Host Network Problem

Rick Stevens rstevens at vitalstream.com
Wed Aug 17 19:09:50 UTC 2005


Rahul Jain wrote:
> On Tue, 16 Aug 2005, Rick Stevens wrote:
> 
> 
>>Rahul Jain wrote:
>>
>>>Hi,
>>>
>>>I am having a strange network problem with a linux box. I have
>>>configured a private network and the linux box has an IP address of
>>>10.1.0.1. It is able to ping to its default gateway (10.1.0.2) and to the
>>>rest of the network. However none of the other services work. I have tried
>>>ftp, traceroute using both hostname and IP address. None of them work.
>>>Traceroute gives a strange result of ending at the gateway and ftp throws
>>>the error "no route to host". I even tried doing ftp to the gateway but
>>>got the same error.
>>>
>>>I am not sure what is the problem since the host is able to ping all other
>>>hosts in the network. Any ideas what might be going wrong ?
>>
>>There's a whole bunch of things.  First off, did you configure the
>>firewall when you installed (e.g. did you choose "high" or "medium"
>>security)?  If so, EVERYTHING except DNS (TCP/UDP port 53) is blocked.
>>To see if this is the issue, try "service iptables stop" and see if
>>things work.  If they do, then you need to modify your firewall
>>settings.
>>
>>While it's not ideal, you can allow all outgoing traffic.  Only accept
>>incoming traffic to TCP port 22 (ssh), TCP/UDP port 53 (DNS), TCP/UDP
>>port 80 (web) and perhaps TCP/UDP port 123 (NTP).  If you're running an
>>FTP server, you can open up TCP/UDP port 21, but make SURE you configure
>>your firewall to do connection tracking and set up appropriate security.
>>
>>Configure all other incoming traffic to "-j DROP" in the iptables rules
>>(don't use "-j DENY", as all that does is advertise the fact that there
>>is a machine out there that's denying access...DROP simply drops the
>>packets on the floor--an attacker sees nothing at all).
>>
>>I'd suggest getting something like Firestarter
>>(http://firestarter.sourceforge.net) to give you a GUI to help you
>>configure the firewall if you're not comfortable doing it manually.
>>
>>Also note that many "iffy" protocols (and I mean iffy in regards to
>>security such as telnet, ftp, finger, whois, etc.) are also disabled by
>>default on Linux installs (unlike that virusware from Washington).  You
>>specifically have to enable them, and only enable the ones you KNOW you
>>need.  Unless you're running a server of some type, generally the only
>>daemon you need to run will be sshd--and only that if you need to
>>access your machine remotely.  NEVER enable telnet.  Use ssh instead.
> 
> Thanks Rick and Jaun for your replies.
> 
> The firewall on my host is disabled since my network is behind a NAT with
> no external access. However the firewall at my gateway (setup by
> another guy) was running. Thanks for your tips, it now works :->

Ta DAH!  No problem, Rahul.  As the old saying goes, "if it pings
but it won't serve, then your firewall is a perv!"  Or something like
that. ;-)
----------------------------------------------------------------------
- Rick Stevens, Senior Systems Engineer     rstevens at vitalstream.com -
- VitalStream, Inc.                       http://www.vitalstream.com -
-                                                                    -
-  BASIC is the Computer Science version of `Scientific Creationism' -
----------------------------------------------------------------------
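As an added example that is not part of the thread (neither Rick's nor Rahul's code), here is a host firewall script in the shape Rick's reply describes: DROP as the default INPUT policy rather than a rejecting target, all outgoing traffic allowed, connection tracking so replies to the host's own connections come back in, and only a short list of services reachable from the network. Which protocol each port is opened on (22/tcp, 53/tcp+udp, 80/tcp, 123/udp) is this example's choice, not text from the message. `DRY_RUN=1` (the default) prints the `iptables` commands instead of executing them, so the set can be reviewed before being applied as root with `DRY_RUN=0`.

```shell
#!/bin/sh
# Added example: host firewall following the advice in the thread above.
# Port/protocol choices are an assumption of this example.
#
# DRY_RUN=1 (default) echoes each iptables command; DRY_RUN=0 runs it.

DRY_RUN="${DRY_RUN:-1}"

# ipt: run or echo an iptables command depending on DRY_RUN
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# gen_firewall_rules: emit (or apply) the complete ruleset
gen_firewall_rules() {
    # Start from a clean slate.
    ipt -F
    ipt -X

    # Drop everything inbound unless a later rule accepts it; forwarding
    # is off because this is a host, not a router; outbound is open.
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT

    # Loopback must stay open or local services break.
    ipt -A INPUT -i lo -j ACCEPT

    # Connection tracking: accept packets belonging to connections this
    # host started. This is what makes "allow all outgoing" work in
    # practice (TCP replies, DNS answers, FTP data channels).
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Keep ping answering so "it pings but won't serve" still means
    # something when debugging; other ICMP falls through to the policy.
    ipt -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

    # Services offered to the network (protocol choice is this example's).
    ipt -A INPUT -p tcp --dport 22 -j ACCEPT       # ssh
    ipt -A INPUT -p tcp --dport 53 -j ACCEPT       # DNS over TCP
    ipt -A INPUT -p udp --dport 53 -j ACCEPT       # DNS over UDP
    ipt -A INPUT -p tcp --dport 80 -j ACCEPT       # web
    ipt -A INPUT -p udp --dport 123 -j ACCEPT      # NTP

    # Everything else hits the INPUT policy (DROP). No REJECT target is
    # used anywhere, so a probe of a closed port gets no answer at all.
}

# count_accept_rules: number of explicit "-j ACCEPT" rules produced,
# handy for sanity-checking the generated set without a kernel.
count_accept_rules() {
    gen_firewall_rules | grep -c -- '-j ACCEPT'
}

gen_firewall_rules
```

Run it once with the default dry run and read the output; if it matches what you intended, run `DRY_RUN=0 sh firewall.sh` as root and confirm with `iptables -L -n -v`. The symptom in the thread (ping works, TCP services get "no route to host" or hang) is exactly what a policy of DROP with only ICMP accepted produces, so when testing from another host, check the firewall on every hop, including the gateway, before suspecting routing.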




More information about the Redhat-install-list mailing list