Home / server / Questions / 372975
Accepted
estol
Asked: 2012-03-25 03:26:45 +0800 CST

Ping: sendmsg: operation not permitted error after installing iptables on Arch GNU/Linux

  • 772

Yesterday I got a new computer as my homeserver, a HP Proliant Microserver. Installed Arch Linux on it, with kernel version 3.2.12.

After installing iptables (1.4.12.2 - the current version AFAIK) and changing the net.ipv4.ip_forward key to 1, and enabling forwarding in the iptables configuration file (and rebooting), the system cannot use any of its network interfaces. Ping fails with

Ping: sendmsg: operation not permitted

If I remove iptables completely, networking is okay, but I need to share the Internet connection to the local network.

eth0 - wan NIC integrated on the motherboard (Broadcom NetXtreme BCM5723).

eth1 - lan NIC in a pci-express slot (Intel 82574L Gigabit Network)

Since it works without iptables(server can access the internet, and I can login with ssh from the internal network), I assume it has something to do with iptables. I do not have much experience with iptables, so I used these as reference (separate from each other of course...):

wiki.archlinux.org/index.php/Simple_stateful_firewall#Setting_up_a_NAT_gateway

revsys.com/writings/quicktips/nat.html

howtoforge.com/nat_iptables

On my previous server, I used the revsys guide to set up nat, worked like a charm.

Anyone experienced anything like this before? What am I doing wrong?

networking nat iptables arch-linux

4 Answers

  1. Best Answer

    The error message:

    Ping: sendmsg: operation not permitted

    means that your server is not allowed to send ICMP packets. You need to allow your server to send traffic via one or more of the configured interfaces. You can do this by:

    1. Set OUTPUT chain policy to ACCEPT to allow all outgoing traffic from your box:

      sudo iptables -P OUTPUT ACCEPT
    2. Set OUTPUT chain policy to DROP and then allow selectively the type of traffic you need.

    This applies to all chains not only the OUTPUT chain. INPUT chain controls the traffic received by your box. FORWARD chain deals with traffic forwarded through the box.

    • 33

  2. To me, on Debian 9, it helped just to reinstall ping:

    apt-get install --reinstall iputils-ping
    • 4

  3. If you maintain a right set of iptables, you need to allow outgoing ping :

    # Allow outgoing ping
iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
    • 1

  4. Another option is to reset all of iptable rules.

    Set the default policy on the iptables to ACCEPT:

    iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
#Then flush the rules:
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD

    See also How to reset Ubuntu 12.04 iptables to default without locking oneself out?

    • 1