SCIENTIFIC-LINUX-USERS Archives

November 2016

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Date: Thu, 10 Nov 2016 08:09:25 -0600
Content-Type: multipart/mixed
Parts/Attachments: text/plain (981 bytes), iptables.fails (5 kB), iptables.works (4 kB)

I'm trying to isolate a network problem and I need some debugging help.  Frustrating when I am not fluent in the new sys admin tools.

Symptom is as follows:  I have a machine running Fedora 24 with its firewall zone set to work.  I cannot ping the machine except from the same subnet.  I don't have this problem with a second machine running the same OS/rev with the same firewall setup.  I'm not sure where to look.

I've dumped out both machines' iptables.  See attachment.  I did a diff -y and they look almost identical.  The machine that does not work has 2 NICs, one of which is connected to a 192.168 network.  It has additional rules in the various chains but they are all "from anywhere to anywhere".  I'm assuming the additional rules come from the second interface.

I've put a query to my networking folks to see if the problem is further upstream.  But I thought I'd ask if I have missed something obvious.

I know it's not SL7 but they use the same tools:  nmcli and firewall-cmd.




iptables.fails:

Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
INPUT_direct all -- anywhere anywhere
INPUT_ZONES_SOURCE all -- anywhere anywhere
INPUT_ZONES all -- anywhere anywhere
DROP all -- anywhere anywhere ctstate INVALID
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
FORWARD_direct all -- anywhere anywhere
FORWARD_IN_ZONES_SOURCE all -- anywhere anywhere
FORWARD_IN_ZONES all -- anywhere anywhere
FORWARD_OUT_ZONES_SOURCE all -- anywhere anywhere
FORWARD_OUT_ZONES all -- anywhere anywhere
DROP all -- anywhere anywhere ctstate INVALID
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
OUTPUT_direct all -- anywhere anywhere

Chain FORWARD_IN_ZONES (1 references)
target prot opt source destination
FWDI_work all -- anywhere anywhere [goto]
FWDI_work all -- anywhere anywhere [goto]
FWDI_work all -- anywhere anywhere [goto]

Chain FORWARD_IN_ZONES_SOURCE (1 references)
target prot opt source destination

Chain FORWARD_OUT_ZONES (1 references)
target prot opt source destination
FWDO_work all -- anywhere anywhere [goto]
FWDO_work all -- anywhere anywhere [goto]
FWDO_work all -- anywhere anywhere [goto]

Chain FORWARD_OUT_ZONES_SOURCE (1 references)
target prot opt source destination

Chain FORWARD_direct (1 references)
target prot opt source destination

Chain FWDI_work (3 references)
target prot opt source destination
FWDI_work_log all -- anywhere anywhere
FWDI_work_deny all -- anywhere anywhere
FWDI_work_allow all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere

Chain FWDI_work_allow (1 references)
target prot opt source destination

Chain FWDI_work_deny (1 references)
target prot opt source destination

Chain FWDI_work_log (1 references)
target prot opt source destination

Chain FWDO_work (3 references)
target prot opt source destination
FWDO_work_log all -- anywhere anywhere
FWDO_work_deny all -- anywhere anywhere
FWDO_work_allow all -- anywhere anywhere

Chain FWDO_work_allow (1 references)
target prot opt source destination

Chain FWDO_work_deny (1 references)
target prot opt source destination

Chain FWDO_work_log (1 references)
target prot opt source destination

Chain INPUT_ZONES (1 references)
target prot opt source destination
IN_work all -- anywhere anywhere [goto]
IN_work all -- anywhere anywhere [goto]
IN_work all -- anywhere anywhere [goto]

Chain INPUT_ZONES_SOURCE (1 references)
target prot opt source destination

Chain INPUT_direct (1 references)
target prot opt source destination

Chain IN_work (3 references)
target prot opt source destination
IN_work_log all -- anywhere anywhere
IN_work_deny all -- anywhere anywhere
IN_work_allow all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere

Chain IN_work_allow (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh ctstate NEW
ACCEPT udp -- anywhere 224.0.0.251 udp dpt:mdns ctstate NEW

Chain IN_work_deny (1 references)
target prot opt source destination

Chain IN_work_log (1 references)
target prot opt source destination

Chain OUTPUT_direct (1 references)
target prot opt source destination

iptables.works:

Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
INPUT_direct all -- anywhere anywhere
INPUT_ZONES_SOURCE all -- anywhere anywhere
INPUT_ZONES all -- anywhere anywhere
DROP all -- anywhere anywhere ctstate INVALID
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
FORWARD_direct all -- anywhere anywhere
FORWARD_IN_ZONES_SOURCE all -- anywhere anywhere
FORWARD_IN_ZONES all -- anywhere anywhere
FORWARD_OUT_ZONES_SOURCE all -- anywhere anywhere
FORWARD_OUT_ZONES all -- anywhere anywhere
DROP all -- anywhere anywhere ctstate INVALID
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
OUTPUT_direct all -- anywhere anywhere

Chain FORWARD_IN_ZONES (1 references)
target prot opt source destination
FWDI_work all -- anywhere anywhere [goto]
FWDI_work all -- anywhere anywhere [goto]

Chain FORWARD_IN_ZONES_SOURCE (1 references)
target prot opt source destination

Chain FORWARD_OUT_ZONES (1 references)
target prot opt source destination
FWDO_work all -- anywhere anywhere [goto]
FWDO_work all -- anywhere anywhere [goto]

Chain FORWARD_OUT_ZONES_SOURCE (1 references)
target prot opt source destination

Chain FORWARD_direct (1 references)
target prot opt source destination

Chain FWDI_work (2 references)
target prot opt source destination
FWDI_work_log all -- anywhere anywhere
FWDI_work_deny all -- anywhere anywhere
FWDI_work_allow all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere

Chain FWDI_work_allow (1 references)
target prot opt source destination

Chain FWDI_work_deny (1 references)
target prot opt source destination

Chain FWDI_work_log (1 references)
target prot opt source destination

Chain FWDO_work (2 references)
target prot opt source destination
FWDO_work_log all -- anywhere anywhere
FWDO_work_deny all -- anywhere anywhere
FWDO_work_allow all -- anywhere anywhere

Chain FWDO_work_allow (1 references)
target prot opt source destination

Chain FWDO_work_deny (1 references)
target prot opt source destination

Chain FWDO_work_log (1 references)
target prot opt source destination

Chain INPUT_ZONES (1 references)
target prot opt source destination
IN_work all -- anywhere anywhere [goto]
IN_work all -- anywhere anywhere [goto]

Chain INPUT_ZONES_SOURCE (1 references)
target prot opt source destination

Chain INPUT_direct (1 references)
target prot opt source destination

Chain IN_work (2 references)
target prot opt source destination
IN_work_log all -- anywhere anywhere
IN_work_deny all -- anywhere anywhere
IN_work_allow all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere

Chain IN_work_allow (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh ctstate NEW
ACCEPT udp -- anywhere 224.0.0.251 udp dpt:mdns ctstate NEW

Chain IN_work_deny (1 references)
target prot opt source destination

Chain IN_work_log (1 references)
target prot opt source destination

Chain OUTPUT_direct (1 references)
target prot opt source destination
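
Added example (not part of the original message): a Python comparison of two `iptables -L` listings like the ones attached above. It compares each chain's rules as a multiset and flags rules that print identically more than once; plain `-L` omits the in/out interface columns (they appear only with `-v`), so identical lines usually differ in a match that is not displayed. The sample input is excerpted from the two dumps, and the function names are hypothetical.

```python
from collections import Counter

# Sample input: two chains excerpted from the failing host's listing above.
FAILS = """\
Chain INPUT_ZONES (1 references)
target prot opt source destination
IN_work all -- anywhere anywhere [goto]
IN_work all -- anywhere anywhere [goto]
IN_work all -- anywhere anywhere [goto]

Chain IN_work_allow (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh ctstate NEW
"""
# The working host's listing has one fewer [goto] line in INPUT_ZONES.
WORKS = FAILS.replace("IN_work all -- anywhere anywhere [goto]\n", "", 1)

def parse_listing(text):
    """Map chain name -> list of rule lines from `iptables -L` output."""
    chains, current = {}, None
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[:2] == ["target", "prot"]:
            continue  # blank line or column header
        if fields[0] == "Chain":
            current = chains.setdefault(fields[1], [])
        elif current is not None:
            current.append(" ".join(fields))  # normalise column padding
    return chains

def diff_listings(a, b):
    """Return {chain: (rules only in a, rules only in b)}, counting repeats."""
    out = {}
    for chain in sorted(set(a) | set(b)):
        ca, cb = Counter(a.get(chain, [])), Counter(b.get(chain, []))
        if ca != cb:
            out[chain] = (sorted((ca - cb).elements()), sorted((cb - ca).elements()))
    return out

def ambiguous_rules(chains):
    """Rules printed identically more than once within one chain."""
    dup = {c: {r: n for r, n in Counter(rs).items() if n > 1} for c, rs in chains.items()}
    return {c: d for c, d in dup.items() if d}

if __name__ == "__main__":
    fails, works = parse_listing(FAILS), parse_listing(WORKS)
    print(diff_listings(fails, works))
    print(ambiguous_rules(fails))
```

For chains flagged as ambiguous, `iptables -S` or `iptables -L -v -n` on the host prints the interface each rule is bound to.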
