Host Network Problem

Rick Stevens rstevens at vitalstream.com
Tue Aug 16 22:07:23 UTC 2005


Rahul Jain wrote:
> Hi,
> 
> I am having a strange network problem with a linux box. I have
> configured a private network and the linux box has an IP address of
> 10.1.0.1. It is able to ping to its default gateway (10.1.0.2) and to the
> rest of the network. However none of the other services work. I have tried
> ftp, traceroute using both hostname and IP address. None of them work.
> Traceroute gives a strange result of ending at the gateway and ftp throws
> the error "no route to host". I even tried doing ftp to the gateway but
> got the same error.
> 
> I am not sure what is the problem since the host is able to ping all other
> hosts in the network. Any ideas what might be going wrong ?

There's a whole bunch of things.  First off, did you configure the
firewall when you installed (e.g. did you choose "high" or "medium"
security)?  If so, EVERYTHING except DNS (TCP/UDP port 53) is blocked.
To see if this is the issue, try "service iptables stop" and see if
things work.  If they do, then you need to modify your firewall
settings.

While it's not ideal, you can allow all outgoing traffic.  Only accept
incoming traffic to TCP port 22 (ssh), TCP/UDP port 53 (DNS), TCP/UDP
port 80 (web) and perhaps TCP/UDP port 123 (NTP).  If you're running an
FTP server, you can open up TCP/UDP port 21, but make SURE you configure
your firewall to do connection tracking and set up appropriate security.

Configure all other incoming traffic to "-j DROP" in the iptables rules
(don't use "-j DENY", as all that does is advertise the fact that there
is a machine out there that's denying access...DROP simply drops the
packets on the floor--an attacker sees nothing at all).

I'd suggest getting something like Firestarter
(http://firestarter.sourceforge.net) to give you a GUI to help you
configure the firewall if you're not comfortable doing it manually.

Also note that many "iffy" protocols (and I mean iffy in regards to
security such as telnet, ftp, finger, whois, etc.) are also disabled by
default on Linux installs (unlike that virusware from Washington).  You
specifically have to enable them, and only enable the ones you KNOW you
need.  Unless you're running a server of some type, generally the only
daemon you need to run will be sshd--and only that if you need to
access your machine remotely.  NEVER enable telnet.  Use ssh instead.
----------------------------------------------------------------------
- Rick Stevens, Senior Systems Engineer     rstevens at vitalstream.com -
- VitalStream, Inc.                       http://www.vitalstream.com -
-                                                                    -
-      "Doctor!  My brain hurts!"  "It will have to come out!"       -
----------------------------------------------------------------------




More information about the Redhat-install-list mailing list