# 1-way network communication?

## grant123

I have 192.168.1.10 and 192.168.1.11 connected to a wired router.  192.168.1.10 can ping and ssh 192.168.1.11, but 192.168.1.11 can't ping or ssh 192.168.1.10.  Both systems can reach the internet.  I've disabled the router's firewall and the firewall running on both systems.  ifconfig confirms the IP address of both systems.  Both systems are composed of identical hardware and both run Gentoo with near-identical configurations.

I'm puzzled.  Any ideas why 192.168.1.11 can't reach 192.168.1.10?

----------

## grant123

I fixed it by enabling the firewall (shorewall) on 192.168.1.10 and configuring it to let 192.168.1.11 in.  Why doesn't it work with the firewall disabled?

----------

## Hu

We would need to see the applicable filter rules to answer that question.  Please place it back in a broken state and post the output of iptables-save -c.

----------

## grant123

I'm sorry for the delay with this.  This is what I get after '/etc/init.d/shorewall stop':

```
# iptables-save -c
# Generated by iptables-save v1.4.16.3 on Tue Dec 25 12:34:58 2012
*raw
:PREROUTING ACCEPT [858:352950]
:OUTPUT ACCEPT [2194:2568714]
COMMIT
# Completed on Tue Dec 25 12:34:58 2012
# Generated by iptables-save v1.4.16.3 on Tue Dec 25 12:34:58 2012
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [2:208]
:POSTROUTING ACCEPT [2:208]
COMMIT
# Completed on Tue Dec 25 12:34:58 2012
# Generated by iptables-save v1.4.16.3 on Tue Dec 25 12:34:58 2012
*mangle
:PREROUTING ACCEPT [858:352950]
:INPUT ACCEPT [858:352950]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2194:2568714]
:POSTROUTING ACCEPT [2194:2568714]
COMMIT
# Completed on Tue Dec 25 12:34:58 2012
# Generated by iptables-save v1.4.16.3 on Tue Dec 25 12:34:58 2012
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [2194:2568714]
[858:352950] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A INPUT -i lo -j ACCEPT
[0:0] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Tue Dec 25 12:34:58 2012
```

I thought the firewall would stop functioning after a '/etc/init.d/shorewall stop', but maybe there is some residual stuff left in iptables?

----------

## The Doctor

*grant123 wrote:*

> I thought the firewall would stop functioning after a '/etc/init.d/shorewall stop', but maybe there is some residual stuff left in iptables?

If it does, you can use

```
iptables -F
```

to flush the rules.

----------

## s_bernstein

Also, if you use shorewall and issue a shorewall stop command, it will not operate as a system without firewall because shorewall will e.g. implement the routestopped config file. This might not contain the same routings as you would have without firewall.

----------

## truc

*grant123 wrote:*

> *filter
> 
> :INPUT DROP [0:0]
> 
> :FORWARD DROP [0:0]
> ...

The INPUT policy is still set to DROP, which is why you have this problem. You can set it to ACCEPT with

```
iptables -P INPUT ACCEPT
```

and should probably report that to the shorewall maintainers?
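To see why a "stopped" shorewall still behaves this way, here is an added example (not from the thread) that parses the posted filter table and walks a packet through the INPUT chain the way netfilter does: the first matching rule wins, otherwise the chain policy applies. The dump is a constructed copy of grant123's output and the interface name eth0 is assumed.

```python
import re

# Constructed copy of the *filter table posted after `/etc/init.d/shorewall stop`.
DUMP = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [2194:2568714]
[858:352950] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[0:0] -A INPUT -i lo -j ACCEPT
[0:0] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
"""

def _opt(pattern, line):
    """Return the first capture group of pattern in line, or None."""
    m = re.search(pattern, line)
    return m.group(1) if m else None

def parse_filter(dump):
    """Return ({chain: policy}, [(chain, in_iface, ctstates, target)]); only -i and --ctstate are understood."""
    policies, rules = {}, []
    for line in dump.splitlines():
        if line.startswith(":"):              # ":CHAIN POLICY [pkts:bytes]"
            chain, policy, _counters = line[1:].split()
            policies[chain] = policy
        elif " -A " in line:                  # "[pkts:bytes] -A CHAIN <matches> -j TARGET"
            states = _opt(r"--ctstate (\S+)", line)
            rules.append((_opt(r"-A (\S+)", line), _opt(r"-i (\S+)", line),
                          set(states.split(",")) if states else None,
                          _opt(r"-j (\S+)", line)))
    return policies, rules

def verdict(policies, rules, chain, in_iface, ctstate):
    """First matching rule wins; with no match the chain policy applies."""
    for rchain, riface, rstates, target in rules:
        if rchain != chain or (riface and riface != in_iface):
            continue
        if rstates and ctstate not in rstates:
            continue
        return target
    return policies[chain]

if __name__ == "__main__":
    pol, rul = parse_filter(DUMP)
    # Replies to connections this host opened are ESTABLISHED, so internet and outbound ssh work.
    print("reply packet, eth0, ESTABLISHED ->", verdict(pol, rul, "INPUT", "eth0", "ESTABLISHED"))
    # A ping or ssh *from* 192.168.1.11 is NEW; nothing matches, so the DROP policy wins.
    print("new connection, eth0, NEW       ->", verdict(pol, rul, "INPUT", "eth0", "NEW"))
    pol["INPUT"] = "ACCEPT"                   # what `iptables -P INPUT ACCEPT` changes
    print("after -P INPUT ACCEPT, NEW      ->", verdict(pol, rul, "INPUT", "eth0", "NEW"))
```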

----------

## grant123

*Quote:*

> Also, if you use shorewall and issue a shorewall stop command, it will not operate as a system without firewall because shorewall will e.g. implement the routestopped config file. This might not contain the same routings as you would have without firewall.

Without modifying /etc/init.d/shorewall, can I have the firewall become totally inactive when '/etc/init.d/shorewall stop' is issued?

*Quote:*

> and should probably report that to the shorewall maintainers?

Can anyone confirm that I should file a Gentoo bug for this?

----------

## grant123

Can anyone help me out with this?

----------

