Facing problem with ICMP (ping request)

Discussion in 'Installation/Configuration' started by princeu28, Aug 13, 2008.

  1. princeu28

    princeu28 New Member

    Facing a problem with ICMP (ping request): it's only replying to one ping request and failing from the second onwards

    I'm facing an issue with ICMP; it's a Red Hat Linux 4.0 system. The first ping request works fine, but when I try to start a second ping request it does not give any reply, even if I'm trying from the same machine. I have even checked by sending pings from different machines at the same time, and it only replies to one request at a time, meaning sometimes it replies to the first request and then moves on to the second one, but only one is working at a time...

    Does anyone have a suggestion what it could be...
     
  2. ralic

    ralic New Member

    Sounds like it could be some over-cautious rate limiting on ICMP traffic. Temporarily disable any firewall software that may be running, then retry your ping tests.
     
  3. princeu28

    princeu28 New Member

    I really don't know if there is any firewall software installed on this server or not. Is there any method to check or stop those firewall settings? I know it might sound odd, but I have no idea about firewall stuff; I just want to get this ICMP working...
     
  4. ralic

    ralic New Member

    If it's a production box, get professional help. Anything you copy/paste from the net without understanding could jeopardise your system.

    The most likely firewall would be iptables based. To check if there are any rules configured for the various tables, use the following bash for loop as root. The output below the command shows no rules and a default policy of ACCEPT, meaning nothing is being blocked and the firewall is effectively disabled.

    Code:
    user@host:~$ for TABLE in filter nat mangle raw; do echo "Listing table data for: $TABLE"; iptables -t $TABLE -L; echo " "; done
    Listing table data for: filter
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination         
    
    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination         
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination         
     
    Listing table data for: nat
    Chain PREROUTING (policy ACCEPT)
    target     prot opt source               destination         
    
    Chain POSTROUTING (policy ACCEPT)
    target     prot opt source               destination         
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination         
     
    Listing table data for: mangle
    Chain PREROUTING (policy ACCEPT)
    target     prot opt source               destination         
    
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination         
    
    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination         
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination         
    
    Chain POSTROUTING (policy ACCEPT)
    target     prot opt source               destination         
     
    Listing table data for: raw
    Chain PREROUTING (policy ACCEPT)
    target     prot opt source               destination         
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination
    
    Any iptables output other than what you see above, except for an error, likely means that there are some kind of firewall rules in place.
     
    Last edited: Aug 13, 2008
  5. princeu28

    princeu28 New Member

    I understand your point and agree regarding getting professional help. It's just that I work on this system on a daily basis as the root user, but only on the application installed on it; as far as the Linux part is concerned, it was also installed as part of my work, but I have never faced such a problem with the bundled solution and was wondering if it's something simple that I can sort out.

    Here is the iptables configuration. Can you see anything in the iptables settings which will only allow one ICMP request and refuse more than one?

    Code:
    # Generated by iptables-save v1.2.11 on Wed Aug 13 10:01:23 2008
    *nat
    :PREROUTING ACCEPT [0:0]
    :POSTROUTING ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    COMMIT
    # Completed on Wed Aug 13 10:01:23 2008
    # Generated by iptables-save v1.2.11 on Wed Aug 13 10:01:23 2008
    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    :LIMIT_TEST - [0:0]
    -A INPUT -m state --state INVALID -j REJECT --reject-with icmp-port-unreachable
    -A INPUT -i lo -j ACCEPT
    -A INPUT -d 127.0.0.0/255.0.0.0 -j REJECT --reject-with icmp-port-unreachable
    -A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j LIMIT_TEST
    -A INPUT -p ipv6 -j ACCEPT
    -A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j ACCEPT
    -A INPUT -p icmp -m icmp --icmp-type 8 -j DROP
    -A INPUT -p icmp -m icmp --icmp-type 13 -j DROP
    -A INPUT -p icmp -m icmp --icmp-type 17 -j DROP
    -A INPUT -p icmp -f -j DROP
    -A INPUT -p icmp -m icmp --icmp-type 10 -j DROP
    -A INPUT -d 255.255.255.255 -p icmp -j DROP
    -A INPUT -p icmp -j ACCEPT
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -i ppp0 -p udp -m udp --dport 137 -j REJECT --reject-with icmp-port-unreachable
    -A INPUT -p tcp -m tcp --dport 20 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
    -A INPUT -p udp -m udp --dport 53 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
    -A INPUT -p udp -m udp --dport 123 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 389 -j ACCEPT
    -A INPUT -p udp -m udp --dport 389 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 636 -j ACCEPT
    -A INPUT -p udp -m udp --dport 636 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 8443 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 111 -j ACCEPT
    -A INPUT -p udp -m udp --dport 111 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 2049 -j ACCEPT
    -A INPUT -p udp -m udp --dport 2049 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 3000 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 22600 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 22700 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 22800 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 22900 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 23100 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 23101 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 23120 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 23121 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 23130 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 23131 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 23140 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 23141 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 23150 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 23151 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 23160 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 23161 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 23200 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 23201 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 23220 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 23221 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 23240 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 23241 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 23260 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 23261 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 23280 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 23281 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 23320 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 23321 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 23370 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 23371 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 1024:63353 -j ACCEPT
    -A INPUT -p udp -m udp --dport 1024:63353 -j ACCEPT
    -A INPUT -p tcp -m tcp --dport 113 -j REJECT --reject-with icmp-port-unreachable
    -A INPUT -p igmp -j REJECT --reject-with icmp-port-unreachable
    -A INPUT -p tcp -m tcp --dport 80 -j REJECT --reject-with icmp-port-unreachable
    -A INPUT -p tcp -m tcp --dport 443 -j REJECT --reject-with icmp-port-unreachable
    -A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m limit --limit 5/min -j LOG --log-prefix "Firewalled packet:"
    -A INPUT -p tcp -j REJECT --reject-with tcp-reset
    -A INPUT -j DROP
    -A FORWARD -m state --state INVALID -j REJECT --reject-with icmp-port-unreachable
    -A FORWARD -o eth0 -p icmp -m icmp --icmp-type 8 -j REJECT --reject-with icmp-port-unreachable
    -A FORWARD -o eth1 -p icmp -m icmp --icmp-type 8 -j REJECT --reject-with icmp-port-unreachable
    -A FORWARD -o ppp0 -p tcp -m tcp --dport 137 -j REJECT --reject-with icmp-port-unreachable
    -A FORWARD -o ppp0 -p tcp -m tcp --dport 138 -j REJECT --reject-with icmp-port-unreachable
    -A FORWARD -o ppp0 -p tcp -m tcp --dport 139 -j REJECT --reject-with icmp-port-unreachable
    -A FORWARD -o ppp0 -p udp -m udp --dport 137 -j REJECT --reject-with icmp-port-unreachable
    -A FORWARD -o ppp0 -p udp -m udp --dport 138 -j REJECT --reject-with icmp-port-unreachable
    -A FORWARD -o ppp0 -p udp -m udp --dport 139 -j REJECT --reject-with icmp-port-unreachable
    -A FORWARD -i eth0 -o ppp0 -j ACCEPT
    -A FORWARD -i eth1 -o ppp0 -j ACCEPT
    -A FORWARD -i eth2 -o ppp0 -j ACCEPT
    -A FORWARD -i ppp0 -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m limit --limit 5/min -j LOG --log-prefix "Firewalled packet:"
    -A FORWARD -p tcp -j REJECT --reject-with tcp-reset
    -A FORWARD -j DROP
    -A OUTPUT -j ACCEPT
    -A LIMIT_TEST -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m limit --limit 50/sec --limit-burst 75 -j RETURN
    -A LIMIT_TEST -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j DROP
    COMMIT
    # Completed on Wed Aug 13 10:01:23 2008
     
  6. ralic

    ralic New Member

    I'm no iptables expert (is anyone?), but these look like the lines of interest:
    Code:
    -A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j ACCEPT
    -A INPUT -p icmp -m icmp --icmp-type 8 -j DROP
    
    If I interpret it correctly, any more than 1 icmp echo request packet per second will be dropped.

    The following commands should remove these two lines temporarily until the next reboot or firewall reload:
    Code:
    iptables -D INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j ACCEPT
    iptables -D INPUT -p icmp -m icmp --icmp-type 8 -j DROP
    
    Just remember that someone put them there for a reason. You should find out where and how this was done so that you can make the change permanent if necessary.
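    To show why this rule pair answers one ping session but starves a concurrent second one, here is an added example (not from the thread): a Python token-bucket model of the iptables limit match, run over constructed arrival times for two ping sessions. It assumes the default --limit-burst of 5 and that the two-rule chain is exactly the ACCEPT/DROP pair quoted above.

```python
# Added example (not from the thread): a token-bucket model of iptables'
# "-m limit" match, fed with constructed ping arrival times, to show why
#   -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/sec -j ACCEPT
#   -A INPUT -p icmp --icmp-type 8 -j DROP
# answers one ping session but starves a second, concurrent one.

class LimitMatch:
    """Model of the limit match: `burst` tokens (iptables' default
    --limit-burst is 5) refilled at `rate_per_sec`. Milli-tokens keep the
    arithmetic exact; real xt_limit works in jiffies but behaves the same."""

    def __init__(self, rate_per_sec=1, burst=5):
        self.rate_per_sec = rate_per_sec
        self.cap_m = burst * 1000
        self.tokens_m = self.cap_m   # bucket starts full
        self.last_ms = 0

    def matches(self, now_ms):
        # Refill for the time elapsed since the last packet, capped at burst.
        gained = (now_ms - self.last_ms) * self.rate_per_sec
        self.tokens_m = min(self.cap_m, self.tokens_m + gained)
        self.last_ms = now_ms
        if self.tokens_m >= 1000:      # a whole token available?
            self.tokens_m -= 1000
            return True
        return False


def verdicts(arrivals, rate_per_sec=1, burst=5):
    """arrivals: (time_ms, source) echo requests. Returns
    [(time_ms, source, verdict)] for the two-rule chain above: echo requests
    the limit match accepts hit ACCEPT, every other one falls to DROP."""
    limit = LimitMatch(rate_per_sec, burst)
    return [(t, src, "ACCEPT" if limit.matches(t) else "DROP")
            for t, src in sorted(arrivals)]


def two_ping_sessions(seconds=10):
    """Constructed traffic: host A pings once per second from t=0, host B
    starts half a second later (ping's default interval is 1 s)."""
    a = [(s * 1000, "A") for s in range(seconds)]
    b = [(s * 1000 + 500, "B") for s in range(seconds)]
    return verdicts(a + b)


def accepted_per_source(results):
    counts = {}
    for _, src, verdict in results:
        counts[src] = counts.get(src, 0) + (verdict == "ACCEPT")
    return counts


if __name__ == "__main__":
    for t, src, verdict in two_ping_sessions():
        print(f"t={t / 1000:4.1f}s {src} {verdict}")
```

Once the burst of 5 tokens is spent, the refill of one token per second is always consumed by the session whose packet arrives first, so host A keeps getting replies while host B is dropped from then on.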
     