/srv/irclogs.ubuntu.com/2014/08/19/#ubuntu-server.txt

00:47 <source47> hi guys. anyone here good in NAT? I am trying to add a NAT rule on my AWS instance so it forwards its internal IP (+port) to the lxc container's IP + port. here is what I am trying: https://gist.github.com/developerinlondon/31b4244113373c22b056
01:03 <Patrickdk> source47, where is the ACCEPT rule? for that nat to work?
01:04 <source47> i didn't know i needed one. i can curl to the IP locally
01:05 <source47> but just added sudo iptables -I FORWARD 1 -p tcp -d 10.0.3.95 --dport 80 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
01:05 <source47> didn't seem to make any diff... do i have to restart?
01:12 <Patrickdk> no
01:13 <source47> added some more info - https://gist.github.com/developerinlondon/31b4244113373c22b056
01:15 <TJ-> source47: The host can otherwise access 10.0.3.95 - ping, etc., ?
01:16 <source47> yes i can run curl from the host
01:16 <Patrickdk> wrong dest
01:16 <source47> eg curl 10.0.3.95:80 works
01:16 <Patrickdk> you really didn't help it
01:16 <source47> ?
01:17 <Patrickdk> iptables -I FORWARD -p tcp -d 10.0.3.95 --dport 80 -j ....
01:17 <source47> oh yes... that seemed to have messed things up now
01:17 <source47> i can't curl anymore
01:17 <source47> from host
01:18 <Patrickdk> heh
01:21 <source47> how can i get rid of that rule?
01:27 <source47> Hmm i removed it
01:27 <source47> but still can't go there anymore..
01:30 <Patrickdk> well, your premise that rule was a problem, was wrong
01:31 <semiosis> source47: you say you're trying to NAT something?  none of your rules are NAT, they're all just ACCEPT/REJECT
01:31 <semiosis> source47: can you just tell me here, in plain language, what you want to translate from/to?
01:32 <source47> oh... i took it from here https://github.com/jtopjian/lxc-nat/blob/master/lxc-nat.rb
01:32 <source47> so basically 172.31.23.17:40000 -> 10.0.3.95:80
01:33 <TJ-> semiosis: You're missing "sudo iptables -t nat -A lxc-nat -d 172.31.23.17 -p tcp --dport 40000 -j DNAT --to 10.0.3.95:80"
01:34 <semiosis> TJ-: ah right, the list is only the filter table
01:34 <TJ-> semiosis: I asked for the iptables-save output; it's in a comment at the end of the gist
01:34 <semiosis> source47: can you add to that gist the output of 'iptables -nvL -t nat' please
01:34 <semiosis> ok
01:34 <semiosis> i see it
01:35 <source47> yea that line was added
01:36 <source47> now i have more copies of the same rule it seems
01:36 <source47> it doesn't dedupe
01:36 <source47> but the rule is the wrong way around it seems..
01:37 <TJ-> source47: I think you need to discriminate on the interface too: "sudo iptables -t nat -A lxc-nat -i <INTERFACE> -d 172.31.23.17 -p tcp --dport 40000 -j DNAT --to 10.0.3.95:80" otherwise packets returning from, I presume, the other end of lxcbr0, will loop back again ?
01:37 <source47> ok let me try that
01:38 <source47> so it would be eth0 i am guessing
01:38 <source47> since that's the external interface
01:38 <TJ-> source47: Yes, if that's the external I/F.
01:38 <semiosis> in ec2 all you have is eth0 & lo
01:38 <TJ-> source47: Also, if you've got multiple rules in there you can delete by using "iptables -t <TABLE> -D <rule-num>", which you can get from listing the table
01:39 <semiosis> oh right lxc, never mind my prev stmt
01:39 * semiosis backs away slowly
01:40 <TJ-> source47: I sometimes 'cheat' by doing iptables-save >/tmp/rules; <edit /tmp/rules>; iptables-load </tmp/rules ;p
01:40 <source47> ah...
01:40 <source47> strange it's not in --list-rules
01:41 <TJ-> source47: not always a good idea if you rely on the rules to keep up a remote connection though, so only use it locally for hacking about
01:41 <source47> https://gist.github.com/developerinlondon/9f5aedc140fc46937db8
01:41 <TJ-> source47: did you specify the nat table?
01:42 <source47> sudo iptables --list-rules
01:42 <source47> that didn't show it
01:42 <semiosis> -t nat
01:42 <TJ-> source47: without a table specifier you only see the filter table; that's why I like iptables-save since it shows all tables and the policies, clearly
01:42 <source47> ah
01:43 <source47> ok sudo iptables -D lxc-nat 1 iptables: No chain/target/match by that name.
01:43 <source47> but i have a line with that name
01:43 <source47> well i have 4
01:48 <source47> hmm... i guess i have to restart.. but strange i can't delete a rule with a name..
