How to enable ping? A little complex


# 8  
Sorry, forgot to put the output.
Here's the output:

Code:
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 318K   76M            all  --  *      *       0.0.0.0/0            0.0.0.0/0           
 318K   76M            all  --  *      *       0.0.0.0/0            0.0.0.0/0           
 318K   76M            all  --  *      *       0.0.0.0/0            0.0.0.0/0           
 318K   76M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW,RELATED,ESTABLISHED
    9   536 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     tcp  --  *      *       192.168.0.0/24       0.0.0.0/0            tcp dpt:6000
    0     0 ACCEPT     tcp  --  *      *       192.168.0.0/24       0.0.0.0/0            tcp dpt:3000
    0     0 ACCEPT     tcp  --  *      *       192.168.0.0/24       0.0.0.0/0            tcp dpt:2000
    0     0 ACCEPT     tcp  --  *      *       192.168.0.0/24       0.0.0.0/0            tcp dpt:137
    0     0 ACCEPT     udp  --  *      *       192.168.0.0/24       0.0.0.0/0            udp dpt:137
    0     0 ACCEPT     udp  --  *      *       192.168.0.0/24       0.0.0.0/0            udp dpt:138
    0     0 ACCEPT     tcp  --  *      *       192.168.0.0/24       0.0.0.0/0            tcp dpt:138
    0     0 ACCEPT     tcp  --  *      *       192.168.0.0/24       0.0.0.0/0            tcp dpt:139
    0     0 ACCEPT     udp  --  *      *       192.168.0.0/24       0.0.0.0/0            udp dpt:139
    0     0 ACCEPT     tcp  --  *      *       192.168.0.0/24       0.0.0.0/0            tcp dpt:445
    0     0 ACCEPT     udp  --  *      *       192.168.0.0/24       0.0.0.0/0            udp dpt:445
    0     0 ACCEPT     udp  --  *      *       192.168.0.0/24       0.0.0.0/0            udp dpt:65529
    0     0 ACCEPT     udp  --  *      *       192.168.0.0/24       0.0.0.0/0            udp dpt:65530
    0     0 ACCEPT     udp  --  *      *       192.168.0.0/24       0.0.0.0/0            udp dpt:65533
    0     0 ACCEPT     tcp  --  *      *       192.168.0.0/24       0.0.0.0/0            tcp dpt:65529
    0     0 ACCEPT     tcp  --  *      *       192.168.0.0/24       0.0.0.0/0            tcp dpt:65533
    0     0 ACCEPT     tcp  --  *      *       192.168.0.0/24       0.0.0.0/0            tcp dpt:65530
    0     0 ACCEPT     tcp  --  *      *       192.168.0.0/24       0.0.0.0/0            tcp dpts:4711:4712
    0     0 ACCEPT     udp  --  *      *       192.168.0.0/24       0.0.0.0/0            udp dpts:4711:4712
    0     0 ACCEPT     tcp  --  *      *       192.168.0.0/24       0.0.0.0/0            tcp dpt:25
    0     0 ACCEPT     udp  --  *      *       192.168.0.0/24       0.0.0.0/0            udp dpt:631
    0     0 ACCEPT     tcp  --  *      *       192.168.0.0/24       0.0.0.0/0            tcp dpt:631
    0     0 ACCEPT     udp  --  *      *       192.168.0.0/24       0.0.0.0/0            udp dpt:515
    0     0 ACCEPT     tcp  --  *      *       192.168.0.0/24       0.0.0.0/0            tcp dpt:515
    0     0 ACCEPT     tcp  --  *      *       192.168.0.0/24       0.0.0.0/0            tcp dpt:111
    0     0 ACCEPT     udp  --  *      *       192.168.0.0/24       0.0.0.0/0            udp dpt:111
    0     0 ACCEPT     tcp  --  *      *       192.168.0.0/24       0.0.0.0/0            tcp dpt:662
    0     0 ACCEPT     udp  --  *      *       192.168.0.0/24       0.0.0.0/0            udp dpt:662
    0     0 ACCEPT     tcp  --  *      *       192.168.0.0/24       0.0.0.0/0            tcp dpt:2049
    0     0 ACCEPT     udp  --  *      *       192.168.0.0/24       0.0.0.0/0            udp dpt:2049
    0     0 ACCEPT     tcp  --  *      *       192.168.0.0/24       0.0.0.0/0            tcp dpt:4001
    0     0 ACCEPT     udp  --  *      *       192.168.0.0/24       0.0.0.0/0            udp dpt:4001
    0     0 ACCEPT     tcp  --  *      *       192.168.0.0/24       0.0.0.0/0            tcp dpt:32768
    0     0 ACCEPT     udp  --  *      *       192.168.0.0/24       0.0.0.0/0            udp dpt:32768
    0     0 ACCEPT     tcp  --  *      *       192.168.0.0/24       0.0.0.0/0            tcp dpt:2122
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:20 state ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:21 state ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:2121 state ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       192.168.0.0/24       0.0.0.0/0            tcp dpts:60000:65535
    0     0 ACCEPT     udp  --  *      *       192.168.0.0/24       0.0.0.0/0            udp dpts:60000:65535
    0     0 ACCEPT     tcp  --  *      *       192.168.0.0/24       0.0.0.0/0            tcp dpt:5859
    0     0 ACCEPT     tcp  --  *      *       192.168.0.0/24       0.0.0.0/0            tcp dpts:54233:54234
    0     0 ACCEPT     udp  --  *      *       192.168.0.0/24       0.0.0.0/0            udp dpts:54233:54234
   14   817 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 415K packets, 499M bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:20 state NEW,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:21 state NEW,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:2121 state NEW,ESTABLISHED

# 9  
Ok. That'll help you a lot.

If you look at your table...

... what rules would you assume are relevant for the failed ping?
... what rule, do you assume, matches your ICMP packets (inbound and outbound)?

And last but not least, what do you think the following of your rules accomplishes?
Code:
iptables -A INPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT

You will be surprised what you have created. Very rare. ;-)

Hint: Look at the counters!

Last edited by stomp; 04-10-2018 at 01:48 PM..
# 10  
Sorry, I'm a little (or more..) not too expert with firewalls.

This rule

Code:
iptables -A INPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT

accepts connections if new, related or already established before the firewall starts, or am I wrong?

Code:
... what rules would you assume are relevant for the failed ping?

The latest, with the big count.

Code:
... what rule, do you assume, matches your ICMP packets (inbound and outbound)?

Mmm.. the latest?
Now try to fix..

---------- Post updated at 01:20 PM ---------- Previous update was at 01:12 PM ----------

Thanks, stomp, for the help.
I have fixed the script by removing the last line.
# 11  
There is not a single rule allowing ICMP packets, which means they go to the default drop rule (the last line of the INPUT chain, with packet count 14).

Code:
iptables -A INPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT

This rule means that EVERY stateful connection is allowed. Every possible TCP connection.

The only thing not allowed is ping. (more or less ;-) )

Delete the NEW state from the rule, so that only established and related connections are matched by it.

And remove all -m something elements from your iptables rules.

Replace the ICMP block with this:

Code:
# Icmp
iptables -A INPUT -p icmp --icmp-type 0 -j ACCEPT

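The two questions stomp asks above (which rule a packet hits, and what the counters say) come down to first-match evaluation of the INPUT chain. The following is an added example, not code from the thread or from any of its participants: a small Python model of a cut-down INPUT chain with conntrack states, built from constructed rules and constructed packets. It assumes what conntrack does in practice: an unsolicited inbound echo-request is NEW, the reply to a ping this host sent is ESTABLISHED, and a packet conntrack cannot classify is INVALID. ICMP type 8 is echo-request and type 0 is echo-reply. The model shows that a leading NEW,RELATED,ESTABLISHED rule shadows every rule after it (their counters stay at zero), that dropping NEW makes the per-port rules and the final REJECT take effect again, and, going one step beyond the thread, that an ICMP rule for type 0 alone never fires, because echo-replies already match the ESTABLISHED rule, while inbound pings still fall through to REJECT until echo-request (type 8) is accepted.

```python
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Added example: a first-match model of an iptables INPUT chain. Rules,
# addresses and packets are constructed for the demo, not taken from a live host.


@dataclass
class Packet:
    proto: str                 # "tcp", "udp" or "icmp"
    src: str                   # source IPv4 address
    state: str                 # conntrack state: NEW, ESTABLISHED, RELATED or INVALID
    dport: int = 0             # destination port (tcp/udp only)
    icmp_type: int = -1        # ICMP type (icmp only): 8 = echo-request, 0 = echo-reply
    in_iface: str = "eth0"     # interface the packet arrived on


@dataclass
class Rule:
    target: str                                  # ACCEPT or REJECT
    proto: Optional[str] = None                  # -p
    src: Optional[str] = None                    # -s (CIDR)
    dports: Optional[Tuple[int, int]] = None     # --dport low:high
    states: Optional[FrozenSet[str]] = None      # -m state --state
    in_iface: Optional[str] = None               # -i
    icmp_type: Optional[int] = None              # --icmp-type
    pkts: int = 0                                # the "pkts" counter of iptables -L -v -n

    def matches(self, p: Packet) -> bool:
        """Every match option given on the rule must hold; unset options match anything."""
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.src is not None and ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src):
            return False
        if self.dports is not None and not (self.dports[0] <= p.dport <= self.dports[1]):
            return False
        if self.states is not None and p.state not in self.states:
            return False
        if self.in_iface is not None and p.in_iface != self.in_iface:
            return False
        if self.icmp_type is not None and p.icmp_type != self.icmp_type:
            return False
        return True


def evaluate(chain: List[Rule], p: Packet) -> Tuple[int, str]:
    """Walk the chain top to bottom; the first matching rule decides and its counter grows."""
    for i, r in enumerate(chain):
        if r.matches(p):
            r.pkts += 1
            return i, r.target
    return -1, "POLICY"  # nothing matched: the chain policy would decide


LAN = "192.168.0.0/24"  # constructed LAN, same prefix as the thread's rule set


def build_chain(allow_new: bool, icmp_type: int) -> List[Rule]:
    """Cut-down INPUT chain: state rule, loopback, one LAN port rule, one ICMP rule, final REJECT."""
    states = {"RELATED", "ESTABLISHED"} | ({"NEW"} if allow_new else set())
    return [
        Rule("ACCEPT", states=frozenset(states)),
        Rule("ACCEPT", in_iface="lo"),
        Rule("ACCEPT", proto="tcp", src=LAN, dports=(2122, 2122)),  # ssh on 2122, LAN only
        Rule("ACCEPT", proto="icmp", icmp_type=icmp_type),
        Rule("REJECT"),                                              # reject-with icmp-host-prohibited
    ]


# Constructed sample traffic, one packet per situation worth checking.
TRAFFIC = [
    Packet("tcp", "192.168.0.20", "NEW", dport=2122),       # ssh from the LAN
    Packet("tcp", "10.0.0.5", "NEW", dport=2122),           # ssh from outside the LAN
    Packet("tcp", "10.0.0.5", "NEW", dport=3306),           # a port no rule mentions
    Packet("icmp", "192.168.0.20", "NEW", icmp_type=8),     # a LAN host pings us (echo-request)
    Packet("icmp", "8.8.8.8", "ESTABLISHED", icmp_type=0),  # reply to a ping we sent
    Packet("tcp", "10.0.0.5", "INVALID", dport=80),         # conntrack could not classify it
]


def run(chain: List[Rule], traffic: List[Packet] = TRAFFIC) -> List[str]:
    """Verdict per packet, in TRAFFIC order."""
    return [evaluate(chain, p)[1] for p in traffic]


def dead_rules(chain: List[Rule]) -> List[int]:
    """Indexes of rules whose counter is still zero after the traffic: the 'look at the counters' hint."""
    return [i for i, r in enumerate(chain) if r.pkts == 0]


if __name__ == "__main__":
    for label, chain in [("NEW in state rule, icmp type 0", build_chain(True, 0)),
                         ("no NEW, icmp type 0", build_chain(False, 0)),
                         ("no NEW, icmp type 8", build_chain(False, 8))]:
        verdicts = run(chain)
        print(f"{label}: {verdicts}  dead rules: {dead_rules(chain)}")
```

Read the three runs against the thread's table: with NEW in the first rule, every tracked packet, including SSH from outside the LAN, is accepted there, so all later ACCEPT rules keep a zero counter and only INVALID packets reach REJECT. Without NEW, the port and ICMP rules become live and the outside-LAN connections are rejected; the type-0 ICMP rule still shows a zero counter, and echo-requests keep being rejected, until the rule accepts type 8.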
# 12  
Made it, thanks for helping me.
# 13  
Quote:
I have fixed the script removing the last line
This way, too, you disabled your firewall functionality completely.

---

The first 3 rules of the INPUT chain seem defective. They have no effect, and there must be some error in the rules for them to show up like this.
# 14  
Quote:
Originally Posted by stomp
This way, too, you disabled your firewall functionality completely.

---

The first 3 rules of the INPUT chain seem defective. They have no effect, and there must be some error in the rules for them to show up like this.
Whoops!
I'll fix it now.

---------- Post updated at 01:42 PM ---------- Previous update was at 01:40 PM ----------

This is the script now.
I'm testing it.

Code:
#!/bin/sh
#a simple script firewall

# We need this for redirection
echo 1 > /proc/sys/net/ipv4/ip_forward

firewall_start() {
# Clean
iptables -F
iptables -X
iptables -Z
iptables -t nat -F
iptables -t nat -X
iptables -t nat -Z
iptables -t mangle -F
iptables -t mangle -X
iptables -t mangle -Z

# Default policy
#iptables -P PREROUTING  ACCEPT
#iptables -P OUTPUT  ACCEPT
#iptables -P POSTROUTING  ACCEPT
#iptables -P INPUT ACCEPT
#iptables -P FORWARD ACCEPT


# firewall rules INPUT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT


# X11
iptables -A INPUT -s 192.168.0.0/24 -p tcp  --dport 6000 -j ACCEPT

# Vdr
iptables -A INPUT -s 192.168.0.0/24 -p tcp  --dport 3000 -j ACCEPT
iptables -A INPUT -s 192.168.0.0/24 -p tcp  --dport 2000 -j ACCEPT

# Samba
iptables -A INPUT -s 192.168.0.0/24 -p tcp  --dport 137 -j ACCEPT
iptables -A INPUT -s 192.168.0.0/24 -p udp  --dport 137 -j ACCEPT
iptables -A INPUT -s 192.168.0.0/24 -p udp  --dport 138 -j ACCEPT
iptables -A INPUT -s 192.168.0.0/24 -p tcp  --dport 138 -j ACCEPT
iptables -A INPUT -s 192.168.0.0/24 -p tcp  --dport 139 -j ACCEPT
iptables -A INPUT -s 192.168.0.0/24 -p udp  --dport 139 -j ACCEPT
iptables -A INPUT -s 192.168.0.0/24 -p tcp  --dport 445 -j ACCEPT
iptables -A INPUT -s 192.168.0.0/24 -p udp  --dport 445 -j ACCEPT

# Amule
iptables -A INPUT -s 192.168.0.0/24 -p udp  --dport 65529 -j ACCEPT
iptables -A INPUT -s 192.168.0.0/24 -p udp  --dport 65530 -j ACCEPT
iptables -A INPUT -s 192.168.0.0/24 -p udp  --dport 65533 -j ACCEPT
iptables -A INPUT -s 192.168.0.0/24 -p tcp  --dport 65529 -j ACCEPT
iptables -A INPUT -s 192.168.0.0/24 -p tcp  --dport 65533 -j ACCEPT
iptables -A INPUT -s 192.168.0.0/24 -p tcp  --dport 65530 -j ACCEPT
iptables -A INPUT -s 192.168.0.0/24 -p tcp  --dport 4711:4712 -j ACCEPT
iptables -A INPUT -s 192.168.0.0/24 -p udp  --dport 4711:4712 -j ACCEPT

# Mail
iptables -A INPUT -s 192.168.0.0/24 -p tcp  --dport 25 -j ACCEPT

# Print
iptables -A INPUT -s 192.168.0.0/24 -p udp  --dport 631 -j ACCEPT
iptables -A INPUT -s 192.168.0.0/24 -p tcp  --dport 631 -j ACCEPT
iptables -A INPUT -s 192.168.0.0/24 -p udp  --dport 515 -j ACCEPT
iptables -A INPUT -s 192.168.0.0/24 -p tcp  --dport 515 -j ACCEPT

# Nfs
iptables -A INPUT -s 192.168.0.0/24 -p tcp  --dport 111 -j ACCEPT 
iptables -A INPUT -s 192.168.0.0/24 -p udp  --dport 111 -j ACCEPT 
iptables -A INPUT -s 192.168.0.0/24 -p tcp  --dport 662 -j ACCEPT 
iptables -A INPUT -s 192.168.0.0/24 -p udp  --dport 662 -j ACCEPT 
iptables -A INPUT -s 192.168.0.0/24 -p tcp  --dport 2049 -j ACCEPT 
iptables -A INPUT -s 192.168.0.0/24 -p udp  --dport 2049 -j ACCEPT 
iptables -A INPUT -s 192.168.0.0/24 -p tcp  --dport 4001 -j ACCEPT 
iptables -A INPUT -s 192.168.0.0/24 -p udp  --dport 4001 -j ACCEPT 
iptables -A INPUT -s 192.168.0.0/24 -p tcp  --dport 32768 -j ACCEPT 
iptables -A INPUT -s 192.168.0.0/24 -p udp  --dport 32768 -j ACCEPT 

# Ssh 
iptables -A INPUT -s 192.168.0.0/24 -p tcp  --dport 2122 -j ACCEPT

# Ftp
iptables -A INPUT  -p tcp --sport 20 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --dport 20 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT  -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT  -p tcp --sport 2121 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --dport 2121 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -s 192.168.0.0/24 -p tcp  --dport 60000:65535 -j ACCEPT
iptables -A INPUT -s 192.168.0.0/24 -p udp  --dport 60000:65535 -j ACCEPT

# Secure telnet
iptables -A INPUT -s 192.168.0.0/24 -p tcp  --dport 5859 -j ACCEPT

# Ktorrent
iptables -A INPUT -s 192.168.0.0/24 -p tcp  --dport 54233:54234 -j ACCEPT
iptables -A INPUT -s 192.168.0.0/24 -p udp  --dport 54233:54234 -j ACCEPT

# Firewall rules NAT/OUTPUT
iptables -t nat -A PREROUTING -s 192.168.0.0/24  -p tcp --dport 21 -j REDIRECT --to-port 2121
iptables -t nat -A OUTPUT -s 192.168.0.0/24  -p tcp -o lo --dport 21 -j REDIRECT --to-port 2121
iptables -t nat -A PREROUTING -s 192.168.0.0/24 -p tcp --dport 22 -j REDIRECT --to-ports 2122
iptables -t nat -A OUTPUT -s 192.168.0.0/24 -p tcp -o lo --dport 22 -j REDIRECT --to-ports 2122

# Icmp
iptables -A INPUT -p icmp --icmp-type 0 -j ACCEPT

# Log
#iptables -A INPUT -j LOG
#iptables -A FORWARD -j LOG

#Final rules
iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited
iptables -A FORWARD -j REJECT --reject-with icmp-host-prohibited
}

firewall_stop() {
# Clean
iptables -F
iptables -X
iptables -Z
iptables -t nat -F
iptables -t nat -X
iptables -t nat -Z
iptables -t mangle -F
iptables -t mangle -X
iptables -t mangle -Z
}


firewall_restart() {
firewall_stop
firewall_start
}

case "$1" in
'start')
  firewall_start
  ;;
'stop')
  firewall_stop
  ;;
'restart')
  firewall_restart
  ;;
*)
  echo "usage $0 start|stop|restart"
esac

