
CentOS 4.x

I've got several old CentOS 4.x systems and have configured iptables to allow ICMP traffic.

Originally, I had an iptables rule that looked like:

-A RH-Firewall-1-INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

That seemed to work fine for a while but one of our monitoring solutions has a requirement to ping more often than once a second (long story but in short, it's a requirement).

To accommodate this, I changed the rule to:

-A RH-Firewall-1-INPUT -p icmp --icmp-type echo-request -j ACCEPT

The strange part is that I have this same rule on multiple CentOS 4.x servers and most are handling this fine but one of them is still intermittently not sending echo ping replies.

I've confirmed that the iptables rule is the same between all servers. Any thoughts on what could be going on here?

For good measure, I collected a packet capture on the CentOS server side but all I'm seeing is the server intermittently sending back an ICMP Type 3 / Code 1 message about the destination and host being unreachable (which seems strange to me considering that it's the box itself that is responding with this message).

Any ideas?

Mike B
    Maybe ICMP is rate limited on one of your servers. Can you check cat /proc/sys/net/ipv6/icmp/ratelimit and cat /proc/sys/net/ipv4/icmp_ratelimit ? – flashnode Sep 13 '12 at 19:08
  • @flashnode /proc/sys/net/ipv4/icmp_ratelimit is set to 1000 on all 3 servers. – Mike B Sep 14 '12 at 15:29
    If you want to be sure that it's iptables causing problems you can enable logging. Copy the icmp rule exactly as you have above and add it to your file, but replace ACCEPT with LOG. Then iptables will fill your messages file with rejected packets. If you don't see them you can exclude iptables as the culprit. – flashnode Sep 14 '12 at 19:16
  • @flashnode So `-A RH-Firewall-1-INPUT -p icmp --icmp-type echo-request -j LOG` ? – Mike B Sep 14 '12 at 20:45
    Yes, but make sure you have *both*: one with LOG and one with ACCEPT – flashnode Sep 14 '12 at 21:02
  • @flashnode Does it matter which comes first? – Mike B Sep 14 '12 at 21:08
  • I don't think that's quite working... When I enable the log, it only logs the incoming requests and I don't see any difference in the log events (other than incrementing times and sequence number). – Mike B Sep 14 '12 at 23:57
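Added example, not code from the original post or its commenters: a small Python checker for the two diagnostics raised in the comments. It verifies that the LOG rule sits before the ACCEPT rule in RH-Firewall-1-INPUT (it has to: ACCEPT is a terminating target, so a LOG rule placed after it never fires, which is why the ordering question matters), that no rate-limited ACCEPT is left on the chain, and whether the echo requests recorded by the LOG rule show gaps in their ICMP sequence numbers, which separates "request never arrived" from "request arrived but drew no reply". It also decodes net.ipv4.icmp_ratemask, the sysctl that lists which ICMP types icmp_ratelimit applies to; that goes one step beyond the thread's check of icmp_ratelimit alone. The chain name and rule text are taken from the question; the iptables-save listings, the kernel LOG lines and the mask value 6168 (the kernel default) are constructed sample input.

```python
"""Offline checks for the ICMP / iptables debugging steps discussed above.

Added example; not code from the original post.  Rule listings are in
iptables-save syntax and log lines are in the format the netfilter LOG
target writes to /var/log/messages.  All of them are constructed samples.
"""
import re

CHAIN = "RH-Firewall-1-INPUT"      # chain name from the question
ICMP_ECHO_REQUEST = 8

# Constructed sample: LOG placed before the unlimited ACCEPT (the intended layout).
GOOD_RULES = """\
*filter
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -p icmp --icmp-type echo-request -j LOG
-A RH-Firewall-1-INPUT -p icmp --icmp-type echo-request -j ACCEPT
COMMIT
"""

# Constructed sample: the old rate-limited ACCEPT is still present and LOG follows it.
BAD_RULES = """\
*filter
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type echo-request -j LOG
COMMIT
"""

# Constructed sample of LOG-target output for five echo requests; seq 4 never arrived.
SAMPLE_LOG = [
    "Sep 14 23:50:0%d host kernel: IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.9 LEN=84 "
    "TOS=0x00 PREC=0x00 TTL=64 ID=%d PROTO=ICMP TYPE=8 CODE=0 ID=4201 SEQ=%d"
    % (i, 1000 + i, seq)
    for i, seq in enumerate((1, 2, 3, 5, 6))
]


def chain_rules(save_text, chain=CHAIN):
    """Rules appended to `chain`, in the order the kernel evaluates them."""
    prefix = "-A %s " % chain
    return [line.split() for line in save_text.splitlines() if line.startswith(prefix)]


def is_echo_request_rule(tokens):
    return ("-p" in tokens and tokens[tokens.index("-p") + 1] == "icmp"
            and "--icmp-type" in tokens
            and tokens[tokens.index("--icmp-type") + 1] in ("echo-request", "8"))


def target_of(tokens):
    return tokens[tokens.index("-j") + 1] if "-j" in tokens else None


def uses_limit_match(tokens):
    return any(a == "-m" and b == "limit" for a, b in zip(tokens, tokens[1:]))


def check_echo_request_rules(save_text, chain=CHAIN):
    """Findings about echo-request handling in `chain`; an empty list means
    LOG comes first and the ACCEPT carries no -m limit."""
    findings = []
    rules = [r for r in chain_rules(save_text, chain) if is_echo_request_rule(r)]
    position = {}                       # first index of each target among these rules
    for i, r in enumerate(rules):
        position.setdefault(target_of(r), i)
        if target_of(r) == "ACCEPT" and uses_limit_match(r):
            findings.append("ACCEPT for echo-request still carries -m limit")
    if "LOG" not in position:
        findings.append("no LOG rule for echo-request")
    if "ACCEPT" not in position:
        findings.append("no ACCEPT rule for echo-request")
    elif "LOG" in position and position["LOG"] > position["ACCEPT"]:
        # ACCEPT is terminating: an accepted packet never reaches later rules.
        findings.append("LOG rule comes after ACCEPT, so it never fires")
    return findings


LOG_RE = re.compile(r"PROTO=ICMP TYPE=(\d+) CODE=(\d+) ID=(\d+) SEQ=(\d+)")


def logged_echo_requests(log_lines):
    """{icmp_id: [seq, ...]} for echo requests the LOG rule recorded."""
    seen = {}
    for line in log_lines:
        m = LOG_RE.search(line)
        if m is None:
            continue
        icmp_type, _code, icmp_id, seq = (int(x) for x in m.groups())
        if icmp_type == ICMP_ECHO_REQUEST:
            seen.setdefault(icmp_id, []).append(seq)
    return seen


def sequence_gaps(log_lines):
    """(icmp_id, seq) pairs for requests that never reached the INPUT chain.
    A gap means the request was lost before iptables saw it; a request that
    is logged but draws no reply points at the host itself."""
    gaps = []
    for icmp_id, seqs in logged_echo_requests(log_lines).items():
        for a, b in zip(seqs, seqs[1:]):
            gaps.extend((icmp_id, s) for s in range(a + 1, b))
    return gaps


def rate_limited_icmp_types(ratemask):
    """ICMP types covered by net.ipv4.icmp_ratemask; icmp_ratelimit applies only
    to these.  The kernel default 6168 (0x1818) covers types 3, 4, 11 and 12, so
    echo-reply (type 0) is not limited unless the mask has been changed."""
    return [t for t in range(32) if ratemask >> t & 1]


if __name__ == "__main__":
    print("good:", check_echo_request_rules(GOOD_RULES))
    print("bad: ", check_echo_request_rules(BAD_RULES))
    print("gaps:", sequence_gaps(SAMPLE_LOG))
    print("rate-limited types:", rate_limited_icmp_types(6168))
```

To use it on a real box, feed `check_echo_request_rules` the output of `iptables-save` and `sequence_gaps` the `kernel:` lines grepped from /var/log/messages; the constants above are only there so the script runs stand-alone.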
