source47 | hi guys. anyone here good in NAT? I am trying to add a NAT rule on my AWS instance so it forwards its internal IP (+port) to the lxc container's IP + port. here is what I am trying: https://gist.github.com/developerinlondon/31b4244113373c22b056 | 00:47 |
---|---|---|
Patrickdk | source47, where is the ACCEPT rule? for that nat to work? | 01:03 |
source47 | i didn't know i needed one. i can curl to the IP locally | 01:04 |
source47 | but just added sudo iptables -I FORWARD 1 -p tcp -d 10.0.3.95 --dport 80 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT | 01:05 |
source47 | didn't seem to make any diff... do i have to restart? | 01:05 |
Patrickdk | no | 01:12 |
source47 | added some more info - https://gist.github.com/developerinlondon/31b4244113373c22b056 | 01:13 |
TJ- | source47: The host can otherwise access 10.0.3.95 - ping, etc., ? | 01:15 |
source47 | yes i can run curl from the host | 01:16 |
Patrickdk | wrong dest | 01:16 |
source47 | eg curl 10.0.3.95:80 works | 01:16 |
Patrickdk | you really didn't help it | 01:16 |
source47 | ? | 01:16 |
Patrickdk | iptables -I FORWARD -p tcp -d 10.0.3.95 --dport 80 -j .... | 01:17 |
source47 | oh yes... that seemed to have messed things up now | 01:17 |
source47 | i can't curl anymore | 01:17 |
source47 | from host | 01:17 |
Patrickdk | heh | 01:18 |
source47 | how can i get rid of that rule? | 01:21 |
source47 | Hmm i removed it | 01:27 |
source47 | but still can't go there anymore.. | 01:27 |
Patrickdk | well, your premise that that rule was a problem was wrong | 01:30 |
semiosis | source47: you say you're trying to NAT something? none of your rules are NAT, they're all just ACCEPT/REJECT | 01:31 |
semiosis | source47: can you just tell me here, in plain language, what you want to translate from/to? | 01:31 |
source47 | oh... i took it from here https://github.com/jtopjian/lxc-nat/blob/master/lxc-nat.rb | 01:32 |
source47 | so basically 172.31.23.17:40000 -> 10.0.3.95:80 | 01:32 |
TJ- | semiosis: You're missing "sudo iptables -t nat -A lxc-nat -d 172.31.23.17 -p tcp --dport 40000 -j DNAT --to 10.0.3.95:80" | 01:33 |
semiosis | TJ-: ah right, the list is only the filter table | 01:34 |
TJ- | semiosis: I asked for the iptables-save output; it's in a comment at the end of the gist | 01:34 |
semiosis | source47: can you add to that gist the output of 'iptables -nvL -t nat' please | 01:34 |
semiosis | ok | 01:34 |
semiosis | i see it | 01:34 |
source47 | yea that line was added | 01:35 |
source47 | now i have more copies of the same rule it seems | 01:36 |
source47 | it doesn't dedupe | 01:36 |
source47 | but the rule is the wrong way around it seems.. | 01:36 |
TJ- | source47: I think you need to discriminate on the interface too:"sudo iptables -t nat -A lxc-nat -i <INTERFACE> -d 172.31.23.17 -p tcp --dport 40000 -j DNAT --to 10.0.3.95:80" otherwise packets returning from, I presume, the other end of lxcbr0, will loop back again ? | 01:37 |
source47 | ok let me try that | 01:37 |
source47 | so it would be eth0 i am guessing | 01:38 |
source47 | since that's the external interface | 01:38 |
TJ- | source47: Yes, if that's the external I/F. | 01:38 |
semiosis | in ec2 all you have is eth0 & lo | 01:38 |
TJ- | source47: Also, if you've got multiple rules in there you can delete by using "iptables -t <TABLE> -D <rule-num>", which you can get from listing the table | 01:38 |
semiosis | oh right lxc, never mind my prev stmt | 01:39 |
* | semiosis backs away slowly | 01:39 |
TJ- | source47: I sometimes 'cheat' by doing iptables-save >/tmp/rules; <edit /tmp/rules>; iptables-load </tmp/rules ;p | 01:40 |
source47 | ah... | 01:40 |
source47 | strange, it's not in --list-rules | 01:40 |
TJ- | source47: not always a good idea if you rely on the rules to keep up a remote connection though, so only use it locally for hacking about | 01:41 |
source47 | https://gist.github.com/developerinlondon/9f5aedc140fc46937db8 | 01:41 |
TJ- | source47: did you specify the nat table? | 01:41 |
source47 | sudo iptables --list-rules | 01:42 |
source47 | that didn't show it | 01:42 |
semiosis | -t nat | 01:42 |
TJ- | source47: without a table specifier you only see the filter table; that's why I like iptables-save since it shows all tables and the policies, clearly | 01:42 |
source47 | ah | 01:42 |
source47 | ok sudo iptables -D lxc-nat 1 iptables: No chain/target/match by that name. | 01:43 |
