Unable to ping certain IPs

Issues related to configuring your network
scronline
Posts: 28
Joined: 2005/12/31 21:09:24
Location: Bay Area, CA
Contact:

Unable to ping certain IPs

Postby scronline » 2011/01/31 19:29:08

Ok, this is seriously strange. I have 5 CentOS servers setup and a Windows box. On the windows box I ping perfectly. On the Linux boxes, not a single one of them can route to a small segment of IP space.

[root@ns1 ~]# ping 62.149.24.81
PING 62.149.24.81 (62.149.24.81) 56(84) bytes of data.

--- 62.149.24.81 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1009ms

They are all CentOS 4 except for a recently upgraded box that was upgraded to 5.5 to test a network wide upgrade.

There have been times in the past that I used the route command to deny traffic to certain IP ranges that were maliciously attacking a system but I never set anything up to save those settings through a reboot. This one really has me baffled. Any ideas where I can start looking?

pschaff
Retired Moderator
Posts: 18276
Joined: 2006/12/13 20:15:34
Location: Tidewater, Virginia, North America
Contact:

Re: Unable to ping certain IPs

Postby pschaff » 2011/01/31 20:15:48

I don't know how to use route to disable IP subnets. Do you mean iptables? Is the behavior the same if you temporarily disable the firewall with "service iptables stop"?

You may want to read How to provide information about your system and provide the output from running ./getinfo.sh network .

scronline
Posts: 28
Joined: 2005/12/31 21:09:24
Location: Bay Area, CA
Contact:

Re: Unable to ping certain IPs

Postby scronline » 2011/01/31 20:34:30

It's just a dirty way to stop a DoS or any other unwanted traffic such as the 10k logon attempts made a day. I've since resolved those issues another way so I don't use it but I suspected there might be pieces of it lying around that I didn't know where the data files were retained. I didn't see /etc/sysconfig/iptables or anything in any of the routes files so I'm really rather lost.

route add -host xxx.xxx.xxx.xxx deny

That's the syntax I used for it. I should have dropped anything from that after any reboots but since it does deny traffic and I didn't keep records of all of the stuff I blocked, I thought I should bring it up... just in case.

Anyway, here's the output you requested. Handy script and good way to handle support questions. :-)

Code: Select all

== BEGIN uname -rmi ==
2.6.9-89.35.1.EL i686 i386
== END   uname -rmi ==

== BEGIN rpm -qa \*-release\* ==
centos-release-4-8
== END   rpm -qa \*-release\* ==

== BEGIN cat /etc/redhat-release ==
CentOS release 4.8 (Final)
== END   cat /etc/redhat-release ==

== BEGIN getenforce ==
Disabled
== END   getenforce ==

== BEGIN lspci ==
00:00.0 Host bridge: nVidia Corporation nForce2 IGP2 (rev c1)
00:00.1 RAM memory: nVidia Corporation nForce2 Memory Controller 1 (rev c1)
00:00.2 RAM memory: nVidia Corporation nForce2 Memory Controller 4 (rev c1)
00:00.3 RAM memory: nVidia Corporation nForce2 Memory Controller 3 (rev c1)
00:00.4 RAM memory: nVidia Corporation nForce2 Memory Controller 2 (rev c1)
00:00.5 RAM memory: nVidia Corporation nForce2 Memory Controller 5 (rev c1)
00:01.0 ISA bridge: nVidia Corporation nForce2 ISA Bridge (rev a4)
00:01.1 SMBus: nVidia Corporation nForce2 SMBus (MCP) (rev a2)
00:02.0 USB Controller: nVidia Corporation nForce2 USB Controller (rev a4)
00:02.1 USB Controller: nVidia Corporation nForce2 USB Controller (rev a4)
00:02.2 USB Controller: nVidia Corporation nForce2 USB Controller (rev a4)
00:04.0 Ethernet controller: nVidia Corporation nForce2 Ethernet Controller (rev a1)
00:08.0 PCI bridge: nVidia Corporation nForce2 External PCI Bridge (rev a3)
00:09.0 IDE interface: nVidia Corporation nForce2 IDE (rev a2)
00:1e.0 PCI bridge: nVidia Corporation nForce2 AGP (rev c1)
02:00.0 VGA compatible controller: nVidia Corporation NV11 [GeForce2 MX/MX 400] (rev b2)
== END   lspci ==

