Basic help needed with remote network access

[tringate]

Background:

While I consider myself a novice, I have been installing and running a server using Red Hat/Fedore now for over 15 years. My current server is Fedora 9 and I am trying to build a new Fedora 11 server.

My problem appears to be something very basic in the way the server is handling connections inbound to it since the few tests I've done using the server itself appear to be working.

My goal is to have a server running several web sites, access using samba on the local network, and have VNCSERVER and SSH access. These are all working just fine on my fedora 9 server, so while I stumbled along getting everything to work on each upgrade, this is the first time I have been completely confused on where to even start.

The Problem:

None of my remote applications can access any servers on my Fedora 11 system.

-- From my windows machines the following clients fail
- TightVNC hangs with "Connection established"
- Putty hangs with a blank screen
- IE hangs with "waiting for connection" when trying to access web site
- Windows does not find the Fedora 11 system for samba shares.

--From the Fedora system the following is noted
- All updates have been applied without any problems
- firefox works fine looking at any web site, even the test site rinning on the Fedora 11 machine
- The VNC server has been configured using different tutorials and is running
- Apache is configured to display a simple one page test screen and works from localhost
- SAMBA is configured to have one user and share one directory and is running
- When looking at the network, it sees the workgroup, but no computers in the workgroup. It does fine itself outside of the workgroup but thinks it's on IP address 192.168.122.1
- SSH is running

In an attempt to figure out what is wrong, I have turned off the firewall and put SELinux into "permissive" mode. (I usually have to have SELinux in this mode on both machines)

Looking in the logs I see my remote system address in the httpd logs and see it looks like it was able to access the page. the error log is empty of any error, but if I intentionally generate an error like trying to display a non existant page I see the error in the error log "403" however the remote PC never sees any error, and the remote computer just hangs and times out.

It's like none of the Fedora services are able to respond out to anything on the network, but it is receiving the requests.

I suspect something wrong in my network setup, but everything looks just fine to me.

I have compared most settings to those I have on my Fedora 9 server, and they match up just fine.

The entire network is using the 192.168.x.x address range.

The Fedora 9 box is 192.168.1.64 and the Fedora 11 box is 192.168.1.65

Ping workis just fine from a remots system to 192.168.1.65, but nothing else works.

I use DYNDNS to us a domain name, so when building a new system I always just use the IP address and not do the final domain name for apache until I go live.

My usualy install and build steps are:
1 - Install Fedora
2 - establish network access
3 - update all applications and core with updates
4 - configure firewall to use SSH WEB Server, SAMBA
5 - Use remote SAMBA access to upload all the data files

at this point I usually do all the configurations of MySQL and upload the full web content from the live machine using one of my windows machine on my local network.

I'm stuck at step 5, but really find that I can't do anything like web, SSH, VNC, or SAMBA.

I don't know where to start looking because things look like they should work.

Any suggestions on how to approach this problem would be greatly appreciated. After seeing ping work, and knowing the Fedora 11 box itself can access the world just fine, other than see my local network and those computers, I'm stumped.

My live system is a dual core AMD and the new system I am building is running on a AMD 64 bit single core machine. It was running Fedora 9 as a backup system until I started this build. The install from the DVD went without any glitches. I would happly do it all over again if I thought it would solve the problem, but obviously I am missing something rather basic here. My assessment is that whatever is wrong is causing the problem with all of my services.

After three days of hitting my head against the wall I am asking for some help. I must not be able to see the trees for the forest.

My initial approach is trying to get SSH and Putty on windows to be able to login remotely. That has to be really a simple process. With the firewall disabled, I would think that would work right out of the box.

Tom

[JEO]

I would install wireshark and maybe wireshark-gnome if you have graphical on the server so you can see what packets are going in and out during the time the a client requests a page. From your web server testing my guess would be it's not sending out proper ipv4 responses. You could also install wireshark-gnome on a fedora client and see what the client sees during the same type of page request.

[tringate]

JOE,

I installed the wireshark-gnome application and ran some traces.

I see the requests being sent, and ai see the answers being sent back, then I see a "retransmission" of the packets for several tries, not of all packets, just of the data carrying packets.

I tried both a web connection and a SSH connection.

Both looked like the exact same problem.

On thing I did notice is a lot of IPv6 packets on the LAN.

This machine has IPv6 turned off on eth0, but I did notice that the ipv6 function is running in the services window.

