I'm trying to isolate a network problem and I need some debugging help.  
Frustrating when I am not fluent in the new sys admin tools.

Symptom is as follows:  I have a machine running Fedora 24 with its firewall 
zone set to work.  I cannot ping the machine except from the same subnet.  I 
don't have this problem with a second machine running the same OS/rev with the 
same firewall setup.  I'm not sure where to look.

I've dumped out both machines' iptables.  See attachment.  I did a diff -y and they look 
almost identical.  The machine that does not work has 2 NICs, one of which is connected to a 
192.168 network.  It has additional rules in the various chains but they are all 
"from anywhere to anywhere".  I'm assuming the additional rules come from the 
second interface.

I've put a query to my networking folks to see if the problem is further 
upstream.  But I thought I'd ask if I have missed something obvious.

I know it's not SL7 but they use the same tools:  nmcli and firewall-cmd.

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere            
INPUT_direct  all  --  anywhere             anywhere            
INPUT_ZONES_SOURCE  all  --  anywhere             anywhere            
INPUT_ZONES  all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere             ctstate INVALID
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere            
FORWARD_direct  all  --  anywhere             anywhere            
FORWARD_IN_ZONES_SOURCE  all  --  anywhere             anywhere            
FORWARD_IN_ZONES  all  --  anywhere             anywhere            
FORWARD_OUT_ZONES_SOURCE  all  --  anywhere             anywhere            
FORWARD_OUT_ZONES  all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere             ctstate INVALID
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
OUTPUT_direct  all  --  anywhere             anywhere            

Chain FORWARD_IN_ZONES (1 references)
target     prot opt source               destination         
FWDI_work  all  --  anywhere             anywhere            [goto] 
FWDI_work  all  --  anywhere             anywhere            [goto] 
FWDI_work  all  --  anywhere             anywhere            [goto] 

Chain FORWARD_IN_ZONES_SOURCE (1 references)
target     prot opt source               destination         

Chain FORWARD_OUT_ZONES (1 references)
target     prot opt source               destination         
FWDO_work  all  --  anywhere             anywhere            [goto] 
FWDO_work  all  --  anywhere             anywhere            [goto] 
FWDO_work  all  --  anywhere             anywhere            [goto] 

Chain FORWARD_OUT_ZONES_SOURCE (1 references)
target     prot opt source               destination         

Chain FORWARD_direct (1 references)
target     prot opt source               destination         

Chain FWDI_work (3 references)
target     prot opt source               destination         
FWDI_work_log  all  --  anywhere             anywhere            
FWDI_work_deny  all  --  anywhere             anywhere            
FWDI_work_allow  all  --  anywhere             anywhere            
ACCEPT     icmp --  anywhere             anywhere            

Chain FWDI_work_allow (1 references)
target     prot opt source               destination         

Chain FWDI_work_deny (1 references)
target     prot opt source               destination         

Chain FWDI_work_log (1 references)
target     prot opt source               destination         

Chain FWDO_work (3 references)
target     prot opt source               destination         
FWDO_work_log  all  --  anywhere             anywhere            
FWDO_work_deny  all  --  anywhere             anywhere            
FWDO_work_allow  all  --  anywhere             anywhere            

Chain FWDO_work_allow (1 references)
target     prot opt source               destination         

Chain FWDO_work_deny (1 references)
target     prot opt source               destination         

Chain FWDO_work_log (1 references)
target     prot opt source               destination         

Chain INPUT_ZONES (1 references)
target     prot opt source               destination         
IN_work    all  --  anywhere             anywhere            [goto] 
IN_work    all  --  anywhere             anywhere            [goto] 
IN_work    all  --  anywhere             anywhere            [goto] 

Chain INPUT_ZONES_SOURCE (1 references)
target     prot opt source               destination         

Chain INPUT_direct (1 references)
target     prot opt source               destination         

Chain IN_work (3 references)
target     prot opt source               destination         
IN_work_log  all  --  anywhere             anywhere            
IN_work_deny  all  --  anywhere             anywhere            
IN_work_allow  all  --  anywhere             anywhere            
ACCEPT     icmp --  anywhere             anywhere            

Chain IN_work_allow (1 references)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh ctstate NEW
ACCEPT     udp  --  anywhere             224.0.0.251          udp dpt:mdns ctstate NEW

Chain IN_work_deny (1 references)
target     prot opt source               destination         

Chain IN_work_log (1 references)
target     prot opt source               destination         

Chain OUTPUT_direct (1 references)
target     prot opt source               destination         

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere            
INPUT_direct  all  --  anywhere             anywhere            
INPUT_ZONES_SOURCE  all  --  anywhere             anywhere            
INPUT_ZONES  all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere             ctstate INVALID
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere            
FORWARD_direct  all  --  anywhere             anywhere            
FORWARD_IN_ZONES_SOURCE  all  --  anywhere             anywhere            
FORWARD_IN_ZONES  all  --  anywhere             anywhere            
FORWARD_OUT_ZONES_SOURCE  all  --  anywhere             anywhere            
FORWARD_OUT_ZONES  all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere             ctstate INVALID
REJECT     all  --  anywhere             anywhere             reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
OUTPUT_direct  all  --  anywhere             anywhere            

Chain FORWARD_IN_ZONES (1 references)
target     prot opt source               destination         
FWDI_work  all  --  anywhere             anywhere            [goto] 
FWDI_work  all  --  anywhere             anywhere            [goto] 

Chain FORWARD_IN_ZONES_SOURCE (1 references)
target     prot opt source               destination         

Chain FORWARD_OUT_ZONES (1 references)
target     prot opt source               destination         
FWDO_work  all  --  anywhere             anywhere            [goto] 
FWDO_work  all  --  anywhere             anywhere            [goto] 

Chain FORWARD_OUT_ZONES_SOURCE (1 references)
target     prot opt source               destination         

Chain FORWARD_direct (1 references)
target     prot opt source               destination         

Chain FWDI_work (2 references)
target     prot opt source               destination         
FWDI_work_log  all  --  anywhere             anywhere            
FWDI_work_deny  all  --  anywhere             anywhere            
FWDI_work_allow  all  --  anywhere             anywhere            
ACCEPT     icmp --  anywhere             anywhere            

Chain FWDI_work_allow (1 references)
target     prot opt source               destination         

Chain FWDI_work_deny (1 references)
target     prot opt source               destination         

Chain FWDI_work_log (1 references)
target     prot opt source               destination         

Chain FWDO_work (2 references)
target     prot opt source               destination         
FWDO_work_log  all  --  anywhere             anywhere            
FWDO_work_deny  all  --  anywhere             anywhere            
FWDO_work_allow  all  --  anywhere             anywhere            

Chain FWDO_work_allow (1 references)
target     prot opt source               destination         

Chain FWDO_work_deny (1 references)
target     prot opt source               destination         

Chain FWDO_work_log (1 references)
target     prot opt source               destination         

Chain INPUT_ZONES (1 references)
target     prot opt source               destination         
IN_work    all  --  anywhere             anywhere            [goto] 
IN_work    all  --  anywhere             anywhere            [goto] 

Chain INPUT_ZONES_SOURCE (1 references)
target     prot opt source               destination         

Chain INPUT_direct (1 references)
target     prot opt source               destination         

Chain IN_work (2 references)
target     prot opt source               destination         
IN_work_log  all  --  anywhere             anywhere            
IN_work_deny  all  --  anywhere             anywhere            
IN_work_allow  all  --  anywhere             anywhere            
ACCEPT     icmp --  anywhere             anywhere            

Chain IN_work_allow (1 references)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh ctstate NEW
ACCEPT     udp  --  anywhere             224.0.0.251          udp dpt:mdns ctstate NEW

Chain IN_work_deny (1 references)
target     prot opt source               destination         

Chain IN_work_log (1 references)
target     prot opt source               destination         

Chain OUTPUT_direct (1 references)
target     prot opt source               destination         
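
A per-chain comparison of two `iptables -L` listings like the ones above, as an added example that is not part of the original post: it rejoins mail-wrapped rule lines and reports only the chains whose rules differ. The names `parse_listing`, `diff_chains`, `LISTING_A` and `LISTING_B` are hypothetical, and the two listings are constructed excerpts in the shape of the dumps in the post.

```python
from collections import Counter

def parse_listing(text):
    """Parse `iptables -L` text into {chain: [rule, ...]}, rejoining wrapped lines."""
    chains, rules = {}, None
    for fields in map(str.split, text.splitlines()):
        if fields[:1] == ["Chain"]:
            rules = chains.setdefault(fields[1], [])
        elif rules is not None and len(fields) >= 5 and fields[2] == "--":
            rules.append(" ".join(fields))          # target prot opt source destination ...
        elif rules and fields and fields[0] != "target":
            rules[-1] += " " + " ".join(fields)     # wrapped tail of the previous rule
    return chains

def diff_chains(a, b):
    """Return {chain: (extra_in_a, extra_in_b)} for chains whose rules differ."""
    out = {}
    for name in sorted(set(a) | set(b)):
        ca, cb = Counter(a.get(name, [])), Counter(b.get(name, []))
        if ca != cb:
            out[name] = (sorted((ca - cb).elements()), sorted((cb - ca).elements()))
    return out

# Constructed excerpts: three vs. two [goto] rows, and one wrapped rule line.
LISTING_A = """\
Chain INPUT_ZONES (1 references)
target     prot opt source               destination
IN_work    all  --  anywhere             anywhere            [goto]
IN_work    all  --  anywhere             anywhere            [goto]
IN_work    all  --  anywhere             anywhere            [goto]

Chain IN_work_allow (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
ctstate NEW
"""
LISTING_B = """\
Chain INPUT_ZONES (1 references)
target     prot opt source               destination
IN_work    all  --  anywhere             anywhere            [goto]
IN_work    all  --  anywhere             anywhere            [goto]

Chain IN_work_allow (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh ctstate NEW
"""

if __name__ == "__main__":
    print(diff_chains(parse_listing(LISTING_A), parse_listing(LISTING_B)))
```

Plain `iptables -L` omits the in/out interface columns, so rows bound to different interfaces all read "anywhere anywhere"; `iptables -L -v -n` or `iptables -S` shows the interface each row matches on.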
