tunabread | hi | 00:10 |
---|---|---|
tunabread | someone got a minute to help a poor noob with network troubles ? | 00:11 |
stlsaint | tunabread: we can try, just ask the question | 00:11 |
tunabread | its ... complicated | 00:11 |
stlsaint | tunabread: first off did you try google | 00:12 |
tunabread | i have a 10.04 LTS server installation on a vserver | 00:12 |
tunabread | yes, i tried google | 00:12 |
stlsaint | ok | 00:12 |
tunabread | i cant get any network connection in or out from the machine | 00:12 |
tunabread | i have VNC access, so i can access the shell | 00:12 |
stlsaint | does host have net access? | 00:13 |
tunabread | the only thing i did, was change the sshd_config file, and flush iptables | 00:13 |
tunabread | well my ISP management console says, yes. | 00:13 |
stlsaint | tunabread: what did you change within the sshd | 00:13 |
tunabread | i enabled protocol 1 | 00:14 |
tunabread | so i changed the line "protocol 2" to "protcol 2,1" | 00:14 |
stlsaint | have you tried removing that? | 00:14 |
tunabread | i already changed it back | 00:14 |
tunabread | yes, had no effect | 00:14 |
stlsaint | tunabread: what iptables did you flush? | 00:14 |
tunabread | i reloaded the SSH, too | 00:14 |
tunabread | well i used "iptables -F" | 00:14 |
tunabread | so it should flush all rules ? | 00:14 |
tunabread | i used that before on another machine, to disable iptables, for testing | 00:15 |
tunabread | then reloaded the rules, worked. | 00:15 |
tunabread | can you give me a hint what i should check ? | 00:16 |
tunabread | i tried ping, textmode browser, nothing works | 00:16 |
stlsaint | well what rules did you remove | 00:16 |
tunabread | i might mention, it worked before :) | 00:16 |
stlsaint | iptables -F just flushes the rules, not technically "disabling" them | 00:17 |
stlsaint | tunabread: what do you get when you ping say google? | 00:17 |
tunabread | unknown host | 00:18 |
tunabread | if i try to ping DNS servers, network is unreachable | 00:18 |
stlsaint | tunabread: what is the ipaddress? | 00:19 |
tunabread | 176.31.159.85 | 00:19 |
tunabread | i guess the problem might be in iptables | 00:20 |
tunabread | i'm not that experienced with iptables, a friend of mine set it up and defined the rules | 00:20 |
tunabread | if you know what file you need to see, just tell me | 00:21 |
stlsaint | if he did it right then he should have saved them in a .rules | 00:21 |
stlsaint | hopefully in /etc | 00:21 |
stlsaint | look for something like /etc/iptables.rules | 00:21 |
tunabread | yes, there is a file | 00:21 |
stlsaint | can you paste them here: paste.ubuntu.com | 00:22 |
stlsaint | the rules | 00:23 |
tunabread | i only have VNC, so i can only take a screenshot or type them down manually | 00:24 |
tunabread | http://web219.server-drome.info/web/iptables.png | 00:24 |
tunabread | just say if i shall type them for you | 00:24 |
stlsaint | tunabread: well i couldnt see that screen so do you want to re-enable those rules? | 00:26 |
tunabread | first, i would like to gain network access again | 00:27 |
tunabread | like, at all | 00:27 |
stlsaint | tunabread: did you have access when you had the rules up? | 00:29 |
tunabread | yes. | 00:29 |
tunabread | i changed the sshd config, and reloaded sshd | 00:30 |
stlsaint | well then we should probably put them back. have you tried that yet, re-enabling rules? | 00:30 |
tunabread | no | 00:30 |
stlsaint | tunabread: what is the name of that .rules file? | 00:30 |
tunabread | iptables.rules | 00:31 |
stlsaint | iptables-restore << /etc/iptables.rules | 00:31 |
stlsaint | tunabread: it work? | 00:33 |
tunabread | the VNC is using a very strange keyboard layout, i'm struggling to find the << | 00:34 |
