
Can't ping IPv4

Posted: 09 Mar 2018, 15:10
by iodisciple
Hi all,

I've discovered a strange problem with all my Debian 9.3 servers with CSF/LFD latest version. I cannot ping via IPv4. It does ping via IPv6 though. Settings are as below. I also still can't ping when both servers are in the csf.allow and csf.deny files.

ICMP_IN = "1"
ICMP_IN_RATE = "1/s" (also tried other variables)
ICMP_OUT = "1"
ICMP_OUT_RATE = "0"
IPV6_ICMP_STRICT = "0"

What am I doing wrong?

Edit: see also ping localhost

Code:

root@backup01:~# ping 127.0.0.1
PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
^C
--- 127.0.0.1 ping statistics ---
6 packets transmitted, 0 received, 100% packet loss, time 5126ms

root@backup01:~# ping ::1
PING ::1(::1) 56 data bytes
64 bytes from ::1: icmp_seq=1 ttl=64 time=0.078 ms
64 bytes from ::1: icmp_seq=2 ttl=64 time=0.046 ms
64 bytes from ::1: icmp_seq=3 ttl=64 time=0.053 ms

--- ::1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2040ms
rtt min/avg/max/mdev = 0.046/0.059/0.078/0.013 ms
root@backup01:~# 

Re: Can't ping IPv4

Posted: 09 Mar 2018, 15:22
by ForumAdmin
I'm unable to recreate a problem, so I do not know what on your system might be causing one:

Code:

root@debian:~# cat /etc/debian_version 
9.3

Code:

root@debian:~# grep "ICMP_.* =" /etc/csf/csf.conf 
ICMP_IN = "1"
ICMP_IN_RATE = "1/s"
ICMP_OUT = "1"
ICMP_OUT_RATE = "0"
IPV6_ICMP_STRICT = "0"

Code:

root@debian:~# ping google.com -c 5
PING google.com (216.58.213.110) 56(84) bytes of data.
64 bytes from lhr25s02-in-f110.1e100.net (216.58.213.110): icmp_seq=1 ttl=52 time=19.0 ms
64 bytes from lhr25s02-in-f110.1e100.net (216.58.213.110): icmp_seq=2 ttl=52 time=29.2 ms
64 bytes from lhr25s02-in-f110.1e100.net (216.58.213.110): icmp_seq=3 ttl=52 time=21.6 ms
64 bytes from lhr25s02-in-f110.1e100.net (216.58.213.110): icmp_seq=4 ttl=52 time=21.4 ms
64 bytes from lhr25s02-in-f110.1e100.net (216.58.213.110): icmp_seq=5 ttl=52 time=23.1 ms

--- google.com ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4005ms
rtt min/avg/max/mdev = 19.025/22.912/29.271/3.449 ms

Code:

root@debian:~# csf -g icmp

Chain            num   pkts bytes target     prot opt in     out     source               destination         
INPUT            29       0     0 ACCEPT     icmp --  !lo    *       0.0.0.0/0            0.0.0.0/0            icmptype 8 limit: avg 1/sec burst 5
INPUT            30       0     0 ACCEPT     icmp --  !lo    *       0.0.0.0/0            0.0.0.0/0            icmptype 0 limit: avg 1/sec burst 5
INPUT            31       0     0 ACCEPT     icmp --  !lo    *       0.0.0.0/0            0.0.0.0/0            icmptype 11
INPUT            32       0     0 ACCEPT     icmp --  !lo    *       0.0.0.0/0            0.0.0.0/0            icmptype 3

OUTPUT           35       0     0 ACCEPT     icmp --  *      !lo     0.0.0.0/0            0.0.0.0/0            icmptype 0
OUTPUT           36       2   168 ACCEPT     icmp --  *      !lo     0.0.0.0/0            0.0.0.0/0            icmptype 8
OUTPUT           37       0     0 ACCEPT     icmp --  *      !lo     0.0.0.0/0            0.0.0.0/0            icmptype 11
OUTPUT           38       0     0 ACCEPT     icmp --  *      !lo     0.0.0.0/0            0.0.0.0/0            icmptype 3

LOGDROPIN        23       0     0 LOG        icmp --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 30/min burst 5 LOG flags 0 level 4 prefix "Firewall: *ICMP_IN Blocked* "

LOGDROPOUT       3        0     0 LOG        icmp --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 30/min burst 5 LOG flags 8 level 4 prefix "Firewall: *ICMP_OUT Blocked* "
LOGDROPOUT       4        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Re: Can't ping IPv4

Posted: 09 Mar 2018, 15:42
by iodisciple
Thank you for your reply. I wasn't clear. I can ping with IPv4 to www.google.com etc. but not to a server with CSF / LFD installed.

Code:

root@backup01:~# cat /etc/debian_version 
9.3
root@backup01:~# grep "ICMP_.* =" /etc/csf/csf.conf
ICMP_IN = "1"
ICMP_IN_RATE = "1/s"
ICMP_OUT = "1"
ICMP_OUT_RATE = "0"
IPV6_ICMP_STRICT = "0"
root@backup01:~# csf -g icmp

Chain            num   pkts bytes target     prot opt in     out     source               destination         
INPUT            14       0     0 ACCEPT     icmp --  !lo    *       0.0.0.0/0            0.0.0.0/0            icmptype 8 limit: avg 1/sec burst 5
INPUT            15       0     0 ACCEPT     icmp --  !lo    *       0.0.0.0/0            0.0.0.0/0            icmptype 0 limit: avg 1/sec burst 5
INPUT            16       0     0 ACCEPT     icmp --  !lo    *       0.0.0.0/0            0.0.0.0/0            icmptype 11
INPUT            17       1    92 ACCEPT     icmp --  !lo    *       0.0.0.0/0            0.0.0.0/0            icmptype 3

OUTPUT           22       0     0 ACCEPT     icmp --  *      !lo     0.0.0.0/0            0.0.0.0/0            icmptype 0
OUTPUT           23       0     0 ACCEPT     icmp --  *      !lo     0.0.0.0/0            0.0.0.0/0            icmptype 8
OUTPUT           24       0     0 ACCEPT     icmp --  *      !lo     0.0.0.0/0            0.0.0.0/0            icmptype 11
OUTPUT           25       0     0 ACCEPT     icmp --  *      !lo     0.0.0.0/0            0.0.0.0/0            icmptype 3

LOGDROPIN        23       0     0 LOG        icmp --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 30/min burst 5 LOG flags 0 level 4 prefix "Firewall: *ICMP_IN Blocked* "

LOGDROPOUT       3        0     0 LOG        icmp --  *      *       0.0.0.0/0            0.0.0.0/0            limit: avg 30/min burst 5 LOG flags 8 level 4 prefix "Firewall: *ICMP_OUT Blocked* "
LOGDROPOUT       4        0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable


ip6tables:

Chain            num   pkts bytes target     prot opt in     out     source               destination         
No matches found for icmp in ip6tables
root@backup01:~#

On other servers the same config.

Re: Can't ping IPv4

Posted: 10 Mar 2018, 10:14
by ForumAdmin
I'm unable to recreate a problem pinging a remote Debian 9.3 server running csf.

You could try running a trace on the incoming IP address:

Code:

iptables -F -t raw
/sbin/iptables --wait -v -t raw -I PREROUTING --source 11.22.33.44 -j TRACE
# where 11.22.33.44 is the incoming IP address

You can then tail the message log or wherever the kernel is logging iptables and watch where the packets are being dropped in iptables.

You then need to manually flush the raw table afterwards to remove the trace.

Code:

iptables -F -t raw

Re: Can't ping IPv4

Posted: 10 Mar 2018, 18:24
by iodisciple
Thank you for your support.

Since you weren't able to reproduce it, I went looking elsewhere. Finally I was able to pinpoint this to a value in sysctl.conf:

net.ipv4.icmp_echo_ignore_all = 1

Which somehow made it into my server template...

Thanks again.
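
The root cause found above sits in the kernel rather than in csf: with net.ipv4.icmp_echo_ignore_all set to 1, IPv4 echo requests (including those to 127.0.0.1) go unanswered whatever the ICMP_IN rules accept, while IPv6 is unaffected. The script below is an added example, not part of the original thread; it reads the live value and lists every sysctl file that sets the key persistently. The function names and the optional filesystem-prefix argument are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the thread): locate net.ipv4.icmp_echo_ignore_all.
# The optional argument is a hypothetical filesystem prefix (empty = live system),
# which also allows checking an unpacked server template or image offline.

# Print "file:line:text" for every uncommented persistent setting of the key.
find_echo_ignore() {
    root="${1:-}"
    for f in "$root/etc/sysctl.conf" "$root"/etc/sysctl.d/*.conf \
             "$root"/usr/lib/sysctl.d/*.conf "$root"/run/sysctl.d/*.conf; do
        [ -f "$f" ] || continue
        # Accept both the dotted and the slash form of the key, and spaces around '='.
        grep -HnE '^[[:space:]]*net[./]ipv4[./]icmp_echo_ignore_all[[:space:]]*=' "$f" || true
    done
}

# Print the live kernel value: 1 means every IPv4 echo request is ignored.
runtime_echo_ignore() {
    cat "${1:-}/proc/sys/net/ipv4/icmp_echo_ignore_all" 2>/dev/null || echo unknown
}

# One-line verdict plus the files responsible, if any.
diagnose() {
    val=$(runtime_echo_ignore "${1:-}")
    hits=$(find_echo_ignore "${1:-}")
    case "$val" in
        1) echo "kernel ignores all IPv4 echo requests, whatever csf allows" ;;
        0) echo "kernel answers IPv4 echo requests; trace the firewall instead" ;;
        *) echo "runtime value unknown" ;;
    esac
    [ -n "$hits" ] && printf 'persistent setting(s):\n%s\n' "$hits"
    return 0
}

diagnose "${1:-}"
```

To restore ping replies at runtime, run `sysctl -w net.ipv4.icmp_echo_ignore_all=0`; remove or change the line in each file the script lists so the value does not come back at the next boot.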