My son has lots of mac stuff like an iphone, and those game things as well as a windows 7 system running on the lan so maybe thos are comming from those boxes. I have no idea for sure because in place of the IP address it has something that lookes more like a MAC address.

In the data packet being sent in the SSH response it does have the protocol set as IPv6.

Is it possible this fedora machine is trying to respond to some things with IPv6?

Remember, I can connect out from it just fine to the web using firefox, and it will download all the updates using yum just fine.

It's only when I try to use it on the lan from another device that nothing works.

SAMBA
SSH
WEB
VNC

all fail when tried to be used from another PC on the LAN.

Is there any reason why I would want IPv6 running at all on this machine?

Can you give me some advice on what to look for in the trace when I connect? It looks like it's actually sending a reply and the packets even have the data I would expect to see displayed on the web page in the case of accessing the web server. But then those same packets are "retransmitted" several times after the original. They appear as a black line in the GUI trace window.

[JEO]

It sounds to me like ipv6 may well be the cause of the problem. There are some methods that you can use to turn ipv6 off. Search the forum for the methods to disable it or if you can't find out how post again and I will search. Do the retransmitted packets in black also show up with ipv6 somewhere in their description?

[tringate]

I decided to install the wireshark-gnome application on my Fedora 9 server and turn off the Fedora 11 new server to see if the IPv6 packets remained and they did. It looks like the stuff my son is running uses them for many things.

However in the responses to my connect using Putty for an SSH connection to just log in, it does send back a packet that says IPv6 in it as the protocol.

My next test will be to try the exact same thing on my Fedora 9 server and see what it does.

Unfortunatly that machine is a headless machine and I use VNC to do everything on it which generates a ton of trace entries.

I checked and the Fedora 9 machine is running the exact same service as the Fedora 11 server and the two have the TH0 port configured exactly the same other than the IP address. However on the Fedora 11 machine I have the "network manager" box checked on that interface. I tried unchecking it and then that interface will not start on boot for some reason. I kind of remember this same issue back on Fedore 5 or 3 but didn't try looking for it in google since that does not have anything to do with this problem of nothing being able to connect. I jusrt left it with the box checked so the interface will start when I boot.

[tringate]

Followed the instructions to disable IPv6 and restarted and tried again with no success.

Here is what I got when I disabled the IPv6

[root@bandit2 ~]# /sbin/service ip6tables stop
ip6tables: Flushing firewall rules: [ OK ]
ip6tables: Setting chains to policy ACCEPT: filter [ OK ]
ip6tables: Unloading modules: [ OK ]
[root@bandit2 ~]# /sbin/chkconfig ip6tables off
[root@bandit2 ~]# /sbin/service network restart
Shutting down interface eth0: [ OK ]
Shutting down loopback interface: [ OK ]
Disabling IPv4 packet forwarding: net.ipv4.ip_forward = 0
[ OK ]
Bringing up loopback interface: [ OK ]
Bringing up interface eth0: [ OK ]
[root@bandit2 ~]# /sbin/service network restart
Shutting down interface eth0: [ OK ]
Shutting down loopback interface: [ OK ]
Bringing up loopback interface: [ OK ]
Bringing up interface eth0: [ OK ]
You have new mail in /var/spool/mail/root
[root@bandit2 ~]#

I'm actually on the failing machine now and as you can see I have no trouble going out to the web. I just can not connect to this server for any services at all.

If it will help, here is the actual trace of Putty on my windows machine trying to connect to SSH.

The first packets are the connect followed by two "retransmissions" There were many more retransmissions but I figured two were one more than enough.

----------------- Trace -----------------

No. Time Source Destination Protocol Info
199 125.890070 192.168.1.105 192.168.1.65 TCP di-msg > ssh [SYN] Seq=0 Win=65535 Len=0 MSS=1460

Frame 199 (62 bytes on wire, 62 bytes captured)
Ethernet II, Src: Giga-Byt_61:3f:49 (00:0f:ea:61:3f:49), Dst: AsustekC_1d:b6:3f (00:1b:fc:1d:b6:3f)
Internet Protocol, Src: 192.168.1.105 (192.168.1.105), Dst: 192.168.1.65 (192.168.1.65)
Transmission Control Protocol, Src Port: di-msg (2227), Dst Port: ssh (22), Seq: 0, Len: 0

