Unable to ping certain IPs

Issues related to configuring your network
scronline
Posts: 28
Joined: 2005/12/31 21:09:24
Location: Bay Area, CA
Contact:

Unable to ping certain IPs

Post by scronline » 2011/01/31 19:29:08

Ok, this is seriously strange. I have 5 CentOS servers setup and a Windows box. On the windows box I ping perfectly. On the Linux boxes, not a single one of them can route to a small segment of IP space.

[root@ns1 ~]# ping 62.149.24.81
PING 62.149.24.81 (62.149.24.81) 56(84) bytes of data.

--- 62.149.24.81 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1009ms

They are all CentOS 4 except for a recently upgraded box that was upgraded to 5.5 to test a network wide upgrade.

There have been times in the past that I used the route command to deny traffic to certain IP ranges that were maliciously attacking a system but I never set anything up to save those settings through a reboot. This one really has me baffled. Any ideas where I can start looking?

pschaff
Retired Moderator
Posts: 18276
Joined: 2006/12/13 20:15:34
Location: Tidewater, Virginia, North America
Contact:

Re: Unable to ping certain IPs

Post by pschaff » 2011/01/31 20:15:48

I don't know how to use route to disable IP subnets. Do you mean iptables? Is the behavior the same if you temporarily disable the firewall with "service iptables stop"?

You may want to read [url=http://www.centos.org/modules/newbb/viewtopic.php?topic_id=25128&forum=47]How to provide information about your system[/url] and provide the output from running [b]./getinfo.sh network[/b] .

scronline
Posts: 28
Joined: 2005/12/31 21:09:24
Location: Bay Area, CA
Contact:

Re: Unable to ping certain IPs

Post by scronline » 2011/01/31 20:34:30

It's just a dirty way to stop a DoS or any other unwanted traffic such as the 10k logon attempts made a day. I've since resolved those issues another way so I don't use it but I suspected there might be pieces of it lying around that I didn't know where the data files were retained. I didn't see /etc/sysconfig/iptables or anything in any of the routes files so I'm really rather lost.

route add -host xxx.xxx.xxx.xxx deny

That's the syntax I used for it. I should have dropped anything from that after any reboots but since it does deny traffic and I didn't keep records of all of the stuff I blocked, I thought I should bring it up... just in case.

Anyway, here's the output you requested. Handy script and good way to handle support questions. :-)

[code]
== BEGIN uname -rmi ==
2.6.9-89.35.1.EL i686 i386
== END uname -rmi ==

== BEGIN rpm -qa \*-release\* ==
centos-release-4-8
== END rpm -qa \*-release\* ==

== BEGIN cat /etc/redhat-release ==
CentOS release 4.8 (Final)
== END cat /etc/redhat-release ==

== BEGIN getenforce ==
Disabled
== END getenforce ==

== BEGIN lspci ==
00:00.0 Host bridge: nVidia Corporation nForce2 IGP2 (rev c1)
00:00.1 RAM memory: nVidia Corporation nForce2 Memory Controller 1 (rev c1)
00:00.2 RAM memory: nVidia Corporation nForce2 Memory Controller 4 (rev c1)
00:00.3 RAM memory: nVidia Corporation nForce2 Memory Controller 3 (rev c1)
00:00.4 RAM memory: nVidia Corporation nForce2 Memory Controller 2 (rev c1)
00:00.5 RAM memory: nVidia Corporation nForce2 Memory Controller 5 (rev c1)
00:01.0 ISA bridge: nVidia Corporation nForce2 ISA Bridge (rev a4)
00:01.1 SMBus: nVidia Corporation nForce2 SMBus (MCP) (rev a2)
00:02.0 USB Controller: nVidia Corporation nForce2 USB Controller (rev a4)
00:02.1 USB Controller: nVidia Corporation nForce2 USB Controller (rev a4)
00:02.2 USB Controller: nVidia Corporation nForce2 USB Controller (rev a4)
00:04.0 Ethernet controller: nVidia Corporation nForce2 Ethernet Controller (rev a1)
00:08.0 PCI bridge: nVidia Corporation nForce2 External PCI Bridge (rev a3)
00:09.0 IDE interface: nVidia Corporation nForce2 IDE (rev a2)
00:1e.0 PCI bridge: nVidia Corporation nForce2 AGP (rev c1)
02:00.0 VGA compatible controller: nVidia Corporation NV11 [GeForce2 MX/MX 400] (rev b2)
== END lspci ==

