[SLL] Good Netfilter/BIND stumper -- more details
Brad Willson
bwil150n at u.washington.edu
Wed Jan 2 09:06:56 PST 2008
> Hello all,
>
> Background: two machines in HA/LB configuration using heartbeat,
> ldirectord, ipvsadm, and an iptables firewall. The configuration files
> were hijacked from a working installation wherein this condition does
> not exist...
>
> The problem: I can ping from outside the firewalls to any machine behind
> them however pings from inside fail with 100% packet loss to systems
> outside the intranet, (i.e. ping google.com).
>
> The only rules governing icmp read as follows:
> -A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT (at the beginning of
> the chain)
> -A INPUT -j REJECT --reject-with icmp-host-prohibited (at the end of the
> chain followed by COMMIT)
>
> I have cross-referenced all the normal files; /etc/hosts,
> /etc/resolv.conf, /etc/nsswitch.conf, etc. to known working
> configurations. Aside from dig, host, nslookup, nmap, and tcpdump; what
> other tools might help me? Obviously I've missed something so I'm
> asking for help, please.
>
> Thank you!!!
The ping issue persists... I am almost convinced there is a problem with
icmp somewhere in the path from the internal machine to the outside
world. Name resolution fails outright for anything outside the subnet,
but stranger still is the failure of 'ping 64.233.187.99'.
Port scan results
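The two INPUT rules quoted above only decide what the firewall itself accepts; an echo-request leaving a machine behind it is judged by FORWARD, and one leaving the firewall by OUTPUT. The following diagnostic is an added example, not code from the post or from the ldirectord/heartbeat setup: it walks an iptables-save dump and reports which verdict each chain gives a new outbound ICMP echo-request. The INPUT rules are the two from the post; the FORWARD/OUTPUT lines in RULESET are a constructed assumption (a state rule plus a final REJECT, with no explicit icmp ACCEPT) used to show the failure mode.

```shell
#!/bin/sh
# Constructed iptables-save excerpt. INPUT mirrors the rules in the post;
# FORWARD and OUTPUT contents are assumptions for illustration only.
RULESET='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# icmp_verdict CHAIN: print the target of the first rule in CHAIN that can
# match a NEW outbound ICMP packet, or the chain policy when none matches.
# A rule is skipped if it names another protocol, or if it matches only
# RELATED/ESTABLISHED state (a fresh echo-request is NEW).
icmp_verdict() {
    printf '%s\n' "$RULESET" | awk -v chain="$1" '
        $1 == (":" chain) { policy = $2; next }
        $1 == "-A" && $2 == chain {
            proto = ""; state = ""; target = ""
            for (i = 3; i <= NF; i++) {
                if ($i == "-p")      proto  = $(i + 1)
                if ($i == "--state") state  = $(i + 1)
                if ($i == "-j")      target = $(i + 1)
            }
            if (proto != "" && proto != "icmp") next
            if (state != "" && state !~ /NEW/) next
            print target; found = 1; exit
        }
        END { if (!found) print policy }'
}

# Show the verdict per chain; with the constructed ruleset this prints
# INPUT ACCEPT, FORWARD REJECT, OUTPUT ACCEPT.
for c in INPUT FORWARD OUTPUT; do
    printf '%-8s %s\n' "$c" "$(icmp_verdict "$c")"
done
```

On the real firewall, replace RULESET with the output of `iptables-save` (and check the nat table separately, since ldirectord/ipvsadm traffic may be rewritten before filtering). A FORWARD chain whose only permissive rules are a RELATED,ESTABLISHED state match and a final REJECT drops the outbound echo-request before any reply can exist, which matches the inside-to-outside symptom described above.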