stlsaint | tunabread: if you can find the keys you can just re-enter the rules manually | 00:39 |
tunabread | i found a way, ALT+60 on keypad | 00:40 |
stlsaint | kk, check the rules with iptables -L | 00:40 |
tunabread | iptables seems to hang up when i enter your command | 00:42 |
stlsaint | take away one of the < | 00:43 |
stlsaint | iptables-restore < /etc/iptables.rules | 00:43 |
tunabread | iptables-restore v1.4.4: no command specified | 00:45 |
tunabread | Error occured at line: 16 | 00:45 |
tunabread | Try 'iptables-restore -h' or 'iptables-restore --help' for more information. | 00:46 |
stlsaint | did you enter entire command? | 00:47 |
stlsaint | as it should show: | 00:47 |
tunabread | yes. | 00:47 |
stlsaint | well you entered something wrong | 00:47 |
stlsaint | tunabread: what is the location of that iptables.rules file? | 00:47 |
tunabread | /etc/ | 00:47 |
tunabread | when i cd into /etc/ and enter "cat iptables.rules" i get the right output | 00:49 |
tunabread | i entered: sudo iptables-restore < /etc/iptables.rules | 00:49 |
stlsaint | well since your already in the /etc directory just do: iptables-restore < iptables.rules | 00:50 |
tunabread | i tried, same output | 00:50 |
tunabread | what does error line 16 mean ? doesnt it try to parse the file already ? | 00:50 |
stlsaint | i would need to see the content of the file | 00:51 |
tunabread | yes | 00:51 |
stlsaint | there is an error at line 16 of the rules | 00:51 |
tunabread | i just finished typing | 00:51 |
tunabread | http://pastebin.com/9tYX1qkV | 00:51 |
tunabread | the -ü in line 10 is a typo, it does not exist in the real file. sorry | 00:52 |
tunabread | http://pastebin.com/rcJxUV0q | 00:54 |
tunabread | two typos corrected | 00:54 |
tunabread | i am pretty sure that these rules were used before | 00:55 |
tunabread | since he noted that in the install-log | 00:55 |
tunabread | we have a log where we both write down everything we change | 00:55 |
stlsaint | tunabread: remove that space underneath the last rules listing in the file | 00:56 |
tunabread | he also noted the name and location of the file (iptables.rules) | 00:56 |
stlsaint | tunabread: also the naming is wrong | 00:57 |
stlsaint | or else you typed it wrong when you typed cat iptabls.rules on the paste | 00:57 |
stlsaint | tunabread: but remove that space under line | 00:57 |
tunabread | yes, i typed it wrong. sorry | 00:57 |
tunabread | what space under line ? | 00:57 |
tunabread | line 17 ? | 00:58 |
stlsaint | no | 00:58 |
stlsaint | you are counting wrong, line 16 is the space, 15 is the rule, according to your paste | 00:58 |
tunabread | there is a blank line, and i shall delete that ? | 00:59 |
tunabread | the line after -A INPUT -j DROP ? | 00:59 |
stlsaint | yes | 01:00 |
tunabread | ok | 01:01 |
tunabread | it worked, no error, and iptables -L shows all the rules | 01:02 |
stlsaint | check net | 01:02 |
tunabread | network is unreachable | 01:03 |
tunabread | do the rules make sense to you ? | 01:03 |
stlsaint | honestly i didn't really look, just looked at the error line | 01:03 |
tunabread | do you know an acceptable picture hosting service ? | 01:04 |
stlsaint | so youve changed the ssh back and readded the rules | 01:04 |
tunabread | yes | 01:04 |
stlsaint | still no net | 01:04 |
tunabread | yes | 01:04 |
tunabread | what would you check ? | 01:04 |
stlsaint | tunabread: what does ifconfig show | 01:05 |
tunabread | http://imageshack.us/photo/my-images/259/ifconfig.png/ | 01:06 |
tunabread | i hope thats acceptable | 01:06 |
tunabread | http://imageshack.us/photo/my-images/208/iptables.png/ | 01:06 |
