brett_s_r
06-03-2004, 05:19 AM
This post is for those who don't like the way the little ping light on the VPS Control Panel doesn't work after you install a firewall. You may appreciate the explanatory footnote next to the ping light, but better still, you may want to know how to make it work again, whilst still keeping your firewall.
Before you read on, I assume that, having installed a firewall on your VPS, you are qualified to drive it. Use these instructions at your own risk, i.e. I won't be responsible if you run the wrong commands and open a gaping hole in your firewall.
Depending on how you configured iptables (e.g. manually or using Shorewall or some utility), one of two things will stop the ping status working. I use Shorewall http://www.shorewall.net.
1) Your firewall is blocking ICMP echo-requests outright. You can test this by simply pinging your server remotely. If ping is not responding, you need to add a rule to allow it. If configuring manually, something like:
iptables -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
will allow pings to the firewall. You would need a return path too.
2) More subtle and Rimu/VPS specific. Many firewall scripting tools such as Shorewall include a (sensible) RFC1918 rule (blocking spoofed private/non-routable addresses, such as 10.0.0.1). If you check your firewall log, you will see the monitoring pings being blocked, because they actually originate from an internal server (the VPS host?) with a private address.
You need a rule to exempt this machine's pings from the RFC1918 block. If you are using Shorewall, adding the following to /etc/shorewall/start will do the trick:
run_iptables --insert rfc1918 --source 192.168.???.??? --match mac --mac-source ??:??:??:??:??:?? --protocol icmp --icmp-type echo-request --jump ACCEPT
... replacing the IP and MAC address ??'s with the machine that you notice is being blocked in the logs. This is a minimal rule, as it is bound to both the IP address and MAC address of the monitoring host. This command can be converted to a generic iptables command by stripping the run_ and replacing rfc1918 with a valid chain name, such as INPUT.
And my ping light is green again 8) .
Brett Randall
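As an added example that is not part of Brett's post: the step that bites most people in fix 2) is reading the right MAC out of the log line, because the netfilter `MAC=` field is destination MAC, then source MAC, then EtherType (14 octets in one colon-separated string), so the source MAC you want for `--mac-source` is octets 7 to 12. The script below is my own, not the post author's or Shorewall's; it takes a constructed log line in the format the Shorewall rfc1918 chain writes (addresses and MACs invented for illustration), pulls out SRC and the source MAC, and prints the iptables commands the post describes: the IP+MAC-bound echo-request accept and the echo-reply return path. It prints rather than applies, so it needs no root; pipe the output to `sh` as root once you have checked it, and pass `INPUT` instead of `rfc1918` on a hand-built firewall.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): turn a blocked-ping log line
# into the iptables rules the post describes. Nothing here touches the
# kernel; the rules are printed for review (pipe to sh as root to apply).
set -eu

# Constructed sample: a netfilter log line as Shorewall's rfc1918 chain
# writes it when the monitoring host's echo-request is dropped.
# IP addresses and MACs are made up for illustration.
SAMPLE_LOG='Jun  3 05:19:00 vps kernel: Shorewall:rfc1918:DROP:IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:50:56:dd:ee:ff:08:00 SRC=192.168.1.1 DST=203.0.113.10 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=1234 SEQ=1'

# Pull one KEY=value field out of a log line.  $1 = log line, $2 = key.
log_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# The netfilter MAC= field is destination MAC (octets 1-6), source MAC
# (octets 7-12), then the EtherType (13-14).  We want the source MAC.
src_mac_from_log() {
    local mac
    mac=$(log_field "$1" MAC)
    printf '%s\n' "$mac" | cut -d: -f7-12
}

src_ip_from_log() {
    log_field "$1" SRC
}

# Emit the rules.  $1 = monitor IP, $2 = monitor MAC,
# $3 = chain the pings are being dropped in (rfc1918 under Shorewall,
#      INPUT on a hand-built firewall; default INPUT).
gen_rules() {
    local ip=$1 mac=$2 chain=${3:-INPUT}
    # Inbound echo-request, bound to BOTH the IP and the MAC seen in the
    # log, inserted at the top of the chain so it wins over the RFC1918 drop.
    printf 'iptables -I %s -s %s -m mac --mac-source %s -p icmp --icmp-type echo-request -j ACCEPT\n' \
        "$chain" "$ip" "$mac"
    # Return path: the echo-reply must also be let out, otherwise an OUTPUT
    # policy that is not ACCEPT still leaves the ping light red.
    printf 'iptables -I OUTPUT -d %s -p icmp --icmp-type echo-reply -j ACCEPT\n' "$ip"
}

# Convenience wrapper: log line in, rules out.  $1 = log line, $2 = chain.
rules_for_log() {
    gen_rules "$(src_ip_from_log "$1")" "$(src_mac_from_log "$1")" "${2:-INPUT}"
}

rules_for_log "$SAMPLE_LOG" rfc1918
```

Binding to the MAC as well as the IP is what keeps the exemption narrow: anyone else spoofing the private source address from outside still hits the RFC1918 drop. Keep in mind the MAC in the log is whichever device last forwarded the frame to your VPS interface, which on a VPS is normally the host side of the virtual link; that is fine here, since it is exactly the neighbour the monitoring pings arrive from.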