== BEGIN lspci -n ==
00:00.0 Class 0600: 10de:01e0 (rev c1)
00:00.1 Class 0500: 10de:01eb (rev c1)
00:00.2 Class 0500: 10de:01ee (rev c1)
00:00.3 Class 0500: 10de:01ed (rev c1)
00:00.4 Class 0500: 10de:01ec (rev c1)
00:00.5 Class 0500: 10de:01ef (rev c1)
00:01.0 Class 0601: 10de:0060 (rev a4)
00:01.1 Class 0c05: 10de:0064 (rev a2)
00:02.0 Class 0c03: 10de:0067 (rev a4)
00:02.1 Class 0c03: 10de:0067 (rev a4)
00:02.2 Class 0c03: 10de:0068 (rev a4)
00:04.0 Class 0200: 10de:0066 (rev a1)
00:08.0 Class 0604: 10de:006c (rev a3)
00:09.0 Class 0101: 10de:0065 (rev a2)
00:1e.0 Class 0604: 10de:01e8 (rev c1)
02:00.0 Class 0300: 10de:0110 (rev b2)
== END   lspci -n ==

== BEGIN ifconfig -a ==
eth0      Link encap:Ethernet  HWaddr 00:0C:6E:2E:D4:BA
          inet addr:38.108.185.6  Bcast:38.108.185.127  Mask:255.255.255.128
          inet6 addr: fe80::20c:6eff:fe2e:d4ba/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1734465 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1723689 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:203867057 (194.4 MiB)  TX bytes:307460176 (293.2 MiB)
          Interrupt:185 Base address:0x6000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:2356 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2356 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:305597 (298.4 KiB)  TX bytes:305597 (298.4 KiB)

sit0      Link encap:IPv6-in-IPv4
          NOARP  MTU:1480  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

== END   ifconfig -a ==

== BEGIN route -n ==
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
38.108.185.0    0.0.0.0         255.255.255.128 U     0      0        0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth0
0.0.0.0         38.108.185.1    0.0.0.0         UG    0      0        0 eth0
== END   route -n ==

== BEGIN cat /etc/resolv.conf ==
nameserver 38.108.185.6
nameserver 38.108.185.8
== END   cat /etc/resolv.conf ==

== BEGIN grep net /etc/nsswitch.conf ==
#networks:  ldap [NOTFOUND=return] files
netmasks:   files
networks:   files
netgroup:   files
== END   grep net /etc/nsswitch.conf ==

== BEGIN chkconfig --list | grep -Ei 'network|wpa' ==
network         0:off   1:off   2:on    3:on    4:on    5:on    6:off
NetworkManager  0:off   1:off   2:off   3:off   4:off   5:off   6:off
== END   chkconfig --list | grep -Ei 'network|wpa' ==


pschaff
Retired Moderator
Posts: 18276
Joined: 2006/12/13 20:15:34
Location: Tidewater, Virginia, North America
Contact:

Re: Unable to ping certain IPs

Postby pschaff » 2011/01/31 20:47:16

Thanks for the explanation. I can't spot anything in the script output. Did you try disabling iptables?

scronline
Posts: 28
Joined: 2005/12/31 21:09:24
Location: Bay Area, CA
Contact:

Re: Unable to ping certain IPs

Postby scronline » 2011/01/31 20:50:31

Yes, I disabled iptables with the same result.

Code: Select all

[root@ns1 ~]# service iptables stop
[root@ns1 ~]# ping 62.149.24.81
PING 62.149.24.81 (62.149.24.81) 56(84) bytes of data.

--- 62.149.24.81 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2010ms

pschaff
Retired Moderator
Posts: 18276
Joined: 2006/12/13 20:15:34
Location: Tidewater, Virginia, North America
Contact:

Re: Unable to ping certain IPs

Postby pschaff » 2011/01/31 22:02:56

Is there an upstream router common to the CentOS machines, but not the Windows box, that could be blocking?

scronline
Posts: 28
Joined: 2005/12/31 21:09:24
Location: Bay Area, CA
Contact:

Re: Unable to ping certain IPs

Postby scronline » 2011/01/31 22:23:20

They are all connected to the same switch and they all go through the same router for internet access.

