[pptp-server] ipchains killed my networking?!?!
Michael Walter
walterm at Gliatech.com
Tue Aug 8 14:22:26 CDT 2000
If you have already removed ipchains, and the interfaces are still denied,
have you checked your /etc/hosts.deny to make sure you are not denying your
local inerface?
Have you made any changes in /sbin/ifup ?
If you run "ifup lo" does it report any errors?
How about "ifup eth0"?
Have you installed any dhcp or bootp packages aside from those stock in the
kernel?
Have you recompiled your kernel or changed any of your kernel modules?(its a
long shot but try a depmod -a)
It's been a long day and thats all I can think of at the moment,
Michael J. Walter
mcse mcp+i rhce a+
Network Administrator
Gliatech, Inc.
23420 Commerce Park Rd.
Beachwood, Ohio 44122
Tel: (216) 831-3200
Email: walterm at gliatech.com
-----Original Message-----
From: estern at opennetwork.com [mailto:estern at opennetwork.com]
Sent: Tuesday, August 08, 2000 2:42 PM
To: Kenneth E. Lussier
Cc: pptp-server at lists.schulte.org
Subject: Re: [pptp-server] ipchains killed my networking?!?!
I did modify the rules for my environment :-) I can get lo up, kind
of. I am able to ping it if I explicitly make input and output rules to
allow it. I cannot get the other interfaces up however. I think I am
going to wipe the system :-( I just tried to run the 6.2 update, but I
still don't have network connectivity. I am about to wipe the system
and start from scratch...which it too bad because it WAS running so
well.
I didn't mention it before, but I also tried 'rpm -e ipchains' and
rebooting. But even without ipchains, I still couldn't access the
loopback (and then I couldn't add rules to allow loopback). Something
got hosed. Oh well. Thanks for your help.
-Elliott
"Kenneth E. Lussier" wrote:
>
> I'm hoping that you modified my rules set to reflect your environment.
> This looks like it could be a routing issue. If the loopback route get's
> blocked, it will shut itself down. Can you get any interfaces up? if you
> can, what does the output of ifconfig and route -n look like?
>
> Kenny
>
> Elliott Stern wrote:
> >
> > I just booted and did not start networking as the system loaded. After
> > logging in, I applied your chain rules from the prompt. Then I brought
> > up the lo interface ( 'ifup lo' ) and I got that "SIOCADDRT: Network is
> > unreachable" message again. I have checked the chains using 'ipchains
> > -L' and they are correct. Any other ideas? I appreciate the help.
> >
> > -Elliott
> >
> > -------- Original Message --------
> > Subject: Re: [pptp-server] ipchains killed my networking?!?!
> > Date: Tue, 08 Aug 2000 14:01:23 -0400
> > From: "Kenneth E. Lussier" <klussier at mclinux.com>
> > To: Elliott Stern <estern at opennetwork.com>
> > CC: pptp-server at lists.schulte.org
> > References:
> > <A373465542FFD311A3A90090275158F50DC6C4 at absrv06.astonbrooke.com>
> > <013601c0014e$ada40ba0$280111ac at amadorinc.com>
> > <39904216.918AB5B7 at opennetwork.com>
> >
> > I'd have to see the rules that you are using in order to make real
> > assessment. However, what is sounds like is a malformation of rules. I
> > put a copy of my ipchains rules at the bottom. In any event, you
> > shouldn't need to reboot the server to clear the rules. Just run
> > ipchains -F input; ipchains -F output; ipchains -F forward; ipchains -P
> > ACCEPT.
> >
> > Kenny
> >
> > Elliott Stern wrote:
> > >
> > > Maybe someone here can give me a hand with this. After setting up and
> > > testing PoPToP on a new computer, I decided to make a ipchains
firewall
> > > to protect the box. Well, now my system has no networking
> > > capabilities. I have reset my computer and run 'ipchains -L' to
verify
> > > that all rules are clear and that the default policy for all chains is
> > > ACCEPT, but I still can't get my networking to work (including the
> > > loopback interface). When I bring up the loopback interface, I get a
> > > message: "SIOCADDRT: Network is unreachable". I have even tried
> > > shutting down and unplugging the power for 15-20 seconds to clear the
> > > cache, but that isn't helping. Anyone have any ideas?
