1202107928 M * Slydder morning all
1202112432 M * gebura hi
1202112458 M * daniel_hozac hello
1202119210 M * yaboo stupid question if the host has something running on a port will the vserver be able also to use that port
1202119226 M * daniel_hozac only if the host's process is restricted to the host's IP address(es).
1202119370 M * yaboo ok so how do I know if the vserver has use of its own ports, and vice versa with the host
1202119397 M * daniel_hozac hmm?
1202120224 M * onox I try to sniff on traffic from inside vserver X to vserver X with tcpdump 'port 389' -A, but it doesn't show anything, am I doing something wrong?
1202120242 M * daniel_hozac tcpdump should fail in a guest.
1202120275 M * onox no, I am executing tcpdump from the host
1202120302 M * onox I meant 'traffic going from X to X'
1202120325 M * daniel_hozac is that your exact command line? no -i or similar?
1202120355 M * onox that helped :)
1202120834 M * renihs hmm anyone here using 2.6.22-2.2.0.5 on gentoo?
1202120845 M * renihs i fail to get any vserver running on that kernel
1202120951 M * renihs if i launch it with vserver xxx start, it starts and kills soon afterwards, if i do it manually with the long nice line it bails with vcontext .../dev/null no such directory
1202120998 M * renihs if i *add* (missing?) /dev/console to the unstarted vserver dev it fails because it can mount proc at start time :p
1202121006 M * onox are you trying to launch old vservers?
1202121049 M * renihs no
1202121055 M * renihs same state as the host
1202121088 M * renihs i tried different vserver guests (2006 stages) etc
1202121098 M * renihs different issues partially but all fail to start
1202121230 M * yaboo ok got a strange problem
1202121297 M * renihs i get this error on the normal vserver xxx start operation after about 2 seconds
1202121300 M * renihs vxW: [xid #0] !!! limit: dfe3a04c[VM,9] = 31 on exit.
1202121309 M * yaboo seems that the vserver server and the vserver guest have their ports tied together
1202121318 M * renihs according to google this might indicate my guest having the context id of the host (which is not the case)
1202121325 M * renihs other than that google isnt very rewarding
1202121386 M * yaboo how do I make the host and server have independent acting ports
1202121404 M * renihs give em different ips?
1202121439 M * yaboo they have different ip's
1202121447 M * yaboo but they seemed to be tied
1202121477 M * renihs if i try to start the server with /usr/bin/nice -n 0 /usr/sbin/chbind --silent --secure --nid 666 /usr/lib/util-vserver/exec-ulimit /etc/vservers/template/ulimits /usr/sbin/vtag --create --tag 666 --silent -- /usr/sbin/vcontext --create --silent --xid 666 -- /usr/sbin/vlimit --dir /etc/vservers/template/rlimits --missingok -- /usr/sbin/vsched --xid self --force -- /usr/lib/util-vserver/vsysctl --xid self --dir /etc/vservers/templa
1202121477 M * renihs te/sysctl --missingok -- /usr/sbin/vuname --xid self --dir /etc/vservers/template/uts --missingok -- /usr/sbin/vuname --xid self --set -t context=/etc/vservers/template -- /usr/sbin/vattribute --set --secure --flag default --flag fakeinit -- /usr/lib/util-vserver/save_ctxinfo /etc/vservers/template /bin/env -i PATH=/bin:/usr/bin:/sbin:/usr/sbin /usr/sbin/vcontext --migrate-self --endsetup --chroot --silent --initpid --disconnect -
1202121477 M * renihs - /sbin/init (sorry for long line)
1202121481 M * renihs omg
1202121490 M * renihs that wasnt intended :(
1202121500 M * JonB renihs: paste.linux-vserver.org
1202121509 M * renihs yar, it didnt look that long
1202121511 M * renihs sorry :(
1202121552 M * daniel_hozac yaboo: you need to limit everything running on the host to the host's IP address(es).
1202121562 M * daniel_hozac yaboo: that's why you're recommended not to run too much on the host.
1202121601 M * yaboo daniel_hozac, the host has two ip's, real ip to the internet, and a nat ip on the inside
1202121632 M * yaboo and the vserver has another nat ip also
1202121653 M * renihs pasted on http://rafb.net/p/n4a3nx66.html (different errors/start methods)
1202121695 M * matti Hi folks ;)
1202122020 M * onox I can connect on the host using openssl to vserverX:636, but nmap from another machine shows no 636
1202122090 M * onox even while the firewall contains the PREROUTING and FORWARD rules
1202123051 M * onox :s
1202124098 M * JonB onox: netstat -a -p -n
1202124931 M * onox JonB: that only shows a single sshd service running on the host
1202124938 M * onox no services from vservers
1202125291 M * independence how is the work on vserver for 2.6.24 going?
1202125324 M * JonB onox: do it inside the guest
1202125435 M * daniel_hozac independence: slowly, unfortunately.
1202125526 M * onox JonB: I know ldaps is listening on 636 because I can connect to it from the host via openssl
1202125543 M * onox but somehow I cannot connect to it via another machine
1202125720 M * independence daniel_hozac: have you run into problems or something?
1202125773 M * JonB onox: okay, i see. But is it running on the right interface or do you only have 1 interface in the guests?
