[lug] ping: sendto operation not permitted

Ben Luey lueyb at jilau1.Colorado.EDU
Mon Mar 22 17:09:42 MST 2004 

I must be doing something very dumb -- I'm getting an intermitent problem
connecting to my internal network, it seems like a routing problem:

ping 10.0.0.1
ping: sento: Operation not Permitted
ping: wrote: 10.0.0.1 64 chars, ret=-1

I just setup up debian stable as a firewall, with eth0 a static ip to the
internet, and eth1 a static ip for my internal network with ip 10.0.0.1.
During the configuration I'd sometimes get this problem where the firewall
ignores all internet network stuff. I can't ping anything and ip masq
fails etc. But at other times it works fine. It looks like a route
problem, but my route setup is:

route -n
Destination	Gateway	Genmask	Flags	Metric	Ref	Use	Iface
128.138.107.0	0.0.0.0	255.255.255.0 U 0	0	0	eth0
10.0.0.0	0.0.0.0	255.255.255.0 U 0	0	0	eth1
0.0.0.0		128.138.107.1	0.0.0.0.0  UG 0 0	0	eth0

I don't think this has to do with my iptables configuration, but I've
attached it in case. Any ideas on what do look for? I can't explain why
sometimes everything works fine, and just when I'm done with the
configuration, I get this problem.

Thanks,

Ben






Ben Luey
lueyb at jilau1.colorado.edu
-------------- next part --------------
#!/bin/sh
myip=128.138.107.165

IPTABLES=/sbin/iptables

##Default route, deny input, and forward, allow outgoing

$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT ACCEPT

$IPTABLES -t nat -P PREROUTING ACCEPT
$IPTABLES -t nat -P POSTROUTING DROP

$IPTABLES -F INPUT
$IPTABLES -F FORWARD
$IPTABLES -F OUTPUT
$IPTABLES -F -t nat

$IPTABLES -A FORWARD -i eth1 -s ! 10.0.0.1/24 -j DROP
$IPTABLES -A FORWARD -i eth0 -s 192.168.0.0/16 -j DROP
$IPTABLES -A FORWARD -i eth0 -s 172.16.0.0/12 -j DROP
$IPTABLES -A FORWARD -i eth0 -s 10.0.0.0/8 -j DROP


$IPTABLES -A INPUT -i lo -s 0/0 -d 0/0 -j ACCEPT
#$IPTABLES -A FORWARD -i eth1 -j LOG

#$IPTABLES -A FORWARD -i eth1 -o eth0 -j LOG 
$IPTABLES -A FORWARD -i eth1 -o eth0 -j ACCEPT

$IPTABLES -A INPUT -i eth0 -d $myip -m state --state ESTABLISHED,RELATED -j ACCEPT


#$IPTABLES -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j LOG
$IPTABLES -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT

$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -t nat -A POSTROUTING -o eth0 -j MASQUERADE

More information about the LUG mailing list