stlsaint | your not pulling an ipaddress | 01:07 |
tunabread | oh | 01:07 |
tunabread | it is possible that my ISP screwed something up. at least, i would not be surprised by that. | 01:08 |
tunabread | just mentioning | 01:08 |
stlsaint | how does the vserver work? | 01:08 |
stlsaint | host? | 01:08 |
tunabread | they say KVM | 01:08 |
tunabread | what details do you need ? | 01:09 |
stlsaint | so you have a host server providing a kvm virtual machine which you are trying now? | 01:10 |
tunabread | they call it "full kvm", it behaves like a root | 01:10 |
tunabread | i can insert any iso to boot from, and install | 01:10 |
tunabread | i can even install windows, os/2, whatever | 01:10 |
tunabread | its not a shared kernel | 01:10 |
stlsaint | right | 01:10 |
stlsaint | ok | 01:10 |
tunabread | it behaves like a dedicated root | 01:10 |
tunabread | but the hardware is emulated, i think by QEMU | 01:11 |
tunabread | if you can read german, you can look it up here | 01:11 |
tunabread | https://www.filemedia.de/vserver/lightbox | 01:11 |
tunabread | doesnt give that much details, tho | 01:11 |
sandyd | anyone here ask about kvm? | 01:12 |
stlsaint | tunabread: one sec | 01:12 |
tunabread | :D | 01:12 |
stlsaint | sandyd: hey | 01:12 |
stlsaint | sandyd: so here is quick brief: | 01:13 |
stlsaint | op: tunabread , is using a kvm vm but lost net access | 01:13 |
stlsaint | sandyd: he deleted his iptables and changed sshd_config protocol setting | 01:13 |
stlsaint | sandyd: after readding iptables i helped with and changing the sshd back he still does not have access | 01:13 |
stlsaint | sandyd: ifconfig does not show an ip but i could be wrong there | 01:14 |
stlsaint | sandyd: ifconfig output: http://imageshack.us/photo/my-images/259/ifconfig.png/ | 01:14 |
sandyd | If you are using KVM, ifconfig must show an ip | 01:14 |
sandyd | I suspect that the ip is not binding correctly | 01:14 |
sandyd | cat /etc/network/interfaces | 01:14 |
stlsaint | THATS what i was thinking of lol | 01:15 |
stlsaint | dang it | 01:15 |
sandyd | ^^run that and get output | 01:15 |
stlsaint | flipping interfaces, wanting to see if bridge or anything | 01:15 |
stlsaint | tunabread: take all commands from sandyd from here out | 01:15 |
* stlsaint fades into fog..... | 01:15 | |
tunabread | http://imageshack.us/photo/my-images/826/catinterfaces.png/ | 01:16 |
tunabread | all i got left is crappy VNC, cant copy&paste text since output is pixels .. | 01:17 |
sandyd | alright, tunabread, this is the part I am not sure about | 01:17 |
tunabread | thank you for your help stlsaint :) | 01:17 |
sandyd | that VM is supposed to have a static ip right? | 01:17 |
tunabread | yes | 01:17 |
tunabread | the ip was static for ages | 01:17 |
sandyd | well, you have configured the address as dhcp | 01:17 |
tunabread | i can set one in the manager i got. | 01:17 |
sandyd | it will not work like that. | 01:18 |
tunabread | i didnt touch that config, and it worked for months | 01:18 |
tunabread | ok | 01:18 |
sandyd | if you have a static ip, it should say something like | 01:18 |
sandyd | iface eth0 inet static | 01:18 |
tunabread | IP Address 176.31.159.85 | 01:19 |
tunabread | Gateway 176.31.159.81 | 01:19 |
tunabread | Netmask 255.255.255.240 | 01:19 |
tunabread | Nameserver 213.186.33.99 | 01:19 |
tunabread | Nameserver 134.91.66.55 | 01:19 |
tunabread | thats what my manager says | 01:19 |
tunabread | so, why dont we just configure it correctly ? | 01:19 |
sandyd | pastebining it right now | 01:19 |
sandyd | there are tabs that can't be created in irc :| | 01:20 |
tunabread | ok | 01:20 |
tunabread | you know that i have to type it in manually anyway ? | 01:20 |
