iodisciple
Junior Member
Posts: 33 Joined: 09 Jan 2018, 12:52
by iodisciple » 09 Mar 2018, 15:10
Hi all,
I've discovered a strange problem with all my Debian 9.3 servers with CSF/LFD latest version. I cannot ping via IPv4. It does ping via IPv6 though. Settings are as below. I also still can't ping when both servers are in the csf.allow and csf.deny files.
ICMP_IN = "1"
ICMP_IN_RATE = "1/s" (also tried other variables)
ICMP_OUT = "1"
ICMP_OUT_RATE = "0"
IPV6_ICMP_STRICT = "0"
What am I doing wrong?
Edit: see also ping localhost
root@backup01:~# ping 127.0.0.1
PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
^C
--- 127.0.0.1 ping statistics ---
6 packets transmitted, 0 received, 100% packet loss, time 5126ms
root@backup01:~# ping ::1
PING ::1(::1) 56 data bytes
64 bytes from ::1: icmp_seq=1 ttl=64 time=0.078 ms
64 bytes from ::1: icmp_seq=2 ttl=64 time=0.046 ms
64 bytes from ::1: icmp_seq=3 ttl=64 time=0.053 ms
--- ::1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2040ms
rtt min/avg/max/mdev = 0.046/0.059/0.078/0.013 ms
root@backup01:~#
ForumAdmin
Moderator
Posts: 1524 Joined: 01 Oct 2008, 09:24
by ForumAdmin » 09 Mar 2018, 15:22
I'm unable to recreate the problem, so I do not know what on your system might be causing one:
root@debian:~# cat /etc/debian_version
9.3
root@debian:~# grep "ICMP_.* =" /etc/csf/csf.conf
ICMP_IN = "1"
ICMP_IN_RATE = "1/s"
ICMP_OUT = "1"
ICMP_OUT_RATE = "0"
IPV6_ICMP_STRICT = "0"
root@debian:~# ping google.com -c 5
PING google.com (216.58.213.110) 56(84) bytes of data.
64 bytes from lhr25s02-in-f110.1e100.net (216.58.213.110): icmp_seq=1 ttl=52 time=19.0 ms
64 bytes from lhr25s02-in-f110.1e100.net (216.58.213.110): icmp_seq=2 ttl=52 time=29.2 ms
64 bytes from lhr25s02-in-f110.1e100.net (216.58.213.110): icmp_seq=3 ttl=52 time=21.6 ms
64 bytes from lhr25s02-in-f110.1e100.net (216.58.213.110): icmp_seq=4 ttl=52 time=21.4 ms
64 bytes from lhr25s02-in-f110.1e100.net (216.58.213.110): icmp_seq=5 ttl=52 time=23.1 ms
--- google.com ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4005ms
rtt min/avg/max/mdev = 19.025/22.912/29.271/3.449 ms
root@debian:~# csf -g icmp
Chain num pkts bytes target prot opt in out source destination
INPUT 29 0 0 ACCEPT icmp -- !lo * 0.0.0.0/0 0.0.0.0/0 icmptype 8 limit: avg 1/sec burst 5
INPUT 30 0 0 ACCEPT icmp -- !lo * 0.0.0.0/0 0.0.0.0/0 icmptype 0 limit: avg 1/sec burst 5
INPUT 31 0 0 ACCEPT icmp -- !lo * 0.0.0.0/0 0.0.0.0/0 icmptype 11
INPUT 32 0 0 ACCEPT icmp -- !lo * 0.0.0.0/0 0.0.0.0/0 icmptype 3
OUTPUT 35 0 0 ACCEPT icmp -- * !lo 0.0.0.0/0 0.0.0.0/0 icmptype 0
OUTPUT 36 2 168 ACCEPT icmp -- * !lo 0.0.0.0/0 0.0.0.0/0 icmptype 8
OUTPUT 37 0 0 ACCEPT icmp -- * !lo 0.0.0.0/0 0.0.0.0/0 icmptype 11
OUTPUT 38 0 0 ACCEPT icmp -- * !lo 0.0.0.0/0 0.0.0.0/0 icmptype 3
LOGDROPIN 23 0 0 LOG icmp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 0 level 4 prefix "Firewall: *ICMP_IN Blocked* "
LOGDROPOUT 3 0 0 LOG icmp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 8 level 4 prefix "Firewall: *ICMP_OUT Blocked* "
LOGDROPOUT 4 0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
iodisciple
Junior Member
Posts: 33 Joined: 09 Jan 2018, 12:52
by iodisciple » 09 Mar 2018, 15:42
Thank you for your reply. I wasn't clear. I can ping with IPv4 to
www.google.com etc. but not to a server with CSF / LFD installed.
root@backup01:~# cat /etc/debian_version
9.3
root@backup01:~# grep "ICMP_.* =" /etc/csf/csf.conf
ICMP_IN = "1"
ICMP_IN_RATE = "1/s"
ICMP_OUT = "1"
ICMP_OUT_RATE = "0"
IPV6_ICMP_STRICT = "0"
root@backup01:~# csf -g icmp
Chain num pkts bytes target prot opt in out source destination
INPUT 14 0 0 ACCEPT icmp -- !lo * 0.0.0.0/0 0.0.0.0/0 icmptype 8 limit: avg 1/sec burst 5
INPUT 15 0 0 ACCEPT icmp -- !lo * 0.0.0.0/0 0.0.0.0/0 icmptype 0 limit: avg 1/sec burst 5
INPUT 16 0 0 ACCEPT icmp -- !lo * 0.0.0.0/0 0.0.0.0/0 icmptype 11
INPUT 17 1 92 ACCEPT icmp -- !lo * 0.0.0.0/0 0.0.0.0/0 icmptype 3
OUTPUT 22 0 0 ACCEPT icmp -- * !lo 0.0.0.0/0 0.0.0.0/0 icmptype 0
OUTPUT 23 0 0 ACCEPT icmp -- * !lo 0.0.0.0/0 0.0.0.0/0 icmptype 8
OUTPUT 24 0 0 ACCEPT icmp -- * !lo 0.0.0.0/0 0.0.0.0/0 icmptype 11
OUTPUT 25 0 0 ACCEPT icmp -- * !lo 0.0.0.0/0 0.0.0.0/0 icmptype 3
LOGDROPIN 23 0 0 LOG icmp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 0 level 4 prefix "Firewall: *ICMP_IN Blocked* "
LOGDROPOUT 3 0 0 LOG icmp -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 30/min burst 5 LOG flags 8 level 4 prefix "Firewall: *ICMP_OUT Blocked* "
LOGDROPOUT 4 0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 reject-with icmp-port-unreachable
ip6tables:
Chain num pkts bytes target prot opt in out source destination
No matches found for icmp in ip6tables
root@backup01:~#
The other servers have the same config.
ForumAdmin
Moderator
Posts: 1524 Joined: 01 Oct 2008, 09:24
by ForumAdmin » 10 Mar 2018, 10:14
I'm unable to recreate a problem pinging a remote Debian 9.3 server running csf.
You could try running a trace on the incoming IP address:
iptables -F -t raw
/sbin/iptables --wait -v -t raw -I PREROUTING --source 11.22.33.44 -j TRACE
# where 11.22.33.44 is the incoming IP address
You can then tail the message log or wherever the kernel is logging iptables and watch where the packets are being dropped in iptables.
You then need to manually flush the raw table afterwards to remove the trace.
iodisciple
Junior Member
Posts: 33 Joined: 09 Jan 2018, 12:52
by iodisciple » 10 Mar 2018, 18:24
Thank you for your support.
Since you weren't able to reproduce it, I went looking elsewhere. Finally I was able to pinpoint this to a value in sysctl.conf:
net.ipv4.icmp_echo_ignore_all = 1
Which somehow made it into my server template...
Thanks again.
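The lesson of this thread is that a missing ping reply can come from three different layers: csf.conf (ICMP_IN), the rules csf actually loaded (csf -g icmp), or the kernel knob net.ipv4.icmp_echo_ignore_all that iptables never sees. The check below is an added example, not code from the thread or from csf; it takes file paths as parameters (a csf.conf copy, a saved "csf -g icmp" listing, and the icmp_echo_ignore_all file, normally /proc/sys/net/ipv4/icmp_echo_ignore_all) and the sample inputs it writes are constructed from the output posted above.

```shell
#!/bin/sh
# Added example (not from the thread): say which layer is ignoring ICMPv4
# echo requests on a csf/lfd host. Paths are parameters so the check can be
# run against constructed copies of the inputs as well as the live files.

# Print the value of KEY = "value" from a csf.conf-style file ($1=file, $2=key).
csf_value() {
    sed -n "s/^$2 = \"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# Does a saved "csf -g icmp" listing ($1) hold an INPUT ACCEPT for echo request (type 8)?
has_echo_accept_rule() {
    grep -Eq '^INPUT +[0-9]+ +[0-9]+ +[0-9]+ +ACCEPT +icmp .*icmptype 8( |$)' "$1"
}

# $1 = csf.conf, $2 = saved "csf -g icmp" output, $3 = icmp_echo_ignore_all file.
# Prints exactly one verdict so it can be scripted from a fleet check.
icmp_echo_diagnose() {
    if [ "$(csf_value "$1" ICMP_IN)" != "1" ]; then
        echo csf_icmp_in_disabled      # csf.conf itself blocks echo requests
    elif ! has_echo_accept_rule "$2"; then
        echo no_input_accept_rule      # config says 1 but the rule is not loaded
    elif [ "$(cat "$3" 2>/dev/null)" = "1" ]; then
        echo kernel_ignore_all         # firewall accepts it, the kernel drops it
    else
        echo ok
    fi
}

# Constructed sample inputs modelled on the thread's output; written into dir $1.
make_samples() {
    printf 'ICMP_IN = "1"\nICMP_IN_RATE = "1/s"\nICMP_OUT = "1"\n' > "$1/csf.conf"
    printf 'INPUT 14 0 0 ACCEPT icmp -- !lo * 0.0.0.0/0 0.0.0.0/0 icmptype 8 limit: avg 1/sec burst 5\n' > "$1/csf-g-icmp.txt"
    echo 1 > "$1/ignore_all"           # the sysctl value the poster found in the template
}

demo_dir=$(mktemp -d)
make_samples "$demo_dir"
icmp_echo_diagnose "$demo_dir/csf.conf" "$demo_dir/csf-g-icmp.txt" "$demo_dir/ignore_all"
rm -rf "$demo_dir"
```

On a live host, save "csf -g icmp" to a file and pass /etc/csf/csf.conf and /proc/sys/net/ipv4/icmp_echo_ignore_all as the other two arguments; a verdict of kernel_ignore_all is the case this thread ended on.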