
I am not a system engineer (I am a software developer) and I have the following problem. I have this Linux CentOS 7 server. A colleague told me that he can't ping this server from a specific machine belonging to the subnetwork 10.10.10.0/24. He asked me to check whether there are some restrictions related to this subnet.

The situation is that this server can be pinged from other machines, but not from inside 10.10.10.0/24.

So what can I do? I was thinking of checking whether some specific rules are activated on the Linux firewall.

So firewalld seems to be active on my CentOS 7 machine:

[centos@prod-zabbix ~]$ sudo -s
[root@prod-zabbix centos]# firewall-cmd --state
running
[root@prod-zabbix centos]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
   Active: active (running) since Fri 2022-03-04 08:22:09 UTC; 1 weeks 5 days ago
     Docs: man:firewalld(1)
 Main PID: 3125 (firewalld)
   CGroup: /system.slice/firewalld.service
           └─3125 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid

Then I tried running the firewall-cmd --list-all command to show some further information (from what I can understand it shows info for a specific zone... but it is not clear to me what "zone" means). Anyway, this is the output:

[root@prod-zabbix centos]# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: dhcpv6-client ssh
  ports: 10050/tcp 10051/tcp 80/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

The only thing I can see that may be related to ping is this line: icmp-block-inversion: no

So basically, how can I check whether the firewall is blocking ping from machines belonging to this specific subnet?
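As an added example (not part of the original question), here is a small Python script that reads the output of `firewall-cmd --list-all-zones` rather than `--list-all`. The latter prints only the default zone: a zone bound to the 10.10.10.0/24 source range, an icmp-block, or a rich rule living in another zone would not appear in the listing above, yet firewalld consults source-bound zones before interface-bound ones, so that is exactly where a subnet-specific block hides. The script name, the sample dump and the zone contents in it are constructed for the example.

```python
#!/usr/bin/env python3
"""Audit firewalld zones for anything that stops ICMP echo from one subnet.

`firewall-cmd --list-all` shows only the default zone.  A zone bound to a
*source* range is matched before the interface-bound zone, so a DROP target,
an icmp-block or a rich rule in it never appears in the `public` listing.
Feed this script `firewall-cmd --list-all-zones` instead (script name assumed):
    sudo firewall-cmd --list-all-zones | python3 fw_icmp_audit.py 10.10.10.0/24
Without stdin it runs on the constructed SAMPLE_DUMP below.
"""
import ipaddress
import re
import sys

ZONE_HDR = re.compile(r"^(\S+)(?: \((active)\))?\s*$")   # e.g. "public (active)"
RICH_SRC = re.compile(r'source address="([^"]+)"')
DENY = re.compile(r'\b(drop|reject)\b|icmp-block name="echo-request"')

# Constructed sample in --list-all-zones format, trimmed to the fields read here.
# firewalld indents rich rules with a tab; spaces are used below for readability.
SAMPLE_DUMP = """\
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  icmp-blocks:
  rich rules:
        rule family="ipv4" source address="10.10.10.5/32" icmp-block name="echo-request"

drop (active)
  target: DROP
  icmp-block-inversion: no
  interfaces:
  sources: 10.10.10.0/24
  icmp-blocks:
  rich rules:

work
  target: default
  icmp-block-inversion: no
  interfaces:
  sources: 192.168.50.0/24
  icmp-blocks: echo-request
  rich rules:
"""

def parse_zones(dump):
    """{zone: {field: value, "active": bool, "rich rules": [rule, ...]}}"""
    zones, cur = {}, None
    for raw in dump.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        hdr = None if line[0].isspace() else ZONE_HDR.match(line)
        if hdr:
            cur = hdr.group(1)
            zones[cur] = {"active": hdr.group(2) == "active", "rich rules": []}
            continue
        if cur is None:
            continue
        body = line.strip()
        if body.startswith("rule "):                 # one rich rule per indented line
            zones[cur]["rich rules"].append(body)
            continue
        key, _, val = body.partition(":")
        if key.strip() != "rich rules":              # that header line carries no value
            zones[cur][key.strip()] = val.strip()
    return zones

def covers(src, subnet):
    """True when a zone source or rich-rule address overlaps the subnet under test."""
    try:
        return ipaddress.ip_network(src, strict=False).overlaps(subnet)
    except ValueError:                               # MAC / ipset: sources are not addresses
        return False

def audit(dump, cidr):
    """Findings as strings; source-bound zones first because firewalld consults them first."""
    subnet = ipaddress.ip_network(cidr, strict=False)
    findings = []
    for name, z in parse_zones(dump).items():
        src_bound = any(covers(s, subnet) for s in z.get("sources", "").split())
        if not (src_bound or z.get("interfaces")):
            continue                                 # this zone never sees the traffic
        where = f"zone {name} ({'source' if src_bound else 'interface'}-bound)"
        hits = []
        if z.get("target", "default").upper() in ("DROP", "REJECT", "%%REJECT%%"):
            hits.append(f"{where}: target {z['target']} discards ICMP with everything else not allowed")
        inverted = z.get("icmp-block-inversion") == "yes"
        if ("echo-request" in z.get("icmp-blocks", "").split()) != inverted:
            hits.append(f"{where}: icmp-blocks='{z.get('icmp-blocks', '')}' "
                        f"icmp-block-inversion={'yes' if inverted else 'no'} blocks echo-request")
        for rule in z["rich rules"]:
            m = RICH_SRC.search(rule)
            if (m is None or covers(m.group(1), subnet)) and DENY.search(rule):
                hits.append(f"{where}: rich rule can drop echo-request: {rule}")
        findings = hits + findings if src_bound else findings + hits
    return findings

if __name__ == "__main__":
    cidr = sys.argv[1] if len(sys.argv) > 1 else "10.10.10.0/24"
    dump = SAMPLE_DUMP if sys.stdin.isatty() else sys.stdin.read()
    for f in audit(dump, cidr) or [f"no zone blocks echo-request from {cidr}; check "
                                   "firewall-cmd --direct --get-all-rules and iptables -vnL"]:
        print(f)
```

On the constructed dump the script reports the `drop` zone first (its `sources:` covers the subnet, so it wins over `public` on eth0) and then the rich rule in `public`, while a subnet that no zone covers produces no findings. An empty result does not fully clear firewalld: direct rules (`firewall-cmd --direct --get-all-rules`) and anything added with plain `iptables` bypass the zone model, so the counter check in the answer below is still worth running.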

  • It could be blocked in your router
    – Moab
    Commented Mar 16, 2022 at 17:45

1 Answer

  iptables -vnL 

will list the firewall rules along with packet and byte counters; you can have a look at which rules are matching and changing as he pings.

A quick way of checking would be to insert a rule at the top of the firewall and see if it allows traffic:

  iptables -I INPUT -s 10.10.10.0/24 -j ACCEPT

should temporarily (i.e. until the machine is rebooted or the firewall is reloaded) allow traffic from that range into your server, assuming there is no NAT involved and the packets are destined for the server, not just routed through it.

You might also want to add an output rule in case your server is receiving the packets but dropping the responses.

  iptables -I OUTPUT -d 10.10.10.0/24 -j ACCEPT

You can also use tcpdump to see if you are receiving packets and sending them, something like

  tcpdump -i any -n net 10.10.10.0/24

The tcpdump command is rough, I'm not at my PC to test. You also need to make sure the package is installed, and the sender is trying to communicate with you while you run it.
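As an added example (not part of the answer above), here is a Python script that does the counter comparison the answer suggests: snapshot `iptables -vnxL` before and after the colleague sends a known number of pings, then report every rule whose packet counter grew and pick out the first terminating target that grew by exactly that number. The snapshots, chain names and counts below are constructed to resemble firewalld's generated chains on CentOS 7 and are simplified; the script name is assumed.

```python
#!/usr/bin/env python3
"""Which iptables rule is eating the pings?  Diff packet counters around a test.

Take `iptables -vnxL` once before and once after the colleague sends a known
number of pings (`ping -c 5 <server>`), diff every rule's packet counter, and
the first terminating target (ACCEPT/DROP/REJECT) whose counter grew by exactly
that number decided their fate.  `-x` prints exact counters; the parser also
accepts the K/M/G suffixes that plain `-v` prints.
Usage (script name assumed):
    sudo iptables -vnxL > before.txt; <colleague pings>; sudo iptables -vnxL > after.txt
    python3 ipt_counter_diff.py before.txt after.txt 5
Without arguments it runs on the constructed snapshots below.
"""
import sys
from collections import namedtuple

Rule = namedtuple("Rule", "chain num target prot in_if src dst extra pkts")
SUFFIX = {"K": 10**3, "M": 10**6, "G": 10**9}
TERMINATING = {"ACCEPT", "DROP", "REJECT"}

# Constructed "before" snapshot of the firewalld-generated chains that matter here
# (simplified: firewalld's real IN_drop chain has a few sub-chains before the DROP).
BEFORE = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
    9032    1211000 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED
      40       3200 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
     310      24840 INPUT_direct  all  --  *      *       0.0.0.0/0            0.0.0.0/0
     310      24840 INPUT_ZONES_SOURCE  all  --  *      *       0.0.0.0/0            0.0.0.0/0
     250      20000 INPUT_ZONES  all  --  *      *       0.0.0.0/0            0.0.0.0/0
       0          0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ctstate INVALID
      12        720 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain INPUT_ZONES_SOURCE (1 references)
    pkts      bytes target     prot opt in     out     source               destination
      60       5040 IN_drop    all  --  *      *       10.10.10.0/24        0.0.0.0/0           [goto]

Chain IN_drop (1 references)
    pkts      bytes target     prot opt in     out     source               destination
      60       5040 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""
# Constructed "after": five 84-byte echo-requests from 10.10.10.0/24 travelled
# INPUT -> INPUT_ZONES_SOURCE -> IN_drop -> DROP, so exactly those counters grew.
AFTER = (BEFORE.replace(" 310 ", " 315 ").replace(" 24840 ", " 25260 ")
               .replace(" 60 ", " 65 ").replace(" 5040 ", " 5460 "))

def to_int(tok):
    """Counter column: exact with -x, otherwise suffixed like '1211K'."""
    return int(tok[:-1]) * SUFFIX[tok[-1]] if tok[-1] in SUFFIX else int(tok)

def parse(text):
    """`iptables -vnL` output -> [Rule], numbered per chain in listing order."""
    rules, chain, num = [], None, 0
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "Chain":
            chain, num = tok[1], 0
            continue
        if tok[0] == "pkts" or chain is None:        # column header / stray text
            continue
        num += 1
        pkts, _bytes, target, prot, _opt, in_if, _out, src, dst = tok[:9]
        rules.append(Rule(chain, num, target, prot, in_if, src, dst, " ".join(tok[9:]), to_int(pkts)))
    return rules

def diff(before, after):
    """[(Rule, delta)] for every rule whose packet counter grew between the snapshots."""
    prev = {(r.chain, r.num): r.pkts for r in parse(before)}
    return [(r, r.pkts - prev.get((r.chain, r.num), 0))
            for r in parse(after) if r.pkts - prev.get((r.chain, r.num), 0) > 0]

def verdict(before, after, sent):
    """First ACCEPT/DROP/REJECT rule whose counter grew by exactly `sent`, else None."""
    return next((r for r, d in diff(before, after) if r.target in TERMINATING and d == sent), None)

if __name__ == "__main__":
    before, after, sent = BEFORE, AFTER, 5
    if len(sys.argv) == 4:
        before, after, sent = open(sys.argv[1]).read(), open(sys.argv[2]).read(), int(sys.argv[3])
    for r, d in diff(before, after):
        print(f"+{d:<4} {r.chain}:{r.num:<3} {r.target:<20} src={r.src:<16} {r.extra}")
    hit = verdict(before, after, sent)
    print("verdict:", f"{hit.chain} rule {hit.num} -> {hit.target}" if hit else
          "no terminating rule took them; compare the policy counters in the Chain headers")
```

On the constructed snapshots the four rules on the path light up and the verdict is the `DROP` in `IN_drop`, reached through the `INPUT_ZONES_SOURCE` rule whose source column is `10.10.10.0/24`; that column tells you which firewalld zone is responsible. If no rule's counter moves but the `policy` counter in a `Chain INPUT (...)` header does, the chain policy handled the packets; if nothing moves at all, the packets never reached the host, which is where the tcpdump check above (or the router mentioned in the comment) comes in.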