== BEGIN lspci -n ==
00:00.0 Class 0600: 10de:01e0 (rev c1)
00:00.1 Class 0500: 10de:01eb (rev c1)
00:00.2 Class 0500: 10de:01ee (rev c1)
00:00.3 Class 0500: 10de:01ed (rev c1)
00:00.4 Class 0500: 10de:01ec (rev c1)
00:00.5 Class 0500: 10de:01ef (rev c1)
00:01.0 Class 0601: 10de:0060 (rev a4)
00:01.1 Class 0c05: 10de:0064 (rev a2)
00:02.0 Class 0c03: 10de:0067 (rev a4)
00:02.1 Class 0c03: 10de:0067 (rev a4)
00:02.2 Class 0c03: 10de:0068 (rev a4)
00:04.0 Class 0200: 10de:0066 (rev a1)
00:08.0 Class 0604: 10de:006c (rev a3)
00:09.0 Class 0101: 10de:0065 (rev a2)
00:1e.0 Class 0604: 10de:01e8 (rev c1)
02:00.0 Class 0300: 10de:0110 (rev b2)
== END lspci -n ==

== BEGIN ifconfig -a ==
eth0 Link encap:Ethernet HWaddr 00:0C:6E:2E:D4:BA
inet addr:38.108.185.6 Bcast:38.108.185.127 Mask:255.255.255.128
inet6 addr: fe80::20c:6eff:fe2e:d4ba/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1734465 errors:0 dropped:0 overruns:0 frame:0
TX packets:1723689 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:203867057 (194.4 MiB) TX bytes:307460176 (293.2 MiB)
Interrupt:185 Base address:0x6000

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:2356 errors:0 dropped:0 overruns:0 frame:0
TX packets:2356 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:305597 (298.4 KiB) TX bytes:305597 (298.4 KiB)

sit0 Link encap:IPv6-in-IPv4
NOARP MTU:1480 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)

== END ifconfig -a ==

== BEGIN route -n ==
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
38.108.185.0 0.0.0.0 255.255.255.128 U 0 0 0 eth0
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0
0.0.0.0 38.108.185.1 0.0.0.0 UG 0 0 0 eth0
== END route -n ==

== BEGIN cat /etc/resolv.conf ==
nameserver 38.108.185.6
nameserver 38.108.185.8
== END cat /etc/resolv.conf ==

== BEGIN grep net /etc/nsswitch.conf ==
#networks: ldap [NOTFOUND=return] files
netmasks: files
networks: files
netgroup: files
== END grep net /etc/nsswitch.conf ==

== BEGIN chkconfig --list | grep -Ei 'network|wpa' ==
network 0:off 1:off 2:on 3:on 4:on 5:on 6:off
NetworkManager 0:off 1:off 2:off 3:off 4:off 5:off 6:off
== END chkconfig --list | grep -Ei 'network|wpa' ==

[/code]

pschaff
Retired Moderator
Posts: 18276
Joined: 2006/12/13 20:15:34
Location: Tidewater, Virginia, North America
Contact:

Re: Unable to ping certain IPs

Post by pschaff » 2011/01/31 20:47:16

Thanks for the explanation. I can't spot anything in the script output. Did you try disabling iptables?

scronline
Posts: 28
Joined: 2005/12/31 21:09:24
Location: Bay Area, CA
Contact:

Re: Unable to ping certain IPs

Post by scronline » 2011/01/31 20:50:31

Yes, I disabled iptables with the same result.

[code]
[root@ns1 ~]# service iptables stop
[root@ns1 ~]# ping 62.149.24.81
PING 62.149.24.81 (62.149.24.81) 56(84) bytes of data.

--- 62.149.24.81 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2010ms
[/code]

pschaff
Retired Moderator
Posts: 18276
Joined: 2006/12/13 20:15:34
Location: Tidewater, Virginia, North America
Contact:

Re: Unable to ping certain IPs

Post by pschaff » 2011/01/31 22:02:56

Is there an upstream router common to the CentOS machines, but not the Windows box, that could be blocking?

scronline
Posts: 28
Joined: 2005/12/31 21:09:24
Location: Bay Area, CA
Contact:

Re: Unable to ping certain IPs

Post by scronline » 2011/01/31 22:23:20

They are all connected to the same switch and they all go through the same router for internet access.

