Still can't connect to server

Apr 17, 2003 Tcide
Timeout connecting to server, need help. I didn't have this issue last time I played on my last box several months ago. Any ideas, anyone?
Apr 17, 2003 romikq
post output of:

1) ping -c 10 majikthise.guildsoftware.com
2) traceroute majikthise.guildsoftware.com
3) iptables -L -t filter
Apr 24, 2003 Vordark
Well, since Tcide didn't reply and I seem to be experiencing the same problem, let's see if this helps *me*...

Here's the ping, no surprises...

PING majikthise.guildsoftware.com (204.29.203.105) from 64.223.178.188 : 56(84) bytes of data.
64 bytes from majikthise.guildsoftware.com (204.29.203.105): icmp_seq=1 ttl=239 time=48.8 ms
64 bytes from majikthise.guildsoftware.com (204.29.203.105): icmp_seq=2 ttl=239 time=48.0 ms
64 bytes from majikthise.guildsoftware.com (204.29.203.105): icmp_seq=3 ttl=239 time=47.8 ms
64 bytes from majikthise.guildsoftware.com (204.29.203.105): icmp_seq=4 ttl=239 time=47.4 ms
64 bytes from majikthise.guildsoftware.com (204.29.203.105): icmp_seq=5 ttl=239 time=49.2 ms
64 bytes from majikthise.guildsoftware.com (204.29.203.105): icmp_seq=6 ttl=239 time=50.5 ms
64 bytes from majikthise.guildsoftware.com (204.29.203.105): icmp_seq=7 ttl=239 time=48.9 ms
64 bytes from majikthise.guildsoftware.com (204.29.203.105): icmp_seq=8 ttl=239 time=45.3 ms
64 bytes from majikthise.guildsoftware.com (204.29.203.105): icmp_seq=9 ttl=239 time=47.3 ms

--- majikthise.guildsoftware.com ping statistics ---
9 packets transmitted, 9 received, 0% loss, time 8022ms
rtt min/avg/max/mdev = 45.351/48.199/50.569/1.414 ms


Traceroute starts dying after a while...


traceroute to majikthise.guildsoftware.com (204.29.203.105), 30 hops max, 38 byte packets
1 10.20.1.1 (10.20.1.1) 15.272 ms 15.742 ms 14.504 ms
2 A5-0-0-1710.Q-RTR1.MAN.verizon-gni.net (64.222.132.194) 15.173 ms 19.628 ms 43.393 ms
3 at-0-1-0-632.CORE-RTR1.MAN.verizon-gni.net (130.81.5.129) 41.865 ms 21.941 ms 44.621 ms
4 so-0-0-2-0.CORE-RTR1.BOS.verizon-gni.net (130.81.4.197) 43.506 ms 21.738 ms 44.039 ms
5 so-0-3-0-0.PEER-RTR2.BOS.verizon-gni.net (130.81.7.246) 42.322 ms 18.761 ms 42.114 ms
6 p6-0.bstnma1-cr8.bbnplanet.net (4.24.94.81) 42.798 ms 21.164 ms 18.197 ms
7 so-3-1-0.bstnma1-nbr2.bbnplanet.net (4.24.5.125) 42.343 ms 19.270 ms 18.949 ms
8 so-7-0-0.bstnma1-nbr1.bbnplanet.net (4.24.10.217) 42.540 ms 20.268 ms 24.090 ms
9 so-0-0-0.chcgil2-br1.bbnplanet.net (4.24.9.53) 67.975 ms 44.151 ms 43.836 ms
10 p1-0.chcgil2-cr9.bbnplanet.net (4.24.8.110) 67.703 ms 43.694 ms 41.854 ms
11 p2-0.nchicago2-cr2.bbnplanet.net (4.0.5.242) 67.225 ms 42.931 ms 41.369 ms
12 p8-0-0.nchicago2-core0.bbnplanet.net (4.0.6.2) 69.131 ms 44.107 ms 42.412 ms
13 e0.corecomm.bbnplanet.net (207.112.240.178) 67.752 ms 44.640 ms 41.858 ms
14 446.at-0-2-0.rtr0.milw.wi.voyager.net (169.207.224.110) 70.200 ms 44.713 ms 71.965 ms
15 * * *
16 * * *
17 * * *
18 * * *
19 * * *
20 *
^C

iptables has no idea what the hell I'm talking about when I give it the options suggested, so here's my /etc/sysconfig/iptables file...


# Firewall configuration written by lokkit
# Manual customization of this file is not recommended.
# Note: ifup-post will punch the current nameservers through the
# firewall; such entries will *not* be listed here.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Lokkit-0-50-INPUT - [0:0]
-A INPUT -j RH-Lokkit-0-50-INPUT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 4201 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp -s 151.203.0.85 --sport 53 -d 0/0 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp -s 151.202.0.85 --sport 53 -d 0/0 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --syn -j REJECT
-A RH-Lokkit-0-50-INPUT -p udp -m udp -j REJECT
COMMIT

My exact symptoms are...

1. Installation worked fine
2. Patching at launch time seems to go a-okay
3. Program starts, I hit connect, feed in my username and password (both verified as accurate)
4. See "Connecting" (or similar verbiage) for about a minute
5. Get a timeout message and no Vendetta love action.

Please help.
Apr 24, 2003 a1k0n
That's because your iptables packet filter is rejecting all UDP that isn't DNS traffic to your name server. At least, that's what it looks like to me, not being familiar with iptables. There should be some iptables recipe for stateful firewalling. (i.e. the firewall remembers which connections you started and allows packets on those connections, but blocks everything else. Your firewall just blocks all incoming TCP SYNs and all non-DNS UDP.)

Is that Redhat 7.1, by chance?
Apr 25, 2003 Vordark
RedHat 8.0. I probably shouldn't be surprised by this, but I haven't looked at any sort of firewall in about a year and a half. Will investigate.

Thanks.
Apr 25, 2003 Vordark
Aha! After a few minutes of screwing around with my setup (which appears at first glance to be convoluted and obscure, but turns out to be only moderately kludgy and half-assed) I've discovered the magic required to connect to the server.

What follows is probably useful only to me, but I figured I'd throw it up for the hell of it, partially to blow off some steam.

RedHat 8.0 by default uses iptables as its firewall package. Ooops! I mean it uses something called "Lokkit" which is a firewall configurator. Ooops! I mean it uses a shell script (/etc/rc.d/init.d/iptables) to read in a file filled with config commands (/etc/sysconfig/iptables) which is edited by lokkit (/sbin/lokkit) which is almost totally useless.

a1k0n pointed out that iptables was rejecting all UDP traffic apart from DNS and it ought not to be doing that. Rather, iptables should be knowing about UDP connections I establish from my end and allow that traffic.

After the usual goosechase through the docs available on the 'net, I discovered the following incantation which I placed in /etc/sysconfig/iptables (against the stern warning that only Lokkit edit that file, given that I cannot imagine ever having to inflict that thing on myself again)...

-A RH-Lokkit-0-50-INPUT -p udp -m state --state ESTABLISHED -j ACCEPT

However, it might be best that you place this *before* the line...

-A RH-Lokkit-0-50-INPUT -p udp -m udp -j REJECT

Which drops all udp packets to the floor.

And might I say how thoughtful it was for the iptables dev team to include code designed to tell the user ("Hey! You've just established a rule that does *nothing* because it will never ever see udp packets because a previously defined rule says to throw them all away!")

Note also the reason for "RH-Lokkit-0-50-INPUT" is because this is the ruleset automagically configured by lokkit and it appears that it's a good thing to keep things there. If you're not possessed by lokkit, this should do just fine...

iptables -A INPUT -p udp -m state --state ESTABLISHED -j ACCEPT

Placed wherever it's expected and before you throw your udp packets away.

Much thanks to a1k0n for pointing out my default config lameness.
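
An added example, not part of the original posts: a small Python check for the ordering problem described in the last post, flagging a rule that can never match because an earlier terminal rule in the same chain already matches every packet it would. The rule text is the chain from the thread with the new rule appended after the UDP REJECT; the parser is an assumption of this example, understands only the options that appear in this ruleset, and is not an iptables feature.

```python
import shlex

# Constructed input: the Lokkit chain from the thread, with the new
# ESTABLISHED rule appended *after* the blanket UDP REJECT (wrong order).
BROKEN = """\
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 4201 --syn -j ACCEPT
-A RH-Lokkit-0-50-INPUT -i lo -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp -s 151.203.0.85 --sport 53 -d 0/0 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p udp -m udp -s 151.202.0.85 --sport 53 -d 0/0 -j ACCEPT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --syn -j REJECT
-A RH-Lokkit-0-50-INPUT -p udp -m udp -j REJECT
-A RH-Lokkit-0-50-INPUT -p udp -m state --state ESTABLISHED -j ACCEPT
"""
_l = BROKEN.splitlines()
FIXED = "\n".join(_l[:5] + [_l[6], _l[5]])  # ESTABLISHED rule before the REJECT

# Only the options used in this ruleset are understood (example assumption).
FLAGS = {"-p": "proto", "-i": "in", "-s": "src", "-d": "dst",
         "--sport": "sport", "--dport": "dport", "--state": "state"}
TERMINAL = {"ACCEPT", "REJECT", "DROP"}

def parse(line):
    tok = shlex.split(line)
    rule = {"chain": tok[1], "match": {}, "target": None}
    i = 2
    while i < len(tok):
        if tok[i] == "--syn":
            rule["match"]["syn"] = "set"
            i += 1
            continue
        if tok[i] == "-j":
            rule["target"] = tok[i + 1]
        elif tok[i] in FLAGS and tok[i + 1] != "0/0":  # 0/0 matches anything
            rule["match"][FLAGS[tok[i]]] = tok[i + 1]
        i += 2  # "-m <module>" narrows nothing by itself and is skipped here
    return rule

def shadowed(ruleset):
    """Return (rule_no, shadowing_rule_no) pairs, 1-based, first match wins."""
    rules = [parse(l) for l in ruleset.splitlines() if l.startswith("-A ")]
    hits = []
    for j, later in enumerate(rules):
        for i, earlier in enumerate(rules[:j]):
            # Every condition of the earlier rule also holds for the later one,
            # so any packet the later rule wants has already been decided.
            if (earlier["chain"] == later["chain"]
                    and earlier["target"] in TERMINAL
                    and earlier["match"].items() <= later["match"].items()):
                hits.append((j + 1, i + 1))
                break
    return hits
```

`shadowed(BROKEN)` reports the ESTABLISHED rule as unreachable behind the UDP REJECT, while `shadowed(FIXED)` reports nothing.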