  1. #1 (Just Joined, Nov 2006, 25 posts)

    Conflicting ethernet cards


    Dear all,

    I have had a rather peculiar problem regarding multiple ethernet cards.

    I am running a website in conjunction with an SSH server. I recently updated the software on the server and installed a secondary ethernet card to run a separate website from the same server in the future. The server is running SUSE Linux 10.1 with Apache 2.2.3. Both ethernet cards were given individual IP addresses and the listen.conf file was changed to ensure it was only listening on one IP address for the time being.

    However, for some reason, access could only be achieved from within my institution (academic) to both the website and SSH. The outside world could not access either service, yet anyone from outside could use ping and nslookup to resolve the correct IP address.

    Access from the outside world was only achieved by disabling altogether the spare ethernet card.

    Can someone explain how this arises and how it can be fixed? I want the second website to run from its own IP address and virtual host using Apache, rather than using NameVirtualHost and sharing the same IP address.

    Thanks
    Will.

  2. #2 vigour (Just Joined, Oct 2007, 68 posts)
    Have you built some firewall with iptables, for example?

    Paste your iptables-save output if possible please.

  3. #3 (Just Joined, Nov 2006, 25 posts)
    Hi vigour,

    Here is the output from iptables-save. This is only for one ethernet card. The other one has been disabled. Do you require the output from iptables-save with the second card enabled?

    Currently there are no firewalls in place to prevent server services. Though a firewall will be implemented institution wide shortly and exceptions will be granted to go through the firewall.

    Thanks

    # Generated by iptables-save v1.3.5 on Wed Jan 9 13:17:36 2008
    *mangle
    :PREROUTING ACCEPT [2333172:654536234]
    :INPUT ACCEPT [1631707:560259826]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [2016696:2414708944]
    :POSTROUTING ACCEPT [2016781:2414716782]
    COMMIT
    # Completed on Wed Jan 9 13:17:36 2008
    # Generated by iptables-save v1.3.5 on Wed Jan 9 13:17:36 2008
    *nat
    :PREROUTING ACCEPT [894141:126911834]
    :POSTROUTING ACCEPT [2342:183122]
    :OUTPUT ACCEPT [2342:183122]
    COMMIT
    # Completed on Wed Jan 9 13:17:36 2008
    # Generated by iptables-save v1.3.5 on Wed Jan 9 13:17:36 2008
    *filter
    :INPUT DROP [0:0]
    :FORWARD DROP [0:0]
    :OUTPUT ACCEPT [150:6762]
    :forward_ext - [0:0]
    :input_ext - [0:0]
    :reject_func - [0:0]
    -A INPUT -i lo -j ACCEPT
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -i eth0 -j input_ext
    -A INPUT -j input_ext
    -A INPUT -m limit --limit 3/min -j LOG --log-prefix "SFW2-IN-ILL-TARGET " --log-tcp-options --log-ip-options
    -A INPUT -j DROP
    -A FORWARD -m limit --limit 3/min -j LOG --log-prefix "SFW2-FWD-ILL-ROUTING " --log-tcp-options --log-ip-options
    -A OUTPUT -o lo -j ACCEPT
    -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
    -A OUTPUT -m limit --limit 3/min -j LOG --log-prefix "SFW2-OUT-ERROR " --log-tcp-options --log-ip-options
    -A input_ext -m pkttype --pkt-type broadcast -j DROP
    -A input_ext -p icmp -m icmp --icmp-type 4 -j ACCEPT
    -A input_ext -p icmp -m icmp --icmp-type 8 -j ACCEPT
    -A input_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 0 -j ACCEPT
    -A input_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 3 -j ACCEPT
    -A input_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 11 -j ACCEPT
    -A input_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 12 -j ACCEPT
    -A input_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 14 -j ACCEPT
    -A input_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 18 -j ACCEPT
    -A input_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 3/2 -j ACCEPT
    -A input_ext -p icmp -m state --state RELATED,ESTABLISHED -m icmp --icmp-type 5 -j ACCEPT
    -A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 5801 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
    -A input_ext -p tcp -m tcp --dport 5801 -j ACCEPT
    -A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 5901 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
    -A input_ext -p tcp -m tcp --dport 5901 -j ACCEPT
    -A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 80 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
    -A input_ext -p tcp -m tcp --dport 80 -j ACCEPT
    -A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 53 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
    -A input_ext -p tcp -m tcp --dport 53 -j ACCEPT
    -A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 22 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
    -A input_ext -p tcp -m tcp --dport 22 -j ACCEPT
    -A input_ext -p udp -m udp --dport 53 -j ACCEPT
    -A input_ext -p tcp -m tcp --dport 113 -m state --state NEW -j reject_func
    -A input_ext -m limit --limit 3/min -m pkttype --pkt-type multicast -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
    -A input_ext -m pkttype --pkt-type multicast -j DROP
    -A input_ext -p tcp -m limit --limit 3/min -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
    -A input_ext -p icmp -m limit --limit 3/min -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
    -A input_ext -p udp -m limit --limit 3/min -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
    -A input_ext -m limit --limit 3/min -m state --state INVALID -j LOG --log-prefix "SFW2-INext-DROP-DEFLT-INV " --log-tcp-options --log-ip-options
    -A input_ext -j DROP
    -A reject_func -p tcp -j REJECT --reject-with tcp-reset
    -A reject_func -p udp -j REJECT --reject-with icmp-port-unreachable
    -A reject_func -j REJECT --reject-with icmp-proto-unreachable
    COMMIT
    # Completed on Wed Jan 9 13:17:36 2008

  4. #4 vigour (Just Joined, Oct 2007, 68 posts)
    Now, I suppose this is your problem.

    Taking a look at your iptables config, I can tell that the policy of the INPUT chain in the filter table is DROP.

    Code:
    -A INPUT -j DROP
    And only one interface is mentioned in the newly created chain called input_ext, which is attached to the INPUT chain:

    Code:
    -A INPUT -i eth0 -j input_ext
    All ACCEPT rules are in the input_ext chain.

    Which means that only the traffic coming in via eth0 will be subject to acceptance. All other input traffic will be dropped.

    Now, if you add an additional interface and those rules are kept, you will definitely experience problems accessing services through the new eth1.

  5. #5 vigour (Just Joined, Oct 2007, 68 posts)
    Do a little test.

    Add the new interface and execute:

    Code:
    iptables -P INPUT ACCEPT
    If that solves the problem, you have localized the issue to iptables.