sandyd | point | 01:21 |
sandyd | let see... | 01:21 |
sandyd | type this in. After the second line, there is a tab for everything | 01:21 |
sandyd | iface eth0 inet static | 01:21 |
sandyd | address 176.31.159.85 | 01:21 |
sandyd | netmask 255.255.255.240 | 01:21 |
tunabread | got that | 01:22 |
sandyd | dns-nameservers 213.186.33.99 134.91.66.55 | 01:22 |
sandyd | I think that is it, because you don't have any broadcast/network | 01:23 |
tunabread | its nameserver1 and nameserver2, right ? | 01:23 |
sandyd | sudo /etc/init.d/networking restart | 01:23 |
sandyd | yes | 01:23 |
sandyd | you might lose connection with the last command | 01:23 |
sandyd | so you replace everything under auto eth0 with the stuff I typed above | 01:23 |
tunabread | they do the VNC with some other machine, one level above | 01:24 |
sandyd | add the pre-up iptables-restore | 01:24 |
tunabread | you can even enter the virtual BIOS over the VNC thingy | 01:24 |
tunabread | so, no issue there | 01:24 |
sandyd | at the last line | 01:24 |
tunabread | done | 01:24 |
sandyd | try restarting the network using the command | 01:25 |
tunabread | i did | 01:25 |
sandyd | check ifconfig | 01:25 |
sandyd | the ip should be there | 01:25 |
tunabread | it says *reconfiguring network interfaces ... | 01:25 |
tunabread | don't seem to be have all the variables for eth0/inet. | 01:25 |
tunabread | failed to bring up eth0 | 01:25 |
sandyd | lemme check. might have made a typo | 01:26 |
sandyd | can you post a screenshot of the new network/interfaces? | 01:26 |
tunabread | if you have a VNC client, you could connect to the VNC server and look over my shoulder live ? | 01:26 |
tunabread | but i can do that, too | 01:26 |
sandyd | oops | 01:26 |
sandyd | I forgot the gateway | 01:26 |
tunabread | yes. | 01:27 |
sandyd | gateway 76.31.159.8 | 01:27 |
sandyd | place that before the pre-up iptables-restore | 01:27 |
sandyd | its configured differently in fedora lol | 01:27 |
sandyd | try restarting and see if the interface comes back up | 01:28 |
tunabread | same output for network restart | 01:28 |
tunabread | same error | 01:28 |
sandyd | post the output of cat /etc/network/interfaces | 01:29 |
tunabread | http://imageshack.us/photo/my-images/694/newinterfaces.png/ | 01:29 |
sandyd | you misspelled address | 01:30 |
sandyd | there is an extra d | 01:30 |
sandyd | or maybe i did | 01:30 |
sandyd | nah. just add the d in, remove the 1 from the nameserver | 01:31 |
sandyd | in fact, remove both lines | 01:31 |
tunabread | my fault | 01:31 |
sandyd | it should just be | 01:31 |
sandyd | dns-nameservers 213.186.33.99 134.91.66.55 | 01:31 |
tunabread | oh. ok | 01:31 |
tunabread | SIOCADDRT: No such process | 01:32 |
tunabread | Failed to bring up eth0. | 01:32 |
tunabread | (help) :C | 01:32 |
sandyd | add a 1 in front of the gateway | 01:33 |
sandyd | i mean in front of the 7 where it says gateway | 01:33 |
sandyd | so that its 176 | 01:33 |
sandyd | .*** | 01:33 |
sandyd | and restart | 01:33 |
tunabread | http://imageshack.us/photo/my-images/96/siocaddrt.png/ | 01:33 |
tunabread | same output. | 01:34 |
tunabread | ha ! | 01:34 |
tunabread | i found it | 01:34 |
tunabread | the gateway's last byte is 81 | 01:35 |
tunabread | not 8 | 01:35 |
tunabread | reconfig says OK | 01:35 |
sandyd | lol. more of my typos. | 01:35 |
sandyd | typical me | 01:35 |
stlsaint | hehe | 01:35 |
tunabread | i'm incredibly tired. | 01:35 |
sandyd | working now? | 01:35 |
sandyd | check the ping, tracert, .etc .etc | 01:35 |
tunabread | was too busy celebrating | 01:35 |
tunabread | yay ! | 01:36 |
sandyd | stlsaint, these are typos that usually lead people astray in the UF | 01:36 |
