|
Ugh, hopefully this is the right thread, but I've got an iptables issue that I'm having one hell of a time getting to work right. The scenario is this: I have a bunch of computers on a LAN, and I want these computers to only be able to talk on the LAN except when I ping a specific port (e.g. port knocking). These are the rules I've got:
E: I know other tools exist that can assist in doing this, but for complicated reasons I need to accomplish this with things available on the host, which is why iptables + recent was an obvious, albeit obnoxious, choice. Winkle-Daddy fucked around with this message at 23:38 on Jun 18, 2014 |
# ? Jun 18, 2014 23:12 |
|
|
Started as a question but gently caress it. Unity is the biggest piece of poo poo that hides basic functionality and should be aborted.
|
# ? Jun 19, 2014 00:24 |
|
spoon daddy posted: Started as a question but gently caress it. Unity is the biggest piece of poo poo that hides basic functionality and should be aborted.

Alrighty. Give Cinnamon a try?
|
# ? Jun 19, 2014 00:41 |
|
effika posted: Alrighty. Give Cinnamon a try?

I prefer openbox, but to each his own.
|
# ? Jun 19, 2014 00:45 |
|
E: forget about it
I would blow Dane Cook fucked around with this message at 07:27 on Jun 19, 2014 |
# ? Jun 19, 2014 04:44 |
|
Winkle-Daddy posted: Ugh, hopefully this is the right thread, but I've got an iptables issue that I'm having one hell of a time getting to work right. The scenario is this: I have a bunch of computers on a LAN, and I want these computers to only be able to talk on the LAN except when I ping a specific port (e.g. port knocking).

In your configuration, iptables will not stop your ping command from trying to send the pings; it will just silently eat the outgoing ping messages. The "ping: sendmsg: Operation not permitted" makes me think something else is stopping the ping command from running properly. Perhaps you have SELinux enabled? If you have SELinux enabled, you should monitor the audit logs (normally at /var/log/audit) when running your ping command. If you can see AVC deny messages regarding "sendmsg" appearing while you're trying to ping, then that's the cause.
|
# ? Jun 19, 2014 05:42 |
|
I have gotten the 'operation not permitted' coming from VMs as well, particularly from VirtualBox. It's listed as a known issue that VBox guests do not send pings properly.
|
# ? Jun 19, 2014 06:16 |
|
telcoM posted: In your configuration, iptables will not stop your ping command from trying to send the pings; it will just silently eat the outgoing ping messages. The "ping: sendmsg: Operation not permitted" makes me think something else is stopping the ping command from running properly. Perhaps you have SELinux enabled?

Thanks guys, they are VMs, but when I flush iptables I can ping Google just fine. I'm not sure if that negates your theory or not, but I'll do some more reading today.
|
# ? Jun 19, 2014 15:09 |
|
For some reason, all of a sudden, my Mint 15 (with KDE) date/time setting went nuts. I start it and the clock is 3 hours ahead. I correct it and then next time I restart, it is 3 hours ahead again. What can be happening here?
|
# ? Jun 19, 2014 15:19 |
|
Elias_Maluco posted: For some reason, all of a sudden, my Mint 15 (with KDE) date/time setting went nuts.

Is your BIOS clock set correctly?
|
# ? Jun 19, 2014 15:42 |
|
Elias_Maluco posted: For some reason, all of a sudden, my Mint 15 (with KDE) date/time setting went nuts.

Is ntpd crashing? I had this happen on Fedora 20 for a work computer a while ago, I never did figure it out, so I just added a cron to restart it every hour.
|
# ? Jun 19, 2014 16:07 |
|
You're checking whether the source address (which is almost certainly not 173.194.46.9) is in your list of recents. It isn't. And it's not related or established or in the subnet, and you haven't allowed icmp echo-request or echo-reply, so you're getting blocked when you try to open an icmp socket. If you want to port knock on output to unspecified, previously unseen hosts (your rules would work fine if you wanted to say "this host from a subnet that's not on 192.168.0.0/24 hit me on UDP 1111, so allow outbound connections to that host", which you can verify by adding a host on another subnet, like 192.168.1.0/24, adding routes, and hpinging 1111), you need knockd. I know this isn't built in and you have to install a package, but it's the appropriate solution. Or if you can't, you can trivially use the LOG target and --log-prefix='whatever' and watch syslog (or dump iptable logs to their own log) with a long-running (systemd/upstart ideally) script which inserts iptables rules to allow outbound. You could probably do this in 30 lines or less of any language you want.
|
# ? Jun 19, 2014 16:15 |
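The LOG-target-plus-script approach evol262 sketches above, written out as an added example (not code from the thread): it assumes an OUTPUT rule such as `iptables -A OUTPUT -p udp --dport 1111 -j LOG --log-prefix "KNOCK: "` (prefix, port and the log path are assumed), reads the kernel log from stdin, and inserts one outbound ACCEPT per knocked destination.

```python
import re
import subprocess
import sys

# Assumed values: the OUTPUT chain carries a rule such as
#   iptables -A OUTPUT -p udp --dport 1111 -j LOG --log-prefix "KNOCK: "
# so every outbound knock shows up in the kernel log with this prefix.
LOG_PREFIX = "KNOCK: "
KNOCK_PORT = 1111

# Field layout of a netfilter LOG line: ... SRC=a DST=b ... PROTO=UDP SPT=x DPT=y ...
LOG_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+).*PROTO=(?P<proto>\S+).*DPT=(?P<dpt>\d+)")


def parse_knock(line):
    """Return the knocked-to destination address if this log line is one of
    our KNOCK entries for the knock port, otherwise None."""
    if LOG_PREFIX not in line:
        return None
    m = LOG_RE.search(line)
    if not m or m.group("proto") != "UDP" or int(m.group("dpt")) != KNOCK_PORT:
        return None
    return m.group("dst")


def allow_rule(dst):
    """The iptables command that opens outbound traffic to one knocked host.
    No expiry is built in; a real deployment would pair this with a
    matching -D after a timeout so the hole does not stay open forever."""
    return ["iptables", "-I", "OUTPUT", "-d", dst, "-j", "ACCEPT"]


def process(lines, allowed=None, run=False):
    """Feed log lines; insert one ACCEPT per newly seen destination.
    With run=False the commands are only built, so this can be exercised
    without root. Returns the set of hosts that have been allowed."""
    allowed = set() if allowed is None else allowed
    for line in lines:
        dst = parse_knock(line)
        if dst and dst not in allowed:
            if run:
                subprocess.run(allow_rule(dst), check=True)
            allowed.add(dst)
    return allowed


if __name__ == "__main__":
    # Usage (as root): tail -F /var/log/kern.log | python3 knock_watch.py
    process(sys.stdin, run=True)
```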
|
Experto Crede posted: Is your BIOS clock set correctly?

I think it is (can't reboot now to be sure, but since I didn't touch BIOS settings for many months, I guess it should be?).

Winkle-Daddy posted: Is ntpd crashing? I had this happen on Fedora 20 for a work computer a while ago, I never did figure it out, so I just added a cron to restart it every hour.

"Set date and time automatically" is currently off and if I try to turn it on I get this error: "Unable to authenticate/execute the action: 6,"
|
# ? Jun 19, 2014 16:22 |
|
evol262 posted: You're checking whether the source address (which is almost certainly not 173.194.46.9) is in your list of recents. It isn't. And it's not related or established or in the subnet, and you haven't allowed icmp echo-request or echo-reply, so you're getting blocked when you try to open an icmp socket.

Ahhh, that makes sense given the capacity that recent is typically used in. And here I thought I could be clever. The man page lays it out pretty well, I'm not sure why on my first read I didn't make the connection. I guess I'll be writing my own script for this. Oh well, it's been a while since I've needed to actually accomplish anything like that. Winkle-Daddy fucked around with this message at 16:43 on Jun 19, 2014 |
# ? Jun 19, 2014 16:32 |
|
Elias_Maluco posted: "Set date and time automatically" is currently off and if I try to turn it on I get this error: "Unable to authenticate/execute the action: 6,"

Try running:
|
# ? Jun 19, 2014 16:36 |
|
Elias_Maluco posted: I think it is (can't reboot now to be sure, but since I didn't touch BIOS settings for many months, I guess it should be?).

You may also want to try "ntpdate your.ntp.server" (or 0.fedora.pool.ntp.org or another valid public server). ntpd will refuse to sync in most configurations if the time is really far off.
|
# ? Jun 19, 2014 16:51 |
|
Winkle-Daddy posted: Try running:

I got "ntpd: unrecognized service".

evol262 posted: You may also want to try "ntpdate your.ntp.server" (or 0.fedora.pool.ntp.org or another valid public server). ntpd will refuse to sync in most configurations if the time is really far off.

I get a "ntpdate[9755]: bind() fails: Permission denied", no matter what server I use.
|
# ? Jun 19, 2014 17:05 |
|
Elias_Maluco posted: For some reason, all of a sudden, my Mint 15 (with KDE) date/time setting went nuts.

Do you dual boot into windows on this machine?
|
# ? Jun 19, 2014 17:09 |
|
Elias_Maluco posted: I got "ntpd: unrecognized service".

I think on Ubuntu/Debian (which Mint is based on) it might just be ntp, not ntpd. My bad. You can also see if there's an init script for it (ls -al /etc/init.d/ | grep ntp). If there is one, just do sudo /etc/init.d/<script> restart

Elias_Maluco posted: I get a "ntpdate[9755]: bind() fails: Permission denied", no matter what server I use.

You have to do this as root, ntp runs on a privileged port.
|
# ? Jun 19, 2014 17:13 |
|
Longinus00 posted: Do you dual boot into windows on this machine?

I do have windows 7 installed in another partition, but I haven't booted into it for months.

Winkle-Daddy posted: I think on Ubuntu/Debian (which Mint is based on) it might just be ntp, not ntpd. My bad. You can also see if there's an init script for it (ls -al /etc/init.d/ | grep ntp). If there is one, just do sudo /etc/init.d/<script> restart

"npt" gives the same error and "ls -al /etc/init.d/ | grep ntp" gives nothing.

Winkle-Daddy posted: You have to do this as root, ntp runs on a privileged port.

Now it worked, it gave me "timestamp too far in the future: Jun 19 15:59:28 2014" (it's 13:00 right now) Elias_Maluco fucked around with this message at 17:16 on Jun 19, 2014 |
# ? Jun 19, 2014 17:13 |
|
Elias_Maluco posted: Now it worked, it gave me "timestamp too far in the future: Jun 19 15:59:28 2014" (it's 13:00 right now)

Is ntp running?
|
# ? Jun 19, 2014 17:47 |
|
Winkle-Daddy posted: Is ntp running?

ps aux | grep ntp | grep -v grep returns empty too
|
# ? Jun 19, 2014 18:27 |
|
Elias_Maluco posted: Now it worked, it gave me "timestamp too far in the future: Jun 19 15:59:28 2014" (it's 13:00 right now)

What gave you this? Was it "sudo: timestamp too far in the future"? Or ntp? Is the date correct now? If it was sudo (probably), you'll need to fsck to fix the timestamp from the system clock, and the easiest means for that would be rebooting. Also:
|
# ? Jun 19, 2014 19:27 |
|
evol262 posted:
Only as long as there's nothing named "ntp" in the current directory (which may be hard to guarantee when used in aliases/shell scripts). psgrep is the better answer if it's available.
|
# ? Jun 19, 2014 19:54 |
|
Suspicious Dish posted: I tried looking for you in the Compiz source and got stuck in a maze of twisty plugins, all alike. Sorry.

Thanks. It seems pretty nuts, since all the other settings end up in gconftool.
|
# ? Jun 19, 2014 21:09 |
|
General_Failure posted: So you're saying I might have to manually set a virtual desktop?

For what it's worth, I'm using Debian sid with an experimental repository. I pulled the 14.6 driver from experimental - and although it has a few quirks - it seems to be running multi-monitor (Xinerama) in CCC with no issues. Radeon R7 260X here; I realize you're a couple generations behind with respect to your video card. As far as sid and experimental, I'm counting the days until my computer implodes and I need another hour for a netinst back to Wheezy or Jessie. This is not a production machine. Edit: Xfce, here.
|
# ? Jun 20, 2014 02:14 |
|
Stupid question for Ubuntu 12.04 3.5.0-51-generic. So my iptables were all happy campers up until 2 weeks ago when DHCP suddenly kicked the bucket when I let the disk fill up (or at least this is what I assume triggered it). After cleaning up the disk and rebooting DHCP was still dead and my changes to iptables were not taking hold. If I apply iptables changes I lose all networking on this box. A swift reboot will take me back to old firewall rules and a working network. What is my first step in figuring out what is going on here? I get no errors whether or not I apply iptables changes via webmin or via command line iptables-restore.
|
# ? Jun 21, 2014 19:45 |
|
Alright, this is definitely a Puppet 101 question, and I am sure that the Puppet docs have an answer for this and I am just dense and can't find it. Also, I hope this is the right thread for this question. I'm trying to teach myself Puppet, with the goal of managing the VPS I run with it. Additionally, when I get a better grasp on things, I want to deploy it at work. So while my home deployment will be small, I want to learn how to "do it right." I have a vanilla Puppet server and an agent. Both are managed through Puppet. Right now, on my agent node, I'm configuring Apache. I've got code like this in my nodes.pp:
Thanks for your patience. I've been searching for answers and not really understanding what I come up with.
|
# ? Jun 21, 2014 23:42 |
|
This is something stupid and I know it. Main linux pc is running mint 16, chromebook is on chrbuntu who knows what. I can't connect from the chromebook to the mint box via RDP/VNC (using remmina as a client), FTP, or see its exported nfs shares. But I can ping both ways fine. Firewall is not installed in the mint box, hosts.allow and deny are default (no entries).
|
# ? Jun 22, 2014 03:36 |
|
madpanda posted: This is something stupid and I know it. Main linux pc is running mint 16, chromebook is on chrbuntu who knows what. I can't connect from the chromebook to the mint box via RDP/VNC (using remmina as a client), FTP, or see its exported nfs shares. But I can ping both ways fine. Firewall is not installed in the mint box, hosts.allow and deny are default (no entries).

Have you considered running tcpdump on your main computer while trying to connect with the other one?
|
# ? Jun 22, 2014 04:29 |
Why can't I run mtr from the network I'm currently on?
|
|
# ? Jun 26, 2014 02:40 |
|
fletcher posted: Why can't I run mtr from the network I'm currently on?

You're blocking ICMP out?
|
# ? Jun 26, 2014 06:31 |
|
Snorri posted: Stupid question for Ubuntu 12.04 3.5.0-51-generic

Check whether iptables-save is actually saving the rules wherever Ubuntu keeps them. What happens if you do it with the actual iptables command? Is your dhcp setup backed by mysql or anything?
|
# ? Jun 26, 2014 14:55 |
|
ZippySLC posted: Alright, this is definitely a Puppet 101 question, and I am sure that the Puppet docs have an answer for this and I am just dense and can't find it. Also, I hope this is the right thread for this question.

Yes, best practice is to break out your configuration into small pieces. And to use classes for your vhosts (potentially with templates). But if you're only managing one host, I wouldn't worry about it too much.
|
# ? Jun 26, 2014 15:05 |
|
Is anyone aware of a way to view the utilization of a remote NFS mount without actually mounting it? showmount only appears to show you what exported volumes are available to be mounted, and things like nfsstat and nfsiostat give all sorts of interesting metrics that don't really help me. A good old "df" will show it, but it requires mounting, which requires root. Context: I'm trying to find a way for our monitoring environment to query a big NFS appliance that Doesn't Play Nicely With Others so we don't have the normal way of monitoring this stuff (SNMP, ssh, etc) that I would typically use.
|
# ? Jun 26, 2014 22:28 |
|
Cidrick posted: Is anyone aware of a way to view the utilization of a remote NFS mount without actually mounting it? showmount only appears to show you what exported volumes are available to be mounted, and things like nfsstat and nfsiostat give all sorts of interesting metrics that don't really help me. A good old "df" will show it, but it requires mounting, which requires root.

Can you install anything on the NFS box at all?
|
# ? Jun 27, 2014 01:54 |
|
jaegerx posted: Can you install anything on the NFS box at all?

The NFS server? Not unless we pay Hitachi a lot of money, I'm told.
|
# ? Jun 27, 2014 03:00 |
|
evol262 posted: Yes, best practice is to break out your configuration into small pieces. And to use classes for your vhosts (potentially with templates). But if you're only managing one how, I wouldn't worry about it too much.

Yeah, that would become quite unmanageable after a while. Best bet is to group your classes into "roles" so that you only need to include the role for a particular node. It gets a lot better when you store all of your server info in a database and start using hiera to classify the nodes.
|
# ? Jun 27, 2014 03:18 |
|
Cidrick posted: Is anyone aware of a way to view the utilization of a remote NFS mount without actually mounting it? showmount only appears to show you what exported volumes are available to be mounted, and things like nfsstat and nfsiostat give all sorts of interesting metrics that don't really help me. A good old "df" will show it, but it requires mounting, which requires root.

Can you screen-scrape the GUI? It's ghetto as hell, but probably your best bet if you don't have access to run things on the box.
|
# ? Jun 27, 2014 04:04 |
|
|
Misogynist posted: Can you screen-scrape the GUI? It's ghetto as hell, but probably your best bet if you don't have access to run things on the box.

Yeah, I haven't actually looked at it, but maybe it's possible to set up a service account and use curl to POST a login and then scrape screen output or something. I was hoping there was a way via an RPC command or something to remotely query info about an NFS export that I just didn't know about :|
|
# ? Jun 27, 2014 04:17 |