[tclug-list] strange network problem

Sun Aug 14 11:13:27 CDT 2005

You might have a firewall that's allowing ICMP but not TCP, but you 
can't conclude much from the tests below.

Tom Penney wrote:
> I have new fedora core 3 box which I am having a strange network problem with.
> 
> I can not get out to the net while logged in. I can get to the machine
> via ssh and apache is serving pages to the outside world but while
> logged into the machine I can not get this page:
> 
> [tomp at highwire ~]$ wget http://localhost
> --16:38:59--  http://localhost/
>           => `index.html'
> Resolving localhost... 127.0.0.1
> Connecting to localhost[127.0.0.1]:80... failed: Permission denied.
> Retrying.

Try using wget with the hostname the rest of the world uses. Also, 
Apache may be set up to reject requests from localhost.

> Names resolve, ping works but I cant get out:
> 
> [root at highwire ~]# ping google.com
> PING google.com (216.239.57.99) 56(84) bytes of data.
> 64 bytes from 216.239.57.99: icmp_seq=0 ttl=242 time=78.1 ms
> 64 bytes from 216.239.57.99: icmp_seq=1 ttl=242 time=77.9 ms
> 64 bytes from 216.239.57.99: icmp_seq=2 ttl=242 time=77.9 ms
> 
> --- google.com ping statistics ---
> 3 packets transmitted, 3 received, 0% packet loss, time 2001ms
> rtt min/avg/max/mdev = 77.912/78.019/78.194/0.345 ms, pipe 2
> 
> [root at highwire ~]# telnet 216.239.57.99 80
> Trying 216.239.57.99...
> telnet: connect to address 216.239.57.99: Permission denied
> telnet: Unable to connect to remote host: Permission denied

I'm pretty sure www.google.com will only respond on port 80; try a wget 
with www.google.com. (Unless I'm having a brain fart, "Permission 
denied" means there's nothing listening on the port.) nmap will also 
give you a lot of info.

> I get the same type of error when I ssh out. although I can ssh into
> the box fine.
> [root at highwire ~]# ssh samba.circussoftware.com
> ssh: connect to host samba.circussoftware.com port 22: Permission denied

Do you know sshd is running on that host? If it is, I'd look again for a 
firewall blocking outbound TCP traffic. Traceroute is your friend.

> I don't think it's a local firewall but it sure seems like it:
> [root at highwire ~]# iptables -L
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
> 
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination
> 
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
> 
> 
> Does anyone have any Idea what could be going on here?

Do you have a cable/DSL router? I'd check the settings in there. If the 
machine connects directly to the Internet, try exploring with traceroute 
and nmap.

Hope this helps, if you haven't fixed it already.

Nick