Problem description
The client cannot ping the server even though the server's kernel is not configured to block ping.
Possible cause
The internal firewall policy of the server system blocks the client.
Solution
Start troubleshooting
- Log on to the server and run the following command to prepare for packet capture.
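tcpdump -l -i eth0 host [$Eth0_IP] | grep ICMP
Note: [$Eth0_IP] is the IP address of the eth0 network interface controller. The -l option line-buffers the tcpdump output so that grep shows each packet as it arrives.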
- Log on to the client and run the following command to test the connectivity between the client and the server:
ping [$Server_IP]
Note: [$Server_IP] is the public IP address of the server.
Analysis of troubleshooting results
- The following packet capture result is displayed on the server. You can see that the client sends data packets every 5 seconds, but the server does not send any response packet.
- The likely cause is that the server's firewall or third-party security software is blocking the client.
- Log on to the server and run the following command to view the firewall configuration information:
iptables -nL --line-number
The following shows the detailed configuration. You can see that the firewall adopts a DROP policy for the client data packets, so the server cannot respond to the client data packets.
Fixes
This section describes how to disable the firewall and delete the corresponding blocking rules.
Disable the firewall.
Log on to the server. If your environment permits, run the following command to temporarily disable the firewall:
systemctl stop firewalld
Delete the blocking rule.
Log on to the server and run the following command to delete the corresponding blocking rule in the firewall:
iptables -D INPUT -s [$Client_IP] -j DROP
Note: [$Client_IP] is the IP address of the client.
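The following Python parser is an added example, not part of the original article. It reads the output of iptables -nL --line-number and lists the INPUT rules that can block ICMP from a given client, so that only those rules are deleted by number instead of stopping the whole firewall. The sample listing, the addresses, and the function names blocking_rules and delete_commands are constructed for illustration.

```python
import ipaddress

# Constructed sample of `iptables -nL --line-number` output (not from the article).
SAMPLE = """\
Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2    DROP       tcp  --  203.0.113.7          0.0.0.0/0            tcp dpt:23
3    DROP       all  --  203.0.113.7          0.0.0.0/0
4    REJECT     icmp --  203.0.113.0/24       0.0.0.0/0            reject-with icmp-port-unreachable
5    DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP)
num  target     prot opt source               destination
1    DROP       all  --  203.0.113.7          0.0.0.0/0
"""

ICMP_PROTOS = {"all", "icmp", "0", "1"}  # some iptables versions print numbers with -n
BLOCKING = {"DROP", "REJECT"}


def blocking_rules(listing, client_ip):
    """Return (num, target, source, extra) for INPUT rules that can block ICMP from client_ip."""
    client = ipaddress.ip_address(client_ip)
    chain, hits = None, []
    for line in listing.splitlines():
        f = line.split()
        if not f:
            continue
        if f[0] == "Chain":
            chain = f[1]  # track which chain the following rule lines belong to
            continue
        if chain != "INPUT" or not f[0].isdigit() or len(f) < 6:
            continue  # skip other chains and the column header line
        num, target, prot, source = int(f[0]), f[1], f[2], f[4]
        negated = source.startswith("!")  # "!addr" matches every source except addr
        covers = client in ipaddress.ip_network(source.lstrip("!"), strict=False)
        if target in BLOCKING and prot in ICMP_PROTOS and covers != negated:
            hits.append((num, target, source, " ".join(f[6:])))
    return hits


def delete_commands(hits):
    """Delete by rule number, highest first so earlier deletions do not renumber later ones.
    A catch-all source (0.0.0.0/0) is reported by blocking_rules but never proposed here."""
    specific = [h for h in hits if h[2] != "0.0.0.0/0"]
    return [f"iptables -D INPUT {num}" for num, *_ in sorted(specific, reverse=True)]
```

Rules that carry extra match conditions are returned with those conditions in the last field so that you can judge whether they apply to ping before deleting anything.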
Verify the result.
- Log on to the client and run the following command to make sure that the client can successfully ping the server:
ping [$Server_IP]
- Log on to the server and obtain the following packet capture information. Verify that the server has returned a response.
Application scope
- Elastic Compute Service