i just installed mandriva (finaly got rid of my ancient mandrake install) but i can't seem to get any incomming connections. not even pings.
however i van ping/ftp/ssh from mandriva to other systems. it even managed to get an ip from the dhcp.
now i already figured... shorewall (firewall standard for mandriva)
so i started editing that...
in the policy file it used to be this:
seemed to explain it all... 2nd line..Code:fw all ACCEPT net all DROP info all all DROP info
so i changed it to:
restarted shorewall, didn't work(still no incomming connects.. got desperate and restarted the systemCode:fw all ACCEPT net all ACCEPT info all all DROP infostill the same.
i tried shorewall clear
shorewall stop
but it all didn't matter... still doesn't work
system:
p2 350
192MB ram
3com 10/100 lan
6.5 gb disk
mandriva 2006 (installed from mini image since i only needed the basics. installed with security settings 'higher')
Being a bit unfamilial with Shorewall, I am going to assume that its a supplement or replacement to iptables. If I am correct, I would stop or clear the rules out, then retest it. I am betting that there is a block rule of some sort that is preventing the connections in iptables itself that is not being cleared via shorewall.
I don't run Mandriva so I can't really tell you what exactly is going on. BUT ......
Being the user of shorewall myself, I might point you to the right direction.
Shorewall's policy file is used for universal config. The "rules" file is what comes before policy file. Even if your stop your firewall, you need to flush all the iptables rules to accept the connections.
Example rules are here for your reference. This box is my gateway.
File "~/shorewall/policy"
File "~/shorewall/rules"Code:#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST loc net ACCEPT # If you want open access to the Internet from your Firewall # remove the comment from the following line. #fw net ACCEPT net all DROP info # THE FOLLOWING POLICY MUST BE LAST all all REJECT info #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
So what you do is if you want, say, web connections, then replace port 22 with port 80, restart shorewall (which will reflush all your rules) and you should be good to go. Let us know how it went.Code:ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL# PORT PORT(S) DEST # # Accept DNS connections from the firewall to the network # #ACCEPT fw net tcp 53 #ACCEPT fw net udp 53 # # Accept SSH connections from the local network for administration # ACCEPT loc fw tcp 22 # # Allow Ping To And From Firewall # ACCEPT loc fw icmp 8 ACCEPT net fw icmp 8 ACCEPT fw loc icmp 8 ACCEPT fw net icmp 8 # #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
HTH ...
Shorewall is a firewall package that makes use of iptables but take away the need to know the settings. All you do is set the simple rules and it takes care of the rest such as actually inserting the rules set in iptables format.Originally Posted by Schotty
Thanks for the clarification.
When it comes to firewalling, I just default to OpenBSD. So I have yet to really learn the firewalling rules more than what CentOS makes me know ;D
@ compunuts, i actually forgot the rules filei'm at my parents now (normally i'd ssh to my system
thanks all for your replies!
ok... this is what my rules file looks like:
so that can't be the problem. any other suggestions ?Code:ACCEPT net fw icmp 8 ACCEPT fw net icmp
So you are pinging from the box OUTSIDE of your firewall box such as from your friend's connection or from your ISP's? If you want to be able to do it, you need to enable loc (local) setting to fw and net.
Why don't you put all 4 in there and try it that way? Also, remember to restart your shorewall with /usr/sbin/shorewall restart as root.
right now it is set up with only one interface. witch is connected to my router. my 3 other pc's are also on my router and the router connects to the internet and provides stuff like dhcp.
so i try to ping from a local machine(also 1 interface) to another local machine using the local ip 10.0.0.9. the router simply acts as a switch in this case.
i can ping from 10.0.0.9 to my other machines, but not the other way around. i even tried to take out the router, put a hub in place and set the ip's manually in stead of dhcp.
Okay, now this is the new information. You never told us that a router is involved. Did you check your router to see if there is firewall built into it? If so, is it enabled?
I use Netgear (crappy POS, dont' get it) wireless AP plus router and it disabled ICMP by default plus enable firewall by default. There is no way for me to disable its firewall. I needed to do all sort of port forwarding to get things going unless I want to put in a box for DMZ.
May be that's because you NEVER had this rule inserted.i can ping from 10.0.0.9 to my other machines, but not the other way around. i even tried to take out the router, put a hub in place and set the ip's manually in stead of dhcp.
If you only have fw to net, only from WAN will be allowed.Code:ACCEPT fw loc icmp 8 ACCEPT loc fw icmp 8
Another common problem is your computer see another NIC as WAN/LAN while you wanted it to have the other way around. I had that before. I wanted to use built in NIC as WAN and another NIC on PCI port as LAN but for some reason, it sees built in NIC as LAN and the NIC on PCI as WAN. Until I switch the cables, it won't go. Something you can try, I guess.
Posting Permissions
Reply With Quote
Bookmarks