I can do an mtr to that IP and it will get all the way to the IP just before the actual host. Of course on the windows machine a tracert gets it all the way to the actual host IP.

pschaff
Retired Moderator
Posts: 18276
Joined: 2006/12/13 20:15:34
Location: Tidewater, Virginia, North America
Contact:

Re: Unable to ping certain IPs

Post by pschaff » 2011/01/31 22:39:00

Out of suggestions. Hopefully someone else will have an idea, or at least a relevant question.

foxb
Posts: 1921
Joined: 2006/04/20 19:03:33
Location: Montreal/QC

Re: Unable to ping certain IPs

Post by foxb » 2011/02/02 15:34:21

It is really strange, but somewhere there is a firewall that blocks ICMP

Just try:
[code]
iptables -L
ping centos.org
traceroute centos.org
[/code]

scronline
Posts: 28
Joined: 2005/12/31 21:09:24
Location: Bay Area, CA
Contact:

Re: Unable to ping certain IPs

Post by scronline » 2011/02/02 15:52:33

Yeah, that's what I'm thinking. I'm just at a loss as to where it might be. The only firewalls would be on the boxes themselves as there is no other firewall between the boxes and the web.

[code]
[root@ns1 ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
[root@ns1 ~]# ping centos.org
PING centos.org (72.232.194.162) 56(84) bytes of data.
64 bytes from 162.194.232.72.static.reverse.ltdomains.com (72.232.194.162): icmp_seq=0 ttl=51 time=50.0 ms
64 bytes from 162.194.232.72.static.reverse.ltdomains.com (72.232.194.162): icmp_seq=1 ttl=51 time=58.7 ms

--- centos.org ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1000ms
rtt min/avg/max/mdev = 50.048/54.417/58.787/4.375 ms, pipe 2
[root@ns1 ~]# traceroute centos.org
traceroute to centos.org (72.232.194.162), 30 hops max, 38 byte packets
1 main (38.108.185.1) 0.576 ms 0.477 ms 0.427 ms
2 fa0-10.na01.b001848-1.sjc05.atlas.cogentco.com (38.104.134.145) 1.091 ms 1.305 ms 1.069 ms
3 gi3-48.3510.mpd01.sjc05.atlas.cogentco.com (66.250.12.5) 1.719 ms 1.115 ms 1.123 ms
4 te8-4.mpd01.sjc01.atlas.cogentco.com (154.54.6.73) 1.300 ms 1.072 ms 1.121 ms
5 te4-4.mpd01.sjc03.atlas.cogentco.com (154.54.6.238) 1.584 ms 1.565 ms 20.280 ms
6 te-3-3.car3.SanJose1.Level3.net (4.68.110.137) 1.622 ms 1.634 ms 1.612 ms
7 vlan99.csw4.SanJose1.Level3.net (4.68.18.254) 2.281 ms 12.283 ms 2.245 ms
8 ae-94-94.ebr4.SanJose1.Level3.net (4.69.134.253) 8.175 ms 2.662 ms 2.755 ms
9 ae-5-5.ebr2.SanJose5.Level3.net (4.69.148.141) 3.264 ms 3.584 ms 3.249 ms
10 ae-6-6.ebr2.LosAngeles1.Level3.net (4.69.148.201) 12.600 ms 14.057 ms 13.087 ms
11 ae-3-3.ebr3.Dallas1.Level3.net (4.69.132.78) 48.260 ms 47.832 ms 53.772 ms
12 ae-32-80.car2.Dallas1.Level3.net (4.69.145.132) 48.460 ms 48.221 ms 48.412 ms
13 DATABANK-HO.car2.Dallas1.Level3.net (4.71.170.2) 59.469 ms 49.080 ms 54.162 ms
14 10.0.0.14 (10.0.0.14) 48.937 ms 48.709 ms 54.689 ms
15 10.200.222.6 (10.200.222.6) 50.577 ms 48.609 ms 49.843 ms
16 162.194.232.72.static.reverse.ltdomains.com (72.232.194.162) 48.638 ms !<10> 48.935 ms !<10> 49.874 ms !<10>
[/code]

Post Reply