I have a new SUSE server installation pretty much up and working with one problem. When configured to use a dynamic IP address, I was able to ping the server and connect to the Apache web server over the network from another machine. I have a static IP, gateway IP, net mask and name server IPs assigned by my ISP and have entered them through YaST. I can ping that IP ok from the server itself, but I get “Request timed out” when trying to ping from another machine on the network.
Post the network information from this machine and that one. From this
machine (or any old Linux machine) the following should work:
ip addr
ip route
and just for fun:
cat /etc/resolv.conf
sudo /usr/sbin/iptables-save
Get the same data from the other box.
Good luck.
On 05/05/2010 03:46 PM, drhansenjr wrote:
>
> I have a new SUSE server installation pretty much up and working with
> one problem. When configured to use a dynamic IP address, I was able to
> ping the server and connect to the Apache web server over the network
> from another machine. I have a static IP, gateway IP, net mask and name
> server IPs assigned by my ISP and have entered them through YaST. I can
> ping that IP ok from the server itself, but I get “Request timed out”
> when trying to ping from another machine on the network.
>
> Any idea what I might be doing wrong?
>
> Thanks!
>
>
If you are trying to place a Web server from an internal network onto the external internet using your ISP-provided IP address, you will need to do IP forwarding in your local router from external IP to internal IP. In one case I found that the external IP address provided by the ISP (in this case AT&T) was still shielded from the internet. You have to be able to ping your external ISP-provided IP address from another PC on a different internet-connected network, otherwise you are not going to use a Web server on the internet.
Here’s what I dumped from the server I’m trying to access. The “from” box is running Windows. What commands should I run from there to get the equivalent info?
ALSO - I noticed that when I set the static IP on the SuSE box I cannot see anything FROM it either – can’t access the Internet, etc.
===============
linux-pags:/bin # ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
inet 127.0.0.2/8 brd 127.255.255.255 scope host secondary lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
link/ether d8:d3:85:ff:46:74 brd ff:ff:ff:ff:ff:ff
inet 173.165.78.185/30 brd 173.165.78.187 scope global eth0
inet6 fe80::dad3:85ff:feff:4674/64 scope link
valid_lft forever preferred_lft forever
linux-pags:/bin # ip route
173.165.78.184/30 dev eth0 proto kernel scope link src 173.165.78.185
169.254.0.0/16 dev eth0 scope link
127.0.0.0/8 dev lo scope link
default via 173.165.78.186 dev eth0
linux-pags:/bin # cat /etc/resolv.conf
### /etc/resolv.conf file autogenerated by netconfig!
#
# Before you change this file manually, consider to define the
# static DNS configuration using the following variables in the
# /etc/sysconfig/network/config file:
# NETCONFIG_DNS_STATIC_SEARCHLIST
# NETCONFIG_DNS_STATIC_SERVERS
# NETCONFIG_DNS_FORWARDER
# or disable DNS configuration updates via netconfig by setting:
# NETCONFIG_DNS_POLICY=''
#
# See also the netconfig(8) manual page and other documentation.
#
# Note: Manual change of this file disables netconfig too, but
# may get lost when this file contains comments or empty lines
# only, the netconfig settings are same with settings in this
# file and in case of a "netconfig update -f" call.
#
### Please remove (at least) this line when you modify the file!
nameserver 68.87.72.130
nameserver 68.87.77.130
linux-pags:/bin # sudo /usr/sbin/iptables-save
# Generated by iptables-save v1.4.4 on Wed May 5 17:28:21 2010
*raw
:PREROUTING ACCEPT [58830:81656754]
:OUTPUT ACCEPT [42860:2798181]
-A PREROUTING -i lo -j NOTRACK
-A OUTPUT -o lo -j NOTRACK
COMMIT
# Completed on Wed May 5 17:28:21 2010
# Generated by iptables-save v1.4.4 on Wed May 5 17:28:21 2010
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:forward_ext - [0:0]
:input_ext - [0:0]
:reject_func - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m state --state RELATED -j ACCEPT
-A INPUT -i eth0 -j input_ext
-A INPUT -j input_ext
-A INPUT -m limit --limit 3/min -j LOG --log-prefix "SFW2-IN-ILL-TARGET " --log-tcp-options --log-ip-options
-A INPUT -j DROP
-A FORWARD -m limit --limit 3/min -j LOG --log-prefix "SFW2-FWD-ILL-ROUTING " --log-tcp-options --log-ip-options
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m limit --limit 3/min -j LOG --log-prefix "SFW2-OUT-ERROR " --log-tcp-options --log-ip-options
-A input_ext -m pkttype --pkt-type broadcast -j DROP
-A input_ext -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A input_ext -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 22 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 22 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 80 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 80 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 443 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 443 -j ACCEPT
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 22 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 22 -j ACCEPT
-A input_ext -p udp -m udp --dport 443 -j ACCEPT
-A input_ext -p tcp -m tcp --dport 22 -m state --state NEW -m limit --limit 3/min -j LOG --log-prefix "SFW2-INext-ACC " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 22 -j ACCEPT
-A input_ext -m pkttype --pkt-type multicast -j DROP
-A input_ext -m pkttype --pkt-type broadcast -j DROP
-A input_ext -p tcp -m limit --limit 3/min -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_ext -p icmp -m limit --limit 3/min -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_ext -p udp -m limit --limit 3/min -m state --state NEW -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_ext -j DROP
-A reject_func -p tcp -j REJECT --reject-with tcp-reset
-A reject_func -p udp -j REJECT --reject-with icmp-port-unreachable
-A reject_func -j REJECT --reject-with icmp-proto-unreachable
COMMIT
As for IP forwarding, I do not know what router you are using. The first step would be to download the full manual for the router. Also, search on the router model number and the subject of IP forwarding on the internet. I have done it a couple of times, but the procedure is very hardware specific and since I don’t have the menus down by memory, it would be hard to give a step-by-step procedure.
Based on your other message, it sounds like you have other problems as well. When you set up a static IP on a local network, you have to make sure the IP is not in the DHCP range. For instance, my router hands out IPs ending with 100 to 254 and does not give out 0 through 99. So, any static IP you use internally must not be usable for DHCP, or below 100 in my case, but your router may differ. This is another router setting you must look at. Once this is working properly, the server IP should allow you to get out to the internet from the server. The next step will be going from the internet back to the server, using router IP forwarding.
I presume all works when you plug in and use DHCP. Do you have the same
IP/route/netmask settings when you do things that way? I’ll presume no.
If you really are getting IPs from your ISP then there should be no router
between your machine with this public IP address and your ISP; if there is
then that is what is not working since the network behind your router will
be (usually) privately addressed and NAT’d while the network on the
outside will have the IP address you provided.
Switch your Linux box back to DHCP and post the output of those same
commands from before to see what your network looks like when things work.
Good luck.
On 05/05/2010 04:46 PM, drhansenjr wrote:
>
> to ab@novell.com…
>
> Here’s what I dumped from the server I’m trying to access. The “from”
> box is running Windows. What commands should I run from there to get
> the equivalent info?
>
> ALSO - I noticed that when I set the static IP on the SuSE box I cannot
> see anything FROM it either – can’t access the Internet, etc.
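The point made in the reply above, that a publicly addressed host behind a router cannot be reached directly from the privately addressed network, can be checked from the `ip addr` and `ip route` output posted in the thread. This is an added example, not part of any poster's message; the client address 192.168.1.50/24 is a constructed assumption, since the thread never gives the Windows machine's address.

```python
import ipaddress
import re

# Output as posted in the thread, trimmed to the eth0 lines.
IP_ADDR = """\
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether d8:d3:85:ff:46:74 brd ff:ff:ff:ff:ff:ff
    inet 173.165.78.185/30 brd 173.165.78.187 scope global eth0
"""
IP_ROUTE = """\
173.165.78.184/30 dev eth0 proto kernel scope link src 173.165.78.185
default via 173.165.78.186 dev eth0
"""
# Constructed assumption: the thread never gives the Windows machine's address.
CLIENT = "192.168.1.50/24"

def parse_host(ip_addr_out, dev):
    """First global IPv4 address/prefix on dev, from `ip addr` output."""
    m = re.search(r"inet (\S+) .*scope global " + re.escape(dev), ip_addr_out)
    return ipaddress.ip_interface(m.group(1)) if m else None

def parse_gateway(ip_route_out):
    """Default gateway from `ip route` output."""
    m = re.search(r"^default via (\S+)", ip_route_out, re.M)
    return ipaddress.ip_address(m.group(1)) if m else None

def diagnose(server, gateway, client):
    """List the addressing problems between a server and a LAN client."""
    findings = []
    if gateway not in server.network:
        findings.append("gateway is not on-link for the server")
    # A /30 has two usable hosts; here both are taken by server and gateway.
    spare = [h for h in server.network.hosts() if h not in (server.ip, gateway)]
    if not spare:
        findings.append("no spare host address in %s" % server.network)
    if server.ip not in client.network:
        findings.append("client and server are on different subnets")
    # Private client plus public server suggests a NAT router in the path.
    if client.ip.is_private and not server.ip.is_private:
        findings.append("private client, public server: NAT router in the path")
    return findings

def run_example():
    server = parse_host(IP_ADDR, "eth0")
    return diagnose(server, parse_gateway(IP_ROUTE), ipaddress.ip_interface(CLIENT))

if __name__ == "__main__":
    for line in run_example():
        print("-", line)
```

The gateway check passes for the posted configuration, so the static settings are self-consistent; the findings all concern where the other machine sits relative to the /30.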