Troubleshooting “Ping: sendmsg: operation not permitted” Error After iptables Installation on Arch Linux

When setting up a new HP Proliant Microserver with Arch Linux (kernel 3.2.12), network functionality breaks immediately after installing iptables 1.4.12.2 and enabling IP forwarding. The specific symptom is ping failing with the sendmsg: operation not permitted error, while complete iptables removal restores normal network operation.

Network Interfaces:
- eth0: Broadcom NetXtreme BCM5723 (WAN)
- eth1: Intel 82574L (LAN)

Kernel Parameters:
net.ipv4.ip_forward = 1

From analyzing similar cases, these are the most frequent misconfigurations when setting up NAT with iptables:

  1. Missing MASQUERADE rule for outgoing traffic
  2. Incorrect chain traversal order
  3. Overly restrictive OUTPUT chain policies
  4. Failure to allow established/related connections

Here's a working configuration that maintains both NAT functionality and basic network operations:

# Flush existing rules
iptables -F
iptables -t nat -F
iptables -t mangle -F

# Set default policies
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# Allow loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Allow established/related connections
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# NAT configuration
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Allow ICMP (ping)
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT

To make these rules survive reboots:

# Save rules
iptables-save > /etc/iptables/iptables.rules

# Enable service
systemctl enable iptables
systemctl start iptables

When troubleshooting, these commands help identify the issue:

# Check current rules
iptables -L -v -n
iptables -t nat -L -v -n

# Verify packet flow: TRACE logs each matching packet's path through the
# tables to the kernel log (dmesg / journalctl -k). Limit it to ICMP so the
# log stays readable, and delete the rules (iptables -t raw -D ...) when done
iptables -t raw -A PREROUTING -p icmp -j TRACE
iptables -t raw -A OUTPUT -p icmp -j TRACE

# Check kernel parameters
sysctl net.ipv4.ip_forward

For newer systems, consider migrating to nftables:

# Basic NAT configuration with nftables (load with: nft -f <file>)
# Start from a clean ruleset so stale chains cannot shadow these rules
flush ruleset

table ip nat {
    chain postrouting {
        type nat hook postrouting priority srcnat;
        oifname "eth0" masquerade
    }
}

table inet filter {
    chain input {
        type filter hook input priority 0;
        policy drop;
        ct state established,related accept
        iifname "lo" accept
        icmp type echo-request accept
    }

    chain forward {
        type filter hook forward priority 0;
        policy drop;
        ct state established,related accept
        iifname "eth1" oifname "eth0" accept
    }
}

When setting up a new Arch Linux server with iptables for NAT, the sudden appearance of the ping: sendmsg: Operation not permitted error typically indicates one of several common configuration issues:

  • Missing or incorrect OUTPUT chain rules
  • Overly restrictive default policies
  • Incorrect interface assignments
  • Missing ICMP protocol permissions

First, verify your current iptables configuration:

# Check current rules
sudo iptables -L -v -n

# Check NAT table rules
sudo iptables -t nat -L -v -n

# Check filter table policies
sudo iptables -t filter -L -v -n | grep policy

The most likely cause is an overly restrictive OUTPUT chain rule or policy. The error itself is the kernel's EPERM, which a socket receives when a packet it generated is dropped by a netfilter hook in the local output path (the OUTPUT chains) before it ever leaves the host; a packet lost on the network would produce a timeout instead, not this error. Here's a minimal working configuration that maintains security while allowing basic connectivity:

# Flush existing rules
sudo iptables -F
sudo iptables -t nat -F

# Set default policies (DROP for input and forward, ACCEPT for output).
# With FORWARD set to ACCEPT the two FORWARD rules below would be no-ops,
# and any traffic between eth0 and eth1 would be forwarded.
sudo iptables -P INPUT DROP
sudo iptables -P OUTPUT ACCEPT
sudo iptables -P FORWARD DROP

# Allow established/related connections
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Allow loopback interface
sudo iptables -A INPUT -i lo -j ACCEPT

# Allow ICMP (ping)
sudo iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

# NAT configuration for internet sharing
sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
sudo iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
sudo iptables -A FORWARD -i eth0 -o eth1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# Save rules. iptables-save ships with Arch's iptables package; the redirect
# must itself run as root, since sudo does not apply to the shell's redirection
sudo sh -c 'iptables-save > /etc/iptables/iptables.rules'

For Arch Linux specifically, ensure the iptables service is enabled:

sudo systemctl enable iptables
sudo systemctl start iptables

Verify the rules are loaded at boot by checking:

sudo iptables -L -v -n

Confirm your interface assignments match your physical configuration:

ip link show
ip addr show

If your interfaces appear under different names (the predictable names such as enp2s0 that newer systemd/udev versions assign), adjust your iptables rules accordingly or create udev rules to keep the eth0/eth1 naming consistent.

After applying these changes, test both incoming and outgoing connectivity:

# Test outgoing connectivity
ping -c 4 8.8.8.8

# Test incoming connectivity (from another machine)
ping -c 4 your_server_ip
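The checks that both checklists above describe (OUTPUT chain policy, ESTABLISHED,RELATED rules on chains with a DROP policy, and the MASQUERADE rule) can be run mechanically against an iptables-save dump. The script below is an added example, not part of the original page; the two dumps it inspects are constructed samples, and the function names (chain_policy, has_rule, audit_dump) are my own. On a live system, call `audit_dump "$(iptables-save)"` as root.

```shell
# Audit an iptables-save dump for the misconfigurations listed on this page.
# Both dumps are constructed samples, not captures from the server.
# Failure case: OUTPUT policy DROP with no ACCEPT rule, so every locally
# generated packet is refused and sendmsg() returns EPERM.
BROKEN_DUMP='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
COMMIT'
# Working case, matching the configuration given earlier on this page.
GOOD_DUMP='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
COMMIT'
# Print the policy of chain $2 in table $1; the dump is read from stdin.
chain_policy() {
  awk -v t="*$1" -v c=":$2" \
    '/^\*/ { in_t = ($1 == t); next } in_t && $1 == c { print $2; exit }'
}
# Succeed if the dump on stdin has a rule matching extended regex $1.
has_rule() { grep -Eq -- "$1"; }
# Print one finding per line for dump $1; print nothing when it looks sane.
audit_dump() {
  d="$1"
  if [ "$(printf '%s\n' "$d" | chain_policy filter OUTPUT)" = DROP ] &&
     ! printf '%s\n' "$d" | has_rule '^-A OUTPUT .*-j ACCEPT'; then
    echo "OUTPUT: policy DROP, no ACCEPT rule -> sendmsg: Operation not permitted"
  fi
  for chain in INPUT FORWARD; do
    if [ "$(printf '%s\n' "$d" | chain_policy filter "$chain")" = DROP ] &&
       ! printf '%s\n' "$d" | has_rule "^-A $chain .*--ctstate .*ESTABLISHED"; then
      echo "$chain: policy DROP without an ESTABLISHED,RELATED rule -> replies dropped"
    fi
  done
  printf '%s\n' "$d" | has_rule '^-A POSTROUTING .*-j MASQUERADE' ||
    echo "nat: no MASQUERADE in POSTROUTING -> LAN hosts are not translated"
}
audit_dump "$BROKEN_DUMP"
```

Running it on the broken dump prints four findings, the first being the one that produces the sendmsg error; the working dump prints nothing.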