8

I have a CentOS release 5.4 Linux box on Amazon EC2 that I'm trying to set up to be monitored via Nagios. The machine is in the same security group as the Nagios server, but it seems to be unresponsive to pings or NRPE checks, although apparently port 22 is open.

The CentOS box can ping itself using its internal IP address, and it can ping the Nagios server, but the server cannot ping the CentOS box.

I know the CentOS box is using iptables; here are the contents of the /etc/sysconfig/iptables file (some IPs changed for security):

# Generated by iptables-save v1.3.5 on May 16 11:28:45 2012
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [56:6601]
-A INPUT -s 149.15.0.0/255.255.0.0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 72.14.1.153 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 184.119.28.174 -p tcp -m tcp --dport 5666 -j ACCEPT
COMMIT
# Completed on May 16 11:28:45 2012

The part that really gets me is that even after I do /etc/init.d/iptables stop:

Flushing firewall rules:                                   [  OK  ]
Setting chains to policy ACCEPT: filter                    [  OK  ]
Unloading iptables modules:                                [  OK  ]

I am still unable to ping the box or do NRPE checks on it.

What else could be preventing ping or other connections? I'm not sure what else to try.

Here is a list of processes found with sudo ps -A:

aio/0
atd
bash
cqueue/0
crond
dbus-daemon
dhclient
events/0
hald
hald-runner
init
kauditd
kblockd/0
khelper
khubd
kjournald
kmirrord
kmpathd/0
kpsmoused
kseriod
ksoftirqd/0
kswapd0
kthread
master
migration/0
mingetty
nscd
pdflush
pickup
qmgr
sshd
su
syslog-ng
udevd
watchdog/0
xenbus
xenwatch
xinetd
cwd
  • pings aren't done on a specific port, they are done using ICMP packets. To reply to a ping, your firewall must allow it. Maybe something like "-p icmp --icmp-type echo-request -j ACCEPT" – woliveirajr Aug 02 '12 at 18:49
  • 1
    So if the firewall is off (`/etc/init.d/iptables stop`, also ufw is not installed) then it should work. But it doesn't... – cwd Aug 02 '12 at 18:50
  • 1
    Also check to see if SELinux is blocking you somehow. I vaguely remember cases where I had to tweak SELinux even after shutting down the firewall. – Tim Aug 02 '12 at 18:57
  • 7
    sorry, missed the "stop". Doing some research, I found that there's a /proc/sys/net/ipv4/icmp_echo_ignore_all that should be set to 0. So, "cat /proc....", and if it gives you 1, do a "echo 0 > /proc...." – woliveirajr Aug 02 '12 at 19:01
  • @woliveirajr - that is very good to know. It gives me a `0` right now; also remember that it does respond when I `ping localhost`, and it looks like if I set that to `1` it no longer responds even to itself... hmmm. I guess that's not my fix, but thank you for telling me about this! :) – cwd Aug 02 '12 at 19:15
  • stop the firewall with the service command `service iptables stop` and to disable it at boot time use `chkconfig iptables off` – tombolinux Aug 02 '12 at 20:44
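The comment about ICMP points at the one thing the posted chain cannot do: every ACCEPT in it is either `-p tcp` with a port, `-i lo`, or a RELATED,ESTABLISHED state match, and the INPUT policy is DROP, so a fresh echo-request arriving on eth0 matches nothing and is dropped, while `ping localhost` arrives on `lo` and is accepted. The following is an added example, not code from the question or from iptables: a small evaluator for the iptables-save options the posted ruleset uses. ORIGINAL_RULESET is the chain from the question as posted; FIXED_RULESET is a constructed variant with the echo-request rule the comment suggests; NAGIOS_IP is an assumption (the address the existing 5666 rule already trusts), and the packets are constructed.

```python
"""Evaluate what the question's INPUT chain does with a given packet.

Added example, not code from the question or from iptables: a small
evaluator for the iptables-save options the posted ruleset uses (-s, -i,
-p, --dport, --icmp-type, -m state --state, -j). NAGIOS_IP and the
packets below are assumptions; FIXED_RULESET is constructed.
"""
import ipaddress
import shlex

ORIGINAL_RULESET = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [56:6601]
-A INPUT -s 149.15.0.0/255.255.0.0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 72.14.1.153 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 184.119.28.174 -p tcp -m tcp --dport 5666 -j ACCEPT
COMMIT
"""

# Constructed: the same chain with an ACCEPT for ICMP echo-request appended.
FIXED_RULESET = ORIGINAL_RULESET.replace(
    "COMMIT", "-A INPUT -p icmp -m icmp --icmp-type echo-request -j ACCEPT\nCOMMIT"
)

NAGIOS_IP = "184.119.28.174"  # assumption: the Nagios server's address


def parse_ruleset(text):
    """Return ({chain: policy}, [rule dicts]) from iptables-save text."""
    policies, rules = {}, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(":"):                 # ":INPUT DROP [0:0]"
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif line.startswith("-A "):
            toks = shlex.split(line)
            rule, i = {"chain": toks[1]}, 2
            while i < len(toks):                 # every option takes one argument
                opt, arg = toks[i], toks[i + 1]
                if opt == "-s":
                    rule["src"] = ipaddress.ip_network(arg, strict=False)
                elif opt == "-i":
                    rule["iface"] = arg
                elif opt == "-p":
                    rule["proto"] = arg
                elif opt == "--dport":
                    rule["dport"] = int(arg)
                elif opt == "--icmp-type":
                    rule["icmp_type"] = arg
                elif opt == "--state":
                    rule["states"] = set(arg.split(","))
                elif opt == "-j":
                    rule["target"] = arg
                elif opt != "-m":                # -m names a match module; its options follow
                    raise ValueError(f"unsupported option {opt!r} in: {line}")
                i += 2
            rules.append(rule)
    return policies, rules


def rule_matches(rule, pkt):
    """All matches present in the rule must hold; absent ones are wildcards."""
    checks = (
        ("src", lambda v: ipaddress.ip_address(pkt["src"]) in v),
        ("iface", lambda v: pkt.get("iface") == v),
        ("proto", lambda v: pkt["proto"] == v),
        ("dport", lambda v: pkt.get("dport") == v),
        ("icmp_type", lambda v: pkt.get("icmp_type") == v),
        ("states", lambda v: pkt.get("state") in v),
    )
    return all(test(rule[key]) for key, test in checks if key in rule)


def input_verdict(ruleset_text, pkt):
    """First matching INPUT rule decides; with no match the chain policy does."""
    policies, rules = parse_ruleset(ruleset_text)
    for rule in rules:
        if rule["chain"] == "INPUT" and rule_matches(rule, pkt):
            return rule["target"]
    return policies["INPUT"]


# Constructed packets. A ping is a NEW ICMP echo-request; it has no TCP port.
PING_FROM_NAGIOS = {"src": NAGIOS_IP, "iface": "eth0", "proto": "icmp",
                    "icmp_type": "echo-request", "state": "NEW"}
NRPE_FROM_NAGIOS = {"src": NAGIOS_IP, "iface": "eth0", "proto": "tcp",
                    "dport": 5666, "state": "NEW"}
PING_FROM_SELF = {"src": "127.0.0.1", "iface": "lo", "proto": "icmp",
                  "icmp_type": "echo-request", "state": "NEW"}

if __name__ == "__main__":
    for name, rs in (("original", ORIGINAL_RULESET), ("fixed", FIXED_RULESET)):
        for label, pkt in (("ping from Nagios", PING_FROM_NAGIOS),
                           ("NRPE from Nagios", NRPE_FROM_NAGIOS),
                           ("ping from localhost", PING_FROM_SELF)):
            print(f"{name:9}{label:20} -> {input_verdict(rs, pkt)}")
```

Running it shows the split the question describes: with the original chain the ping from Nagios ends at the DROP policy, the NRPE connection on 5666 is accepted by the last rule, and the loopback ping is accepted by `-i lo`; only the added echo-request rule changes the first verdict. Note that this only models the host firewall; once `/etc/init.d/iptables stop` has set every policy to ACCEPT, this chain is no longer what is dropping the ping.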

4 Answers

4

I don't think that it's related to the ping problem, but if you want to turn SELinux off temporarily, you have this option:

setenforce 0

It puts SELinux from enforcing into permissive mode; to check its state, run

sestatus

To disable SELinux permanently you can use system-config-securitylevel, or edit /etc/selinux/config with nano or vi and change the parameter from SELINUX=enforcing to SELINUX=disabled.

For me, there is a rule in Amazon EC2 that prevents ping traffic between your machines...

tombolinux
  • if those files and commands are missing is it possible they have been deleted to prevent changes? I'm coming into this system second-hand. What's the best way to get them back? – cwd Aug 02 '12 at 20:28
  • 1
    check if you have installed the policycoreutils package – tombolinux Aug 02 '12 at 20:53
  • and libselinux-utils (for setenforce)... – tombolinux Aug 02 '12 at 21:02
  • 1
    woo hoo! installing `policycoreutils` which includes `libselinux-utils`, then doing `setenforce 0` and then running `system-config-securitylevel-tui` allows me to save changes correctly. thanks!! – cwd Aug 02 '12 at 21:09
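The last line of this answer is the part that explains the symptom the question cannot account for. EC2 security groups filter inbound traffic before it reaches the instance, so after `service iptables stop` has set every chain policy to ACCEPT and `icmp_echo_ignore_all` reads 0, the group's inbound rules are the next place a ping can be dropped. Two instances being in the same security group grants nothing by itself: a rule must name the group (or the peer's address) as its source, and security groups are allow-only, so a missing rule is a silent drop. The following is an added example, not part of this answer or of any AWS tool: it evaluates a group described in the JSON shape that `aws ec2 describe-security-groups` returns (IpPermissions with IpProtocol, FromPort/ToPort, IpRanges, UserIdGroupPairs). Both groups below are constructed; the group ID and the Nagios server's address are assumptions.

```python
"""Check whether an EC2 security group admits a Nagios server's probes.

Added example, not part of the original answer or of any AWS tool: it
evaluates a group in the JSON shape `aws ec2 describe-security-groups`
returns. Both groups are constructed; SHARED_SG and NAGIOS_IP are assumed.
"""
import ipaddress

NAGIOS_IP = "184.119.28.174"   # assumption: the Nagios server's address
SHARED_SG = "sg-0badc0ffee"    # assumption: the group both instances are in

# Constructed: both hosts are members, but the only inbound rule is SSH from
# anywhere. Being in the same group grants nothing by itself.
SHARED_GROUP = {
    "GroupId": SHARED_SG,
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
    ],
}

# Constructed: the same group plus two rules whose source is the group itself,
# so members may ping each other (ICMP type 8, any code) and reach NRPE.
FIXED_GROUP = {
    "GroupId": SHARED_SG,
    "IpPermissions": SHARED_GROUP["IpPermissions"] + [
        {"IpProtocol": "icmp", "FromPort": 8, "ToPort": -1,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": SHARED_SG}]},
        {"IpProtocol": "tcp", "FromPort": 5666, "ToPort": 5666,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": SHARED_SG}]},
    ],
}


def permission_allows(perm, proto, port, src_ip, src_groups):
    """One IpPermissions entry: protocol, port/type and source must all fit."""
    ip_proto = perm["IpProtocol"]
    if ip_proto not in (proto, "-1"):            # "-1" means every protocol
        return False
    if ip_proto != "-1":
        lo, hi = perm.get("FromPort", -1), perm.get("ToPort", -1)
        if proto == "icmp":
            # For ICMP, FromPort carries the type and ToPort the code; -1 is "any".
            if lo not in (-1, port):
                return False
        elif lo != -1 and not lo <= port <= hi:
            return False
    # The source may be a CIDR containing the sender or a group the sender is in.
    if any(ipaddress.ip_address(src_ip) in ipaddress.ip_network(r["CidrIp"])
           for r in perm.get("IpRanges", [])):
        return True
    return any(g["GroupId"] in src_groups for g in perm.get("UserIdGroupPairs", []))


def group_allows(group, proto, port, src_ip, src_groups=()):
    """Security groups are allow-only: any one matching permission admits the flow."""
    return any(permission_allows(p, proto, port, src_ip, src_groups)
               for p in group["IpPermissions"])


def monitoring_report(group, nagios_ip=NAGIOS_IP, nagios_groups=(SHARED_SG,)):
    """What check_ping, check_nrpe and an SSH login from the Nagios host need."""
    return {
        "icmp echo-request": group_allows(group, "icmp", 8, nagios_ip, nagios_groups),
        "tcp/5666 nrpe": group_allows(group, "tcp", 5666, nagios_ip, nagios_groups),
        "tcp/22 ssh": group_allows(group, "tcp", 22, nagios_ip, nagios_groups),
    }


if __name__ == "__main__":
    for name, group in (("shared group as found", SHARED_GROUP),
                        ("shared group with self-referencing rules", FIXED_GROUP)):
        print(name)
        for flow, ok in monitoring_report(group).items():
            print(f"  {flow:18} {'allowed' if ok else 'BLOCKED'}")
```

Against the first group the report shows SSH allowed and both ICMP and NRPE blocked, which is exactly the "port 22 is open but nothing else answers" picture from the question. Referencing the group itself as the source (rather than the Nagios server's public IP) keeps the rule valid when the server's address changes, and limiting ICMP to type 8 is enough for ping because the echo reply is matched as return traffic of the allowed request.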
2

It can be a setting in the kernel or iptables.

To check kernel config:

cat /proc/sys/net/ipv4/icmp_echo_ignore_all

Enable ICMP reply (temporary):

echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all

Enable ICMP reply (permanent):

Edit /etc/sysctl.conf

net.ipv4.icmp_echo_ignore_all=0

Extracted from: http://www.sysadmit.com/2016/03/linux-respuesta-ping-habilitar-o-deshabilitar.html

1

I think your ping is not working because of SELinux. Try the following command as root:

# system-config-securitylevel-tui

Change the Security Level to Disabled and change SELinux to Disabled also.

Now try to ping; I think now it should work if there is no network problem.

pradeepchhetri
  • Awesome! It is set to `Enable` and `Enforcing`. I can use the keyboard and the space key to select `Disabled` for the security level, but I don't know how to "select" `Disabled` for SELinux. It looks like I have set it, but then when I hit OK and come back the Security Level is set but not the SELinux - http://img708.imageshack.us/img708/6703/pictureyc.png – cwd Aug 02 '12 at 19:23
  • @cwd: You have to use the arrow keys to change the SELinux value.. – pradeepchhetri Aug 02 '12 at 19:25
  • I think it may be something else because I'm seeing that /selinux/disable has permissions of `--w-------`. If I chmod u+r and open it with `vi` it says there is a read error... – cwd Aug 02 '12 at 19:32
  • That is not the problem.. permissions are like that in mine also.. whether your arrow keys (up arrow and down arrow) don't move the option to Disabled.. – pradeepchhetri Aug 02 '12 at 19:39
  • Hmm, I can change the options to look like this - http://img841.imageshack.us/img841/7052/picturejp.png. Then I use the space bar to press OK. When I run the utility again it reverts. – cwd Aug 02 '12 at 20:00
  • Maybe I should open another question on how to disable SELinux, but I have read some of the questions and I don't seem to have `/etc/sysconfig/selinux` or `/boot/grub/grub.conf`. Also `echo 1 > /selinux/disable` gives me `-bash: echo: write error: Invalid argument` – cwd Aug 02 '12 at 20:08
0

The sysctl.conf file can also prevent ping responses. Please have a look at http://www.trickylinux.net/disable-ping-response-linux/

This may help you.