Problem with iptables and/or portmap

#1 (Just Joined!, Join Date: Oct 2008, Posts: 6)


    Hello,

    Following a reboot last Sunday, I lost access to the network. I don't know precisely what broke it, because I was installing various things at that time.
    More precisely:

    Code:
    > sudo ping 212.27.40.240
    PING 212.27.40.240 (212.27.40.240) 56(84) bytes of data.
    ping: sendmsg: Operation not permitted
    ping: sendmsg: Operation not permitted
    ping: sendmsg: Operation not permitted
    After a bit of searching, I found that my iptables config had changed to (well, I only guess it has changed):

    Code:
    > sudo iptables -L
    Chain INPUT (policy DROP)
    target     prot opt source               destination         
    ACCEPT     all  --  anywhere             anywhere            
    LOG        all  --  loopback/8           anywhere            LOG level warning 
    DROP       all  --  loopback/8           anywhere            
    LOG        all  --  anywhere             anywhere            LOG level warning 
    DROP       all  --  anywhere             anywhere            
    
    Chain FORWARD (policy DROP)
    target     prot opt source               destination         
    LOG        all  --  anywhere             anywhere            LOG level warning 
    DROP       all  --  anywhere             anywhere            
    
    Chain OUTPUT (policy DROP)
    target     prot opt source               destination         
    ACCEPT     all  --  anywhere             anywhere            
    LOG        all  --  anywhere             anywhere            LOG level warning 
    DROP       all  --  anywhere             anywhere
    I don't know what it was before, but a solution to the problem seems to be to do:

    Code:
    sudo iptables -F           
    sudo iptables -X   
    sudo iptables -P OUTPUT ACCEPT         
    sudo iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    The problem is that:
    - I don't know why this config changed
    - I have to do this trick after every reboot, and I don't know a clean way to automate this
    - If I do this trick, the following shutdown takes forever to complete. More precisely, it's blocking at the "stopping portmap daemon" step. I found out, by running it separately, that pmap_dump takes 6 minutes to complete and produces no output.

    Any help would be much welcome, and please excuse my bad wording (both in English and Linux).
    Thanks!

#2 (Just Joined!, Join Date: Oct 2008, Posts: 21)

    Which distribution are you working on? This looks like you have installed some iptables-based firewall package (shorewall etc. or the Red Hat firewall). If so, disable that service in the services list and the firewall will not be there at the next reboot.

#3 (Just Joined!, Join Date: Oct 2008, Posts: 6)
    Hi,

    I don't think I have a firewall running, unless it has a strange name.

    Code:
    #sudo ps -e | egrep -i 'fire|wall|net' 
     3114 ?        00:00:00 inetd
     3208 ?        00:00:00 NetworkManager
     3216 ?        00:00:00 NetworkManagerD
     3584 ?        00:00:44 firefox-bin
    Also, I cannot find out where this iptables config is coming from at every boot:

    Code:
    #sudo grep -R iptables /etc/init.d
    #

    Maybe there are some other startup script places, but I'm not familiar with Linux yet. I'm running a "lenny"/testing Debian.

    Thanks!

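A grep for the literal string iptables in /etc/init.d comes back empty when the rules are loaded by a wrapper (an init script that runs its own program, which in turn calls iptables), so the search has to cover the boot-time start links and the hook directories outside /etc/init.d as well. The script below is an added example, not code posted in this thread: it walks the Debian sysvinit start links in rcS.d and rc2.d, the ifupdown hook directories and rc.local, and prints every script that mentions a known firewall tool. The tool-name pattern and the directory list are assumptions about a stock Debian layout; the function takes the /etc tree as an argument so it can be tried against a test copy.

```shell
#!/bin/sh
# find_firewall_hooks ROOT: list boot-time scripts under ROOT (default /etc)
# that could be loading netfilter rules. Added example; the pattern and the
# set of locations are assumptions about a stock Debian sysvinit layout.
find_firewall_hooks() {
    root="${1:-/etc}"
    # whole-word match, so "iptables-restore" and "/usr/sbin/ipmasq" both hit
    pattern='iptables|ip6tables|ipmasq|shorewall|ufw|firehol'

    # 1. Every start link in the boot (rcS.d) and default (rc2.d) runlevels,
    #    resolved to the init script it points at.
    for d in "$root/rcS.d" "$root/rc2.d"; do
        [ -d "$d" ] || continue
        for link in "$d"/S*; do
            [ -e "$link" ] || continue          # no S* links at all
            target=$(readlink -f "$link")
            if grep -Ewqi "$pattern" "$target" 2>/dev/null; then
                printf 'start-link %s -> %s\n' "$link" "$target"
            fi
        done
    done

    # 2. Hooks that run outside /etc/init.d: ifupdown pre-up/up scripts
    #    (run for every interface) and rc.local (run at the end of boot).
    for f in "$root"/network/if-pre-up.d/* "$root"/network/if-up.d/* "$root/rc.local"; do
        [ -f "$f" ] || continue
        if grep -Ewqi "$pattern" "$f" 2>/dev/null; then
            printf 'hook %s\n' "$f"
        fi
    done
}

# Scan the live system only when explicitly asked, so sourcing the file
# (or running it as part of a test) has no side effects.
if [ "${1:-}" = "--scan" ]; then
    find_firewall_hooks "${2:-/etc}"
fi
```

Run it as `sh find_firewall_hooks.sh --scan` on the affected machine; each line names the start link or hook file that would set rules at boot, which is what `update-rc.d` or the package manager then has to be pointed at.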
#4 (Just Joined!, Join Date: Oct 2008, Posts: 21)

    Please provide the output of ls /etc/init.d/

#5 (Just Joined!, Join Date: Oct 2008, Posts: 6)
    Here it is:

    Code:
    #ls -ltr /etc/init.d 
    total 384
    -rwxr-xr-x 1 root root   117 2005-12-02 18:44 rcS
    -rwxr-xr-x 1 root root  1046 2006-09-15 20:03 ifupdown-clean
    -rwxr-xr-x 1 root root  2518 2006-09-15 20:03 ifupdown
    -rw-r--r-- 1 root root  1510 2007-12-26 16:23 README
    -rwxr-xr-x 1 root root   946 2008-01-27 06:34 atd
    -rwxr-xr-x 1 root root  1301 2008-03-10 02:14 anacron
    -rwxr-xr-x 1 root root  2565 2008-03-14 01:52 cron
    -rwxr-xr-x 1 root root  1777 2008-03-24 00:26 x11-common
    -rwxr-xr-x 1 root root  7195 2008-03-28 00:22 glibc.sh
    -rwxr-xr-x 1 root root  2476 2008-04-01 23:31 jabber
    -rwxr-xr-x 1 root root  1793 2008-04-05 04:05 module-init-tools
    -rwxr-xr-x 1 root root  2594 2008-04-05 12:23 avahi-daemon
    -rwxr-xr-x 1 root root  2299 2008-04-05 15:46 uml-utilities
    -rwxr-xr-x 1 root root  1505 2008-04-06 16:23 dhcdbd
    -rwxr-xr-x 1 root root  1144 2008-04-08 01:14 procps
    -rwxr-xr-x 1 root root  1547 2008-04-08 13:42 kerneloops
    -rwxr-xr-x 1 root root  1815 2008-04-12 09:52 urandom
    -rwxr-xr-x 1 root root  2140 2008-04-12 09:52 umountnfs.sh
    -rwxr-xr-x 1 root root  3175 2008-04-12 09:52 umountfs
    -rwxr-xr-x 1 root root  1096 2008-04-12 09:52 stop-bootlogd-single
    -rwxr-xr-x 1 root root   525 2008-04-12 09:52 stop-bootlogd
    -rwxr-xr-x 1 root root   590 2008-04-12 09:52 single
    -rwxr-xr-x 1 root root   941 2008-04-12 09:52 rmnologin
    -rwxr-xr-x 1 root root   639 2008-04-12 09:52 reboot
    -rwxr-xr-x 1 root root   788 2008-04-12 09:52 rc.local
    -rwxr-xr-x 1 root root  3668 2008-04-12 09:52 mtab.sh
    -rwxr-xr-x 1 root root  1321 2008-04-12 09:52 mountoverflowtmp
    -rwxr-xr-x 1 root root  2330 2008-04-12 09:52 mountnfs.sh
    -rwxr-xr-x 1 root root   618 2008-04-12 09:52 mountnfs-bootclean.sh
    -rwxr-xr-x 1 root root  2476 2008-04-12 09:52 mountkernfs.sh
    -rwxr-xr-x 1 root root  2194 2008-04-12 09:52 mountdevsubfs.sh
    -rwxr-xr-x 1 root root   620 2008-04-12 09:52 mountall-bootclean.sh
    -rwxr-xr-x 1 root root  1484 2008-04-12 09:52 killprocs
    -rwxr-xr-x 1 root root  1287 2008-04-12 09:52 hostname.sh
    -rwxr-xr-x 1 root root  1329 2008-04-12 09:52 halt
    -rwxr-xr-x 1 root root  9831 2008-04-12 09:52 checkroot.sh
    -rwxr-xr-x 1 root root  2155 2008-04-12 09:52 bootlogd
    -rwxr-xr-x 1 root root  6032 2008-04-15 22:42 console-screen.sh
    -rwxr-xr-x 1 root root  2330 2008-04-20 16:07 openbsd-inetd
    -rwxr-xr-x 1 root root  4521 2008-04-29 04:36 hwclock.sh
    -rwxr-xr-x 1 root root  4528 2008-04-29 04:36 hwclockfirst.sh
    -rwxr-xr-x 1 root root  4714 2008-04-30 00:43 setserial
    -rwxr-xr-x 1 root root  1870 2008-04-30 00:43 etc-setserial
    -rwxr-xr-x 1 root root  2592 2008-05-04 08:08 irda-utils
    -rwxr-xr-x 1 root root  3777 2008-05-17 08:47 keymap.sh
    -rwxr-xr-x 1 root root   474 2008-05-31 12:12 ipmasq-kmod
    -rwxr-xr-x 1 root root   626 2008-05-31 12:12 ipmasq
    -rwxr-xr-x 1 root root  2029 2008-06-12 11:44 portmap
    -rwxr-xr-x 1 root root  2692 2008-06-20 12:08 sysklogd
    -rwxr-xr-x 1 root root  1472 2008-06-20 12:08 klogd
    -rwxr-xr-x 1 root root  8820 2008-06-25 14:30 alsa-utils
    -rwxr-xr-x 1 root root  4215 2008-06-27 09:21 hotkey-setup
    -rwxr-xr-x 1 root root  1732 2008-07-05 15:37 network-manager-dispatcher
    -rwxr-xr-x 1 root root  1760 2008-07-05 15:37 network-manager
    -rwxr-xr-x 1 root root   515 2008-07-06 09:36 sudo
    -rwxr-xr-x 1 root root  5964 2008-07-14 12:24 nfs-common
    -rwxr-xr-x 1 root root  7172 2008-07-19 13:07 loadcpufreq
    -rwxr-xr-x 1 root root  2489 2008-07-19 13:07 cpufrequtils
    -rwxr-xr-x 1 root root  2611 2008-07-24 10:44 system-tools-backends
    -rwxr-xr-x 1 root root  1844 2008-07-26 01:02 networking
    -rwxr-xr-x 1 root root  4546 2008-07-31 01:39 dbus
    -rwxr-xr-x 1 root root 10036 2008-08-12 14:33 rc
    -rwxr-xr-x 1 root root  1456 2008-08-12 16:20 umountroot
    -rw-r--r-- 1 root root  4167 2008-08-12 16:20 skeleton
    -rwxr-xr-x 1 root root  2283 2008-08-12 16:20 sendsigs
    -rwxr-xr-x 1 root root  1956 2008-08-12 16:20 mountall.sh
    -rwxr-xr-x 1 root root  3004 2008-08-12 16:20 checkfs.sh
    -rwxr-xr-x 1 root root  1988 2008-08-12 16:20 bootmisc.sh
    -rwxr-xr-x 1 root root  1489 2008-08-20 13:04 fglrx-driver
    -rwxr-xr-x 1 root root  2345 2008-08-20 15:49 gdm
    -rwxr-xr-x 1 root root  2324 2008-09-01 13:57 wpa-ifupdown
    -rwxr-xr-x 1 root root  2526 2008-09-02 09:20 cups
    -rwxr-xr-x 1 root root  2517 2008-09-02 20:54 policycoreutils
    -rwxr-xr-x 1 root root  1001 2008-09-19 03:23 udev-mtab
    -rwxr-xr-x 1 root root  7473 2008-09-19 03:23 udev
    -rwxr-xr-x 1 root root  3201 2008-09-24 13:08 acpid
    -rwxr-xr-x 1 root root  6593 2008-09-30 20:53 exim4
    -rwxr-xr-x 1 root root  2090 2008-10-09 08:58 hal
    Thanks for looking at my case!

#6 (Just Joined!, Join Date: Oct 2008, Posts: 21)

    The following services appear to be starting iptables:
    ipmasq-kmod
    ipmasq
    Use the following command to stop them and check the status:
    Code:
    /etc/init.d/ipmasq stop
    It is an automatic firewall which comes with Debian. Does that solve it?

#7 (Just Joined!, Join Date: Oct 2008, Posts: 6)
    Hi,


    Yes, it does solve the problem, although there were no 'ipmasq' processes running (I must be confusing something here)!

    It's even better than forcing the iptables like I did, because it solves the "long pmap_dump" problem.

    However, this leaves me with iptables rules that allow everything. Is this the default configuration? I feel not much protected (I run a computer behind a simple modem).

    Also, I still have to do it at every boot. Can that come from those links?:
    Code:
    /etc/rcS.d/S41ipmasq
    /etc/rcS.d/S42ipmasq-kmod
    Is it safe to "uninstall" them? Is it done by simply removing them?

    Thanks, I feel my matter is progressing!

#8 (Just Joined!, Join Date: Oct 2008, Posts: 21)

    Please read through this to secure your system and to know more about the Debian firewall:
    Securing Debian Manual - Securing services running on your system

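One Debian-specific way to do what the last two posts discuss, added here as an example rather than as either poster's advice: take the ipmasq start links out with `update-rc.d` instead of deleting the symlinks by hand, and replace the allow-everything state with a small stateful ruleset that ifupdown restores before any interface comes up. The ruleset accepts loopback before anything else: the manual fix in #1 flushed the rules but left the INPUT policy at DROP and accepted only ESTABLISHED,RELATED, so a fresh local RPC query to portmap over 127.0.0.1 would be dropped, which is a likely reason pmap_dump sat waiting for six minutes (an inference from the rules shown, not something the thread confirms). The file locations, the ruleset contents and the `--apply` switch are my choices; `update-rc.d -f NAME remove` and `iptables-restore` are the stock Debian tools. Removing the links keeps the package installed; if ipmasq is not wanted at all, purging it with the package manager is the cleaner option.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes Debian sysvinit with
# update-rc.d, iptables-restore and ifupdown. RULES_FILE and HOOK_FILE are
# arbitrary choices for this example.
RULES_FILE="${RULES_FILE:-/etc/iptables.rules}"
HOOK_FILE="${HOOK_FILE:-/etc/network/if-pre-up.d/iptables}"

# Minimal stateful ruleset for a single host behind a modem, in
# iptables-save/restore format: default-deny inbound, loopback and replies
# to our own connections allowed, rate-limited ping, dropped packets logged
# at a rate that cannot flood syslog, everything outbound allowed.
minimal_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
-A INPUT -m limit --limit 3/min -j LOG --log-prefix "iptables-drop: "
COMMIT
EOF
}

# ifupdown runs everything in if-pre-up.d before an interface is brought up,
# so the rules are in place before the interface can carry traffic.
ifupdown_hook() {
    cat <<EOF
#!/bin/sh
# Restore the saved firewall rules before any interface comes up.
[ -r "$RULES_FILE" ] || exit 0
iptables-restore < "$RULES_FILE"
EOF
}

# Remove the rcS.d start links for ipmasq the supported way. -f is needed
# because the init scripts themselves stay in /etc/init.d.
disable_ipmasq() {
    for svc in ipmasq ipmasq-kmod; do
        if [ -x "/etc/init.d/$svc" ]; then
            update-rc.d -f "$svc" remove
        fi
    done
}

# Write the ruleset and hook, then load the rules now so no reboot is needed.
install_ruleset() {
    minimal_ruleset > "$RULES_FILE"
    ifupdown_hook > "$HOOK_FILE"
    chmod 755 "$HOOK_FILE"
    iptables-restore < "$RULES_FILE"
}

# Only touch the live system as root and when explicitly asked.
if [ "$(id -u)" -eq 0 ] && [ "${1:-}" = "--apply" ]; then
    disable_ipmasq
    install_ruleset
fi
```

After `sudo sh firewall.sh --apply`, `iptables -L -v -n` (the `-v` is what shows the interface match that the plain `-L` listing in #1 hides) should list the loopback and state rules under INPUT with policy DROP, and `ls /etc/rcS.d/ | grep ipmasq` should print nothing.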
#9 (Just Joined!, Join Date: Oct 2008, Posts: 6)

    I'll read all of it! This looks very interesting and accessible to me, surprisingly.
    I'm regaining hope of understanding how this system works.

    Thanks a lot.