tunabread | ping to google DNS works | 01:36 |
sandyd | excellent :) | 01:36 |
sandyd | good to see that it works | 01:36 |
tunabread | i thank you very, very much | 01:36 |
sandyd | I advise you to back the file up | 01:36 |
tunabread | yes | 01:37 |
sandyd | your welcome :) | 01:37 |
tunabread | any idea how it got lost in the first place ? | 01:37 |
stlsaint | sandyd: thank | 01:37 |
tunabread | thank you too, stlsaint :) | 01:37 |
stlsaint | tunabread: stop changing stuff ;) | 01:37 |
tunabread | but :C | 01:37 |
sandyd | nope. There is nothing much that will change something from static to dhcp mysteriously | 01:37 |
sandyd | lol | 01:37 |
tunabread | i didnt touch network config | 01:38 |
sandyd | maybe someone else touched it? | 01:38 |
tunabread | no | 01:38 |
sandyd | most servers (if configured properly) have security logs | 01:38 |
tunabread | there are only two people with root access, me and a very, very good friend. who is on vacation in the wildness of norway without even cellphone. | 01:38 |
tunabread | i checked the logs | 01:38 |
sandyd | or rather, mine does. If you edit the interfaces, the warnings immediately sound | 01:39 |
tunabread | there is very, very few software running on this server | 01:39 |
sandyd | not sure what could cause that. ive never seen that before | 01:39 |
tunabread | we got another server, and my friend set up the logging so that the log is written to that server, too | 01:40 |
tunabread | and there is munin monitoring installed, and it showed nothing special | 01:40 |
tunabread | i restarted the server ? | 01:40 |
tunabread | and my ISP tends to do random changes to everything for no reason | 01:40 |
tunabread | maybe it was on dhcp first, but worked magically ? | 01:40 |
stlsaint | tunabread: naw, i think something reverted it back to dhcp from static | 01:41 |
tunabread | well the reason i started changing stuff in the first place: i need someone to connect to the server via SSH with an encryption of less than 128 bit | 01:41 |
tunabread | he lives in france, and encryption above 128bit is illegal there | 01:42 |
tunabread | so i thought, i give him a restricted user account and allow ssh protocol 1 for his account | 01:42 |
tunabread | not sure if thats a good idea | 01:42 |
stlsaint | tunabread: simple temp password probably would not have sufficed? | 01:42 |
escott | tunabread, for all that is holy. WHO CARES. if he really wants to obey the law just email his password to the government | 01:43 |
sandyd | gen a ssh key at 64bit | 01:43 |
sandyd | send it over, and let him have fun | 01:43 |
tunabread | its still illegal, he isnt even allowed to download an SSH client capable of protocol 2 as far as i understood | 01:43 |
tunabread | how do i do that ? | 01:43 |
escott | tunabread, telnet? | 01:43 |
tunabread | hum | 01:44 |
escott | tunabread, i would not reduce security for all your other users just because the french are morons | 01:44 |
tunabread | he does not need root, he does only need access to his home dir | 01:44 |
tunabread | is there any _safe_ way to do that ? | 01:44 |
sandyd | http://www.guyrutenberg.com/2007/10/05/ssh-keygen-tutorial-generating-rsa-and-dsa-keys/ | 01:45 |
sandyd | use DSA keys | 01:45 |
tunabread | ok | 01:45 |
tunabread | well it CAN be 128bit | 01:45 |
tunabread | just not above | 01:45 |
sandyd | then use dsa at 128bit | 01:45 |
sandyd | or use openvpn at 128bit | 01:45 |
tunabread | see, i'm not really experienced | 01:46 |
tunabread | so i try to keep the stuff on the server limited | 01:46 |
tunabread | i now know how to configure SSH and i know the basics because i read thru them, and i think i did it safe | 01:46 |