No. Time Source Destination Protocol Info
200 125.890182 192.168.1.65 192.168.1.105 TCP ssh > di-msg [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460

Frame 200 (62 bytes on wire, 62 bytes captured)
Ethernet II, Src: AsustekC_1d:b6:3f (00:1b:fc:1d:b6:3f), Dst: Cisco-Li_1a:97:36 (00:13:10:1a:97:36)
Internet Protocol, Src: 192.168.1.65 (192.168.1.65), Dst: 192.168.1.105 (192.168.1.105)
Transmission Control Protocol, Src Port: ssh (22), Dst Port: di-msg (2227), Seq: 0, Ack: 1, Len: 0

No. Time Source Destination Protocol Info
201 125.890932 192.168.1.105 192.168.1.65 TCP di-msg > ssh [ACK] Seq=1 Ack=1 Win=65535 Len=0

Frame 201 (60 bytes on wire, 60 bytes captured)
Ethernet II, Src: Giga-Byt_61:3f:49 (00:0f:ea:61:3f:49), Dst: AsustekC_1d:b6:3f (00:1b:fc:1d:b6:3f)
Internet Protocol, Src: 192.168.1.105 (192.168.1.105), Dst: 192.168.1.65 (192.168.1.65)
Transmission Control Protocol, Src Port: di-msg (2227), Dst Port: ssh (22), Seq: 1, Ack: 1, Len: 0

No. Time Source Destination Protocol Info
202 125.911502 192.168.1.65 192.168.1.105 SSH Server Protocol: SSH-2.0-OpenSSH_5.2\r

Frame 202 (75 bytes on wire, 75 bytes captured)
Ethernet II, Src: AsustekC_1d:b6:3f (00:1b:fc:1d:b6:3f), Dst: Cisco-Li_1a:97:36 (00:13:10:1a:97:36)
Internet Protocol, Src: 192.168.1.65 (192.168.1.65), Dst: 192.168.1.105 (192.168.1.105)
Transmission Control Protocol, Src Port: ssh (22), Dst Port: di-msg (2227), Seq: 1, Ack: 1, Len: 21
SSH Protocol


No. Time Source Destination Protocol Info
205 128.910726 192.168.1.65 192.168.1.105 SSH [TCP Retransmission] Encrypted response packet len=21

Frame 205 (75 bytes on wire, 75 bytes captured)
Ethernet II, Src: AsustekC_1d:b6:3f (00:1b:fc:1d:b6:3f), Dst: Cisco-Li_1a:97:36 (00:13:10:1a:97:36)
Internet Protocol, Src: 192.168.1.65 (192.168.1.65), Dst: 192.168.1.105 (192.168.1.105)
Transmission Control Protocol, Src Port: ssh (22), Dst Port: di-msg (2227), Seq: 1, Ack: 1, Len: 21
SSH Protocol


No. Time Source Destination Protocol Info
211 134.910740 192.168.1.65 192.168.1.105 SSH [TCP Retransmission] Encrypted response packet len=21

Frame 211 (75 bytes on wire, 75 bytes captured)
Ethernet II, Src: AsustekC_1d:b6:3f (00:1b:fc:1d:b6:3f), Dst: Cisco-Li_1a:97:36 (00:13:10:1a:97:36)
Internet Protocol, Src: 192.168.1.65 (192.168.1.65), Dst: 192.168.1.105 (192.168.1.105)
Transmission Control Protocol, Src Port: ssh (22), Dst Port: di-msg (2227), Seq: 1, Ack: 1, Len: 21
SSH Protocol

----------------------- end trace ------------------------

After doing this trace, I traced a good connection to my Fedora 9 machine and the packets up to where it does the re-transmissions are identical except for one thing.

On the machine it is working on the port is is sending to is hao (2245) and on the failing system you can see it is di-msg (2227)

Not sure if that is any problem or not. I think that is the windows end of the connection.

For some reason windows never gets that packet, or if it does, it does not respond like it does on the good machine.

[JEO]

You did not mention how you disabled ipv6. I just disabled it on my own machine to try it out. Here are the steps.

1) I disabled the ip6tables service

2) I created a file called /etc/modprobe.d/ipv6_disable.conf which contains the following line:
options ipv6 disable=1

3) Rebooted. dmesg |grep -i ipv6 shows:
IPv6: Loaded, but administratively disabled, reboot required to enable

and ifconfig shows that all network interfaces do not have ipv6 addresses, also lsmod |grep ipv6 shows it loaded but 0 in the usage count.

