[00:31] <R2D2Warrior> Hello, i am getting a connection reset error when trying to connect to my apache server (running on an ubuntu machine next to me) from outside of my LAN but works fine locally. port 80 is open and dns is set up and working. netstat lists apache as tcp6 on port 80. i've researched this a ton with no luck. what else can i try?
[00:32] <patdk-lap> what does open mean?
[00:32] <patdk-lap> if it's reset it is not open
[00:33] <R2D2Warrior> forwarded in my router's control panel to the ubuntu pc
[00:33] <patdk-lap> what does tcpdump show on your machine?
[00:33] <R2D2Warrior> reset?
[00:33] <patdk-lap> you are the one that said connection reset
[00:33] <patdk-lap> connection reset != open
[00:34] <R2D2Warrior> oh really? odd
[00:34] <R2D2Warrior> sorry, how do i use tcpdump?
[00:35] <R2D2Warrior> still new, long time windows user
[00:35] <sarnold> R2D2Warrior: are you trying to forward tcp6 port 80 to tcp6 80? or tcp 80 to tcp6 80?
[00:36] <R2D2Warrior> i didn't forward anything with tcp6
[00:36] <patdk-lap> most likely it's the dual bind ipv6 port 80 he sees
[00:37] <patdk-lap> not ipv6 specific
[00:37] <R2D2Warrior> yes that's what i read
[00:38] <sarnold> ahh
[08:19] <lordievader> Good morning.
[08:25] <jonah> Hi I wondered if anyone could please advise. I've been in and out of here a few times as I've just built my own server. I'm looking at using it as LAMP apache server mainly to host a few sites, set up some user accounts for them to host a few and also run owncloud. Currently I managed to set up ubuntu 14.04.3 with a RAID10 across 4 x 1tb hard drives. But I couldn't include grub in the raid so that had to be on its own partition on each drive.
[08:25] <jonah> This boots fine, but I've not really partitioned anything as I would like to for security. I also have a spare SSD which I could use (maybe for Grub?) or could get another SSD later and somehow then add a RAID1 over the two. I just need advice on how to partition everything properly and partition sizes. I thought maybe re-do the raid10 as just the /home and put everything else on the SSD with automatic guided partitioning from the installer.
[08:25] <jonah> Or should I do something else? Anyone that can please help, I've read all sorts but in the end you just get more confused and unsure!!
[08:28] <lordievader> jonah: The way you partition your disks really depends on what you want to do with them. This is one of the reasons I like LVM so much it gives you the flexibility to start out with some kind of configuration that may change a lot in the future. Normal partitions are rather static in comparison.
[08:29] <jonah> ok, so from the ubuntu installer would I just partition the SSD for grub (with bootable flag), do a 1 big massive RAID10 across the other discs then click to install LVM? Is it safe in terms of drive failure and also security for a web server?
[08:31] <lordievader> I'd let lvm do the raid stuff too. How does security come into play with raid setups?
[08:31] <bekks> Wouldn't you need a dedicated log volume for persistent mirroring via LVM?
[08:32] <lordievader> It creates a metadata volume for your raid, if that is what you mean.
[08:33] <bekks> Yeah.
[08:34] <lordievader> For my raid1 over two disks I get two _image volumes and two _meta images. These are normally hidden, but they are there.
[08:41] <jonah> thanks but I'm not really sure on LVM... Do I just choose it at install instead of raid then and it can set up raid still or do I still have to make the raid arrays and partitions first?
[08:47] <lordievader> jonah: https://wiki.gentoo.org/wiki/LVM If you skip the Gentoo specifics it is great documentation, for Ubuntu too.
[09:23] <mripguru_> lordievader :)
[09:26] <jonah> lordievader: thanks but although LVM sounds very good for future adjustments to partition sizes etc, I'm still not sure what my initial steps should be with the drives I have to get ubuntu server running. From the installer what do I need to partition, raid or make bootable etc. Or can I just add LVM to what I have already running with my raid10 setup?