I can do an mtr to that IP and it will get all the way to the IP just before the actual host. Of course on the windows machine a tracert gets it all the way to the actual host IP.

pschaff
Retired Moderator
Posts: 18276
Joined: 2006/12/13 20:15:34
Location: Tidewater, Virginia, North America
Contact:

Re: Unable to ping certain IPs

Postby pschaff » 2011/01/31 22:39:00

Out of suggestions. Hopefully someone else will have an idea, or at least a relevant question.

foxb
Posts: 1921
Joined: 2006/04/20 19:03:33
Location: Montreal/QC

Re: Unable to ping certain IPs

Postby foxb » 2011/02/02 15:34:21

It is really strange, but somewhere there is a firewall that blocks ICMP

Just try:

Code: Select all

iptables -L
ping centos.org
traceroute centos.org

scronline
Posts: 28
Joined: 2005/12/31 21:09:24
Location: Bay Area, CA
Contact:

Re: Unable to ping certain IPs

Postby scronline » 2011/02/02 15:52:33

Yeah, that's what I'm thinking. I'm just at a loss as to where it might be. The only firewalls would be on the boxes themselves as there is no other firewall between the boxes and the web.

Code: Select all

[root@ns1 ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root@ns1 ~]# ping centos.org
PING centos.org (72.232.194.162) 56(84) bytes of data.
64 bytes from 162.194.232.72.static.reverse.ltdomains.com (72.232.194.162): icmp_seq=0 ttl=51 time=50.0 ms
64 bytes from 162.194.232.72.static.reverse.ltdomains.com (72.232.194.162): icmp_seq=1 ttl=51 time=58.7 ms

--- centos.org ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1000ms
rtt min/avg/max/mdev = 50.048/54.417/58.787/4.375 ms, pipe 2
[root@ns1 ~]# traceroute centos.org
traceroute to centos.org (72.232.194.162), 30 hops max, 38 byte packets
 1  main (38.108.185.1)  0.576 ms  0.477 ms  0.427 ms
 2  fa0-10.na01.b001848-1.sjc05.atlas.cogentco.com (38.104.134.145)  1.091 ms  1.305 ms  1.069 ms
 3  gi3-48.3510.mpd01.sjc05.atlas.cogentco.com (66.250.12.5)  1.719 ms  1.115 ms  1.123 ms
 4  te8-4.mpd01.sjc01.atlas.cogentco.com (154.54.6.73)  1.300 ms  1.072 ms  1.121 ms
 5  te4-4.mpd01.sjc03.atlas.cogentco.com (154.54.6.238)  1.584 ms  1.565 ms  20.280 ms
 6  te-3-3.car3.SanJose1.Level3.net (4.68.110.137)  1.622 ms  1.634 ms  1.612 ms
 7  vlan99.csw4.SanJose1.Level3.net (4.68.18.254)  2.281 ms  12.283 ms  2.245 ms
 8  ae-94-94.ebr4.SanJose1.Level3.net (4.69.134.253)  8.175 ms  2.662 ms  2.755 ms
 9  ae-5-5.ebr2.SanJose5.Level3.net (4.69.148.141)  3.264 ms  3.584 ms  3.249 ms
10  ae-6-6.ebr2.LosAngeles1.Level3.net (4.69.148.201)  12.600 ms  14.057 ms  13.087 ms
11  ae-3-3.ebr3.Dallas1.Level3.net (4.69.132.78)  48.260 ms  47.832 ms  53.772 ms
12  ae-32-80.car2.Dallas1.Level3.net (4.69.145.132)  48.460 ms  48.221 ms  48.412 ms
13  DATABANK-HO.car2.Dallas1.Level3.net (4.71.170.2)  59.469 ms  49.080 ms  54.162 ms
14  10.0.0.14 (10.0.0.14)  48.937 ms  48.709 ms  54.689 ms
15  10.200.222.6 (10.200.222.6)  50.577 ms  48.609 ms  49.843 ms
16  162.194.232.72.static.reverse.ltdomains.com (72.232.194.162)  48.638 ms !<10>  48.935 ms !<10>  49.874 ms !<10>