# Gentoo!!--Cannot ping my machine. Yet inside the network....

## Netdale

Ok, I have a newly updated system.  Ran emerge -e world, and everything went w/o a hitch.  The system is now running fine, except I cannot ping into it.  I started up the default iptables stuff, yet the machine will not allow pings or website outbound stuff.  Yet inside my network I can do all these things.  One more note: I cannot ping the machine inside the network; my Windows-based app reports "timed out" (Microsoft's ping command times out as well).  Any suggestions would be of help.  I'm just out of ideas; could it be that the kernel was compiled w/ GCC 3.2?

Dale

----------

## de4d

Why do you all 'use the default iptables stuff' without any idea what you are doing?

Read the manpages, try again, and if you don't understand, come back to ask more specific questions and/or post your iptables list.

----------

## klieber

 *Netdale wrote:*

> I started up the default iptables stuff yet the machine will not allow pings or website outbound stuff.

This is almost assuredly the problem.  Get rid of the iptables ruleset and see if that solves your problem.  If it does, read the IPTables Tutorial to get more familiar with what it is and how it works. Then, start adding iptables rules back in one by one until you get your machine to a state where you're comfortable with it.

--kurt
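To make the "add rules back one by one" loop concrete, here is an added example that is not part of kurt's post or of any Gentoo script: a small shell helper that reads the listing produced by `iptables -L INPUT -v -n` and prints the rules whose packet counters moved, so you can see which rule swallowed a ping or a connection request. The listing embedded in the script is constructed for illustration (the hypothetical rules on lo, eth1, port 22 and a final SYN drop); the rule numbers it prints are the ones `iptables -D INPUT <n>` takes.

```shell
#!/bin/sh
# Added example, not from the thread: show which iptables rules are actually
# matching traffic, from the output of `iptables -L <chain> -v -n`.
#
# Typical loop while re-adding rules one by one (as root):
#   iptables -Z INPUT                        # zero the counters
#   ping -c 3 10.0.0.1                       # or: telnet 10.0.0.1 80
#   iptables -L INPUT -v -n | dropping_rules # which rule ate it?
set -e

# Constructed sample listing (not captured from a real host).  The last line
# is what `--tcp-flags SYN,ACK,FIN,RST SYN` looks like: mask 0x17, set 0x02.
SAMPLE_DUMP='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   12   720 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
   58  4640 ACCEPT     all  --  eth1   *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22
   37  2220 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x17/0x02'

# hot_rules: read a `-L -v -n` listing on stdin and print
#   "<rule-number> <target> <pkts> [<match-text>]"
# for every rule whose packet counter is non-zero.  Rule numbers start at 1
# below the two header lines, the same numbering `iptables -D <chain> <n>`
# uses.  Fields 1-9 are fixed columns; anything after them is the match
# description (ports, flags, state).
hot_rules() {
    awk 'NR > 2 && $1 > 0 {
        desc = ""
        for (i = 10; i <= NF; i++) desc = (desc == "" ? $i : desc " " $i)
        printf "%d %s %d", NR - 2, $3, $1
        if (desc != "") printf " %s", desc
        printf "\n"
    }'
}

# dropping_rules: only the terminating DROP/REJECT rules that saw traffic.
# A port that shows up "filtered" in an external scan, or a ping that times
# out, is explained by exactly these lines (or by the chain policy if none).
dropping_rules() {
    hot_rules | awk '$2 == "DROP" || $2 == "REJECT"'
}

# Demonstration on the constructed listing.
printf '%s\n' "$SAMPLE_DUMP" | dropping_rules
```

If nothing is printed and the chain policy is DROP, the packet never matched a rule at all; if the listing shows only ACCEPT rules moving and pings still time out, the blocker is not iptables but a kernel knob such as icmp_echo_ignore_all.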

----------

## Netdale

Haha, sorry guys..... I was at school and didn't have the scripts.

Here it is.......

```
#!/bin/sh

printf '\n\nLoading IpTables....\n\n'

# Setting the EXTERNAL and INTERNAL interfaces for the network
EXTIF="eth0"
INTIF="eth1"
echo " External Interface: $EXTIF"
echo " Internal Interface: $INTIF"

# The location of the 'iptables' program
IPTABLES=/sbin/iptables

# Clearing any previous configuration
#
# The default policy for INPUT, OUTPUT and FORWARD is ACCEPT here
# (anything not matched by a rule below gets through); the nat table
# is flushed as well.
#
echo " - Setting default policies"
$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -F FORWARD
$IPTABLES -t nat -F

# "masq" everything before it goes out the external side
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

echo " - Defining iptables rules"

# Base kernel settings which will apply in every scheme
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
echo "0" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo "1" > /proc/sys/net/ipv4/conf/all/log_martians

# let everything on loopback
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT

# let everything INPUT and OUTPUT from the safe side, regardless of defaults
# (iptables is first-match, so for traffic arriving on the internal
# interface these take precedence over the SYN drop at the end)
$IPTABLES -A INPUT -i $INTIF -j ACCEPT
$IPTABLES -A OUTPUT -o $INTIF -j ACCEPT

# Drop RPC type ports from the outside all the time, regardless of defaults
$IPTABLES -A PREROUTING -t nat -i $EXTIF -p tcp --dport 3306 -j DROP    # MySql
$IPTABLES -A PREROUTING -t nat -i $EXTIF -p tcp --dport 139 -j DROP     # NetBios
$IPTABLES -A PREROUTING -t nat -i $EXTIF -p tcp --dport 135 -j DROP     # Windows RPC
$IPTABLES -A PREROUTING -t nat -i $EXTIF -p tcp --dport 111 -j DROP     # UNIX RPC
$IPTABLES -A PREROUTING -t nat -i $EXTIF -p tcp --dport 5000 -j DROP    # PlugnPlay
$IPTABLES -A PREROUTING -t nat -i $EXTIF -p udp --dport 139 -j DROP
$IPTABLES -A PREROUTING -t nat -i $EXTIF -p udp --dport 135 -j DROP
$IPTABLES -A PREROUTING -t nat -i $EXTIF -p udp --dport 111 -j DROP
$IPTABLES -A PREROUTING -t nat -i $EXTIF -p udp --dport 5000 -j DROP

# A little hole for AIM file transfers..
$IPTABLES -A POSTROUTING -t nat -o $EXTIF -p tcp --sport 5191 -j SNAT --to-source 10.0.0.100:5191
$IPTABLES -A PREROUTING -t nat -i $EXTIF -p tcp --dport 5191 -j DNAT --to-destination 10.0.0.100:5191

# MOSTLY-CLOSED FIREWALL FOR CONNECTION REQUESTS (MOSTLY-OPEN AS A CLIENT)
# Drops every inbound TCP connection request (pure SYN) that no rule
# above has already accepted.
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST SYN -j DROP

printf '\nDone.\n\n'
```

----------

## Emperor

```
/bin/echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all 
```

Maybe that has something to do with it?

----------

## Netdale

I commented out all the /bin/echo "1" > ***** lines except for the ip_forward one.

So I eliminated that problem

Dale

----------

## Netdale

Ok, I made these adjustments:

```
/bin/echo "0" > /proc/sys/net/ipv4/icmp_echo_ignore_all
/bin/echo "0" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
/bin/echo "1" > /proc/sys/net/ipv4/conf/all/accept_source_route
/bin/echo "1" > /proc/sys/net/ipv4/conf/all/accept_redirects
/bin/echo "0" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
/bin/echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
```

I now can ping the server from within the server, which I couldn't do before (in SSH, 'ping localhost').  Yet I still cannot ping cnn.com, or what have you, from inside the network.  At all........... Neither the server nor the workstation can ping anything outside.  Ideas?

Dale

----------

## Netdale

Anyone??

Something weird is happening though.  I've read it may be ACPI?  Any ideas??  Try www.mtcrew.net (68.82.225.203).

That's the IP; as you can see, it's kinda working.  So I don't know what's going on.  Kernel?  Iptables?  I just don't know.

Dale

----------

## Naan Yaar

Sites don't necessarily answer pings.  cnn.com doesn't.  Try pinging something friendlier, like www.gentoo.org or www.yahoo.com.

 *Netdale wrote:*

> ...
>
> I now can ping the server from within the server, which I couldn't do before (in SSH, 'ping localhost').  Yet I still cannot ping cnn.com, or what have you, from inside the network.  At all........... Neither the server nor the workstation can ping anything outside.  Ideas?
>
> Dale

----------

## pilla

iptables is a complex tool. If you want to use it, you should take some time to read the manuals and tutorials about it.

----------

## Netdale

Ok, thanks Yaar---pinging gentoo.org works now.  Ok, yet people still cannot access my site.......

Anyone want to portscan against this? (Internal scan from my Windows machine):

TCP: 10.0.0.1 [21-ftp]

TCP: 10.0.0.1 [22-ssh]

TCP: 10.0.0.1 [25-smtp]

TCP: 10.0.0.1 [80-www-http]

TCP: 10.0.0.1 [110-pop3]

TCP: 10.0.0.1 [443-https]

TCP: 10.0.0.1 [2222-rockwell-csp2]

TCP: 10.0.0.1 [3306-mysql]

Thanks

Dale

----------

## rac

 *Netdale wrote:*

> Anyone want to portscan against this

External portscan results emailed.

----------

## Netdale

Thanks RAC.....

I believe the problem lay in this line....

```
# MOSTLY-CLOSED FIREWALL FOR CONNECTION REQUESTS (MOSTLY-OPEN AS A CLIENT)
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST SYN -j DROP
```

So yeah, thanks; according to your email, everything is closed except the filtered ones, which aren't shown... i.e. 80, 21, 22?

Thanks Dale
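Putting the thread's two findings together (icmp_echo_ignore_all=1 made the host ignore every echo request, localhost included, and the stateless SYN drop at the end of the INPUT chain turns every port that has no earlier ACCEPT into "filtered" for anyone arriving on eth0), here is an added example of how a practitioner would rewrite that part of the script. It is not Netdale's script and not a Gentoo default. It assumes the same eth0/eth1 layout and a hypothetical list of public TCP ports (21, 22, 25, 80, 110, 443: the internal scan minus MySQL and 2222), and it relies on the state match so that replies to outbound connections and related ICMP errors are accepted before anything else is considered, instead of blindly dropping every inbound SYN.

```shell
#!/bin/sh
# Added example, not the script from the thread: a stateful replacement for
# the INPUT / FORWARD part of that script.  Assumes eth0 outside, eth1 inside
# and a hypothetical list of public services.  With no argument it only
# prints the commands (dry run); "apply" executes them, which needs root.
set -e

EXTIF="${EXTIF:-eth0}"
INTIF="${INTIF:-eth1}"
# Assumed: the TCP ports that should be reachable from the outside.
SERVICES="${SERVICES:-21 22 25 80 110 443}"
DRY_RUN=1

ipt() {
    if [ "$DRY_RUN" = 1 ]; then echo iptables "$@"; else /sbin/iptables "$@"; fi
}
sysctl_set() {   # sysctl_set <name under /proc/sys/net/ipv4> <value>
    if [ "$DRY_RUN" = 1 ]; then echo "echo $2 > /proc/sys/net/ipv4/$1"
    else echo "$2" > "/proc/sys/net/ipv4/$1"; fi
}

set_sysctls() {
    sysctl_set icmp_echo_ignore_all 0     # 1 here is what broke "ping localhost"
    sysctl_set icmp_echo_ignore_broadcasts 1
    sysctl_set conf/all/accept_source_route 0
    sysctl_set conf/all/accept_redirects 0
    sysctl_set conf/all/log_martians 1
    sysctl_set ip_forward 1
}

load_input_chain() {
    ipt -P INPUT DROP             # deny by default; everything below is an exception
    ipt -F INPUT
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -i "$INTIF" -j ACCEPT
    # Replies to connections this host opened, plus related ICMP errors.
    # This is what makes the box "mostly open as a client" without having
    # to drop every inbound SYN blindly.
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Answer pings from outside, rate-limited rather than ignored.
    ipt -A INPUT -i "$EXTIF" -p icmp --icmp-type echo-request \
        -m limit --limit 5/second -j ACCEPT
    # Explicit holes for the public services: only the connection request
    # (--syn) needs a rule; the rest of the flow matches ESTABLISHED above.
    for port in $SERVICES; do
        ipt -A INPUT -i "$EXTIF" -p tcp --dport "$port" --syn -j ACCEPT
    done
    # Log what is about to hit the DROP policy (rate-limited).  Keep it last
    # so the counters on the rules above stay meaningful when debugging.
    ipt -A INPUT -i "$EXTIF" -m limit --limit 3/minute \
        -j LOG --log-prefix "INPUT drop: "
}

load_forward_chain() {
    # FORWARD really does default to DROP here, as the original comment said.
    ipt -P FORWARD DROP
    ipt -F FORWARD
    ipt -A FORWARD -i "$INTIF" -o "$EXTIF" -j ACCEPT
    ipt -A FORWARD -i "$EXTIF" -o "$INTIF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -t nat -F POSTROUTING
    ipt -t nat -A POSTROUTING -o "$EXTIF" -j MASQUERADE
}

# rule_index <dry-run output> <pattern>: 1-based line of the first command
# matching <pattern>; lets you confirm rule order before applying.
rule_index() {
    printf '%s\n' "$1" | grep -n -- "$2" | head -n 1 | cut -d: -f1
}

case "${1:-}" in
    apply) DRY_RUN=0 ;;
esac
set_sysctls
load_input_chain
load_forward_chain
```

Run it with no argument first and read the printed commands; rule_index is there so a one-liner can confirm that the ESTABLISHED,RELATED rule sits before the per-service holes and that the LOG rule comes last. Ports 3306 and 2222 from the scan get no hole and therefore fall through to the DROP policy for traffic from eth0, which is what the original PREROUTING DROP for 3306 was trying to achieve.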

----------