source47 | but i have a line with that name | 01:43 |
source47 | well i have 4 | 01:43 |
source47 | hmm... i guess i have to restart.. but strange i can't delete a rule with a name.. | 01:48 |
source47 | semiosis: yea it's basically to expose a service from the lxc container to the outside world. in 2 steps, first to expose it to the AWS VPC network, then i can get a proxy to forward external requests to the AWS VPC | 01:51 |
TJ- | source47: "sudo iptables -t lxc-nat -D 1" | 01:56 |
source47 | iptables v1.4.21: can't initialize iptables table `lxc-nat': Table does not exist (do you need to insmod?) | 01:56 |
TJ- | source47: sorry... tired typo! "sudo iptables -t nat -D lxc-nat 1" | 01:59 |
source47 | ah that worked | 01:59 |
source47 | thanks | 01:59 |
source47 | ok we are down to 1 rule | 01:59 |
source47 | TJ- so u think it might be working fine locally and could be an issue with AWS firewall? | 02:13 |
source47 | i opened the port in AWS SG also | 02:13 |
TJ- | source47: is the LXC set to block anything not from the host? | 02:16 |
source47 | not that i know of. it's a standard ubuntu install | 02:16 |
TJ- | source47: does the LXC have a default route? is forwarding enabled on the LXC's default gateway? | 02:16 |
source47 | how can i get into it using the private IP if it was an issue with the lxc? | 02:16 |
source47 | https://gist.github.com/developerinlondon/a9d6aa72a7822caf1a62 | 02:17 |
source47 | these are the routes in the container | 02:18 |
source47 | it doesn't even have iptables inside | 02:18 |
source47 | i wonder if we can find a log somewhere where it fails | 02:19 |
TJ- | source47: Is the host's lxcbr0 allocated 10.0.3.1 ? | 02:19 |
source47 | it seems iptables might not be the issue | 02:19 |
TJ- | source47: Have you enabled IPv4 forwarding on the host? | 02:20 |
source47 | yep 10.0.3.1 is lxcbr0 | 02:20 |
source47 | i enabled ipv4 yes | 02:20 |
source47 | net.ipv6.conf.all.forwarding=1 | 02:21 |
TJ- | that's ipv6 | 02:21 |
source47 | net.ipv6.conf.all.forwarding=1 | 02:21 |
source47 | strange | 02:21 |
source47 | i am sure i edited ipv4 also | 02:21 |
source47 | net.ipv4.ip_forward=1 | 02:22 |
TJ- | good | 02:23 |
source47 | ah | 02:45 |
source47 | DESTINATION ip-172-31-23-17.ec2.internal | 02:45 |
source47 | that might be the issue TJ- ? | 02:45 |
source47 | https://gist.github.com/developerinlondon/0946497f8729df17a8f5 | 02:45 |
source47 | it shouldn't go there.. i would rather it uses the ip or resolves internally. | 02:46 |
poobutt | hiya, i have a 14.04.01 that keeps crashing and then hangs at boot randomly; what log is best to track down the reason? thanks. | 04:09 |
poobutt | and weirdly to look at syslog i do not have to be root or use sudo is that normal? | 04:13 |
sarnold | poobutt: indeed, most logs don't require privileges to read | 04:19 |
poobutt | sarnold: ok thanks. just on another 14.04.01 server it does, so i wonder why one requires sudo and one does not, as they have the same set up. | 04:20 |
TJ- | poobutt: if your user is privileged it is likely part of the 'adm' group | 04:20 |
poobutt | sarnold: do you know where i would find out if the reboot was down to a power cut? | 04:21 |
poobutt | TJ: thanks one is a digital ocean server so they may have different core rules compared to a stand alone install. | 04:21 |
sarnold | poobutt: could be if some files were deleted they may have been recreated with different permissions perhaps.. | 04:22 |
sarnold | oh, I like TJ-'s explanation | 04:22 |
sarnold | poobutt: if the power is yanked, most systems won't survive long enough to write to the logs about it.. | 04:23 |
poobutt | sarnold: we do have frequent power cuts here (Thailand) so that is most probably the main reason | 04:24 |
TJ- | Power cuts in a data-center? | 04:24 |
sarnold | poobutt: can you add a UPS to your system? if you get a smart enough model you could have it power down your system gracefully if the mains are cut for more than thirty seconds, for example.. | 04:25 |
poobutt | no this is a 14.04.01 server at an office with no UPS that runs zoneminder cctv set up on it | 04:25 |
poobutt | yes UPS will be the answer but i work with NGO so always finance issues try to get best results with no budget ;) | 04:25 |
TJ- | poobutt: ahhh I misread; thought you meant the failing server was at DO | 04:26 |
TJ- | poobutt: Make sure to disable disk write caching and make sure the disk syncs quickly | 04:26 |