[09:31] <lordievader> jonah: The way I have it for my raid drives is two partitions on the drives. The first /boot (raid1 using mdadm), the second is the pv for lvm.
[11:49] <subvhome> hello all… I'm having a bit of a problem with my ubuntu server and IPTABLES. so my server is public facing with 2 network cards. one for LAN and one for WAN. I configured my WAN with 2 IP's lets just say they are 67.1.1.1 and 67.1.1.2 … both are pingable from the internet and I have port 22 open .. this being done via IPTABLES. What I am trying to achieve is when 67.1.1.2:3001 gets accessed from the WAN side, traffic should
[11:49] <subvhome> translate to 10.0.0.231:3001 on my LAN side.  I must say that I did not create this server and who ever set it up has been using webmin for tweaking IPTABLES.. so I have been just making manual changes to the IPTABLES rules file located /etc/iptables.up.rules since webmin interface confuses me.
[11:50] <lordievader> !webmin
[11:50] <lordievader> subvhome: See ^. How are your nat tables configured?
[11:50] <subvhome> i agree.. so lets just leave it out of the equation..
[11:53] <subvhome> accept all and postrouting i have masquerade from my wan iface.. please excuse if i sound like i don't know what I am talking about.. this happens to be true :)
[11:54] <subvhome> http://pastebin.com/tF74v9nb
[11:54] <lordievader> subvhome: So you are missing the forward rule for 10.0.0.231:3001.
[11:55] <subvhome> from inside mynetwork if i telnet 10.0.0.231:3001 the connection is created.. when i tried the forwarding rule and attempt to connect to 67.1.1.2:3001 I get a timeout..
[11:55] <lordievader> For example I have "-A PREROUTING -i br-ext -p tcp -m tcp --dport 443 -j DNAT --to-destination 10.0.1.21:443" to forward traffic from the 443 port.
[11:55] <subvhome> let me show you what i have tried so far
[11:56] <subvhome> let me play with that
[11:56] <subvhome> this would go right in between line 35 and 36 right?
[11:56] <subvhome> in my paste
[11:56] <subvhome> im sorry
[11:56] <subvhome> above 7
[11:57] <subvhome> ?
[11:58] <lordievader> subvhome: Your prerouting table is empty, it will be the first rule in that table.
[12:00] <subvhome> I don't have a prerouting table.. do i create one?
[12:00] <subvhome> i just have nat mangle and filter…
[12:01] <lordievader> subvhome: It should be there. 'sudo iptables -t nat -vnL'.
[12:02] <subvhome> oh you mean my prerouting chain is empty
[12:02] <subvhome> in my nat table
[12:03] <subvhome> ok i think i understand let me try it
[12:05] <subvhome> ok.. so i see it when i run -t nat -vnL
[12:05] <subvhome> .. but when i try to telnet the connection is dropped immediately
[12:06] <subvhome> is it because I have that rule for established or related connections?
[12:07] <lordievader> You don't seem to allow the forwarding of the 3001 syn packet.
[12:07] <lordievader> Also is ipv4 forwarding enabled?
[12:08] <subvhome> yes ipv4 forwarding is enabled
[12:08] <subvhome> check this paste.. its all my rules outputted by iptables -vnL command for both filters and nat
[12:08] <subvhome> http://pastebin.com/xShjYGhN
[12:10] <subvhome> just realized something.. i don't have eth0 let me make that change
[12:10] <lordievader> You have three interfaces? eth0, em1, p255p1?
[12:10] <lordievader> Ah...
[12:11] <subvhome> ok.. so now it doesn't refuse the connection.. but just sits there timing out.
[12:11] <subvhome> whats this syn packet you mentioned.. i was playing around with DNAT and SNAT
[12:11] <subvhome> but got really confused.
[12:14] <subvhome> i don't see anything in the logs either.
[12:15] <`jpg> Hey guys, I am experiencing some problems building AMIs based on the ubuntu cloud-image AMIs.
[12:15] <lordievader> subvhome: Tcp dump on the endpoint, do you see an incoming connection?
