ping sendto: operation not permitted
Let me start by saying I know just enough about Linux to be dangerous. I
have switched to Debian because I've heard so many wonderful things about
apt. After more than a week trying to get things installed I have to say
it's been a less than satisfying experience. Certainly a lot of that had
to do with trying to do the download over a 56k dialup. Still, the
interface to dselect is nowhere near as nice as something like the
InteractiveBastille interface. Not having something like chkconfig is
also a real pain. Nevertheless, I'm almost there but have kind of hit a
wall and decided I needed to get some help.
So, I am trying to install woody as a firewall for my home. I've been a
bit confused about how to do this. I've had success with bastille before
and thought I'd try that again. This seemed to be working out, but I got
confused and am not sure I completed this correctly. I don't really
understand if bastille is enough, or I had to run ipmasq as well or what.
Anyway, I've tried to turn the firewall off so I can just connect. I am
not being successful at this. I got pretty far but after getting an IP
address from my ISP via dhcp I try to do a simple ping to the ISP gateway
and get the message:
ping sendto: operation not permitted
I had thought that this might be a problem with my ISP because for some
stupid reason, they used 192.168.168.0 for their dhcp. I thought that
maybe this was interfering with my internal dhcp server handing out
addresses on 192.168.0.0. So, I changed my internal dhcp to 10.0.0.0
(running on a separate machine). This didn't make any difference. So, I
need some help.
Here are the particulars.
I have two NIC cards, 3c59x PCI and 3c509 ISA. I have installed these
modules and added the following aliases to /etc/modules.conf:
alias eth0 3c59x
alias eth1 3c509
I'm not sure if I have to do something about eth1 since it's ISA. Anyway,
I have the following configuration for /etc/network/interfaces:
auto lo
auto eth0
iface lo inet loopback
iface eth1 inet dhcp
iface eth0 inet static
address 10.0.0.1
netmask 255.0.0.0
network 10.0.0.0
broadcast 10.255.255.255
I have installed bastille firewall but like I said I've turned that off
before trying to connect to my ISP like so:
bastille-firewall stop
(Note, again, I may not have configured this correctly because I get
messages about iptables: Table does not exist (do you need to do insmod?).
I had thought I had used dselect to install iptables. It does exist in
/etc/. I don't understand this. I shut this down to see if I can even
connect.)
I have a PPP connection that works fine as a backup, but I bring that down
via:
poff
and then bring up eth1 manually like so:
ifconfig eth1 up
I run dhclient manually to connect to my ISP to get an IP address like so:
dhclient -e eth1
This seems to work fine and I get an IP address. I then try to ping the
gateway of my ISP and get the following:
ping sendto: operation not permitted
Here are the results of an ifconfig:
eth0 Link encap:Ethernet HWaddr 00:A0:24:91:05:A9
inet addr:10.0.0.1 Bcast:10.255.255.255 Mask:255.0.0.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:583 errors:0 dropped:0 overruns:0 frame:0
TX packets:448 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:49973 (48.8 KiB) TX bytes:283713 (277.0 KiB)
Interrupt:10 Base address:0xff80
eth1 Link encap:Ethernet HWaddr 00:20:AF:6A:A8:9F
inet addr:192.168.168.120 Bcast:192.168.168.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:25 errors:0 dropped:0 overruns:0 frame:0
TX packets:1 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:3088 (3.0 KiB) TX bytes:342 (342.0 b)
Interrupt:3 Base address:0x200
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
Here are the results of netstat -nr:
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.168.0   0.0.0.0         255.255.255.0   U        40 0          0 eth1
10.0.0.0        0.0.0.0         255.0.0.0       U        40 0          0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U        40 0          0 lo
0.0.0.0         192.168.168.1   0.0.0.0         UG       40 0          0 eth1
Here are the results of dmesg:
Linux version 2.4.18-386 (herbert@gondolin) (gcc version 2.95.4 20011002 (Debian prerelease)) #2 Sun Apr 14 10:38:08 EST 2002
BIOS-provided physical RAM map:
BIOS-e820: 0000000000000000 - 000000000009fc00 (usable)
BIOS-e820: 0000000000100000 - 0000000004000000 (usable)
BIOS-e820: 00000000fffc0000 - 0000000100000000 (reserved)
On node 0 totalpages: 16384
zone(0): 4096 pages.
zone(1): 12288 pages.
zone(2): 0 pages.
Kernel command line: BOOT_IMAGE=Linux ro root=301
Initializing CPU#0
Detected 165.791 MHz processor.
Console: colour VGA+ 80x25
Calibrating delay loop... 330.95 BogoMIPS
Memory: 59880k/65536k available (895k kernel code, 5268k reserved, 233k data, 192k init, 0k highmem)
Dentry-cache hash table entries: 8192 (order: 4, 65536 bytes)
Inode-cache hash table entries: 4096 (order: 3, 32768 bytes)
Mount-cache hash table entries: 1024 (order: 1, 8192 bytes)
Buffer-cache hash table entries: 4096 (order: 2, 16384 bytes)
Page-cache hash table entries: 16384 (order: 4, 65536 bytes)
CPU: Before vendor init, caps: 000001bf 00000000 00000000, vendor = 0
Intel Pentium with F0 0F bug - workaround enabled.
CPU: After vendor init, caps: 000001bf 00000000 00000000 00000000
CPU: After generic, caps: 000001bf 00000000 00000000 00000000
CPU: Common caps: 000001bf 00000000 00000000 00000000
CPU: Intel Pentium 75 - 200 stepping 0c
Checking 'hlt' instruction... OK.
Checking for popad bug... OK.
POSIX conformance testing by UNIFIX
PCI: PCI BIOS revision 2.10 entry at 0xfc7b1, last bus=0
PCI: Using configuration type 1
PCI: Probing PCI hardware
Limiting direct PCI/PCI transfers.
Linux NET4.0 for Linux 2.4
Based upon Swansea University Computer Society NET3.039
Initializing RT netlink socket
Starting kswapd
VFS: Diskquotas version dquot_6.4.0 initialized
devfs: v1.10 (20020120) Richard Gooch (rgooch@atnf.csiro.au)
devfs: boot_options: 0x0
pty: 256 Unix98 ptys configured
Serial driver version 5.05c (2001-07-08) with HUB-6 MANY_PORTS MULTIPORT SHARE_IRQ SERIAL_PCI enabled
ttyS00 at 0x03f8 (irq = 4) is a 16550A
ttyS01 at 0x02f8 (irq = 3) is a 16550A
block: 128 slots per queue, batch=32
RAMDISK driver initialized: 16 RAM disks of 4096K size 1024 blocksize
Cronyx Ltd, Synchronous PPP and CISCO HDLC (c) 1994
Linux port (c) 1998 Building Number Three Ltd & Jan "Yenya" Kasprzak.
NET4: Linux TCP/IP 1.0 for NET4.0
IP Protocols: ICMP, UDP, TCP, IGMP
IP: routing cache hash table of 512 buckets, 4Kbytes
TCP: Hash tables configured (established 4096 bind 4096)
Linux IP multicast router 0.06 plus PIM-SM
RAMDISK: cramfs filesystem found at block 0
RAMDISK: Loading 2660 blocks [1 disk] into ram disk... |done.
Freeing initrd memory: 2660k freed
VFS: Mounted root (cramfs filesystem).
Journalled Block Device driver loaded
Uniform Multi-Platform E-IDE driver Revision: 6.31
ide: Assuming 33MHz system bus speed for PIO modes; override with idebus=xx
PIIX: IDE controller on PCI bus 00 dev 38
PIIX: chipset revision 2
PIIX: not 100% native mode: will probe irqs later
PIIX: neither IDE port enabled (BIOS)
hda: WDC AC25100L, ATA DISK drive
hdc: WEARNES CDD-820, ATAPI CD/DVD-ROM drive
ide0 at 0x1f0-0x1f7,0x3f6 on irq 14
ide1 at 0x170-0x177,0x376 on irq 15
hda: 10085040 sectors (5164 MB) w/256KiB Cache, CHS=10672/15/63
Partition check:
/dev/ide/host0/bus0/target0/lun0: [PTBL] [627/255/63] p1 p2
VFS: Mounted root (ext2 filesystem) readonly.
change_root: old root has d_count=2
Freeing unused kernel memory: 192k freed
NET4: Unix domain sockets 1.0/SMP for Linux NET4.0.
Adding Swap: 136544k swap-space (priority -1)
Real Time Clock Driver v1.10e
3c59x: Donald Becker and others. www.scyld.com/network/vortex.html
00:0e.0: 3Com PCI 3c595 Vortex 100baseTx at 0xff80. Vers LK1.1.16
00:0e.0: Overriding PCI latency timer (CFLT) setting of 64, new value is 248.
CSLIP: code copyright 1989 Regents of the University of California
PPP generic driver version 2.4.1
PPP BSD Compression module registered
PPP Deflate Compression module registered
ip_tables: (C) 2000-2002 Netfilter core team
ip_conntrack (512 buckets, 4096 max)
PPP: VJ decompression error
PPP: VJ decompression error
isapnp: Scanning for PnP cards...
isapnp: No Plug & Play device found
eth1: 3c5x9 at 0x200, 10baseT port, address 00 20 af 6a a8 9f, IRQ 3.
3c509.c:1.18a 17Nov2001becker@scyld.com
http://www.scyld.com/network/3c509.html
eth1: Setting Rx mode to 1 addresses.
IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:e0:18:7d:76:87:08:00 SRC=192.168.168.137 DST=192.168.168.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=48181 PROTO=UDP SPT=137 DPT=137 LEN=58
IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:e0:18:7d:76:87:08:00 SRC=192.168.168.137 DST=192.168.168.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=48184 PROTO=UDP SPT=137 DPT=137 LEN=58
IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:d0:b7:b1:8c:c6:08:00 SRC=192.168.168.4 DST=192.168.168.255 LEN=242 TOS=0x00 PREC=0x00 TTL=128 ID=63059 PROTO=UDP SPT=138 DPT=138 LEN=222
IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:d0:b7:b1:8c:c6:08:00 SRC=192.168.168.4 DST=255.255.255.255 LEN=276 TOS=0x00 PREC=0x00 TTL=128 ID=63102 PROTO=UDP SPT=68 DPT=67 LEN=256
IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:06:5b:4a:0d:a3:08:00 SRC=192.168.168.225 DST=192.168.168.255 LEN=202 TOS=0x00 PREC=0x00 TTL=128 ID=54170 PROTO=UDP SPT=138 DPT=138 LEN=182
IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:06:5b:4a:0d:a3:08:00 SRC=192.168.168.225 DST=192.168.168.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=54171 PROTO=UDP SPT=137 DPT=137 LEN=58
IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:06:5b:4a:0d:a3:08:00 SRC=192.168.168.225 DST=192.168.168.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=54172 PROTO=UDP SPT=137 DPT=137 LEN=58
IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:06:5b:4a:0d:a3:08:00 SRC=192.168.168.225 DST=192.168.168.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=54173 PROTO=UDP SPT=137 DPT=137 LEN=58
IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:06:5b:4a:0d:a3:08:00 SRC=192.168.168.225 DST=192.168.168.255 LEN=202 TOS=0x00 PREC=0x00 TTL=128 ID=54174 PROTO=UDP SPT=138 DPT=138 LEN=182
IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:06:5b:4a:0d:a3:08:00 SRC=192.168.168.225 DST=192.168.168.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=54175 PROTO=UDP SPT=137 DPT=137 LEN=58
IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:06:5b:4a:0d:a3:08:00 SRC=192.168.168.225 DST=192.168.168.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=54176 PROTO=UDP SPT=137 DPT=137 LEN=58
IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:06:5b:4a:0d:a3:08:00 SRC=192.168.168.225 DST=192.168.168.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=54177 PROTO=UDP SPT=137 DPT=137 LEN=58
IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:04:5a:77:3f:6f:08:00 SRC=192.168.168.89 DST=192.168.168.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=673 PROTO=UDP SPT=137 DPT=137 LEN=58
IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:06:5b:4a:0d:a3:08:00 SRC=192.168.168.225 DST=192.168.168.255 LEN=202 TOS=0x00 PREC=0x00 TTL=128 ID=54178 PROTO=UDP SPT=138 DPT=138 LEN=182
IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:06:5b:4a:0d:a3:08:00 SRC=192.168.168.225 DST=192.168.168.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=54179 PROTO=UDP SPT=137 DPT=137 LEN=58
IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:06:5b:4a:0d:a3:08:00 SRC=192.168.168.225 DST=192.168.168.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=54180 PROTO=UDP SPT=137 DPT=137 LEN=58
IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:06:5b:4a:0d:a3:08:00 SRC=192.168.168.225 DST=192.168.168.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=54181 PROTO=UDP SPT=137 DPT=137 LEN=58
IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:06:5b:4a:0d:a3:08:00 SRC=192.168.168.225 DST=192.168.168.255 LEN=211 TOS=0x00 PREC=0x00 TTL=128 ID=54182 PROTO=UDP SPT=138 DPT=138 LEN=191
IN=eth0 OUT=eth1 SRC=10.0.0.2 DST=208.245.212.108 LEN=53 TOS=0x00 PREC=0x00 TTL=63 ID=8809 DF PROTO=TCP SPT=2974 DPT=5222 WINDOW=31856 RES=0x00 ACK PSH URGP=0
IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:02:e3:06:d2:76:08:00 SRC=192.168.168.108 DST=192.168.168.255 LEN=207 TOS=0x00 PREC=0x00 TTL=128 ID=16171 PROTO=UDP SPT=138 DPT=138 LEN=187
IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:20:78:12:2d:3c:08:00 SRC=192.168.168.75 DST=192.168.168.255 LEN=239 TOS=0x00 PREC=0x00 TTL=128 ID=34290 PROTO=UDP SPT=138 DPT=138 LEN=219
IN= OUT=eth1 SRC=192.168.168.120 DST=192.168.168.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=47145 SEQ=0
IN= OUT=eth1 SRC=192.168.168.120 DST=192.168.168.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=47145 SEQ=256
IN=eth0 OUT=eth1 SRC=10.0.0.10 DST=207.182.160.16 LEN=44 TOS=0x00 PREC=0x00 TTL=31 ID=311 PROTO=UDP SPT=1028 DPT=38293 LEN=24
IN=eth0 OUT=eth1 SRC=10.0.0.10 DST=207.182.160.16 LEN=44 TOS=0x00 PREC=0x00 TTL=31 ID=312 PROTO=UDP SPT=1028 DPT=38293 LEN=24
IN=eth0 OUT=eth1 SRC=10.0.0.10 DST=207.182.160.16 LEN=44 TOS=0x00 PREC=0x00 TTL=31 ID=313 PROTO=UDP SPT=1028 DPT=38293 LEN=24
IN=eth0 OUT=eth1 SRC=10.0.0.10 DST=207.182.160.16 LEN=44 TOS=0x00 PREC=0x00 TTL=31 ID=314 PROTO=UDP SPT=1028 DPT=38293 LEN=24
IN=eth0 OUT=eth1 SRC=10.0.0.10 DST=207.182.160.16 LEN=44 TOS=0x00 PREC=0x00 TTL=31 ID=315 PROTO=UDP SPT=1028 DPT=38293 LEN=24
IN= OUT=eth1 SRC=192.168.168.120 DST=192.168.168.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=47401 SEQ=0
IN= OUT=eth1 SRC=192.168.168.120 DST=192.168.168.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=47401 SEQ=256
IN=eth0 OUT=eth1 SRC=10.0.0.2 DST=208.245.212.108 LEN=53 TOS=0x00 PREC=0x00 TTL=63 ID=8812 DF PROTO=TCP SPT=2974 DPT=5222 WINDOW=31856 RES=0x00 ACK PSH URGP=0
IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:06:5b:4a:0d:a3:08:00 SRC=192.168.168.225 DST=192.168.168.255 LEN=229 TOS=0x00 PREC=0x00 TTL=128 ID=54183 PROTO=UDP SPT=138 DPT=138 LEN=209
IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:d0:b7:1e:11:df:08:00 SRC=65.169.221.1 DST=255.255.255.255 LEN=36 TOS=0x00 PREC=0x00 TTL=64 ID=6054 PROTO=ICMP TYPE=9 CODE=0
IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:03:47:e7:cc:e9:08:00 SRC=192.168.168.86 DST=192.168.168.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=19114 PROTO=UDP SPT=137 DPT=137 LEN=58
--
--------------------------------------------------------------------------
Michael Bauer bauer@michaelbauer.com http://www.michaelbauer.com
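As an added diagnostic example (not code from the post or from Bastille), a small Python parser for the netfilter LOG lines in the dmesg output above: it infers from the IN/OUT fields which chain matched each packet, so the "IN= OUT=eth1 ... PROTO=ICMP TYPE=8" entries stand out as the host's own pings being caught in the OUTPUT chain, which is what produces sendto EPERM when the logging rule is followed by a drop. The sample log text is constructed in the post's format.

```python
import re
from collections import Counter

# Constructed sample in the netfilter LOG format of the post's dmesg output
# (one entry per line; the post's own addresses and ports are reused).
SAMPLE_LOG = """\
IN=eth1 OUT= MAC=ff:ff:ff:ff:ff:ff:00:e0:18:7d:76:87:08:00 SRC=192.168.168.137 DST=192.168.168.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=48181 PROTO=UDP SPT=137 DPT=137 LEN=58
IN=eth0 OUT=eth1 SRC=10.0.0.2 DST=208.245.212.108 LEN=53 TOS=0x00 PREC=0x00 TTL=63 ID=8809 DF PROTO=TCP SPT=2974 DPT=5222 WINDOW=31856 RES=0x00 ACK PSH URGP=0
IN= OUT=eth1 SRC=192.168.168.120 DST=192.168.168.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=47145 SEQ=0
IN= OUT=eth1 SRC=192.168.168.120 DST=192.168.168.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=47145 SEQ=256
"""

FIELD = re.compile(r"(\w+)=(\S*)")

def parse_entry(line):
    """One LOG line -> dict. ID and LEN occur twice (IP header, then
    ICMP/UDP header); the first, IP-level, occurrence is kept."""
    fields = {}
    for key, value in FIELD.findall(line):
        fields.setdefault(key, value)
    return fields

def chain_of(entry):
    """Infer the netfilter chain from the IN/OUT interface fields."""
    if entry.get("IN") and entry.get("OUT"):
        return "FORWARD"          # routed between eth0 and eth1
    if entry.get("OUT"):
        return "OUTPUT"           # generated by this host, e.g. its own ping
    return "INPUT"                # addressed to this host (or broadcast)

def entries(log_text):
    return [parse_entry(l) for l in log_text.splitlines() if l.startswith("IN=")]

def summarize(log_text):
    """Count entries per (chain, protocol, interface)."""
    counts = Counter()
    for e in entries(log_text):
        counts[(chain_of(e), e.get("PROTO"), e.get("OUT") or e.get("IN"))] += 1
    return counts

def local_echo_requests(log_text):
    """Echo requests this host sent that hit a LOG rule in OUTPUT. When the
    rule after LOG is DROP or REJECT, sendto() fails with EPERM, which
    ping reports as 'operation not permitted'."""
    return [(e["SRC"], e["DST"], e["SEQ"]) for e in entries(log_text)
            if chain_of(e) == "OUTPUT" and e.get("PROTO") == "ICMP"
            and e.get("TYPE") == "8"]
```

Run it over the real dmesg text (for example `summarize(open("/var/log/dmesg").read())`) to separate the NetBIOS broadcast noise arriving on eth1 from the OUTPUT-chain hits that explain the ping failure.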