poobutt | TJ: thanks for the tip, will implement that now | 04:27 |
Kalki- | how can i update my users' files from /etc/skel so that they come with the right ownerships ? | 05:01 |
Kalki- | like .bashrc and things like that | 05:01 |
sarnold | sed -i~kalki 's/foo/bar/g' /home/*/.bashrc | 05:02 |
sarnold | then re-chmod as needed | 05:02 |
sarnold | or chown rather | 05:02 |
sarnold | must be bedtime | 05:02 |
Abhijit | i set root login to true and set password in preseed file. used cobbler to install ubuntu. still can not login with username root and the set password. help | 05:04 |
jpds | Abhijit: With SSH or? | 05:23 |
Abhijit | no ssh. direct access. kvm | 05:23 |
Abhijit | jpds, ^ | 05:25 |
Abhijit | how can i make apache serve /var/www/html/server when a user enters "ip address"/server? | 05:53 |
rostam | HI I would like to test udev creation of 70-persistent-net.rules. I know the file can be created during reboot, but I like to test it without reboot. Is this possible? I am using ubuntu 14.04. Thanks | 10:43 |
lordievader | Good afternoon. | 10:55 |
ikonia | rostam: udevadm | 10:55 |
rostam | ikonia: thanks | 11:00 |
zoidberg- | Hello all, I have setup a little ubuntu server as a device that sits in between my adsl modem and router.. so that anything that connects to the router gets routed through the ubuntu box out through the modem to the internet. The reason being, i would like to setup an vpn (openvpn) server on the ubuntu box one for incoming vpn connections (so that i can connect to my home network when away) and one for outgoing vpn so that i can tunnel all my tr | 11:12 |
zoidberg- | The question i have is, i setup simple iptables for masquerading and forwarding, however my router is the dns server.. for dns to go through the ubuntu server should i setup something like dnsmasq or will iptables handle that and just forward it over to the router and back? | 11:12 |
zoidberg- | at the moment i have 3 iptables masquerading rules/forwarding rules, it all works but i wonder if dns is being routed directly to the router rather than the ubuntu box | 11:12 |
jpds | zoidberg-: DNS should work fine... | 11:27 |
zoidberg- | jpds: i'm not sure what you mean by that. it does work fine if i simply setup forwarding and masquerading on my linux box - but dns does not go through it, dns requests go straight to the router.. which is given out by dhcp.. i want to give out the ip of my linux box and have that forward requests to and from the router | 11:31 |
zoidberg- | so _ALL_ traffic goes through this linux box | 11:31 |
zoidberg- | as i want to eventually tunnel all traffic out over a vpn | 11:31 |
zoidberg- | including dns | 11:31 |
rostam | hi, how would I know which driver the network interface eth0 is bound to? thanks | 11:53 |
webfox | Could someone help me locate the httpd.conf file from Apache2 please? | 12:45 |
webfox | I think it should be positioned at /etc/apache2/ dir but it is not. | 12:45 |
ikonia | webfox: the config file is now modular | 12:45 |
ikonia | so there isn't much in the httpd.conf | 12:45 |
webfox | ikonia: I just need to activate php | 12:46 |
ikonia | then use the a2enmod command | 12:46 |
ikonia | have you read the ubuntu docs on using apache ? | 12:46 |
webfox | not yet. | 12:46 |
webfox | Still reading https://help.ubuntu.com/14.04/serverguide/php5.html | 12:47 |
webfox | I think that's old now. | 12:47 |
webfox | Apache is working, just not php | 12:50 |
ikonia | webfox: why do you think it's old | 12:51 |
ikonia | it's listed as the current doc | 12:52 |
webfox | yes, exactly. | 12:52 |
webfox | Well, the files /etc/apache2/mods-enabled/php5.conf and /etc/apache2/mods-enabled/php5.load exist | 12:54 |
webfox | I already restarted Apache but it is still not executing the php inside the doc. | 12:55 |
ikonia | webfox: what is the name of the file | 12:56 |
ikonia | as in the php web page | 12:57 |
webfox | ikonia you are good! I was using an incorrect file extension! | 12:57 |
webfox | Thank you ! | 12:57 |
ikonia | no problem | 12:57 |
webfox | Got it working now. | 12:57 |
webfox | o/ | 12:57 |
henk | hi, I’m trying to set up a webapp in tomcat6. This webapp needs the jdbc connector for mysql, so I installed libmysql-java. Now I’m looking for a way to make this webapp find this lib without having to copy the jar files to its lib directory, to make sure the jars are updated by package updates. I tried symlinking but that does not seem to work. Does anyone know what the proper way is? I found | 14:14 |
