Host Network Problem

Rahul Jain rbj2 at oak.njit.edu
Wed Aug 17 14:16:05 UTC 2005


On Tue, 16 Aug 2005, Rick Stevens wrote:

> Rahul Jain wrote:
> > Hi,
> >
> > I am having a strange network problem with a linux box. I have
> > configured a private network and the linux box has an IP address of
> > 10.1.0.1. It is able to ping to its default gateway (10.1.0.2) and to the
> > rest of the network. However none of the other services work. I have tried
> > ftp, traceroute using both hostname and IP address. None of them work.
> > Traceroute gives a strange result of ending at the gateway and ftp throws
> > the error "no route to host". I even tried doing ftp to the gateway but
> > got the same error.
> >
> > I am not sure what is the problem since the host is able to ping all other
> > hosts in the network. Any ideas what might be going wrong ?
>
> There's a whole bunch of things.  First off, did you configure the
> firewall when you installed (e.g. did you choose "high" or "medium"
> security)?  If so, EVERYTHING except DNS (TCP/UDP port 53) is blocked.
> To see if this is the issue, try "service iptables stop" and see if
> things work.  If they do, then you need to modify your firewall
> settings.
>
> While it's not ideal, you can allow all outgoing traffic.  Only accept
> incoming traffic to TCP port 22 (ssh), TCP/UDP port 53 (DNS), TCP/UDP
> port 80 (web) and perhaps TCP/UDP port 123 (NTP).  If you're running an
> FTP server, you can open up TCP/UDP port 21, but make SURE you configure
> your firewall to do connection tracking and set up appropriate security.
>
> Configure all other incoming traffic to "-j DROP" in the iptables rules
> (don't use "-j DENY", as all that does is advertise the fact that there
> is a machine out there that's denying access...DROP simply drops the
> packets on the floor--an attacker sees nothing at all).
>
> I'd suggest getting something like Firestarter
> (http://firestarter.sourceforge.net) to give you a GUI to help you
> configure the firewall if you're not comfortable doing it manually.
>
> Also note that many "iffy" protocols (and I mean iffy in regards to
> security such as telnet, ftp, finger, whois, etc.) are also disabled by
> default on Linux installs (unlike that virusware from Washington).  You
> specifically have to enable them, and only enable the ones you KNOW you
> need.  Unless you're running a server of some type, generally the only
> daemon you need to run will be sshd--and only that if you need to
> access your machine remotely.  NEVER enable telnet.  Use ssh instead.
> ----------------------------------------------------------------------
> - Rick Stevens, Senior Systems Engineer     rstevens at vitalstream.com -
> - VitalStream, Inc.                       http://www.vitalstream.com -
> -                                                                    -
> -      "Doctor!  My brain hurts!"  "It will have to come out!"       -
> ----------------------------------------------------------------------
Thanks Rick and Jaun for your replies.

The firewall on my host is disabled since my network is behind a NAT with
no external access. However the firewall at my gateway (set up by
another guy) was running. Thanks for your tips, it now works :->

Rahul.
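The ruleset Rick sketches above (allow all outgoing traffic, accept only a short list of inbound services with connection tracking, drop everything else), written out as an added example; this is not code from either poster. It narrows the port list to the protocols those services actually use (HTTP is TCP only, NTP is UDP only) and keeps ICMP echo open, which is exactly the configuration that produces the symptom in the original question: ping succeeds while ftp and traceroute fail. The `IPT` variable is an assumption of this script so the rules can be previewed without root.

```sh
#!/bin/sh
# Minimal host firewall in the spirit of Rick's advice (added example).
# IPT is the command used to install rules; set IPT="echo iptables" to
# print the rules instead of applying them (no root needed).
IPT="${IPT:-iptables}"

apply_firewall() {
  # Default policies: drop anything inbound not matched below, allow outbound.
  $IPT -P INPUT DROP
  $IPT -P FORWARD DROP
  $IPT -P OUTPUT ACCEPT
  $IPT -F INPUT
  # Loopback, plus replies to connections this host opened itself.
  $IPT -A INPUT -i lo -j ACCEPT
  $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  $IPT -A INPUT -m conntrack --ctstate INVALID -j DROP
  # Explicitly permitted inbound services.
  $IPT -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT   # ssh
  $IPT -A INPUT -p udp --dport 53 -j ACCEPT                              # DNS
  $IPT -A INPUT -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT   # DNS over TCP
  $IPT -A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT   # HTTP
  $IPT -A INPUT -p udp --dport 123 -j ACCEPT                             # NTP
  # ICMP echo stays open: this is why "ping works" proves nothing about TCP.
  $IPT -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
  # Anything else falls through to the DROP policy: no reply is sent.
}

# Usage:  sh fw.sh apply   (as root)   |   sh fw.sh show   (preview only)
case "${1:-}" in
  apply) apply_firewall ;;
  show)  IPT="echo iptables"; apply_firewall ;;
  *)     : ;;   # no argument: just define the function (e.g. when sourced)
esac
```

If the box must serve FTP as well, load the kernel's FTP connection-tracking helper before adding a rule for TCP port 21; the ESTABLISHED,RELATED rule then covers the separately negotiated data connections, which is the "connection tracking" Rick insists on. A quick way to confirm the firewall is the culprit on a host like this is to check whether a TCP connection to the gateway fails while ping to the same address succeeds.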