1202126394 M * daniel_hozac independence: yes, there are a lot of issues with 2.6.24.
1202128276 M * onox JonB: it seems I can reach 389 and 636 from a different machine on the LAN, so it's probably my router
1202128444 M * JonB onox: use tcpdump?
1202128611 M * onox it shows nothing when trying to connect from the internet
1202128698 M * onox it must be the router, it's a speedtouch, so it's ******** anyway :p
1202131083 M * ard6 Bertl_zZ
1202131085 M * ard6 aaghh
1202131102 M * ard6 [22:12] okay, severe nap attack ... off to bed now (might be back a little later though)
1202131122 M * ard6 sleeping for 16 hours....
1202134415 M * Supaplex morning peoples :)
1202138894 M * Bertl morning folks!
1202138935 M * Bertl ard6: I think I'm developing a spring flu
1202139007 M * Supaplex hey Bertl :) ohh that's not good
1202139552 M * ard6 hehe...
1202139558 A * ard6 knows the feeling
1202139568 M * ard6 everytime I go to duesseldorf in the spring...
1202139584 M * ard6 hayfever
1202144144 M * TrueBrain Hi! Question: is it possible to give vservers secure access to ifconfig, in such a way they can manage their own blocklist and port-forwards, in such a way ngnet did?
1202144347 M * daniel_hozac there are various userspace solutions for managing iptables from inside guests.
1202144364 M * TrueBrain any pointer?
1202144427 A * Supaplex is all ears
1202144451 M * daniel_hozac google virtuatables.
1202144557 M * TrueBrain lol, that is of course also a solution, just forward requests to the host :p
1202144580 M * TrueBrain is there any plan to continue on something like ngnet?
1202144623 M * daniel_hozac mainline is working on that.
1202144635 M * TrueBrain any ETA? Or when it is done?
1202144812 M * TrueBrain tnx for the virtuatables suggestion daniel_hozac, I will create something similar, which will have to do for now :)