01:51 <source47> semiosis: yea it's basically to expose a service from the lxc container to the outside world. in 2 steps, first to expose it to the AWS VPC network, then i can get a proxy to forward external requests to the AWS VPC
01:56 <TJ-> source47: "sudo iptables -t lxc-nat -D 1"
01:56 <source47> iptables v1.4.21: can't initialize iptables table `lxc-nat': Table does not exist (do you need to insmod?)
01:59 <TJ-> source47: sorry... tired typo! "sudo iptables -t nat -D lxc-nat 1"
01:59 <source47> ah that worked
01:59 <source47> thanks
01:59 <source47> ok we are down to 1 rule
02:13 <source47> TJ- so u think it might be working fine locally and could be an issue with AWS firewall?
02:13 <source47> i opened the port in AWS SG also
=== CripperZ- is now known as cripperz
02:16 <TJ-> source47: is the LXC set to block anything not from the host?
02:16 <source47> not that i know of. it's a standard ubuntu install
02:16 <TJ-> source47: does the LXC have a default route? is forwarding enabled on the LXC's default gateway?
02:16 <source47> how can i get into it using the private IP if it was an issue with the lxc?
02:17 <source47> https://gist.github.com/developerinlondon/a9d6aa72a7822caf1a62
02:18 <source47> these are the routes in the container
02:18 <source47> it doesn't even have iptables inside
02:19 <source47> i wonder if we can find a log somewhere where it fails
02:19 <TJ-> source47: Is the host's lxcbr0 allocated 10.0.3.1 ?
02:19 <source47> it seems iptables might not be the issue
02:20 <TJ-> source47: Have you enabled IPv4 forwarding on the host?
02:20 <source47> yep 10.0.3.1 is lxcbr0
02:20 <source47> i enabled ipv4 yes
02:21 <source47> net.ipv6.conf.all.forwarding=1
02:21 <TJ-> that's ipv6
02:21 <source47> net.ipv6.conf.all.forwarding=1
02:21 <source47> strange
02:21 <source47> i am sure i edited ipv4 also
02:22 <source47> net.ipv4.ip_forward=1
02:23 <TJ-> good
02:45 <source47> ah
02:45 <source47> DESTINATION ip-172-31-23-17.ec2.internal
02:45 <source47> that might be the issue TJ- ?
02:45 <source47> https://gist.github.com/developerinlondon/0946497f8729df17a8f5
02:46 <source47> it shouldn't go there..  i would rather it uses the ip or resolves internally.
04:09 <poobutt> hiya, i have a 14.04.01 that keeps crashing and then hangs at boot randomly; what log is best to track down the reason? thanks.
04:13 <poobutt> and weirdly to look at syslog i do not have to be root or use sudo, is that normal?
04:19 <sarnold> poobutt: indeed, most logs don't require privileges to read
04:20 <poobutt> sarnold: ok thanks, just on another 14.04.01 server it does, so i wonder why one requires sudo and one does not as they have the same set up.
04:20 <TJ-> poobutt: if your user is privileged it is likely part of the 'adm' group
04:21 <poobutt> sarnold: do you know where i would find out if the reboot was down to a power cut?
04:21 <poobutt> TJ: thanks, one is a digital ocean server so they may have different core rules compared to a stand alone install.
04:22 <sarnold> poobutt: could be if some files were deleted they may have been recreated with different permissions perhaps..
04:22 <sarnold> oh, I like TJ-'s explanation
04:23 <sarnold> poobutt: if the power is yanked, most systems won't survive long enough to write to the logs about it..
04:24 <poobutt> sarnold: we do have frequent power cuts here (Thailand) so that is most probably the main reason
04:24 <TJ-> Power cuts in a data-center?
04:25 <sarnold> poobutt: can you add a UPS to your system? if you get a smart enough model you could have it power down your system gracefully if the mains are cut for more than thirty seconds, for example..
04:25 <poobutt> no this is a 14.04.01 server at an office with no UPS that runs a zoneminder cctv set up on it
04:25 <poobutt> yes UPS will be the answer but i work with an NGO so always finance issues, try to get best results with no budget ;)
04:26 <TJ-> poobutt: ahhh I misread; thought you meant the failing server was at DO
04:26 <TJ-> poobutt: Make sure to disable disk write caching and make sure the disk syncs quickly
04:27 <poobutt> TJ: thanks for the tip, will implement that now
05:01 <Kalki-> how can i update my users' files from /etc/skel so that they come with the right ownerships ?
