Ping: sendmsg: operation not permitted error after installing iptables on Arch GNU/Linux

Yesterday I got a new computer as my homeserver, a HP Proliant Microserver. Installed Arch Linux on it, with kernel version 3.2.12.

After installing iptables (1.4.12.2 - the current version AFAIK) and changing the net.ipv4.ip_forward key to 1, and enabling forwarding in the iptables configuration file (and rebooting), the system cannot use any of its network interfaces. Ping fails with

Ping: sendmsg: operation not permitted

If I remove iptables completely, networking is okay, but I need to share the Internet connection to the local network.

eth0 - wan NIC integrated on the motherboard (Broadcom NetXtreme BCM5723).

eth1 - lan NIC in a pci-express slot (Intel 82574L Gigabit Network)

Since it works without iptables (the server can access the internet, and I can log in with ssh from the internal network), I assume it has something to do with iptables. I do not have much experience with iptables, so I used these as reference (separate from each other, of course...):

wiki.archlinux.org/index.php/Simple_stateful_firewall#Setting_up_a_NAT_gateway

revsys.com/writings/quicktips/nat.html

howtoforge.com/nat_iptables

On my previous server, I used the revsys guide to set up NAT, and it worked like a charm.

Anyone experienced anything like this before? What am I doing wrong?


Solution 1:

The error message:

Ping: sendmsg: operation not permitted

means that your server is not allowed to send ICMP packets. You need to allow your server to send traffic via one or more of the configured interfaces. You can do this in one of two ways:

  1. Set the OUTPUT chain policy to ACCEPT to allow all outgoing traffic from your box:

    sudo iptables -P OUTPUT ACCEPT
    
  2. Set the OUTPUT chain policy to DROP and then selectively allow the types of traffic you need.

This applies to all chains, not only the OUTPUT chain. The INPUT chain controls the traffic received by your box. The FORWARD chain deals with traffic forwarded through the box.

Solution 2:

For me, on Debian 9, it helped just to reinstall ping:

apt-get install --reinstall iputils-ping

Solution 3:

If you maintain a proper set of iptables rules, you need to allow outgoing ping:

# Allow outgoing ping
iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
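The two approaches above (Solution 1's chain policies and Solution 3's explicit ICMP rules) fit together into one ruleset for the NAT gateway the question describes. The script below is an added example, not from the question or any of the answers: gen_nat_rules prints an iptables-restore ruleset for a two-NIC gateway with a default-DROP OUTPUT policy plus an explicit allow for outgoing echo-requests, and check_outgoing_ping reads a ruleset (for instance the output of iptables-save) on stdin and reports whether outgoing ping is permitted by either method. The interface names default to the asker's eth0 (WAN) and eth1 (LAN); the use of the conntrack match and the set of outbound ports (22, 53, 80, 123, 443) are my assumptions for a typical home gateway, not anything the page states.

```shell
#!/bin/sh
# Added example (not from the original question or answers). Prints an
# iptables-restore ruleset for a two-interface NAT gateway; review it first,
# then apply with:  gen_nat_rules eth0 eth1 | iptables-restore
gen_nat_rules() {
    wan="${1:-eth0}"   # assumption: WAN NIC, as in the question
    lan="${2:-eth1}"   # assumption: LAN NIC, as in the question
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Loopback and already-established flows, in every direction
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# Outgoing ping from the gateway itself: the rule whose absence produces
# "sendmsg: operation not permitted" under an OUTPUT DROP policy. The
# echo-reply returns as ESTABLISHED, so the rule above already admits it.
-A OUTPUT -p icmp --icmp-type echo-request -m conntrack --ctstate NEW -j ACCEPT
# New outbound connections the gateway needs (assumed port list: DNS, NTP, SSH, HTTP/HTTPS)
-A OUTPUT -p udp -m multiport --dports 53,123 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -p tcp -m multiport --dports 22,53,80,443 -m conntrack --ctstate NEW -j ACCEPT
# Management and ping of the gateway from the LAN side only
-A INPUT -i ${lan} -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i ${lan} -p icmp --icmp-type echo-request -j ACCEPT
# Forward LAN clients out to the WAN; replies are covered by ESTABLISHED above
-A FORWARD -i ${lan} -o ${wan} -m conntrack --ctstate NEW -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Source-NAT everything leaving via the WAN interface (needs net.ipv4.ip_forward=1)
-A POSTROUTING -o ${wan} -j MASQUERADE
COMMIT
EOF
}

# Read a ruleset in iptables-save format on stdin and return 0 when the
# gateway may send ping: either the OUTPUT policy is ACCEPT (Solution 1) or an
# OUTPUT rule explicitly accepts ICMP echo-requests (Solution 3).
check_outgoing_ping() {
    rules=$(cat)
    printf '%s\n' "$rules" | grep -q '^:OUTPUT ACCEPT' && return 0
    printf '%s\n' "$rules" \
        | grep -E '^-A OUTPUT .*-p icmp .*--icmp-type (echo-request|8)( |$)' \
        | grep -q -- '-j ACCEPT' && return 0
    return 1
}

# Usage on a live system (requires root): iptables-save | check_outgoing_ping && echo "ping allowed"
```

Running check_outgoing_ping against `iptables-save` output is a quicker diagnosis than re-reading a ruleset by hand: if it returns non-zero while the OUTPUT policy is DROP, the echo-request rule from Solution 3 is what is missing.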

Solution 4:

Another option is to reset all of the iptables rules.

Set the default policy on the iptables to ACCEPT:

iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
# Then flush the rules:
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD

See also How to reset Ubuntu 12.04 iptables to default without locking oneself out?