[12:16] <`jpg> Basically I use packer to run a shell script to configure apt and install the vivid kernel etc.
[12:16] <`jpg> However I am running into this: https://github.com/flynn/flynn/issues/1829
[12:17] <subvhome> lordievader: what would be the syntax of that command?
[12:17] <`jpg> I have no clue how I end up with a situation where thermald is not installable given the script configures the main repository correctly.
[12:17] <lordievader> subvhome: tcpdump -i <some interface> 'tcp && port <some port>'
[12:18] <`jpg> Does anyone know if there is anything beyond cloud-init that could be interfering with apt? Or have a link to the tools/etc that build the cloud-image AMIs?
[12:19] <subvhome> i get listening on em1.. link type and cap size
[12:19] <lordievader> subvhome: Do you see incoming connections?
[12:19] <subvhome> i ran sudo tcpdump -i em1 'tcp && port 3001'
[12:20] <subvhome> well thats the thing.. on the destination device.. its really dumb and I can't see if it has any connections on it. i would normally test by telnetting to the port from within the local network.
[12:21] <subvhome> now i figure if i don't get the same results from outside my network.. then the connections are not being established.
[12:21] <subvhome> its some sort of handscanner
[12:22] <lordievader> Ah, I see how that makes things difficult...
[12:23] <subvhome> yea … but shouldn't it.. in theory.. that if i can establish a connection via telnet within the network.. a working iptables rule would allow the same type of results from the outside?
[12:23] <lordievader> subvhome: Yes, if the firewall/nat is configured correctly.
[12:24] <TJ-> subvhome: sounds like the device doesn't have a default route set, so only 'knows' the local network
[12:24] <TJ-> subvhome: If it is behind a NAT/router then it ought to be fine though
[12:24] <subvhome> ok.. so we had a sonicwall handling this and it was working a few months ago.
[12:25] <subvhome> and not long before i took over… the sonicwall died and someone created this server to handle dhcp and to act as a firewall
[12:25] <subvhome> which i like the idea over a sonicwall but it did work..
[12:26] <subvhome> i just need to create the rule that if hit a virtual interface ip (67.1.1.2) on port 3001 it will direct the traffic to 10.255.230.231:3001
[12:26] <subvhome> thats a real lan ip.. and a fake public ip :)
[12:27] <subvhome> now aside from it having webmin installed… the server runs great and i have been able to do great things with it.. but this one has me stumped.
[12:27] <subvhome> and i don't like to use the webmin interface…  so i try to just manage the rules manually
[12:28] <TJ-> subvhome: test if the device has a default route (create a temporary private subnet) and see if it can reply to that. If not, then the device has no default route, in which case you'll have to NAT in front of it
[12:29] <subvhome> the original ip was 67.1.1.1 and it is pingable from the outside world.. pinging it right now and also ssh into it right now. 67.1.1.2 is also live pingable and accessible via ssh. there are no routes setup on this current configuration.. which is what i am trying to do..
[12:29] <subvhome> i think lordievader was on the right track with me.. what did you mean i didn't have 3001 syn packets?
[12:30] <lordievader> Well your forward table didn't say much about connection to 10.255.230.231, so I wondered if that table didn't simply drop the packets.
[12:31] <subvhome> http://pastebin.com/xShjYGhN from this paste.. i don't have anything in FORWARD regarding that.. so what should be in there
[12:32] <subvhome> all i have is that it will allow connections back once they are established or related
[12:32] <subvhome> which is how it should be right?
[12:32] <lordievader> The easiest would be to modify rule 2 to allow all, not just RELATED and ESTABLISHED. Then later secure this more...
[12:33] <subvhome> if I allow all doesn't that leave me wide open?
[12:35] <subvhome> it worked
[12:35] <subvhome> but i don't like the idea of it allowing all connections..  how can i leave rule 2.. but add another rule to just accept connections coming in on 67.1.1.2:3001
[12:36] <subvhome> to 10.255.230.231:3001
[12:36] <lordievader> Sure.