tunabread | if its not installed, it cant cause problems | 01:47 |
sandyd | so use the ssh tutorial above | 01:47 |
tunabread | yes | 01:47 |
tunabread | thank you, i will try that | 01:47 |
sandyd | replace RSA with DSA, and you can generate under 1024 | 01:47 |
tunabread | would that encryption still need serious time to crack ? | 01:47 |
sandyd | not as secure. mind you, but it would be fine | 01:47 |
escott | tunabread, the problem is that even if your key is 128bit your stream cipher would probably be illegal | 01:47 |
tunabread | hum | 01:48 |
tunabread | i guess the proper way would be, not grant him access at all | 01:48 |
tunabread | i think i know what you mean, escott | 01:49 |
tunabread | does anyone have experience how it is handled in france ? not in theory, practically ? | 01:50 |
sandyd | you want the direct papers? | 01:51 |
tunabread | ? | 01:51 |
tunabread | i dont get that | 01:56 |
tunabread | ssh working again | 01:58 |
tunabread | actually, everything working again | 01:58 |
escott | tunabread, if your client already has the 256bit encryption libraries i would think he is already in breach of the law, and i dont see how you could get in trouble for letting his programs do the default thing | 01:58 |
escott | assuming you are not in france | 01:58 |
tunabread | i'm in germany | 01:59 |
tunabread | i have no troubles, but my friend in france has | 01:59 |
tunabread | i think its no big issue, too, but | 01:59 |
escott | tunabread, so check out the louvre and the eiffel tower now, just in case you arent allowed to enter the country, but i really doubt they care. its not like they seize laptops at the border? | 02:00 |
tunabread | haha | 02:00 |
tunabread | well, he LIVES in france | 02:00 |
escott | tunabread, which means that every tourist visiting paris is violating the law every time they check facebook | 02:00 |
tunabread | isnt SSL 128 bit ? | 02:01 |
tunabread | i thought about that, too | 02:01 |
tunabread | many programs use encryption | 02:01 |
tunabread | without people even noticing | 02:01 |
tunabread | *sigh* | 02:01 |
escott | tunabread, i cant imagine they have any ability to enforce this. its probably just something they throw at people who have already been arrested for some other computer crime | 02:02 |
tunabread | yeah i dont think they scan the french internet for encrypted data streams | 02:02 |
escott | tunabread, most ssl uses 128bit RC4 for the stream, but the key is going to be at least a 1024 bit public key | 02:04 |
tunabread | :@ i'm among crypto experts | 02:07 |
tunabread | you are all from NSA, arent you | 02:07 |
escott | tunabread, im just looking at what the web browser tells me | 02:08 |
escott | tunabread, this seems to be accurate http://rechten.uvt.nl/koops/cryptolaw/cls2.htm#fr | 02:13 |
escott | tunabread, which would suggest that as long as you keep your server out of france you should be in the clear | 02:14 |
tunabread | oh, nice | 02:15 |
tunabread | thank you very much | 02:15 |
primeg1 | im trying to set up irc on empathy but cant join the group. do you use the hash infront of ubuntu? | 04:38 |
Unit193 | To join the channel, yes so it would be #ubuntu (or whatever else you'd want, say a local group as well) | 04:39 |
primeg1 | ok thanks | 04:42 |
=== yofel_ is now known as yofel | ||
=== SkippersBoss_ is now known as skippersboss | ||
luzil | hi, just set up 12.04, while installing jedit editor in software center I saw download size is 40 Mb compared to 4 Mb .deb file on the home page, same with many other programs, why are they so large on ubuntu? Even when i install jedit fresh on windows its never 40 Mb | 22:20 |