05:01 <Kalki-> like .bashrc and things like that
05:02 <sarnold> sed -i~kalki 's/foo/bar/g'/ /home/*/.bashrc
05:02 <sarnold> then re-chmod as needed
05:02 <sarnold> or chown rather
05:02 <sarnold> must be bedtime
05:04 <Abhijit> i set root login to true and set password in preseed file. used cobbler to install ubuntu. still can not login with username root and the set password. help
05:23 <jpds> Abhijit: With SSH or?
05:23 <Abhijit> no ssh. direct access. kvm
05:25 <Abhijit> jpds, ^
=== cripperz is now known as CripperZ
=== kaitanya_ is now known as pokkos
=== pokkos is now known as neurotus
05:53 <Abhijit> how can i make apache serve /var/www/html/server when user enters "ip"address/server?
=== Lcawte|Away is now known as Lcawte
=== yofel_ is now known as yofel
10:43 <rostam> HI I would like to test udev creation of 70-persistent-net.rules. I know the file can be created during reboot, but I'd like to test it without reboot. Is this possible? I am using ubuntu 14.04. Thanks
10:55 <lordievader> Good afternoon.
10:55 <ikonia> rostam: udevadm
11:00 <rostam> ikonia: thanks
11:12 <zoidberg-> Hello all, I have setup a little ubuntu server as a device that sits in between my adsl modem and router.. so that anything that connects to the router gets routed through the ubuntu box out through the modem to the internet.  The reason being, i would like to setup a vpn (openvpn) server on the ubuntu box one for incoming vpn connections (so that i can connect to my home network when away) and one for outgoing vpn so that i can tunnel all my tr
11:12 <zoidberg-> The question i have is, i setup simple iptables for masquerading and forwarding, however my router is the dns server.. for dns to go through the ubuntu server should i setup something like dnsmasq or will iptables handle that and just forward it over to the router and back?
11:12 <zoidberg-> at the moment i have 3 iptables masquerading rules/forwarding rules, it all works but i wonder if dns is being routed directly to the router rather than the ubuntu box
=== chmurifree is now known as chmuri
11:27 <jpds> zoidberg-: DNS should work fine...
11:31 <zoidberg-> jpds: i'm not sure what you mean by that. it does work fine if i simply setup forwarding and masquerading on my linux box - but dns does not go through it, dns requests go straight to the router.. which is given out by dhcp.. i want to give out the ip of my linux box and have that forward requests to and from the router
11:31 <zoidberg-> so _ALL_ traffic goes through this linux box
11:31 <zoidberg-> as i want to eventually tunnel all traffic out over a vpn
11:31 <zoidberg-> including dns
=== a1berto_ is now known as a1berto
11:53 <rostam> hi how would I know which driver the network interface eth0 is bound to? thanks
=== CripperZ is now known as CripperZ-
12:45 <webfox> Could someone help me locate the httpd.conf file from Apache2 please?
12:45 <webfox> I think it should be positioned in the /etc/apache2/ dir but it is not.
12:45 <ikonia> webfox: the config file is now modular
12:45 <ikonia> so there isn't much in the httpd.conf
12:46 <webfox> ikonia: I just need to activate php
12:46 <ikonia> then use the a2enmod command
12:46 <ikonia> have you read the ubuntu docs on using apache ?
12:46 <webfox> not yet.
12:47 <webfox> Still reading https://help.ubuntu.com/14.04/serverguide/php5.html
12:47 <webfox> I think that's old now.
=== Pici` is now known as Pici
12:50 <webfox> Apache is working, just not php
12:51 <ikonia> webfox: why do you think it's old
12:52 <ikonia> it's listed as the current doc
12:52 <webfox> yes, exactly.
12:54 <webfox> Well, he files /etc/apache2/mods-enabled/php5.conf and /etc/apache2/mods-enabled/php5.load exist
12:54 <webfox> the*
12:55 <webfox> I already restarted Apache but still not executing the php inside the doc.
12:56 <ikonia> webfox: what is the name of the file
12:57 <ikonia> as in the php web page
12:57 <webfox> ikonia you are good! I was using an incorrect file extension!
12:57 <webfox> Thank you !
12:57 <ikonia> no problem
12:57 <webfox> Got it working now.
12:57 <webfox> o/
=== CripperZ- is now known as cripperz
14:14 <henk> hi, I'm trying to set up a webapp in tomcat6. This webapp needs the jdbc connector for mysql, so I installed libmysql-java. Now I'm looking for a way to make this webapp find this lib without having to copy the jar files to its lib directory, to make sure the jars are updated by package updates. I tried symlinking but that does not seem to work. Does anyone know what the proper way is? I found
14:14 <henk> https://scottlinux.com/2014/02/20/tomcat-on-debian-and-ubuntu-linux-fix-broken-com-mysql-jdbc-driver-connection/ which suggests changing /etc/tomcat*/catalina.properties to search /usr/share/java/*.jar in addition to the default places. Can anyone comment whether this is a good idea?
