces file and I didn't think twice. (long long hours of dealing with this)
> I took off the 170.x.x.x gateway. The 192.168.150.x interface is for our local network and we
> need that one.

Ok, but it should be OK now. The Law Enf. guys only need to access your system over the 170.x.x.x IP, nothing else.

> All the post-up route statements allow access to that server; if you take them
> out then those networks won't be able to access that server (those IPs are other
> departments in the City, we have everything VLAN'd off).

This is what I am saying. The first group of post-up subnets has a gw address of 192.168.23.40, which is not local to either of your interfaces. When a TCP/IP host wants to communicate with an IP and it does not belong to any of its local nets, then it directs it to its DG. So your DG or the router it is connected to should know how to contact these subnets.

An exception to this rule is if you have static routes such as you have. But in this case the IP address of the gw should be local to your 192.168.150.x/24 subnet. If not, any attempt to access these subnets will fail, because since you have a static route the packets would not be sent to your DG. Also the gw is unknown.

I am sure that you can't access any of these post-up subnets either through ping or traceroute, because the gw setting is wrong.

So you should either remove these if your DG knows how to access them, or modify the gw IP so that it points to a local interface which knows how to communicate with them.


> And thank you for your help. I normally don't do both gateways, but the guy that wrote
> the software told me what to put in my interfaces file and I didn't think twice. (long long
> hours of dealing with this)

You're welcome. I know this feeling; in fact all of us IT guys know about that :))

Cheers,
K.
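The two misconfigurations diagnosed in this thread (a second default gateway on a multi-homed host, and post-up static routes whose gateway is not on any local subnet) can be caught mechanically before the host is rebooted. The following checker is an added example, not code from the thread or from Ubuntu; it parses a simplified /etc/network/interfaces and the sample file, addresses and interface names in it are constructed to mirror the thread's layout.

```python
import ipaddress
import re

# Constructed sample modelled on the thread: two "gateway" lines and a
# post-up route via 192.168.23.40, which is on neither local subnet.
# 170.0.0.0/24 stands in for the page's redacted 170.x.x.x link.
SAMPLE_INTERFACES = """\
auto eth0
iface eth0 inet static
    address 192.168.150.10
    netmask 255.255.255.0
    gateway 192.168.150.1
    post-up route add -net 192.168.23.0/24 gw 192.168.23.40
    post-up route add -net 192.168.10.0/24 gw 192.168.150.1

auto eth1
iface eth1 inet static
    address 170.0.0.10
    netmask 255.255.255.0
    gateway 170.0.0.1
"""

ROUTE_RE = re.compile(r"route add -net (\S+)(?: netmask \S+)? gw (\S+)")

def parse_interfaces(text):
    """Return {iface: {address, netmask, gateway, routes:[(net, gw)]}}."""
    ifaces, cur = {}, None
    for raw in text.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "iface":
            cur = ifaces.setdefault(parts[1], {"address": None, "netmask": None,
                                               "gateway": None, "routes": []})
        elif cur is not None and parts[0] in ("address", "netmask", "gateway"):
            cur[parts[0]] = parts[1]
        elif cur is not None and parts[0] == "post-up":
            m = ROUTE_RE.search(raw)
            if m:
                cur["routes"].append((m.group(1), m.group(2)))
    return ifaces

def audit(ifaces):
    """Flag multiple default gateways and static routes via a non-local gw."""
    findings = []
    gws = [(n, c["gateway"]) for n, c in ifaces.items() if c["gateway"]]
    if len(gws) > 1:
        findings.append("multiple default gateways: " + ", ".join(f"{n}={g}" for n, g in gws))
    local = [ipaddress.ip_network(f"{c['address']}/{c['netmask']}", strict=False)
             for c in ifaces.values() if c["address"] and c["netmask"]]
    for name, c in ifaces.items():
        for net, gw in c["routes"]:
            if not any(ipaddress.ip_address(gw) in n for n in local):
                findings.append(f"{name}: route to {net} via {gw} is not on any local subnet")
    return findings
```

Run `audit(parse_interfaces(open("/etc/network/interfaces").read()))` on a real host; an empty list means neither problem is present.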