
Yesterday I got a new computer as my homeserver, a HP Proliant Microserver. Installed Arch Linux on it, with kernel version 3.2.12.

After installing iptables (1.4.12.2 - the current version AFAIK) and changing the net.ipv4.ip_forward key to 1, and enabling forwarding in the iptables configuration file (and rebooting), the system cannot use any of its network interfaces. Ping fails with

Ping: sendmsg: operation not permitted

If I remove iptables completely, networking is okay, but I need to share the Internet connection to the local network.

eth0 - wan NIC integrated on the motherboard (Broadcom NetXtreme BCM5723).

eth1 - lan NIC in a pci-express slot (Intel 82574L Gigabit Network)

Since it works without iptables (server can access the internet, and I can login with ssh from the internal network), I assume it has something to do with iptables. I do not have much experience with iptables, so I used these as reference (separate from each other of course...):

wiki.archlinux.org/index.php/Simple_stateful_firewall#Setting_up_a_NAT_gateway

revsys.com/writings/quicktips/nat.html

howtoforge.com/nat_iptables

On my previous server, I used the revsys guide to set up nat, worked like a charm.

Anyone experienced anything like this before? What am I doing wrong?

estol

4 Answers

33

The error message:

Ping: sendmsg: operation not permitted

means that your server is not allowed to send ICMP packets. You need to allow your server to send traffic via one or more of the configured interfaces. You can do this by:

  1. Set OUTPUT chain policy to ACCEPT to allow all outgoing traffic from your box:

    sudo iptables -P OUTPUT ACCEPT
    
  2. Set OUTPUT chain policy to DROP and then allow selectively the type of traffic you need.

This applies to all chains not only the OUTPUT chain. INPUT chain controls the traffic received by your box. FORWARD chain deals with traffic forwarded through the box.

Khaled
  • Ping was just an example, could not send udp packets, nor tcp packets... – estol Mar 24 '12 at 14:17
  • Even though, the same idea applies – Khaled Mar 24 '12 at 14:37
  • Tried what you said, same results. Got the rules from the old server, this partially works. Any client can look up domain names, even able to ping them, but cannot browse the web. I installed a proxy as a workaround (since the connection on the server is fine, just like the connection to the server) but a lot of services do not work (Trillian, Skype) this way. – estol Mar 24 '12 at 20:43
  • What is the command to set Output chain policy to accept?? – Joseph Astrahan Jul 26 '16 at 21:01
  • 4
    @JosephAstrahan: `sudo iptables -P OUTPUT ACCEPT` – Khaled Jan 12 '17 at 08:10
4

For me, on Debian 9, it helped to just reinstall ping:

apt-get install --reinstall iputils-ping
  • Also worked on CentOS 7 (upgrade of the package actually `yum upgrade iputils.x86_64`), after cloning "physical" operating system to a VM - not sure if that matters. – yahol Feb 24 '20 at 13:08
1

If you maintain a proper set of iptables rules, you need to allow outgoing ping:

# Allow outgoing ping
iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
secavfr
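The accepted answer's point (give every chain an explicit policy, and never leave OUTPUT at DROP without rules that let the box's own traffic out) and the answer just above (allow the echo-request/echo-reply pair) fit together in one rule set for the layout in the question. The script below is an added example, not code from any answer on this page: it takes the interface names eth0 (WAN) and eth1 (LAN) from the question, and everything else, including the function names, the conntrack state matching and the SSH-from-LAN rule, is my assumption about what a minimal stateful gateway should look like. It runs in a dry-run mode that prints the commands, so the rule set can be reviewed before it is applied as root.

```shell
#!/bin/sh
# Added example: stateful NAT gateway rule set for WAN=eth0, LAN=eth1
# (interface names from the question; the rule selection is an assumption).
# Usage:  sh nat-gateway.sh dry-run [wan] [lan]   -> print the commands
#         sh nat-gateway.sh apply   [wan] [lan]   -> apply them (needs root)

IPTABLES="${IPTABLES:-iptables}"

# Dry-run backend: print the command that would be executed instead of running it.
print_rule() {
    printf 'iptables %s\n' "$*"
}

# Emit or apply the rules. $1 = WAN interface, $2 = LAN interface.
nat_gateway_rules() {
    wan="$1"
    lan="$2"

    # Policies. A DROP policy on OUTPUT with no matching ACCEPT rule is what
    # produces "sendmsg: operation not permitted" for the box's own traffic.
    $IPTABLES -P INPUT DROP
    $IPTABLES -P FORWARD DROP
    $IPTABLES -P OUTPUT ACCEPT

    # Loopback, then anything belonging to a connection the box already tracks.
    $IPTABLES -A INPUT -i lo -j ACCEPT
    $IPTABLES -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Echo replies to the box's own pings are already ESTABLISHED; an explicit
    # rule keeps the ICMP diagnostic path visible in "iptables -L -v".
    $IPTABLES -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT

    # Management: SSH accepted from the LAN side only (assumed requirement).
    $IPTABLES -A INPUT -i "$lan" -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT

    # New connections from LAN hosts out to the WAN, masqueraded behind the WAN address.
    $IPTABLES -A FORWARD -i "$lan" -o "$wan" -m conntrack --ctstate NEW -j ACCEPT
    $IPTABLES -t nat -A POSTROUTING -o "$wan" -j MASQUERADE
}

# Sanity check on a dry-run listing: OUTPUT must not be DROP-by-default and the
# WAN interface must be masqueraded. Returns 0 when both hold, 1 otherwise.
check_rules_text() {
    rules="$1"
    wan="$2"
    printf '%s\n' "$rules" | grep -q -- '-P OUTPUT ACCEPT' || return 1
    if printf '%s\n' "$rules" | grep -q -- '-P OUTPUT DROP'; then
        return 1
    fi
    printf '%s\n' "$rules" | grep -q -- "-t nat -A POSTROUTING -o $wan -j MASQUERADE" || return 1
    return 0
}

case "${1:-}" in
    dry-run)
        IPTABLES=print_rule
        listing="$(nat_gateway_rules "${2:-eth0}" "${3:-eth1}")"
        printf '%s\n' "$listing"
        check_rules_text "$listing" "${2:-eth0}" && echo "# check: ok"
        ;;
    apply)
        nat_gateway_rules "${2:-eth0}" "${3:-eth1}"
        ;;
esac
```

Run `sh nat-gateway.sh dry-run` first and read the listing; the `check_rules_text` step refuses a listing whose OUTPUT policy is DROP, which is the configuration that yields the "operation not permitted" error in the question. Note that the rules are appended, so they belong on top of a flushed table, and the masquerade rule assumes the WAN address is dynamic; with a fixed address, SNAT to that address is the usual replacement.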
1

Another option is to reset all of the iptables rules.

Set the default policy on the iptables to ACCEPT:

iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
#Then flush the rules:
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD

See also How to reset Ubuntu 12.04 iptables to default without locking oneself out?

sunapi386