15:03 <rtg> smoser, https://bugs.launchpad.net/ubuntu/+source/xserver-xorg-video-intel/+bug/1355196/comments/46
15:03 <uvirtbot> Launchpad bug 1355196 in linux "compiz fails with intel_do_flush_locked failed: Invalid argument" [High,Confirmed]
15:03 <smoser> rtg, i knew i should not have clicked "i'm willing to bisect" :)
15:04 <rtg> smwe'll build the bisects, but you have to do the testing
15:04 <rtg> smoser, ^^
15:05 <smoser> yeah. it's just a matter of dedicating time to that. thanks for the pointer.
16:19 <rostam> Hi I have two network interfaces on my system, eth0 & eth1. I need eth0 to bind to the igb driver, not e1000e. So I blacklisted the igb and e1000 then I added those drivers in /etc/modules so the kernel tries to load igb first then e1000e. It does not work, any help greatly appreciated. Thanks
16:20 <ikonia> you've blacklisted the igb driver when you want it to use the igb driver ?
16:23 <rostam> ikonia, I have placed it in /etc/modules so the auto loading (I think) is disabled but this way I control which driver gets loaded first (or I think it does).
16:23 <ikonia> but you've already blacklisted it
16:26 <rostam> ikonia, okay I see your point... thx
=== Ursinha is now known as Ursinha-afk
=== Ursinha-afk is now known as Ursinha
=== arrrghhhAWAY is now known as arrrghhh
=== mjohnson151 is now known as mjohnson15
18:19 <RobC207> Alright, having just completed two rounds of do-release-upgrade, I am having a mild reaction to cron.d/php5 emailing me twice an hour with a message concerning invalid argument. I determined the cause of this is a missing value in the response from /usr/lib/php5/maxlifetime. Changing the she-bang to -x instead of -e leads me to allow_call_time_pass_reference being no longer available.  How to fix it?
18:34 <rostam> HI please help, I am stuck with this for the last 2 days. I am using ubuntu 14.04 update 1. My system has two network interfaces, eth0 and eth1. I see sometimes eth0 binds to a hardware interface where eth1 was previously bound to it.  The system generates the /etc/udev/rules.d/70-persistent file. I have modified the bus but it overwrites it, any idea why please? thx
=== Guest64178 is now known as med_
=== med_ is now known as medberry
=== Ursinha is now known as Ursinha-afk
19:35 <qman__> When running dpkg-reconfigure postfix and setting where root's mail goes, where is this setting stored? It's not in /etc/aliases and grepping around hasn't found it
=== Ursinha-afk is now known as Ursinha
=== Ursinha is now known as Ursinha-afk
=== Ursinha-afk is now known as Ursinha
=== cripperz is now known as CripperZ-
20:35 <lamont> qman__: that _should_ update /etc/aliases
20:35 <lamont> if not, please file a bug with details
20:42 <plm> Hi all
20:42 <plm> Is it possible to know if a connection is using ssl or not? netstat -an shows me many and I would like to know which of those connections are secure (using ssl).
20:47 <genii> plm: Maybe use -nt
20:49 <sarnold> I know of no such tool; you could probably write a pcap thing that recovers a few kilobytes of data from each active connection and runs some simple statistics on it to ensure the data looks 'random'..
20:54 <qman__> lamont: it didn't, will do
20:54 <qman__> On two 14.04 servers
20:54 <plm> genii: -nt shows just tcp (with or without ssl)
20:55 <plm> genii: doesn't need to be netstat. Any other app/method to know if that connection is using ssl or not
20:56 <genii> To actually test the traffic you'd need to set something up on another machine like for instance mitmproxy
20:56 <genii> !info mitmproxy
20:56 <ubottu> mitmproxy (source: mitmproxy): SSL-capable man-in-the-middle HTTP proxy. In component universe, is optional. Version 0.9.2-2 (trusty), package size 150 kB, installed size 800 kB
21:07 <qman__> lamont: bug 1358925
21:07 <uvirtbot> Launchpad bug 1358925 in postfix "root alias does not get set" [Undecided,New] https://launchpad.net/bugs/1358925
21:07 <lamont> qman__: ta
21:08 <lamont> it may take me a day or 7 to look at it, feel free to pester me if I haven't done anything with it by next week.  Likewise, someone server-teamish is likely to beat me to it.
21:09 <qman__> No problem, I just thought I was crazy for not being able to find it, turns out it's broken
=== _ruben_ is now known as _ruben
21:34 <plm> genii: I'm using tcpdump but I don't see a difference between a tcp connection with and without ssl
=== mjohnson151 is now known as mjohnson15
=== Lcawte is now known as Lcawte|Away

Generated by irclog2html.py 2.7 by Marius Gedminas - find it at mg.pov.lt!