LinuxMCE Forums
General => Installation issues => Topic started by: ardirtbiker on July 27, 2014, 11:19:59 pm
-
I installed 12.04 from the July 19th image 29194.
After the install completed (hybrid core), the MD came up fine. In Firefox, I can navigate pages. Apt update/install works as well. When 'pinging' from the core (ping ubuntu.org), the name gets resolved to an IP, but ping times out. Cannot ping localhost or dcerouter either. Pinging IPs fails too.
Additionally, a workstation getting an IP from the core (non-MD) cannot ping anything.
I installed ufw... and ran the command 'ufw enable' followed by 'ufw reset'. Ping started working. However, on reboot of the core, everything reverts back to the LMCE default firewall settings.
Is there a workaround? I didn't see any posts in the forums by others with the same issue.
Dennis
-
29194 should have the firewall fixes included. If things are not working, get a hold of Alblasco1702 in IRC to figure out what's still missing.
-
ardirtbiker:
Can you put the output of "sudo iptables -vnL" (without the " ") here,
so I can check the firewall config?
Thanks
-
I did a re-install of 12.04 this evening and verified that the same thing happens.
Here is the output of iptables -nvL:
Chain INPUT (policy DROP 8041 packets, 2013K bytes)
pkts bytes target prot opt in out source destination
66532 78M BLOCKLIST all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcpflags: 0x3F/0x29
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcpflags: 0x3F/0x3F
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcpflags: 0x3F/0x00
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcpflags: 0x06/0x06
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcpflags: 0x03/0x03
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcpflags: 0x11/0x01
0 0 DROP tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcpflags: 0x3F/0x37
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 mark match 0x1
6543 1173K ACCEPT tcp -- lo * 0.0.0.0/0 0.0.0.0/0 /* Allow_Loopback */
795 116K ACCEPT udp -- lo * 0.0.0.0/0 0.0.0.0/0 /* Allow_Loopback */
50860 75M ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED /* Allow_Established */
307 77973 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED /* Allow_Established */
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED /* Allow_Established */
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED /* Allow_Established */
0 0 ACCEPT udp -- eth1 * 0.0.0.0/0 0.0.0.0/0 udp spt:67 /* Allow_DHCP */
0 0 ACCEPT udp -- eth0 * 0.0.0.0/0 0.0.0.0/0 udp spt:68 /* Allow_DHCP */
Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- lo lo 0.0.0.0/0 0.0.0.0/0 /* Allow_Loopback */
0 0 ACCEPT udp -- lo lo 0.0.0.0/0 0.0.0.0/0 /* Allow_Loopback */
Chain OUTPUT (policy ACCEPT 51507 packets, 4357K bytes)
pkts bytes target prot opt in out source destination
Chain BLOCKLIST (1 references)
pkts bytes target prot opt in out source destination
1 40 DROP all -- * * 218.77.79.0/24 0.0.0.0/0
0 0 DROP all -- * * 217.12.221.0/24 0.0.0.0/0
0 0 DROP all -- * * 198.20.69.0/24 0.0.0.0/0
0 0 DROP all -- * * 192.81.130.0/24 0.0.0.0/0
0 0 DROP all -- * * 185.56.80.0/24 0.0.0.0/0
0 0 DROP all -- * * 162.253.66.0/24 0.0.0.0/0
0 0 DROP all -- * * 125.96.160.0/24 0.0.0.0/0
0 0 DROP all -- * * 124.232.142.0/24 0.0.0.0/0
0 0 DROP all -- * * 93.180.5.0/24 0.0.0.0/0
0 0 DROP all -- * * 93.174.93.0/24 0.0.0.0/0
0 0 DROP all -- * * 84.200.17.0/24 0.0.0.0/0
0 0 DROP all -- * * 78.187.174.0/24 0.0.0.0/0
0 0 DROP all -- * * 71.6.216.0/24 0.0.0.0/0
0 0 DROP all -- * * 71.6.167.0/24 0.0.0.0/0
0 0 DROP all -- * * 71.6.165.0/24 0.0.0.0/0
0 0 DROP all -- * * 66.240.236.0/24 0.0.0.0/0
0 0 DROP all -- * * 66.240.192.0/24 0.0.0.0/0
0 0 DROP all -- * * 66.154.119.0/24 0.0.0.0/0
0 0 DROP all -- * * 46.148.130.0/24 0.0.0.0/0
0 0 DROP all -- * * 41.135.113.0/24 0.0.0.0/0
And here is the output of 'host linuxmce.org':
linuxmce.org has address 193.200.112.137
linuxmce.org mail is handled by 10 mail.linuxmce.org.
And the output of 'ping linuxmce.org' (note that I had to kill the process... it never stopped):
PING linuxmce.org (193.200.112.137) 56(84) bytes of data.
--- linuxmce.org ping statistics ---
940 packets transmitted, 0 received, 100% packet loss, time 946511ms
/etc/network/interfaces looks correct:
#####
# Loopback interface
#####
iface lo inet loopback
#####
# IPv4 network interfaces
#####
# --- External NIC ---
iface eth0 inet dhcp
pre-up sysctl -q -e -w net.ipv6.conf.eth0.disable_ipv6=1
# --- Internal NIC ---
iface eth1 inet static
address 192.168.80.1
netmask 255.255.255.0
pre-up sysctl -q -e -w net.ipv6.conf.eth1.disable_ipv6=1
# DNS Settings for Internal Net
dns-nameservers 192.168.80.1
dns-search LinuxMCE
#####
# Activating interfaces
#####
auto eth0 eth1 lo
Since the 'host' command returns a result, I know name resolution is working and I can get to the public internet. Ping resolves the name as well, but I do not get any 'ping' results back. I'm thinking this is something to do with the firewall... but I'm not experienced enough with firewalls to say for certain.
Dennis
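As an added illustration (not code from this thread or from LinuxMCE), a short Python walk through the INPUT chain posted above shows why DNS and HTTP work while ping fails: the Allow_Loopback and Allow_Established rules match only tcp and udp, so an ICMP echo reply never matches anything and falls through to the chain's DROP policy. The sample chain is a constructed trim of the posted output, and the Allow_ICMP rule is a hypothetical fix included only for comparison.

```python
import re

# Constructed sample: the INPUT chain posted above, trimmed to the rules that decide the verdict.
SAMPLE = """\
Chain INPUT (policy DROP 8041 packets, 2013K bytes)
pkts bytes target prot opt in out source destination
66532 78M BLOCKLIST all -- * * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 mark match 0x1
6543 1173K ACCEPT tcp -- lo * 0.0.0.0/0 0.0.0.0/0 /* Allow_Loopback */
795 116K ACCEPT udp -- lo * 0.0.0.0/0 0.0.0.0/0 /* Allow_Loopback */
50860 75M ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED /* Allow_Established */
307 77973 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED /* Allow_Established */
0 0 ACCEPT udp -- eth1 * 0.0.0.0/0 0.0.0.0/0 udp spt:67 /* Allow_DHCP */
"""
# Hypothetical rule that would let echo replies through (not present in the posted output).
ICMP_FIX = "0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 /* Allow_ICMP */\n"

def parse_chain(text):
    """Return (policy, rules) for one chain of `iptables -vnL` output.
    Columns: pkts bytes target prot opt in out source destination [match text]."""
    policy, rules = None, []
    for line in text.splitlines():
        m = re.match(r"Chain \S+ \(policy (\w+)", line)
        if m:
            policy = m.group(1)
        elif line.strip() and not line.startswith("pkts"):
            f = line.split()
            rules.append({"target": f[2], "prot": f[3], "in_if": f[5], "extra": " ".join(f[9:])})
    return policy, rules

def verdict(policy, rules, prot, in_if, state):
    """First-match walk for a packet (protocol, input interface, conntrack state).
    Assumes no fwmark is set and no port match applies, as for an ICMP echo reply."""
    for r in rules:
        if r["prot"] not in ("all", prot) or r["in_if"] not in ("*", in_if):
            continue
        if "mark match" in r["extra"] or "spt:" in r["extra"]:
            continue
        if "RELATED,ESTABLISHED" in r["extra"] and state != "ESTABLISHED":
            continue
        if r["target"] in ("ACCEPT", "DROP", "REJECT"):
            return r["target"]
        # a jump to a user chain such as BLOCKLIST that matched nothing: keep walking
    return policy

def ping_reply_verdicts(text):
    """What the chain does with the reply to a ping (ICMP, ESTABLISHED) versus a TCP reply."""
    policy, rules = parse_chain(text)
    return {"icmp_lo": verdict(policy, rules, "icmp", "lo", "ESTABLISHED"),
            "icmp_eth0": verdict(policy, rules, "icmp", "eth0", "ESTABLISHED"),
            "tcp_eth0": verdict(policy, rules, "tcp", "eth0", "ESTABLISHED")}
```

Running `ping_reply_verdicts(SAMPLE)` gives DROP for both ICMP cases and ACCEPT for the TCP reply; appending `ICMP_FIX` to the chain turns all three into ACCEPT.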
-
Any ideas on this?
Dennis
-
ardirtbiker,
Yes, try the new scripts I have attached to this post.
-
I'm having the same issue on the 1204 install I did last night. Will test your scripts as soon as SWMBO allows.
-
The new scripts permit communication between the core and devices on the internal network. The core does not route internet traffic to the internal network unless the firewall is disabled via webadmin. Let me know what info I can provide.
-
If you have strange firewall behaviour, please try a reset first.
To get some rules, here are some basics.
To forward from the outside to the internal LAN, e.g. TCP port 770 on 192.168.80.17, do:
IP version | Rule Type | Protocol | Source Port | Destination Port | Destination IP | Limit to IP | Rule policy | Description
ipv4 | port_forward (NAT) | tcp | 770 | 770 | 192.168.80.17 | | ACCEPT | A description that lets you remember why you set the rule and/or what the rule does.
If you need a different port than the port on the core, e.g. packets come in on port 770 on the core and arrive on port 8080 on the client, do:
IP version | Rule Type | Protocol | Source Port | Destination Port | Destination IP | Limit to IP | Rule policy | Description
ipv4 | port_forward (NAT) | tcp | 770 | 8080 | 192.168.80.17 | | ACCEPT | A description that lets you remember why you set the rule and/or what the rule does.
To open ports on the core from outside, e.g. for SSH, do:
IP version | Rule Type | Protocol | Source Port | Destination Port | Destination IP | Limit to IP | Rule policy | Description
ipv4/ipv6 | input | tcp | 22 | | | | ACCEPT | Allow SSH
-
An updated Network_Firewall.sh file is attached to this post to fix a bug.
-
Thanks Alblasco1702.
I will apply the scripts tomorrow and report back when I get a chance.
Dennis
-
Gentlemen,
I applied the updated files supplied by Alblasco.
Network_Firewall.sh (from reply #9) to /usr/pluto/bin/Network_Firewall.sh (replacing original)
firewall.php (from reply #5) to /var/www/lmce-admin/operations/network/firewall.php (replacing original)
Rebooted core.
Still unable to 'ping' an internet web page by name or address from the core OR from a workstation getting its IP from the core.
Can anyone else confirm?
Thanks,
Dennis
-
Did you go into the web firewall page and reset all the rules?
-
Alblasco's updated scripts worked for me, after a rule reset. I'm not an "IDIOT" but clicking that button did help matters :P
-
An update to this.
I could not get the updated scripts to 'fix' the firewall issues.
I downloaded the latest 12.04 snapshot and did a fresh install. This resolved the problem.
Thanks for the hard work guys...
now to see about creating an MD!!!
Dennis