Network Troubleshooting help


Rayanth
06-11-2003, 06:18 PM
I've got a lot of friends stumped over this problem i'm having with my network. A few days ago i reinstalled my linux box from scratch, installing Mandrake 9.1 for the first time. This linux system is my firewall/gateway for the net, and i've never had issues with it before.

After a bit of work I have everything configured and they appear to be working well. the Firewall correctly allows all internal computers to 'talk' to the net, and nothing is broken in that system. The linux box itself can also speak to the net as it should. The problem lies in trying to talk to the linux box...

the linux box has two net cards, eth0 and eth1. eth1, as usual, is the internal LAN, eth0 is connected to the DSL modem and obtains IP via DHCP (eth1 is assigned 192.168.0.1)
Here's the issue:

No computer in the network, including the linux box, can ping or connect to services on 192.168.0.1
No computer inside or outside the network can ping or connect to services on the IP address assigned by DHCP
The linux box cannot ping 'localhost' or 127.0.0.1

These issues occur whether or not the firewall (Shorewall) is active. (deactivation verified by running iptables -vnL and receiving nothing but headers)

Any help would be appreciated =)

FyberOptyx
06-11-2003, 06:41 PM
what error messages are you getting ?

cowanrl
06-11-2003, 07:31 PM
It's not running ipchains instead of iptables is it?

If not, how about posting your route table here.

Rayanth
06-11-2003, 10:46 PM
I get no errors - the pings just never return to sender (they time out). However, the interesting part is that the machine appears to be receiving the pings and returning them, they just get eaten somewhere. I set up a continuous ping to 127.0.0.1 and ran ifconfig a few times. The TX and RX packets were going up at the same rate, as they should, so the interface was receiving and returning the packets, but they never got all the way back - presumably eaten somewhere on the way.

I find it important to emphasize that this bizarre behaviour occurs regardless of whether the firewall is enabled or not - the firewall does indeed use iptables (i've confirmed this), but... the pings still die even with it fully disabled. leaving me to believe that the firewall has nothing to do with the problem.

It's also possibly worth mentioning that the address tied to eth0 is also timing out when pinged, regardless of where from - eth0 is a ne2k type driver, while eth1 is running a tulip driver, so i can probably assume it's not an issue with network drivers.

If, despite the fact that this issue occurs even without firewall enabled, you still think i should post my routing tables, please let me know which information you need in particular (firewall Rules and Policy are easily postable, if you need the output from iptables -vnL i can attach file probably?)

Thanks again for the help
-- Rayanth

FyberOptyx
06-12-2003, 06:47 AM
Let us see the route table /sbin/route

cowanrl
06-12-2003, 09:10 AM
It certainly is a bizarre problem. Usually when a computer can't ping localhost or its own IP address, it means that the IP stack isn't installed properly. But, your computer can access the Internet and it is functioning as a gateway to the Internet for other machines so at least something about IP is functioning properly.

It's almost like your machine was set up to act as a bridge instead of a router. But, the only way that would work is if both NICs were on the same IP subnet.

Normally when you ping 127.0.0.1, you see a response something like this:

PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.029 ms
64 bytes from 127.0.0.1: icmp_seq=2 ttl=64 time=0.025 ms
64 bytes from 127.0.0.1: icmp_seq=3 ttl=64 time=0.025 ms
64 bytes from 127.0.0.1: icmp_seq=4 ttl=64 time=0.025 ms
64 bytes from 127.0.0.1: icmp_seq=5 ttl=64 time=0.027 ms
64 bytes from 127.0.0.1: icmp_seq=6 ttl=64 time=0.027 ms
64 bytes from 127.0.0.1: icmp_seq=7 ttl=64 time=0.028 ms
64 bytes from 127.0.0.1: icmp_seq=8 ttl=64 time=0.028 ms
64 bytes from 127.0.0.1: icmp_seq=9 ttl=64 time=0.026 ms

--- 127.0.0.1 ping statistics ---
9 packets transmitted, 9 received, 0% packet loss, time 7996ms
rtt min/avg/max/mdev = 0.025/0.026/0.029/0.006 ms

I take it you are not seeing any responses at all and if you hit CTRL+C to stop the pings you see something like this:

PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.

--- 127.0.0.1 ping statistics ---
9 packets transmitted, 0 received, 100% packet loss, time 7999ms

Is that correct?

If you do an ifconfig -a, does it just show eth0, eth1 and lo?

It will be interesting to see your route table. It would also be helpful if you would post the output of ifconfig -a.

camelrider
06-12-2003, 01:00 PM
The Shorewall command shorewall stop does not clear the iptables rules.
The command to do so is iptables clear.
There are issues with the Mandrake implementation of Shorewall. See www.shorewall.net The author recommends that you uninstall the Mandrake RPM and install the version downloaded from his site. I believe it's now at about 1.4b.
I think that shorewall blocks ICMP into and out of the FW box by default.
You can probably find which line of code to change or comment out at the FAQ or elsewhere on the Shorewall site. The author provides extensive documentation and attentive support.

Rayanth
06-12-2003, 01:21 PM
I am attaching the output of /sbin/route, ifconfig -a, and iptables -vnL

cowan, i do indeed receive the latter of those two, all pings fail to return, when i control-C out of ping, i get 100% packet loss, etc.

camelrider thank you for pointing out that rule about shorewall, however I already knew about it =) I shut down shorewall via "shorewall stop" and then "shorewall clear" as outlined in the shorewall documentation (though i'm reasonably certain a "shorewall clear" by itself will shut down and clear). an iptables -vnL after the shorewall clear, confirms that there are no rules loaded, i get only the three headers, with no entries under them.

This machine has nothing important on it, and when I installed Mandrake 9.0 I had no such issues as this... I am fully willing to just yank 9.1 and reinstall 9.0 from scratch, just to get away from this nonsense.


/sbin/route:

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.0.0     *               255.255.255.0   U     0      0        0 eth1
4.42.92.0       *               255.255.252.0   U     0      0        0 eth0
127.0.0.0       *               255.0.0.0       U     0      0        0 lo
default         evrtwa1-ar14-4- 0.0.0.0         UG    0      0        0 eth0


ifconfig -a:

eth0      Link encap:Ethernet  HWaddr 00:00:E8:D5:C3:1A
          inet addr:4.42.92.165  Bcast:4.42.95.255  Mask:255.255.252.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:57873 errors:0 dropped:0 overruns:0 frame:0
          TX packets:52529 errors:0 dropped:0 overruns:0 carrier:0
          collisions:6 txqueuelen:100
          RX bytes:42823367 (40.8 Mb)  TX bytes:6050940 (5.7 Mb)
          Interrupt:9 Base address:0x6500

eth1      Link encap:Ethernet  HWaddr 00:80:AD:90:9A:C1
          inet addr:192.168.0.1  Bcast:192.168.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:52192 errors:0 dropped:0 overruns:0 frame:0
          TX packets:57009 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:5987379 (5.7 Mb)  TX bytes:42632671 (40.6 Mb)
          Interrupt:11 Base address:0x6600

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:53 errors:0 dropped:0 overruns:0 frame:0
          TX packets:53 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:4050 (3.9 Kb)  TX bytes:4050 (3.9 Kb)

iptables -vnL is attached.

jumpedintothefire
06-12-2003, 02:48 PM
do a:

cat /proc/sys/net/ipv4/icmp_echo_ignore_all

if it comes back 0, pings are allowed
if it comes back 1, pings are NOT allowed

to change do a

echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all

retest, fixed??

If fixed check /etc/sysctl.conf for a line with

icmp_echo_ignore_all = 1

changing the 1 to a 0 should allow pings after a reboot....
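
Added example (not part of the original post): a shell audit of the setting identified above, comparing the running kernel value with what a sysctl.conf-style file will reapply at boot. The function names and result labels are hypothetical; the key is matched both as the bare icmp_echo_ignore_all quoted in the post and in its full net.ipv4.icmp_echo_ignore_all form.

```shell
#!/bin/sh
# Added example: function names and result labels are hypothetical.
# Matches the bare key quoted in the post and the full net.ipv4.* form;
# commented-out lines do not match because the key must start the line.
KEY_RE='^[[:space:]]*(net[./]ipv4[./])?icmp_echo_ignore_all[[:space:]]*='

# Print the last value a sysctl.conf-style file assigns to the key
# (nothing if the key is absent or the file is unreadable).
persisted_echo_ignore() {
    conf=$1
    [ -r "$conf" ] || return 0
    grep -E "$KEY_RE" "$conf" | tail -n 1 |
        sed -e 's/^[^=]*=//' -e 's/[[:space:]]//g'
}

# Print the running kernel value: 0 = echo replies sent, 1 = ignored.
runtime_echo_ignore() {
    proc=$1
    [ -r "$proc" ] || return 0
    tr -d '[:space:]' < "$proc"
}

# Classify the host:
#   ok            runtime 0 and the file does not set 1
#   runtime-only  runtime 1 but the file does not set it (set elsewhere)
#   persisted     the file sets 1, so the drop returns at boot
#   unknown       runtime value could not be read
audit_echo_ignore() {
    conf=${1:-/etc/sysctl.conf}
    proc=${2:-/proc/sys/net/ipv4/icmp_echo_ignore_all}
    run=$(runtime_echo_ignore "$proc")
    cfg=$(persisted_echo_ignore "$conf")
    if [ -z "$run" ]; then echo unknown
    elif [ "$cfg" = 1 ]; then echo persisted
    elif [ "$run" = 1 ]; then echo runtime-only
    else echo ok
    fi
}

# Audit this host, or the files given as arguments.
audit_echo_ignore "$@"
```

A `persisted` result while the runtime value is 0 means the echo fix holds only until the next reboot, which is the case the sysctl.conf step in the post addresses.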

Rayanth
06-12-2003, 02:56 PM
sweet mother of... i never even knew that file existed =)

Thanks a million, jumped, it's all working beautifully now =)

Now that i can ping it, i can work on figuring out why i can't SSH or telnet to it... those are probably firewall settings though.

-- Rayanth, quite happy now

jumpedintothefire
06-12-2003, 02:59 PM
I use shorewall, post back if you need some pointers...

Rayanth
06-12-2003, 03:08 PM
i'd love to get some pointers, i've only just started using shorewall since it came with Mdk 9.1. As for SSH, telnet, etc... i haven't actively configured them yet, so i'm not surprised they don't work.

I'm not a huge security freak on this linux box, so my firewall rules are pretty lax. plus I test a lot of chat, mu* etc servers (and program them) on the linux box so i more or less need to allow the world to reach it. I use the firewall more as a router than anything - it's there to let all my other comps have net access from the one connection.

But pointers are always welcome, maybe we should move this to PM ? I'm taking off for work shortly, unfortunately