[12:43] <TJ-> Ahhh, I hadn't seen that info earlier
[12:43] <TJ-> Trying to multitask this and making 70+ apple pies :D
[12:45] <subvhome> ok.. so im trying to add a rule in the forward… to allow this connection and still keep my network safe
[12:45] <subvhome> its not working
[12:45] <lordievader> subvhome: How are you testing this exactly?
[12:46] <subvhome> with telnet from outside the network.. when i remove the established and relative states.. the connection is established
[12:47] <lordievader> What EST,REL states, the one in the forward table?
[12:49] <subvhome> http://pastebin.com/FWK3EqM8
[12:50] <subvhome> this is what im trying to play with
[12:51] <subvhome> lordievader: yes.. when i remove EST and REL in forward chain… the connection is established.
[12:52] <lordievader> Hmm, that is odd. I'd add a couple of log rules to see what is being dropped.
[12:53] <subvhome> im going to take a bit of a break.. and regroup my brain. thanks a lot bro
[16:29] <subvhome> whats up #ubuntu-server
[16:33] <patdk-lap> hopefully everyones servers
[16:41] <subvhome> lordievader: i don't know what happened… it stopped working..
[16:42] <subvhome> lordievader: i guess nothing happened.. i can't even telnet into the device from my lan.. Maybe I DoS'd it lol
[16:46] <lordievader> subvhome: Restart the device?
[16:47] <subvhome> yea.. i gotta call someone in cali for that.. no big deal. I guess learning the fundamentals of establishing a link to the device was learned. I'm going to setup an ftp server on machine and attempt to do the same thing.
[16:48] <subvhome> my goal now will be not to have my FORWARD chain so unprotected
[17:31] <lordievader> Err, ftp?
[17:31] <lordievader> Don't use ftp...
[18:14] <subvhome> lordievader: i figured that you mean there are too many ports involved lol..brb
[18:15] <lordievader> No... ftp is old, insecure, crap and shouldn't be used.
[18:16] <lordievader> Ftps is slightly better, but from what I hear, hell to set up. sftp is a lot better. But I'd go with scp over (s)ftp(s) any day.
[18:23] <RoyK> lordievader: ftps doesn't work with nat, though
[18:23] <lordievader> Another reason not to use it ;)
[18:23] <RoyK> lordievader: and scp is like sftp
[18:24] <RoyK> or rsync over ssh
[18:24] <lordievader> I know ;)
[18:25] <RoyK> ftp hands over ports and ip addresses in L7, so if it's encrypted, the NAT router can't figure out which ports to open
[19:07] <Delemas> Just upgraded a server to 15.10. Anyone else having their Apache2 webservers ONLY listen on tcp6 after upgrade?
[19:13] <Delemas> Nevermind. Somehow ssl_module wasn't being loaded after upgrade.
[20:58] <subvhome> having a hard time with this.. so i setup a webserver and I am able to access it from a specific public IP and forwards to a specific server hosting the http site.. but only if I allow all forwarding packets from WAN to LAN in my IPTABLES… i want to still be able to only allow EST and REL connections in my forwarding chain … how can i do this…  here are my iptables -vnL outputs and my rules (I've masked my IP)
[20:59] <subvhome> http://pastebin.com/3R7UfEfE
[20:59] <subvhome> in the FORWARD chain, i want to not have to remove REL and EST
[21:01] <subvhome> lordievader: I want to thank you.. you have given me a lot of insight and I actually managed to accomplish something I have been trying to figure out for about a week. I feel like removing the REL and EST states leaves my system vulnerable.
[21:32] <Seveas> subvhome: you don't have to remove the related/established rules, but you will have to add a port 800 rule
[21:32] <Seveas> 8000*
[21:32] <Seveas> something like iptables -A FORWARD -o p255p1 -i em1 -p tcp --dport 8000 -j ACCEPT
[21:33] <Seveas> the input chain is not used for that traffic, as you can see by that counter being 0
[22:03] <subvhome> thanks for that.. i will look into it...
[22:37] <subvhome> Seveas: brilliant