Networking problem

Rick Sewill rsewill at gmail.com
Sat May 14 23:10:40 UTC 2011


On Saturday, May 14, 2011 03:27:53 PM JD wrote:
> On 05/14/11 12:55, Rick Sewill wrote:
> > On Saturday, May 14, 2011 10:46:51 AM JD wrote:
> >> On 05/14/11 09:17, Rick Sewill wrote:
> >>> On Saturday, May 14, 2011 09:27:55 AM JD wrote:
> >>>> On 05/14/11 08:48, G.Wolfe Woodbury wrote:
> >>>>> On 05/14/2011 09:36 AM, JD wrote:
> >>>>>> On my F14, I am running a firewall that accepts specific connection
> >>>>>> on specific ports from some machines on the LAN.
> >>>>>> 
> >>>>>> However, for one machine I made a general rule to accept all
> >>>>>> connections:
> >>>>>> 
> >>>>>> -A INPUT -s 192.168.1.60 -j ACCEPT
> >>>>>> 
> >>>>>> After restarting the firewall,
> >>>>>> 
> >>>>>> I still am unable to ping that machine and it is unable to ping me.
> >>>>>> That machine is not running a firewall.
> >>>>>> 
> >>>>>> I can ping the router and another machine I have on the LAN.
> >>>>>> The machine at 192.168.1.60 can do the same.
> >>>>>> 
> >>>>>> What else do I need to do to be able to talk to machine 192.168.1.60
> >>>>>> and it to my fedora machine?
> >>>>> 
> >>>>> Try:
> >>>>> 
> >>>>> -A INPUT -s 192.168.1.60/32 -j ACCEPT
> >>>>> 
> >>>>> there needs to be a netmask in the syntax.
> >>>> 
> >>>> Tried it.
> >>>> Did not change anything :(
> >>> 
> >>> Could we see more of the network topology please?
> >>> 
> >>> Can you do on both machines:
> >>> /bin/netstat -rn
> >> 
> >> On Fedora Machine:
> >> # /bin/netstat -rn
> >> Kernel IP routing table
> >> Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
> >> 10.0.0.0        0.0.0.0         255.255.255.0   U         0 0          0 eth0
> >> 192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 wlan0
> >> 10.1.1.0        0.0.0.0         255.255.255.0   U         0 0          0 eth0
> >> 192.168.122.0   0.0.0.0         255.255.255.0   U         0 0          0 virbr0
> >> 0.0.0.0         192.168.1.254   0.0.0.0         UG        0 0          0 wlan0
> >> 
> >> 
> >> On the machine in question (192.168.1.60)
> >> # /sbin/netstat -rn
> >> Routing tables
> >> 
> >> Internet:
> >> Destination        Gateway            Flags    Refs      Use  Netif Expire
> >> default            192.168.1.254      UGSc        8        0    en1
> >> 127                127.0.0.1          UCS         0        0    lo0
> >> 127.0.0.1          127.0.0.1          UH          0        4    lo0
> >> 169.254            link#6             UCS         0        0    en1
> >> 192.168.1          link#6             UCS         2        0    en1
> >> 192.168.1.1        0:26:18:6:ef:7     UHLW        0      113    en1    566
> >> 192.168.1.60       127.0.0.1          UHS         0        0    lo0
> >> 192.168.1.254      0:1d:5a:c8:91:c1   UHLW       15      153    en1    565
> >> 
> >> Internet6:
> >> Destination                             Gateway                         Flags      Netif Expire
> >> ::1                                     link#1                          UHL         lo0
> >> fe80::%lo0/64                           fe80::1%lo0                     Uc          lo0
> >> fe80::1%lo0                             link#1                          UHL         lo0
> >> ff01::/32                               ::1                             U           lo0
> >> ff02::/32                               fe80::1%lo0                     UC          lo0
> >> 
> >>> /sbin/ifconfig
> >> 
> >> On Fedora machine:
> >> 
> >> # /sbin/ifconfig
> >> eth0      Link encap:Ethernet  HWaddr 00:03:0D:15:2B:9E
> >>           inet addr:10.1.1.1  Bcast:10.1.1.255  Mask:255.255.255.0
> >>           inet6 addr: fe80::203:dff:fe15:2b9e/64 Scope:Link
> >>           UP BROADCAST MULTICAST  MTU:1500  Metric:1
> >>           RX packets:1340 errors:0 dropped:0 overruns:0 frame:0
> >>           TX packets:849 errors:0 dropped:0 overruns:0 carrier:0
> >>           collisions:0 txqueuelen:1000
> >>           RX bytes:174589 (170.4 KiB)  TX bytes:418153 (408.3 KiB)
> >>           Interrupt:19 Base address:0xd800
> >> 
> >> eth0:0    Link encap:Ethernet  HWaddr 00:03:0D:15:2B:9E
> >>           inet addr:10.0.0.1  Bcast:10.0.0.255  Mask:255.255.255.0
> >>           UP BROADCAST MULTICAST  MTU:1500  Metric:1
> >>           Interrupt:19 Base address:0xd800
> >> 
> >> lo        Link encap:Local Loopback
> >>           inet addr:127.0.0.1  Mask:255.0.0.0
> >>           inet6 addr: ::1/128 Scope:Host
> >>           UP LOOPBACK RUNNING  MTU:16436  Metric:1
> >>           RX packets:4734603 errors:0 dropped:0 overruns:0 frame:0
> >>           TX packets:4734603 errors:0 dropped:0 overruns:0 carrier:0
> >>           collisions:0 txqueuelen:0
> >>           RX bytes:373719874 (356.4 MiB)  TX bytes:373719874 (356.4 MiB)
> >> 
> >> virbr0    Link encap:Ethernet  HWaddr 22:3E:A6:BB:CD:51
> >>           inet addr:192.168.122.1  Bcast:192.168.122.255  Mask:255.255.255.0
> >>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
> >>           RX packets:0 errors:0 dropped:0 overruns:0 frame:0
> >>           TX packets:8391 errors:0 dropped:0 overruns:0 carrier:0
> >>           collisions:0 txqueuelen:0
> >>           RX bytes:0 (0.0 b)  TX bytes:1617830 (1.5 MiB)
> >> 
> >> wlan0     Link encap:Ethernet  HWaddr 00:34:56:00:03:43
> >>           inet6 addr: fe80::234:56ff:fe00:343/64 Scope:Link
> >>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
> >>           RX packets:4976669 errors:0 dropped:0 overruns:0 frame:0
> >>           TX packets:4947232 errors:0 dropped:0 overruns:0 carrier:0
> >>           collisions:0 txqueuelen:1000
> >>           RX bytes:1062494718 (1013.2 MiB)  TX bytes:500756007 (477.5 MiB)
> >> 
> >> wlan0:0   Link encap:Ethernet  HWaddr 00:34:56:00:03:43
> >>           inet addr:192.168.1.108  Bcast:192.168.1.255  Mask:255.255.255.0
> >>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
> >> 
> >> On 192.168.1.60:
> >> # /sbin/ifconfig
> >> lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST>  mtu 16384
> >>       inet6 fe80::1%lo0 prefixlen 64 scopeid 0x1
> >>       inet 127.0.0.1 netmask 0xff000000
> >>       inet6 ::1 prefixlen 128
> >> gif0: flags=8010<POINTOPOINT,MULTICAST>  mtu 1280
> >> stf0: flags=0<>  mtu 1280
> >> en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST>  mtu 1500
> >>       ether 00:11:24:7e:2d:c8
> >>       media: autoselect (none) status: inactive
> >>       supported media: none autoselect 10baseT/UTP<half-duplex>
> >>         10baseT/UTP<full-duplex>  10baseT/UTP<full-duplex,flow-control>
> >>         10baseT/UTP<full-duplex,hw-loopback>  100baseTX<half-duplex>
> >>         100baseTX<full-duplex>  100baseTX<full-duplex,flow-control>
> >>         100baseTX<full-duplex,hw-loopback>  1000baseT<full-duplex>
> >>         1000baseT<full-duplex,flow-control>  1000baseT<full-duplex,hw-loopback>
> >> fw0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST>  mtu 4078
> >>       lladdr 00:11:24:ff:fe:7e:2d:c8
> >>       media: autoselect<full-duplex>  status: inactive
> >>       supported media: autoselect<full-duplex>
> >> en1: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST>  mtu 1500
> >>       inet 192.168.1.70 netmask 0xffffff00 broadcast 192.168.1.255
> >>       ether 00:11:24:92:bc:e0
> >>       media: autoselect status: active
> >>       supported media: autoselect
> >>> 
> >>> If you don't mind, it might be easiest to copy your firewall
> >>> rules so we can see them.  As root,
> >>> /sbin/iptables -L -v
> >> 
> >> Sorry. I cannot expose my FW settings to a public list because
> >> they might contain weaknesses that someone could exploit.
> >> 
> >>> If you are concerned with security and sharing your public IP address,
> >>> may I suggest changing the public IP address ranges to something else,
> >>> like xxx.xxx.xxx.0, yyy.yyy.yyy.0, etc, in the output.
> >> 
> >> Actually, I have no public IP addresses in the rules.
> >> 
> >>> Another question...if you have multiple ethernet devices,
> >>> which device is 192.168.1.60 connected to?
> >> 
> >> en1 (this is a Powerbook g4 running OS X 10.5.8).
> > 
> > Both Fedora and the Powerbook can ping the default gateway,
> > 192.168.254.1?
> > 
> > The Powerbook entries confuse me.
> > According to the Powerbook netstat -rn, I would expect an interface,
> > 192.168.1.60/some mask
> > 
> > When I look at the Powerbook ifconfig, I see
> > en1: ... inet 192.168.1.70 netmask 0xffffff00 ...
> > I expected this entry to read inet 192.168.1.60 netmask 0xffffff00
> > 
> > Can I suggest, for a test, change the iptables filters to allow any
> > incoming packet from 192.168.1.0/24, and then, try to ping from
> > the Powerbook.  Also, you might wish to check the ARP table on
> > Fedora to see what IP address/Mac address entries it knows about.
> > As root, try /sbin/arp -a
> > I am interested to know, after the attempted ping from the Powerbook,
> > what IP address/Mac entry is found, if any, in the Fedora.
> 
> I added the rule
> -A INPUT -s 192.168.1.0/24 -j ACCEPT
> and retried.
> Same thing.
> both machines can ping the GW, and they can ping a third machine I have
> on the LAN.
> But they cannot ping each other.
> I also brought the fedora firewall down, and retried to ping Fedora
> from Powerbook. No go!!

Interesting.  Let me recap so I understand.
1) Only wireless links are active on the Fedora and the Powerbook.
2) The Powerbook wifi is interface en1; the Fedora wifi is wlan0 (wlan0:0).
3) Both the Fedora and Powerbook can ping the gateway through the wifi.
4) From the above, a third machine is "on the LAN".
    I get this idea because of the phrase above, "they can ping a third
    machine I have on the LAN."  This LAN is a wired, ethernet network,
    connected to the gateway.

I need someone to chime in to help me understand wifi bridging better.
This setup sounds like wifi bridge mode as opposed to wifi ad-hoc mode.

Question: in wifi bridging, does the packet from the Powerbook,
which is destined for the Fedora, go through the gateway,
or can the packet still go directly from the Powerbook to the Fedora?

If the answer is the former, I would ask why the gateway doesn't
relay the packet to the Fedora.  If the answer is the latter,
I would assume we should see entries in the ARP tables, in both machines,
for the other device in question, and would ask what are the ARP entries
in both the Fedora and the Powerbook.

Could you tell us the make/model of the gateway please.
I read, on the Internet, different wifi gateways have different capabilities.
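The route-versus-ARP reasoning in the message above, as an added example that is not part of the thread: a longest-prefix lookup over the Fedora routing table quoted earlier shows that 192.168.1.60 is on-link via wlan0 (no gateway hop at layer 3), so the next thing to inspect is the ARP entry, and an `<incomplete>` entry means requests went out but nothing answered. The `arp -a` lines are constructed for illustration, not taken from the thread.

```python
import ipaddress

# Fedora's netstat -rn table as quoted in the thread (Iface column re-joined).
FEDORA_ROUTES = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
10.0.0.0        0.0.0.0         255.255.255.0   U         0 0          0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 wlan0
10.1.1.0        0.0.0.0         255.255.255.0   U         0 0          0 eth0
192.168.122.0   0.0.0.0         255.255.255.0   U         0 0          0 virbr0
0.0.0.0         192.168.1.254   0.0.0.0         UG        0 0          0 wlan0
"""

# Constructed arp -a output (Linux format); <incomplete> = requests sent, no reply.
ARP_SAMPLE = """\
? (192.168.1.254) at 00:1d:5a:c8:91:c1 [ether] on wlan0
? (192.168.1.60) at <incomplete> on wlan0
"""

def parse_routes(text):
    """Turn the data rows of a Linux netstat -rn table into (network, gateway, iface)."""
    routes = []
    for line in text.splitlines()[2:]:          # skip title and column header
        dest, gw, mask, _flags, _mss, _win, _irtt, iface = line.split()
        routes.append((ipaddress.IPv4Network(f"{dest}/{mask}"),
                       ipaddress.IPv4Address(gw), iface))
    return routes

def lookup(routes, dst):
    """Longest-prefix match, as the kernel does. Returns (iface, next_hop);
    next_hop is None when dst is on-link, i.e. reached by ARP, not via a router."""
    dst = ipaddress.IPv4Address(dst)
    net, gw, iface = max((r for r in routes if dst in r[0]),
                         key=lambda r: r[0].prefixlen)
    return iface, (None if gw.is_unspecified else str(gw))

def arp_state(arp_text, ip):
    """'resolved', 'incomplete' (asked, no answer) or 'absent' for ip in arp -a output."""
    for line in arp_text.splitlines():
        if f"({ip})" in line:
            return "incomplete" if "<incomplete>" in line else "resolved"
    return "absent"

def diagnose(routes_text, arp_text, dst):
    """Combine both views: where would the packet go, and did layer 2 ever answer?"""
    iface, hop = lookup(parse_routes(routes_text), dst)
    if hop is not None:
        return f"{dst} is reached via gateway {hop} on {iface}; check ARP for {hop}"
    return f"{dst} is on-link via {iface}; ARP entry is {arp_state(arp_text, dst)}"
```

Run `diagnose(FEDORA_ROUTES, ARP_SAMPLE, "192.168.1.60")` to see the on-link case; an off-subnet address such as 8.8.8.8 takes the default route through 192.168.1.254 instead.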
