
More IPTables lunacy


    More IPTables lunacy

    KVM Server all running fine and dandy on Centos 7.

    When I try and connect from the windows client using Virt-Viewer I get "Cannot connect to graphics server".

    Shut down firewalld and all works.

    Clearly a problem with IPTables. But at this time of night it's not exactly leaping out at me. Port 5902 needs to be open.

    The KVM is behind a NAT, but this I think is the red herring as the NAT is forwarding on just fine.

    Here is IPTables just in case anyone is still up and in a vaguely helpful mood.

    So the question is WTF is port 5902 getting blocked?

    GNU nano 2.3.1 File: iptables

    # sample configuration for iptables service
    # you can edit this manually or use system-config-firewall
    # please do not ask us to add additional ports/services to this default configuration
    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    #DHCP Rules
    -A INPUT -m udp -p udp --dport 67 -m comment --comment "DHCP" -j ACCEPT
    -A INPUT -m udp -p udp --dport 68 -m comment --comment "DHCP" -j ACCEPT
    -A INPUT -m udp -p udp --dport 2535 -m comment --comment "DHCP" -j ACCEPT
    #Active Directory rules
    -A INPUT -m udp -p udp --dport 53 -m comment --comment "DNS" -j ACCEPT
    -A INPUT -m udp -p udp --dport 88 -m comment --comment "Kerberos UDP" -j ACCEPT
    -A INPUT -m udp -p udp --dport 123 -m comment --comment "NTP" -j ACCEPT
    -A INPUT -m udp -p udp --dport 135 -m comment --comment "RPC UDP" -j ACCEPT
    -A INPUT -m udp -p udp --dport 137 -m comment --comment "NetBIOS Netlogon and Browsing" -j ACCEPT
    -A INPUT -m udp -p udp --dport 138 -m comment --comment "NetBIOS Netlogon and Browsing" -j ACCEPT
    -A INPUT -m udp -p udp --dport 389 -m comment --comment "LDAP UDP" -j ACCEPT
    -A INPUT -m udp -p udp --dport 445 -m comment --comment "SMB CIFS" -j ACCEPT
    -A INPUT -m udp -p udp --dport 464 -m comment --comment "Kerberos Password Management" -j ACCEPT
    -A INPUT -m state --state NEW -m tcp -p tcp --dport 25 -m comment --comment "SMTP" -j ACCEPT
    -A INPUT -m state --state NEW -m tcp -p tcp --dport 53 -m comment --comment "DNS" -j ACCEPT
    -A INPUT -m state --state NEW -m tcp -p tcp --dport 88 -m comment --comment "Kerberos" -j ACCEPT
    -A INPUT -m state --state NEW -m tcp -p tcp --dport 135 -m comment --comment "RPC" -j ACCEPT
    -A INPUT -m state --state NEW -m tcp -p tcp --dport 139 -m comment --comment "NetBIOS Session" -j ACCEPT
    -A INPUT -m state --state NEW -m tcp -p tcp --dport 389 -m comment --comment "LDAP TCP" -j ACCEPT
    -A INPUT -m state --state NEW -m tcp -p tcp --dport 445 -m comment --comment "SMB CIFS" -j ACCEPT
    -A INPUT -m state --state NEW -m tcp -p tcp --dport 464 -m comment --comment "Kerberos Password Management" -j ACCEPT
    -A INPUT -m state --state NEW -m tcp -p tcp --dport 543 -m comment --comment "Kerberos" -j ACCEPT
    -A INPUT -m state --state NEW -m tcp -p tcp --dport 636 -m comment --comment "LDAP SSL" -j ACCEPT
    -A INPUT -m state --state NEW -m tcp -p tcp --dport 749 -m comment --comment "Kerberos administration" -j ACCEPT
    -A INPUT -m state --state NEW -m tcp -p tcp --dport 3268 -m comment --comment "LDAP Global Catalog" -j ACCEPT
    -A INPUT -m state --state NEW -m tcp -p tcp --dport 3269 -m comment --comment "LDAP Global Catalog SSL" -j ACCEPT
    -A INPUT -m state --state NEW -m tcp -p tcp --dport 9389 -m comment --comment "AD DS Web Services" -j ACCEPT
    #End of active directory rules
    -A INPUT -m state --state NEW -m tcp -p tcp --dport 5902 -m comment --comment "Spice Client" -j ACCEPT
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -p icmp -j ACCEPT
    -A INPUT -i lo -j ACCEPT
    -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
    -A INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
    COMMIT
    Knock first as I might be balancing my chakras.

    #2
    service iptables stop
    chkconfig iptables off

    Linux is a pile of poop isn't....



      #3
      Originally posted by stek View Post
      service iptables stop
      chkconfig iptables off

      Linux is a pile of poop isn't....
      That's an option and one I considered. When I do this however this fecks up the internet connectivity for the VMs.
      Knock first as I might be balancing my chakras.



        #4
        Originally posted by stek View Post
        service iptables stop
        chkconfig iptables off

        Linux is a pile of poop isn't....
        I'm no expert, but I reckon Linux is just fine and I am being an idiot somewhere.......
        Knock first as I might be balancing my chakras.



          #5
          Originally posted by suityou01 View Post
          That's an option and one I considered. When I do this however this fecks up the internet connectivity for the VMs.
          Can you use a bridged adapter instead?



            #6
            Lol. You don't remember the last load of fun and games with that?

            If NAT is working without the poxy firewall then it can't be the NAT.

            This has to be a pure IPTables problem, Shirley?
            Knock first as I might be balancing my chakras.



              #7
              Originally posted by suityou01 View Post
              Lol. You don't remember the last load of fun and games with that?

              If NAT is working without the poxy firewall then it can't be the NAT.

              This has to be a pure IPTables problem, Shirley?
              I think it might be that the VNC port is in use from a previous connection attempt - try it with multiple ports;

              Code:
              # multiport lets one rule cover the whole VNC/Spice range (same file syntax as /etc/sysconfig/iptables above)
              -A INPUT -m state --state NEW -m tcp -p tcp -m multiport --dports 5901:5906,6001:6006 -m comment --comment "VNC/Spice range" -j ACCEPT



                #8
                5901 is vnc. That works.
                5900 - 5910 was originally open as a range. Then I reverted to a single port.

                News is that wireshark reveals that it is the outbound connection from 192.168.0.5 to 192.168.0.10 that is being refused.

                So the incoming ack gets through. This smells right to me as now the virt-viewer is just sitting there saying connection.

                Kind of Ack .........

                And no Syn ever comes.

                I added an outbound rule for the same port and restarted the services but still nichts.

                Proper grateful for your time Mr Stek. Reckon this one might be unsolvable via a forum.
                Knock first as I might be balancing my chakras.



                  #9
                  Quick look at err, one at work...

                  Try setting iptables to allow TCP ports 5801, 5901 and 6001....... Or 5800, 5900 and 6000 etc....

                  AIUI - those are needed for VNC viewer, client and server respectively...



                    #10
                    Originally posted by stek View Post
                    Quick look at err, one at work...

                    Try setting iptables to allow TCP ports 5801, 5901 and 6001....... Or 5800, 5900 and 6000 etc....

                    AIUI - those are needed for VNC viewer, client and server respectively...
                    Thanks stek. 6 beer tokens are all yours. Cash them in when we meet sometime.

                    The ports and ranges have been opened. I think the problem lies in that when KVM starts the NAT, libvirt adds its own rules to iptables for the NAT.

                    So I open port 5902 or whatever, restart IPTables, and restart the hypervisor, then grep the port with IPTables and it's mysteriously not there.

                    I'm looking at a hack around, to get libvirt to add the port rules instead of adding them to iptables. Just some scripting.

                    Seems completely mental that you can add a guest, configure the port and that KVM handles the NATting from guest to outside world but doesn't handle outside world to guest. It's like out of the box you can have as many VMs as you want, but just don't expect to talk to them ever.
                    Knock first as I might be balancing my chakras.
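                    The "let libvirt add the port rules itself" scripting that post #10 talks about is what libvirt's hook mechanism is for: libvirt runs /etc/libvirt/hooks/qemu (if it exists and is executable) with the guest name, an operation and a sub-operation each time a guest changes state. The script below is an added example, not code from this thread or from libvirt; the guest names, ports and the "spice-<guest>" comment tag are constructed, and IPTABLES is overridable only so the logic can be exercised without root.

```shell
#!/bin/sh
# Added example (not from the thread): a libvirt qemu hook that opens the
# guest's Spice port on the host when the guest has started and closes it
# again when the guest stops. libvirt invokes the hook as:
#   /etc/libvirt/hooks/qemu <guest-name> <operation> <sub-operation> <extra>
# Because the rule is (re)inserted on every start, it survives libvirt's own
# network rule loading wiping out rules that were only added by hand.

IPTABLES="${IPTABLES:-iptables}"   # real binary in production; 'echo' in tests

# Constructed guest -> Spice port map; keep in step with each guest's
# <graphics type='spice' port='...'> setting. Unknown guests get no rule.
spice_port() {
    case "$1" in
        win-client) echo 5902 ;;
        dev-box)    echo 5903 ;;
        *)          return 1 ;;
    esac
}

# Which firewall change a given hook event calls for: add, del or none.
hook_action() {   # $1 = operation, $2 = sub-operation
    case "$1/$2" in
        started/begin) echo add ;;
        stopped/end)   echo del ;;
        *)             echo none ;;
    esac
}

# One rule body shared by check (-C), insert (-I) and delete (-D), so the
# three forms can never drift apart; -C keeps repeated starts idempotent.
fw_rule() {   # $1 = -C|-I|-D, $2 = port, $3 = guest
    "$IPTABLES" "$1" INPUT -p tcp -m state --state NEW -m tcp --dport "$2" \
        -m comment --comment "spice-$3" -j ACCEPT
}

main() {
    guest="$1"; op="$2"; sub="$3"
    port="$(spice_port "$guest")" || return 0      # not a guest we manage
    case "$(hook_action "$op" "$sub")" in
        add) fw_rule -C "$port" "$guest" 2>/dev/null || fw_rule -I "$port" "$guest" ;;
        del) fw_rule -C "$port" "$guest" 2>/dev/null && fw_rule -D "$port" "$guest" ;;
    esac
}

# libvirt always passes at least three arguments; do nothing when sourced.
if [ $# -ge 3 ]; then main "$@"; fi
```

After installing it, `chmod +x /etc/libvirt/hooks/qemu` and restart libvirtd so the hook is picked up; an INPUT rule is enough here because the Spice listener lives on the host, not inside the NATed guest.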

