Author: kenyee
Post subject: can't traceroute to www.dpreview.com because of bad firehol
Posted: 19.02.2012, 03:02
Joined: 2010-09-29
Posts: 75
Upgraded from a 3.1 kernel recently and noticed this odd behavior.
The system doesn't seem to know how to route to that site (23.21.209.12, running on amazonaws.com) any more.
When I ping it, I get this cryptic "Operation not permitted" message:
$ ping www.dpreview.com
PING digiphoto-prod-84399190.us-east-1.elb.amazonaws.com (23.21.209.12) 56(84) bytes of data.
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
$ traceroute www.dpreview.com
traceroute to www.dpreview.com (23.21.210.71), 30 hops max, 60 byte packets
send: Operation not permitted
The weird part of this is that I can:
- ping other sites like www.news.com from this system
- from a VM running on the *same* machine, I can traceroute to www.dpreview.com
- dropping the iptables firewall makes no difference nor does reboot
- a wifi router on the network has no problems accessing dpreview.com (it uses the same DSL router)
I googled all over the place and bumped up my nf_conntrack_max value hoping that was it, but it made no difference.
Anyone have any other ideas?
EDIT: the problem was an old /etc/firehol/RESERVED_IPS that contained 23.0.0.0 (dpreview and amazonaws are on this subnet) and also 31.0.0.0 (Facebook's content delivery network is on this).
I swear I shut down the firewall to test it, but doing an iptables -L made this problem obvious.
This was in the iptables rules dump:
/sbin/iptables -t filter -A in_internet -s 23.0.0.0/8 -j RETURN
which was generated from the RESERVED_IPS file, which tries to parse http://www.iana.org/assignments/ipv4-address-space and fails now because firehol is no longer maintained by the firehol developer.
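Since the fix in the post came down to a stale RESERVED_IPS list that still contained /8 blocks IANA has since allocated, here is an added example (not from the post and not firehol's own code) that audits such a list against a snapshot of the IANA ipv4-address-space registry and reports which entry would have blocked a given destination. The registry rows and the RESERVED_IPS line are constructed samples; the CSV column names and the whitespace-separated RESERVED_IPS layout are assumptions about the file formats, not something the post states.

```python
"""Audit a firehol-style RESERVED_IPS list against an IANA ipv4-address-space
snapshot and show which stale entry would block a given destination.

Added example, not part of the original post and not firehol's own code.
"""
import csv
import io
import ipaddress

# Constructed sample following the column layout of IANA's CSV export
# (assumption: header names "Prefix" and "Status [1]"). Only a few rows.
IANA_SAMPLE = """\
Prefix,Designation,Date,Whois,RDAP,Status [1],Note
000/8,IANA - Local Identification,1981-09,,,RESERVED,
010/8,IANA - Private Use,1995-06,,,RESERVED,
023/8,ARIN,2010-11,whois.arin.net,https://rdap.arin.net/registry,ALLOCATED,
031/8,RIPE NCC,2010-05,whois.ripe.net,https://rdap.db.ripe.net/,ALLOCATED,
039/8,Administered by ARIN,1995-04,whois.arin.net,https://rdap.arin.net/registry,LEGACY,
127/8,IANA - Loopback,1981-09,,,RESERVED,
"""

# Constructed stale RESERVED_IPS content (assumption: whitespace-separated
# CIDR blocks, '#' starts a comment), as an old firehol install might carry.
STALE_RESERVED_IPS = "0.0.0.0/8 10.0.0.0/8 23.0.0.0/8 31.0.0.0/8 39.0.0.0/8 127.0.0.0/8  # old"


def iana_reserved_blocks(registry_csv):
    """Return the blocks the registry snapshot still marks as RESERVED."""
    reserved = set()
    for row in csv.DictReader(io.StringIO(registry_csv)):
        status_key = next(k for k in row if k.startswith("Status"))
        if row[status_key].strip() != "RESERVED":
            continue
        # Registry prefixes look like "023/8": first octet plus prefix length.
        first_octet, prefix_len = row["Prefix"].split("/")
        reserved.add(ipaddress.ip_network(f"{int(first_octet)}.0.0.0/{prefix_len}"))
    return reserved


def parse_reserved_ips(text):
    """Parse RESERVED_IPS text: whitespace-separated CIDRs, '#' comments."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        for token in line.split():
            nets.append(ipaddress.ip_network(token, strict=False))
    return nets


def stale_entries(reserved_ips, iana_reserved):
    """RESERVED_IPS entries that no longer lie inside an IANA RESERVED block."""
    return [n for n in reserved_ips if not any(n.subnet_of(r) for r in iana_reserved)]


def blocking_entries(reserved_ips, destination):
    """RESERVED_IPS entries that would match (and so drop) traffic to destination."""
    addr = ipaddress.ip_address(destination)
    return [n for n in reserved_ips if addr in n]


if __name__ == "__main__":
    nets = parse_reserved_ips(STALE_RESERVED_IPS)
    iana = iana_reserved_blocks(IANA_SAMPLE)
    for n in stale_entries(nets, iana):
        print(f"stale: {n} is no longer RESERVED in the registry snapshot")
    for n in blocking_entries(nets, "23.21.209.12"):
        print(f"23.21.209.12 would be dropped by RESERVED_IPS entry {n}")
```

Run against a fresh registry download instead of the sample and the stale list reports exactly the entries that produce rules like the `-s 23.0.0.0/8 -j RETURN` line quoted above, which is the check worth running before any regenerated reserved list is loaded into the firewall.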