> > >
> > > -Elliott
> >
> > #!/bin/bash
> >
> > ipchains -F
> > ipchains -F input
> > ipchains -F output
> > ipchains -F forward
> > ipchains -A input -i 127.0.0.1 -j ACCEPT
> > ipchains -A input -i eth0 -j ACCEPT
> > ipchains -M -S 36000 0 0
> >
> > #PPTP Rules
> >
> > ipchains -A input -i eth1 -p 47 -d external.ipaddress.here -j ACCEPT
> >
> > ipchains -A input -i eth1 -p tcp -d external.ipaddress.here 1723 -j
> > ACCEPT
> >
> > ipchains -A input -i ppp+ -j ACCEPT
> >
> > ipchains -A forward -b -s 10.0.0.0/8 -d 10.0.0.0/8 -j ACCEPT
> >
> > #SSH Rules
> >
> > ipchains -A input -i eth1 -p tcp \
> > -s 0/0 1024:65535 \
> > -d external.ipaddress.here/32 22 -j ACCEPT
> >
> > ipchains -A output -i eth1 -p tcp ! -y \
> > -s external.ipaddress.here/32 22 \
> > -d 0/0 1024:65535 -j ACCEPT
> >
> > ipchains -A input -i eth1 -p tcp \
> > -s 0/0 512:1023 \
> > -d external.ipaddress.here/32 22 -j ACCEPT
> >
> > ipchains -A output -i eth1 -p tcp ! -y \
> > -s 208.51.139.30/32 22 \
> > -d 0/0 512:1023 -j ACCEPT
> >
> > ipchains -A input -i eth1 -p tcp \
> > -s 0/0 0:1023 \
> > -d external.ipaddress.here/32 22 -j ACCEPT
> >
> > ipchains -A output -i eth1 -p tcp ! -y \
> > -s external.ipaddress.here/32 22 \
> > -d 0/0 512:1023 -j ACCEPT
> >
> > ipchains -A input -i eth0 -p tcp \
> > -s 0/0 1024:65535 \
> > -d 10.100.0.2/32 -j ACCEPT
> >
> > ipchains -A output -i eth0 -p tcp ! -y \
> > -s 10.100.0.2/32 22 \
> > -d 0/0 1024:65535 -j ACCEPT
> >
> > ipchains -A input -i eth0 -p tcp \
> > -s 0/0 512:1023 \
> > -d 10.100.0.2/32 22 -j ACCEPT
> >
> > ipchains -A output -i eth0 -p tcp ! -y \
> > -s 10.100.0.2/32 22 \
> > -d 0/0 512:1023 -j ACCEPT
> >
> > ipchains -A input -i eth0 -p tcp \
> > -s 0/0 0:1023 \
> > -d 10.100.0.2/32 22 -j ACCEPT
> >
> > ipchains -A output -i eth0 -p tcp ! -y \
> > -s 10.100.0.2/32 22 \
> > -d 0/0 512:1023 -j ACCEPT
> >
> > #IPSec rules
> >
> > ipchains -A input -p UDP -d external.ipaddress.here/32 500 -j ACCEPT
> > ipchains -A input -p UDP -d external.ipaddress.here/32 500 -j ACCEPT
> >
> > ipchains -A input -p 50 -d external.ipaddress.here/32 -j ACCEPT
> > ipchains -A input -p 50 -d external.ipaddress.here/32 -j ACCEPT
> >
> > ipchains -A input -p 51 -d external.ipaddress.here/32 -j ACCEPT
> > ipchains -A input -p 51 -d external.ipaddress.here/32 -j ACCEPT
> >
> > ipchains -A input -b -s 10.0.0.0/8 -j ACCEPT
> >
> > ipchains -A forward -b -s 10.0.0.0/8 -j ACCEPT
> >
> > #DENY and LOG everything else!!
> > ipchains -A input -i eth0 -p all -j DENY -l
> > ipchains -A input -i eth1 -p all -j DENY -l
> > ipchains -P input DENY
> >
> > --
> > Kenny Lussier
> > Systems Administrator
> > Mission Critical Linux
> > ***********************************************************
> > Life is a lesson, you learn it at the end
> > Reality has become increasingly less accurate
> > ***********************************************************
> > _______________________________________________
> > pptp-server maillist - pptp-server at lists.schulte.org
> > http://lists.schulte.org/mailman/listinfo/pptp-server
> > List services provided by www.schulteconsulting.com!
>
> --
> Kenny Lussier
> Systems Administrator
> Mission Critical Linux
> ***********************************************************
> Life is a lesson, you learn it at the end
> Reality has become increasingly less accurate
> ***********************************************************
--
*************************
Elliott Stern
OpenNetwork Technologies
Network Intern
727-561-9500 ext 270
estern at opennetwork.com
*************************
_______________________________________________
pptp-server maillist - pptp-server at lists.schulte.org
http://lists.schulte.org/mailman/listinfo/pptp-server
List services provided by www.schulteconsulting.com!
More information about the pptp-server
mailing list