Can't ping IPv4

5 posts Page 1 of 1
iodisciple
Junior Member
Posts: 33
Joined: 09 Jan 2018, 12:52


Hi all,

I've discovered a strange problem with all my Debian 9.3 servers running the latest version of CSF/LFD. I cannot ping via IPv4. It does ping via IPv6 though. Settings are as below. I also still can't ping when both servers are in the csf.allow and csf.deny files.

ICMP_IN = "1"
ICMP_IN_RATE = "1/s" (also tried other variables)
ICMP_OUT = "1"
ICMP_OUT_RATE = "0"
IPV6_ICMP_STRICT = "0"

What am I doing wrong?

Edit: see also ping localhost
Code:
root@backup01:~# ping 127.0.0.1
PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
^C
--- 127.0.0.1 ping statistics ---
6 packets transmitted, 0 received, 100% packet loss, time 5126ms

root@backup01:~# ping ::1
PING ::1(::1) 56 data bytes
64 bytes from ::1: icmp_seq=1 ttl=64 time=0.078 ms
64 bytes from ::1: icmp_seq=2 ttl=64 time=0.046 ms
64 bytes from ::1: icmp_seq=3 ttl=64 time=0.053 ms

--- ::1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2040ms
rtt min/avg/max/mdev = 0.046/0.059/0.078/0.013 ms
root@backup01:~# 
ForumAdmin
Moderator
Posts: 1433
Joined: 01 Oct 2008, 09:24


I'm unable to recreate a problem, so I do not know what on your system might be causing one:
Code:
root@debian:~# cat /etc/debian_version 
9.3
Code:
root@debian:~# grep "ICMP_.* =" /etc/csf/csf.conf 
ICMP_IN = "1"
ICMP_IN_RATE = "1/s"
ICMP_OUT = "1"
ICMP_OUT_RATE = "0"
IPV6_ICMP_STRICT = "0"
Code:
root@debian:~# ping google.com -c 5
PING google.com (216.58.213.110) 56(84) bytes of data.
64 bytes from lhr25s02-in-f110.1e100.net (216.58.213.110): icmp_seq=1 ttl=52 time=19.0 ms
64 bytes from lhr25s02-in-f110.1e100.net (216.58.213.110): icmp_seq=2 ttl=52 time=29.2 ms
64 bytes from lhr25s02-in-f110.1e100.net (216.58.213.110): icmp_seq=3 ttl=52 time=21.6 ms
64 bytes from lhr25s02-in-f110.1e100.net (216.58.213.110): icmp_seq=4 ttl=52 time=21.4 ms
64 bytes from lhr25s02-in-f110.1e100.net (216.58.213.110): icmp_seq=5 ttl=52 time=23.1 ms

--- google.com ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4005ms
rtt min/avg/max/mdev = 19.025/22.912/29.271/3.449 ms
Code:
root@debian:~# csf -g icmp

Chain            num   pkts bytes target     prot opt in     out     source               destination         
INPUT            29       0     0 ACCEPT     icmp --  !lo    *       0.0.0.0/0            0.0.0.0/0            icmptype 8 limit: avg 1/sec burst 5
INPUT            30       0     0 ACCEPT     icmp --  !lo    *       0.0.0.0/0            0.0.0.0/0            icmptype 0 limit: avg 1/sec burst 5
INPUT            31       0     0 ACCEPT     icmp --  !lo    *       0.0.0.0/0            0.0.0.0/0            icmptype 11
INPUT            32       0     0 ACCEPT     icmp --  !lo    *       0.0.0.0/0            0.0.0.0/0            icmptype 3

OUTPUT           35       0     0 ACCEPT     icmp --  *      !lo     0.0.0.0/0            0.0.0.0/0            icmptype 0
OUTPUT           36       2   168 ACCEPT     icmp --  *      !lo     0.0.0.0/0            0.0.0.0/0            icmptype 8
OUTPUT           37       0     0 ACCEPT     icmp --  *      !lo     0.0.0.0/0            0.0.0.0/0            icmptype 11
OUTPUT           38       0     0 ACCEPT     icmp --  *      !lo     0.0.0.0/0            0.0.0.0/0            icmptype 3

LOGDROPIN        23       0     0 LOG        icmp --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 30/min burst 5 LOG flags 0 level 4 prefix "Firewall: *ICMP_IN Blocked* "

LOGDROPOUT       3        0     0 LOG        icmp --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 30/min burst 5 LOG flags 8 level 4 prefix "Firewall: *ICMP_OUT Blocked* "
LOGDROPOUT       4        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable
iodisciple
Junior Member
Posts: 33
Joined: 09 Jan 2018, 12:52


Thank you for your reply. I wasn't clear. I can ping with IPv4 to www.google.com etc. but not to a server with CSF / LFD installed.
Code:
root@backup01:~# cat /etc/debian_version 
9.3
root@backup01:~# grep "ICMP_.* =" /etc/csf/csf.conf
ICMP_IN = "1"
ICMP_IN_RATE = "1/s"
ICMP_OUT = "1"
ICMP_OUT_RATE = "0"
IPV6_ICMP_STRICT = "0"
root@backup01:~# csf -g icmp

Chain            num   pkts bytes target     prot opt in     out     source               destination         
INPUT            14       0     0 ACCEPT     icmp --  !lo    *       0.0.0.0/0            0.0.0.0/0            icmptype 8 limit: avg 1/sec burst 5
INPUT            15       0     0 ACCEPT     icmp --  !lo    *       0.0.0.0/0            0.0.0.0/0            icmptype 0 limit: avg 1/sec burst 5
INPUT            16       0     0 ACCEPT     icmp --  !lo    *       0.0.0.0/0            0.0.0.0/0            icmptype 11
INPUT            17       1    92 ACCEPT     icmp --  !lo    *       0.0.0.0/0            0.0.0.0/0            icmptype 3

OUTPUT           22       0     0 ACCEPT     icmp --  *      !lo     0.0.0.0/0            0.0.0.0/0            icmptype 0
OUTPUT           23       0     0 ACCEPT     icmp --  *      !lo     0.0.0.0/0            0.0.0.0/0            icmptype 8
OUTPUT           24       0     0 ACCEPT     icmp --  *      !lo     0.0.0.0/0            0.0.0.0/0            icmptype 11
OUTPUT           25       0     0 ACCEPT     icmp --  *      !lo     0.0.0.0/0            0.0.0.0/0            icmptype 3

LOGDROPIN        23       0     0 LOG        icmp --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 30/min burst 5 LOG flags 0 level 4 prefix "Firewall: *ICMP_IN Blocked* "

LOGDROPOUT       3        0     0 LOG        icmp --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 30/min burst 5 LOG flags 8 level 4 prefix "Firewall: *ICMP_OUT Blocked* "
LOGDROPOUT       4        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable


ip6tables:

Chain            num   pkts bytes target     prot opt in     out     source               destination         
No matches found for icmp in ip6tables
root@backup01:~#

The other servers have the same config.
ForumAdmin
Moderator
Posts: 1433
Joined: 01 Oct 2008, 09:24


I'm unable to recreate a problem pinging a remote Debian 9.3 server running csf.

You could try running a trace on the incoming IP address:
Code:
iptables -F -t raw
/sbin/iptables --wait -v -t raw -I PREROUTING --source 11.22.33.44 -j TRACE
# where 11.22.33.44 is the incoming IP address
You can then tail the message log or wherever the kernel is logging iptables and watch where the packets are being dropped in iptables.

You then need to manually flush the raw table afterwards to remove the trace.
Code:
iptables -F -t raw
iodisciple
Junior Member
Posts: 33
Joined: 09 Jan 2018, 12:52


Thank you for your support.

Since you weren't able to reproduce it, I went looking elsewhere. Finally I was able to pinpoint this to a value in sysctl.conf:

net.ipv4.icmp_echo_ignore_all = 1

Which somehow made it into my server template...

Thanks again.
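
The setting named in the last post is applied by the kernel, outside iptables, which is why the csf ICMP rules in the thread looked correct. As an added example (not part of the thread or of csf), this script lists every sysctl file that sets that key and shows the value the running kernel uses; the function names `scan_sysctl` and `echo_ignored`, the sample file and the list of paths are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: find where ICMPv4 echo replies are
# disabled in sysctl configuration, independent of any iptables/csf rules.

KEY=net.ipv4.icmp_echo_ignore_all

# scan_sysctl FILE...
# Print "file:line value" for every assignment to $KEY. Skips "#" and ";"
# comment lines, tolerates spaces around "=", accepts the net/ipv4/... form.
scan_sysctl() {
    for f in "$@"; do
        [ -r "$f" ] || continue
        awk -v file="$f" -v want="$KEY" '
            /^[ \t]*[#;]/ { next }
            {
                eq = index($0, "="); if (eq == 0) next
                key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
                gsub(/[ \t\r]/, "", key); gsub(/[ \t\r]/, "", val)
                gsub(/\//, ".", key)
                if (key == want) printf "%s:%d %s\n", file, NR, val
            }' "$f"
    done
}

# echo_ignored FILE...
# Succeeds (and prints the offending lines) if any file sets $KEY non-zero.
echo_ignored() {
    scan_sysctl "$@" | awk '$NF != "0" { print; hit = 1 } END { exit !hit }'
}

# Constructed sample standing in for a server template's sysctl.conf.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# hardening template (constructed)
net.ipv4.conf.all.rp_filter = 1
#net.ipv4.icmp_echo_ignore_all = 0
net.ipv4.icmp_echo_ignore_all = 1
EOF
echo_ignored "$sample" || echo "sample: echo replies not disabled"

# On a live host: the config files (path list is an assumption), then the
# value the running kernel is actually using.
echo_ignored /etc/sysctl.conf /etc/sysctl.d/*.conf || true
p=/proc/sys/net/ipv4/icmp_echo_ignore_all
if [ -r "$p" ]; then echo "runtime $KEY = $(cat "$p")"; fi
rm -f "$sample"
```

A runtime value of 1 with no matching file line means the key was set some other way, for example by a direct `sysctl -w` or a file outside the scanned paths.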