szczerb Veteran
Joined: 24 Feb 2007 Posts: 1709 Location: Poland => Lodz
Posted: Fri Apr 10, 2009 11:20 am Post subject: major network weirdness after x86 server upgrade
So I have a home server - it's on the normal 2008.0 profile (didn't get around to doing a hardened yet). Yesterday I updated it. Mostly xorg stuff + gnutls and gcc. At this point I can access it via ssh or smb, but it can't access anything. The only thing I can ping is localhost. None of the local machines are available to it. It can't even ping the damned gateway. dhcp works, routes are added correctly but other than that, outgoing networking doesn't work at all. I've been using the same iptables script for over a year so I'm sure I didn't mess anything up with the firewall.
Any ideas, guys?
BTW I have an embedded router doing NAT and dhcp, the server is just for storage, torrents, apache and stuff like that.
Hu Administrator
Joined: 06 Mar 2007 Posts: 23089
Posted: Fri Apr 10, 2009 11:13 pm
First, we need to know how it fails. What error message does ping print? That will let us identify whether this is a filtering problem or a routing problem. Next, what is the output of iptables-save -c ; ip route show ; ip addr show?
Your symptoms so far sound more like a filtering issue than routing. Routing problems should have blocked the return traffic needed to sustain your ssh connection.
szczerb Veteran
Posted: Sat Apr 11, 2009 12:28 am
I decided to tidy up my firewall script and it started working. It is very weird as I have been using my old script for a long time (a few restarts due to kernel upgrades and power outages included) without ANY changes...
Thanks anyway.
Hu Administrator
Posted: Sat Apr 11, 2009 4:23 pm
My guess would be that your script is loading the rules in a non-atomic manner, so some of your rules no longer work and were dropped during initialization, but other rules did work. The rules which happened to load caused problems when used without the bad rules. Your cleanup probably got it back into a sane state.
szczerb Veteran
Posted: Sun Apr 12, 2009 12:37 am
Both the old one and the new shorter one are straight as a (what's a proper English saying for something simple and straightforward?) - there is not a single condition in any of them, just a lot of lines with 'iptables something' ;]
So I would guess that it's pretty atomic, but I can't really track down the problem (well, yeah I am too lazy to keep commenting/uncommenting parts of the old (probably well over 100 lines) script until it starts working)...
Anyway - thanks again for the suggestion that helped me solve it ;]
Hu Administrator
Posted: Sun Apr 12, 2009 4:16 am
"Straight as an arrow." I meant that you were loading these via a shell script, where any single call to iptables could fail and leave your rulebase incomplete, as opposed to loading using iptables-restore, which will either load the entire rulebase for a table, or load none of it. Any failure would result in the entire table being unchanged.
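An added example, not part of any post in this thread: the all-or-nothing load described above, written as a shell function that parse-checks a ruleset with `iptables-restore --test` before committing it. The ruleset, the function names and the `IPTABLES_RESTORE` override are constructed assumptions, not szczerb's firewall script.

```shell
#!/bin/sh
# Added example: atomic firewall load via iptables-restore.
# The policy below is a constructed sample, not the poster's rules.

# Assumption: overridable so the loader can be exercised without root.
IPTABLES_RESTORE="${IPTABLES_RESTORE:-iptables-restore}"

# Emit the whole filter table in iptables-save format. Everything between
# "*filter" and "COMMIT" replaces the live table as one unit, or not at all.
build_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -p tcp -m multiport --dports 22,80,139,445 -j ACCEPT
COMMIT
EOF
}

# Parse-check first (--test builds the ruleset without committing), then load.
# A rule the kernel or userspace no longer accepts fails the whole load,
# instead of silently leaving a partial rulebase as a line-by-line script can.
load_atomically() {
    rules=$(mktemp) || return 1
    build_ruleset > "$rules"
    if "$IPTABLES_RESTORE" --test < "$rules" && "$IPTABLES_RESTORE" < "$rules"; then
        status=0
    else
        echo "ruleset rejected; running firewall left unchanged" >&2
        status=1
    fi
    rm -f "$rules"
    return "$status"
}

# Usage (as root): load_atomically || exit 1
```

A line-by-line script can approximate the failure detection with `set -e`, but it still stops halfway through with a partial rulebase; only the restore path leaves the previous table in place.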
szczerb Veteran
Posted: Sun Apr 12, 2009 5:54 pm
Oh, well...that was probably it - thanks yet again ;]