[SOLVED] Trying to rebuild a firewall system. Cannot connect/ping anything.
Following a mysterious hardware glitch that rendered my Slackware 14.2 firewall unbootable, I re-installed using 15.0. Now... I find that I cannot get a connection from the firewall system to the LAN or to the Internet. I'm seeing a lot of connection failures that are likely default route problems. Unfortunately, the online FAQs and HOWTOs for Slackware appear to be woefully outdated. (Forget about TLDP---many/most links are 404 pages at iBiblio; some have been defaced and are porn sites).
Here's the configuration I have to work with:
eth0 is the internal net interface: 192.168.13.1
eth1 is the internet interface: 1.2.3.45 (static IP supplied by ISP; those first three octets are fake)
The information on the ISP's router specifies a gateway of: 1.2.3.1. There is no net mask information provided (I assume it's 255.255.255.254).
There is also a subnet address provided that, frankly, I have no idea what it's for. (I don't recall from the 14.2 installation days -- a few years and two household moves since then; any notes I made back then are not available -- whether that played a part in Slackware's net configuration.)
Where the network configuration stands right now is that eth0 has the 192.168.13.1/24 address assigned, eth1 has the 1.2.3.45/31 address (mask is an assumption on my part) and the default route is aimed at eth0. I cannot ping anything internally without getting a "Destination Unreachable" error message.
(Sorry I can't post actual config settings as I'm posting via the ISP's wifi connection and currently can't grab terminal output from the firewall.)
Anyone got any ideas where my configuration has gone awry? Or got a link to more up-to-date Slackware network configuration documentation?
I would also expect that the internet gateway is the default route, i.e. should be eth1 and not eth0.
If you want to route packets, are you running routed on that computer? By default this is commented out in /etc/rc.d/rc.inet2 :
Code:
# # Start the network routing daemon:
# if [ -x /usr/sbin/routed ]; then
# echo "Starting network routing daemon: /usr/sbin/routed"
# /usr/sbin/routed -g -s
# fi
Original Poster
Quote:
Originally Posted by bitfuzzy
Is your firewall active? If so, try disabling it
Haven't gotten that far yet. Still working on basic pingability.
Quote:
My ip setup looks like
IPADDRS[0]="192.168.20.10"
...
IPADDRS[1]="xx.xx.xx.xx/29" (ISP STATIC)
...
GATEWAY="xx.xx.xx.xx" (ISP STATIC)
....
What does the output of
Code:
ifconfig
look like?
Information on the ISP's router doesn't even let one know what netmask to use. I'll try /30 and see what I get. (I found an old thumbdrive so I can sneakernet screen output onto the laptop I'm using through the ISP's wifi.)
After tweaking the netmask for the ISP addresses and restarting rc.inet1 and enabling routed in rc.inet2 (and restarting), I get:
Code:
root@fw:/etc/rc.d# ifconfig -a
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.13.1 netmask 255.255.255.0 broadcast 192.168.13.255
inet6 fe80::206:2bff:fe00:24d3 prefixlen 64 scopeid 0x20<link>
ether 00:06:2b:00:24:d3 txqueuelen 1000 (Ethernet)
RX packets 8535 bytes 756244 (738.5 KiB)
RX errors 1 dropped 3916 overruns 0 frame 0
TX packets 1142 bytes 51412 (50.2 KiB)
TX errors 7 dropped 0 overruns 0 carrier 7 collisions 0
eth2: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 99.46.146.45 netmask 255.255.255.252 broadcast 99.46.146.47
inet6 fe80::f2b4:d2ff:fe0c:9f55 prefixlen 64 scopeid 0x20<link>
ether f0:b4:d2:0c:9f:55 txqueuelen 1000 (Ethernet)
RX packets 1478 bytes 129551 (126.5 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 94 bytes 7356 (7.1 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 28 bytes 3034 (2.9 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 28 bytes 3034 (2.9 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
root@fw:/etc/rc.d# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
1.2.3.44 0.0.0.0 255.255.255.252 U 0 0 0 eth2
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
192.168.13.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
root@fw:/etc/rc.d# grep -v '#' rc.inet1.conf
IPADDRS[0]="192.168.13.1/24"
USE_DHCP[0]=""
IP6ADDRS[0]=""
USE_SLAAC[0]=""
USE_DHCP6[0]=""
DHCP_HOSTNAME[0]=""
IPADDRS[1]="" # I was no longer getting a link light on this interface so I
USE_DHCP[1]="" # pulled that card from the system. External connection is
IP6ADDRS[1]="" # now an old 10/100 interface.
USE_SLAAC[1]=""
USE_DHCP6[1]=""
DHCP_HOSTNAME[1]=""
IPADDRS[2]="1.2.3.45/30"
USE_DHCP[2]=""
IP6ADDRS[2]=""
USE_SLAAC[2]=""
USE_DHCP6[2]=""
DHCP_HOSTNAME[2]=""
IPADDRS[3]=""
USE_DHCP[3]=""
IP6ADDRS[3]=""
USE_SLAAC[3]=""
USE_DHCP6[3]=""
DHCP_HOSTNAME[3]=""
GATEWAY="1.2.3.1"
GATEWAY6=""
DEBUG_ETH_UP="no"
root@fw:/etc/rc.d# grep -v '#' rc.inet2
if [ -x /etc/rc.d/rc.firewall ]; then
/etc/rc.d/rc.firewall start
fi
if [ -x /etc/rc.d/rc.ip_forward ]; then
. /etc/rc.d/rc.ip_forward start
fi
if [ -x /etc/rc.d/rc.krb5kdc ]; then
sh /etc/rc.d/rc.krb5kdc start
fi
if [ -x /etc/rc.d/rc.kadmind ]; then
sh /etc/rc.d/rc.kadmind start
fi
if [ -x /etc/rc.d/rc.kpropd ]; then
sh /etc/rc.d/rc.kpropd start
fi
if [ -r /etc/rc.d/rc.rpc ]; then
sh /etc/rc.d/rc.rpc start
fi
echo "Mounting remote (NFS) file systems: /sbin/mount -a -t nfs"
/sbin/mount -v -t nfs
fi
if [ -x /etc/rc.d/rc.rpc ]; then
sh /etc/rc.d/rc.rpc start
fi
echo "Mounting remote CIFS file systems: /sbin/mount -a -t cifs"
/sbin/mount -a -t cifs
/sbin/mount -v -t cifs
fi
echo "Mounting remote SMBFS file systems: /sbin/mount -a -t smbfs"
/sbin/mount -a -t smbfs
/sbin/mount -v -t smbfs
fi
if [ -x /etc/rc.d/rc.syslog -a -d /var/log -a ! -r /var/run/syslogd.pid ]; then
. /etc/rc.d/rc.syslog start
fi
if [ -x /etc/rc.d/rc.inetd ]; then
/etc/rc.d/rc.inetd start
fi
if [ -x /etc/rc.d/rc.sshd ]; then
echo "Starting OpenSSH SSH daemon: /usr/sbin/sshd"
/etc/rc.d/rc.sshd start
fi
if [ -x /etc/rc.d/rc.bind ]; then
/etc/rc.d/rc.bind start
fi
if [ -x /etc/rc.d/rc.yp ]; then
/etc/rc.d/rc.yp start
fi
if [ -x /etc/rc.d/rc.openvpn ]; then
/etc/rc.d/rc.openvpn start
fi
if [ -x /etc/rc.d/rc.nfsd ]; then
/etc/rc.d/rc.nfsd start
fi
if [ -x /usr/sbin/routed ]; then
echo "Starting network routing daemon: /usr/sbin/routed"
/usr/sbin/routed -g -s
fi
root@fw:/etc/rc.d#
I'm still not able to ping anything externally or internally.
You need to ask your ISP what to use for the netmask. /30 is 255.255.255.252 and only allows for two hosts.
Your gateway address would have to be x.x.x.46
For reference /24 = 255.255.255.0 which allows for 253 hosts.
Quote:
eth1 is the internet interface: 1.2.3.45 (static IP supplied by ISP; those first three octets are fake)
The information on the ISP's router specifies a gateway of: 1.2.3.1. There is no net mask information provided (I assume it's 255.255.255.254).
There is also a subnet address provided that, frankly, I have no idea what it's for
The assumption that the netmask is 255.255.255.254 is probably wrong. With such a netmask 1.2.3.45 and 1.2.3.1 would not be on the same subnet.
You should be able to read out your netmask from the subnet address.
Is your IP address static? If your ISP assigns your IP address using DHCP you will most likely also be able to get a correct netmask from DHCP.
Even if a guess of a netmask 255.255.255.0 would be wrong, it would at least probably be useful enough for you to be able to reach and route through 1.2.3.1. Guessing netmask 255.255.255.254 will not allow you to reach 1.2.3.1.
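As an added illustration of the two netmask points made above (pingo_penguin's "/30 leaves only .46 as the other host" and henca's "/31 puts 1.2.3.1 off-subnet"), here is a small checker written for this thread, not code from any of the posters. It uses the thread's fake 1.2.3.x addresses and the standard library only.

```python
"""Netmask sanity check for a firewall's WAN interface (added example).

A default route via a gateway only works when that gateway is on-link:
inside the interface's own subnet and not its network or broadcast address.
The addresses used here are the thread's fake 1.2.3.x values.
"""
import ipaddress
from typing import Optional


def gateway_check(addr: str, prefix: int, gateway: str) -> dict:
    """Report what a netmask guess implies for reaching the gateway."""
    iface = ipaddress.ip_interface(f"{addr}/{prefix}")
    net = iface.network
    gw = ipaddress.ip_address(gateway)
    # RFC 3021: a /31 (and a /32) reserves no network/broadcast address.
    reserved = set() if prefix >= 31 else {net.network_address, net.broadcast_address}
    usable = net.num_addresses - len(reserved)
    # List the other host addresses only for small subnets, where it is informative.
    others = [str(h) for h in net.hosts() if h != iface.ip] if usable <= 8 else None
    return {
        "network": str(net),
        "netmask": str(net.netmask),
        "usable_hosts": usable,
        "gateway_on_link": gw in net and gw not in reserved,
        "other_hosts": others,
    }


def longest_prefix_reaching(addr: str, gateway: str) -> Optional[int]:
    """Longest prefix (smallest subnet) that still puts the gateway on-link.

    This is only a bound on how large the ISP's real subnet must be; the
    actual netmask still has to come from the ISP (or from DHCP).
    """
    for prefix in range(32, -1, -1):
        if gateway_check(addr, prefix, gateway)["gateway_on_link"]:
            return prefix
    return None


if __name__ == "__main__":
    for prefix in (31, 30, 24):
        print(f"/{prefix}:", gateway_check("1.2.3.45", prefix, "1.2.3.1"))
    print("longest prefix consistent with gateway 1.2.3.1:",
          longest_prefix_reaching("1.2.3.45", "1.2.3.1"))
```

Running it shows /31 and /30 both leave 1.2.3.1 off-link (the /30 only offers 1.2.3.46), while /24 reaches it; the longest prefix consistent with the stated gateway is /26.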
From the output of ‘ifconfig -a’ in post#4, the interfaces are present and up as eth0 and eth2.
Any chance that you have copied old config into the new setup? The interface naming is odd. Perhaps try deleting /etc/udev/rules.d/70-persistent-net.rules and rebooting.
Original Poster
Quote:
Originally Posted by henca
The assumption that the netmask is 255.255.255.254 is probably wrong. With such a netmask 1.2.3.45 and 1.2.3.1 would not be on the same subnet.
Ouch! If that's the case then the information on the router's web interface is bogus. I put in a call to the ISP to try and get some clarification on the information but all I could get was one of the script readers who didn't understand what I was asking about and insisted that they send a tech out who'd need access to the communications room (after I calmly explained that basic net access was working fine -- via wifi -- and that there was no need for the visit.) I declined the visit as being a waste of everyone's time. (And money as they wanted to charge if the tech did anything over and above the hardware check.)
Quote:
Is your IP address static? If your ISP assigns your IP address using DHCP you will most likely also be able to get a correct netmask from DHCP.
It's static. Servers on the LAN need that.
Quote:
Even if a guess of a netmask 255.255.255.0 would be wrong, it would at least probably be useful enough for you to be able to reach and route through 1.2.3.1. Guessing netmask 255.255.255.254 will not allow you to reach 1.2.3.1.
Worth a try though it feels like a random shot in the dark.
UPDATE: Modified rc.inet1 to use "/24" on the gateway.
The output of 'route -n' after following pingo_penguin's suggestion is now:
Code:
root@fw:/mnt# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 1.2.3.1 0.0.0.0 UG 0 0 0 eth2
1.2.3.0 0.0.0.0 255.255.255.0 U 0 0 0 eth2
127.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 lo
192.168.13.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
root@fw:/mnt#
Original Poster
Quote:
Originally Posted by allend
From the output of ‘ifconfig -a’ in post#4, the interfaces are present and up as eth0 and eth2.
Any chance that you have copied old config into the new setup? The interface naming is odd. Perhaps try deleting /etc/udev/rules.d/70-persistent-net.rules and rebooting.
Not a problem. eth1 was a PCIe gigabit card that, apparently, failed and was removed. eth2 is a 10/100 Tulip port on an older disk controller. The ISP supplied address is defined in the rc.inet1.conf file's section for eth2.
UPDATE:
I removed the udev/rules.d file, rebooted and am now back to eth0 and eth1. No improvement. I have link lights on both interfaces so I'm reasonably confident that both interfaces are operable and the cabling is not faulty.
Bottom line is still: Can ping internally but not to external sites.
I believe the idea of trying to use DHCP on the WAN side (eth2) is that, if it works, you would then know the actual netmask used by your ISP. You would also be able to confirm your ISP's gateway address.