The reason I am posting this is because I could not find a clear guide to disable ipv6 on F11.

[tringate]

JOE,

The way I disabled it was nearly the same as you. The command in the file is different, so I will change it to what you have to see if it makes any difference. I'll edit this post after I test making that change.

I'm thinking this is not my problem, but want to follow your guidance exactly because I am lost on where to start looking.

I can't believe I have improperly configured every server application on this machine since I have configured them all many times before on other releases without any difficulty. I am sure this is one common problem and has something to do with the network which is the only thing common that I can think of. Remember, I have disabled SELinux, and turned off the firewall to get them out of the way. This has got to be something really basic.

Here is the results I get from ifconfig:

-------------- IFCONFIG --------------------

eth0 Link encap:Ethernet HWaddr 00:1B:FC:1D:B6:3F
inet addr:192.168.1.65 Bcast:192.168.1.65 Mask:255.255.255.255
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:41 errors:0 dropped:0 overruns:0 frame:0
TX packets:53 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:10901 (10.6 KiB) TX bytes:7020 (6.8 KiB)
Interrupt:25 Base address:0xe000

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:52 errors:0 dropped:0 overruns:0 frame:0
TX packets:52 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:4338 (4.2 KiB) TX bytes:4338 (4.2 KiB)

virbr0 Link encap:Ethernet HWaddr 9E:12:10:5E4:FA
inet addr:192.168.122.1 Bcast:192.168.122.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:18 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:4524 (4.4 KiB)

----------- end IFCONFIG ---------------------

Not sure what that virbr0 interface is for. It's not on my Fedora 9 machine.

I don't see anything that looks like an IPv6 address, but then I really do not know what it would look like if it was there.

IP6tables does show as "stopped".

Just to be sure it wasn't something in windows, I tried connecting to the web server on Fedora 11 with:
Windows vista
Windows XP
Fedora 9

All fail the same way with "Waiting for connection".

On the Fedora 11 machine if I connect to the web server on itself, it works perfectly. I just type in 192.168.1.65 in the address bar of firefox. Same as I do on the other machines that fail.

I think the simplest way to approach this is to figure out why Putty can not connect to SSH since it is so basic and is a service I most need to get other things working.

I really need to run as a headless machine like I do on the Fedora 9 box. Space is precious in my small home computer room.

[tringate]

JOE,

I think I might be getting close to what might be wrong.

I noticed in the "IFCONFIG" output that the system mask for the eth0 is 255.255.255.255 I am sure it should be 255.255.255.0

I then saw I had made a typo in the network GUI configuration and had typed the submask in as 255.255.255.1

I changed that to 255.255.255.0 abd rebooted but the "IFCONFIG" output still shows the submask to be 255.255.255.255

Can that possible work?

If not, why does it not change to what I have put in the network configuration?

Where can I look to see how it is actually being set by the system at boot?

-------------- new IFCONFIG output ----------------

eth0 Link encap:Ethernet HWaddr 00:1B:FC:1D:B6:3F
inet addr:192.168.1.65 Bcast:192.168.1.65 Mask:255.255.255.255
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1254 errors:0 dropped:0 overruns:0 frame:0
TX packets:990 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:1446878 (1.3 MiB) TX bytes:135460 (132.2 KiB)
Interrupt:25 Base address:0x8000

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:52 errors:0 dropped:0 overruns:0 frame:0
TX packets:52 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:4338 (4.2 KiB) TX bytes:4338 (4.2 KiB)

virbr0 Link encap:Ethernet HWaddr 1A2D:A9:976
inet addr:192.168.122.1 Bcast:192.168.122.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:60 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:10555 (10.3 KiB)

------------ end IFCONFIG ---------------

As you can see it is still what I think is a wrong value.

[tringate]

Ok, the problem is the netmask of 255.255.255.255

Using ifconfig to change it allows things to work, however, it does not stay changed even though it has been corrected in the network GUI function and does remain changed in that function during a reboot.

How do I change it for the real system rather than for some GUI presentation which appears to not do anything to the real system configuration files?

[tringate]

This problem has been solved in that I know what is causing it. I am opening a new problem on how to actually fix it.

Thanks for the guidance in finding what the problem actually is.