henk | https://scottlinux.com/2014/02/20/tomcat-on-debian-and-ubuntu-linux-fix-broken-com-mysql-jdbc-driver-connection/ which suggests changing /etc/tomcat*/catalina.properties to search /usr/share/java/*.jar in addition to the default places. Can anyone comment whether this is a good idea? | 14:14 |
rtg | smoser, https://bugs.launchpad.net/ubuntu/+source/xserver-xorg-video-intel/+bug/1355196/comments/46 | 15:03 |
uvirtbot | Launchpad bug 1355196 in linux "compiz fails with intel_do_flush_locked failed: Invalid argument" [High,Confirmed] | 15:03 |
smoser | rtg, i knew i should not have clicked "i'm willing to bisect" :) | 15:03 |
rtg | we'll build the bisects, but you have to do the testing | 15:04 |
rtg | smoser, ^^ | 15:04 |
smoser | yeah. it's just a matter of dedicating time to that. thanks for the pointer. | 15:05 |
rostam | Hi, I have two network interfaces on my system, eth0 & eth1. I need eth0 to bind to the igb driver, not e1000e. So I blacklisted igb and e1000, then I added those drivers in /etc/modules so the kernel tries to load igb first, then e1000e. It does not work; any help greatly appreciated. Thanks | 16:19 |
ikonia | you've blacklisted the igb driver when you want it to use the igb driver ? | 16:20 |
rostam | ikonia, I have placed it in /etc/modules so the auto loading (I think) is disabled but this way I control which driver gets loaded first (or I think it gets). | 16:23 |
ikonia | but you've already blacklisted it | 16:23 |
rostam | ikonia, okay I see your point... thx | 16:26 |
RobC207 | Alright, having just completed two rounds of do-release-upgrade, I am having a mild reaction to cron.d/php5 emailing me twice an hour with a message concerning invalid argument. I determined the cause of this is a missing value in the response from /usr/lib/php5/maxlifetime. Changing the she-bang to -x instead of -e leads me to allow_call_time_pass_reference being no longer available. How to fix it? | 18:19 |
rostam | HI please help, I have been stuck with this for the last 2 days. I am using ubuntu 14.04 update 1. My system has two network interfaces, eth0 and eth1. I see sometimes eth0 bound to the hardware interface where eth1 was previously bound. The system generates the /etc/udev/rules.d/70-persistent file. I have modified the bus but it overwrites it, any idea why please? thx | 18:34 |
qman__ | When running dpkg-reconfigure postfix and setting where root's mail goes, where is this setting stored? It's not in /etc/aliases and grepping around hasn't found it | 19:35 |
lamont | qman__: that _should_ update /etc/aliases | 20:35 |
lamont | if not, please file a bug with details | 20:35 |
plm | Hi all | 20:42 |
plm | Is it possible to know if a connection is using ssl or not? netstat -an shows me many and I would like to know which of those connections are secure (using ssl). | 20:42 |
genii | plm: Maybe use -nt | 20:47 |
sarnold | I know of no such tool; you could probably write a pcap thing that recovers a few kilobytes of data from each active connection and runs some simple statistics on it to ensure the data looks 'random'.. | 20:49 |
qman__ | lamont: it didn't, will do | 20:54 |
qman__ | On two 14.04 servers | 20:54 |
plm | genii: -nt shows just tcp (with or without ssl) | 20:54 |
plm | genii: it doesn't need to be netstat. Any other app/method to know if a connection is using ssl or not | 20:55 |
genii | To actually test the traffic you'd need to set something up on another machine like for instance mitmproxy | 20:56 |
genii | !info mitmproxy | 20:56 |
ubottu | mitmproxy (source: mitmproxy): SSL-capable man-in-the-middle HTTP proxy. In component universe, is optional. Version 0.9.2-2 (trusty), package size 150 kB, installed size 800 kB | 20:56 |
qman__ | lamont: bug 1358925 | 21:07 |
uvirtbot | Launchpad bug 1358925 in postfix "root alias does not get set" [Undecided,New] https://launchpad.net/bugs/1358925 | 21:07 |
lamont | qman__: ta | 21:07 |
lamont | it may take me a day or 7 to look at it, feel free to pester me if I haven't done anything with it by next week. Likewise, someone server-teamish is likely to beat me to it. | 21:08 |
qman__ | No problem, I just thought I was crazy for not being able to find it, turns out it's broken | 21:09 |
plm | genii: I'm using tcpdump but I don't see a difference between a tcp connection with and without ssl | 21:34 |