1202144852 M * daniel_hozac my guess is it might work for IPv4 by 2.6.26, but i'm not sure if that includes iptables...
1202145874 M * Supaplex cool.
1202149089 M * wp hello, when i have two 'guests' battling for 0.0.0.0:443 or another port, is something setup wrongly?
1202149115 M * JonB wp: how many public ip addresses do you have?
1202149120 M * Supaplex is the host listening on that port?
1202149132 M * wp i have a /29 on it
1202149132 M * Supaplex or just a few guests?
1202149140 M * wp just guests, the host is clean on that port
1202149161 M * JonB wp: which ip address have you assigned to the guests?
1202149173 M * Supaplex I've never used more than one ip per guest, so, idk
1202149212 M * daniel_hozac only if the guests have overlapping IP addresses will that be a problem.
1202149225 M * wp JonB: 213.206.96.35/29 and 213.206.96.34/29 (ip and prefix in interfaces dir)
1202149270 M * JonB wp: that seems okay
1202149288 M * JonB wp: try to shutdown .35 and telnet to .35
1202149291 M * JonB and then with .34
1202149307 M * wp eew.. :)
1202149318 M * daniel_hozac hardly interesting.
1202149331 M * wp i can shutdown .35 temp
1202149332 M * JonB daniel_hozac: well, then you help him
1202149337 M * daniel_hozac tail -n 1 /etc/vservers/*/interfaces/*/ip
1202149358 M * daniel_hozac (use paste.linux-vserver.org)
1202149360 M * wp do you have a pastebin?
1202149365 M * wp ;)
1202149367 M * wp tnx
1202149386 M * wp http://paste.linux-vserver.org/11717
1202149417 M * daniel_hozac there you go.
1202149426 M * daniel_hozac you've assigned 127.0.0.1 to two of the guests.
1202149457 M * wp its behaviour is different in the guest then?
1202149462 M * wp of localhost
1202149480 M * JonB well, you assigned 2 ethernet devices with the same ip address
1202149483 M * daniel_hozac what kernel do you have?
1202149485 M * wp i need it because of nagios failing to startup/compile for instance
1202149495 M * wp and postfix screaming about no lo
1202149495 M * wp :)
1202149511 M * wp 2.6.20-vs2.2.0-gentoo #
1202149514 M * JonB wp: my nagios runs just fine without a lo
1202149533 M * wp JonB: compile it? it fails on an icmp without 127.0.0.1
1202149537 M * daniel_hozac so that's expected then.
1202149546 M * daniel_hozac 127.0.0.1 is rewritten to the guest's first IP address.
1202149548 M * JonB wp: did you have a localhost entry in /etc/hosts
1202149564 M * wp JonB: yep
1202149568 M * JonB wp: i run debian, i dont compile stuff if i can avoid it. It takes time
1202149573 M * wp it really needs the 127.0.0.1
1202149583 M * JonB wp: not for running
1202149587 M * wp JonB: then it's installed from a .deb probably
1202149595 M * TrueBrain http://linux-vserver.org/Problematic_Programs#127.0.0.1_issues ;) (sorry, couldn't resist :))
1202149598 M * JonB wp: ofc. it is from a .deb
1202149636 M * wp TrueBrain: guess that i did to these guests... but it apparently does not work when you have more heh
1202149650 M * JonB wp: no no
1202149669 M * wp daniel_hozac: how do i deal with 127.0.0.1 properly then?
1202149680 M * daniel_hozac just don't assign it.
1202149681 M * JonB wp: did you use ethernet devices or lo devices?
1202149708 M * wp JonB: what do you mean?
1202149725 M * TrueBrain wp: euh, you didn't do what the url told you, but okay :) (it tells you that '0' should be the loopback)
1202149729 M * JonB wp: in your interface files in /etc/vservers/*/...
1202149760 M * wp TrueBrain: would that really make the difference? :)
1202149773 M * daniel_hozac no, they'd still conflict.
1202149861 M * wp daniel_hozac: i removed one 1/ from a guest and now it works
1202149945 M * wp thanks all :)
1202149951 M * TrueBrain wp: you only need it to install nagios, after that you can remove the loopback... how silly, yes...
1202149968 M * wp TrueBrain: yeah, it started fine now (nrpe)
1202149984 M * wp weird tho heh
1202155976 M * dowdle If you want a very recent kernel report, see Jon Corbet's kernel report video from linux.conf.au: http://mirror.linux.org.au/pub/linux.conf.au/2008/Wed/mel8-065.ogg (that's a video... and should be named .ogv but they named it .ogg)
1202155993 M * dowdle About 31 minutes into it, he gets into OS Virtualization
1202156341 A * mnemoc downloading
1202156357 M * arachnist the site seems fast...
1202156365 M * arachnist 16K/s
1202156514 M * daniel_hozac i'm getting 3 MiBps, still increasing...
1202156714 M * arachnist lol?
1202157628 M * Darkglow Hi.
1202157794 M * Darkglow I have "rename(): Operation not permitted" errors when I hashify vservers on 1 host... fixed it by stopping the vserver, copy the vserver/start the vserver using the copy ... but after 2 days, it did it again... I don't understand why...
1202158325 M * daniel_hozac did you restart the host in between?
1202158341 M * Darkglow no
1202158412 M * daniel_hozac you're left with just the immutable unlink invert bit set, right?
1202158445 M * Darkglow ----UiX ./usr/sbin/a2dismod
1202158480 M * Darkglow when I did the copy/restart procedure, it changed correctly to uiX...
1202158510 M * daniel_hozac well, something is removing the immutable bit.
1202158526 M * daniel_hozac you should figure out what.
1202158526 M * Darkglow can this be done within the vserver ?
1202158541 M * daniel_hozac not by default, only if you give it too many caps.
1202158556 M * Darkglow it has no CAPS other than the defaults...
1202158593 M * Darkglow this machine is a copy of another one... the other one has no problems...... odd
1202158654 M * daniel_hozac i assume you run hashify from a cronjob?
1202158659 M * Darkglow yes
1202158675 M * Darkglow this is where I see the errors in the morning :-)
1202158711 M * daniel_hozac if you run setattr --iunlink, do both U and I get enabled?
1202158753 M * Darkglow yes
1202158820 M * Darkglow hum, I can't remove the old directories (vserver-old from my copy/restart procedure)...
1202158847 M * Darkglow I think I will just stop all vservers, make copies, then delete everything including .hash and restart everything...
1202158864 M * daniel_hozac try replacing chattr with a symlink to /bin/true.
1202158885 M * Darkglow on the host ? what will this do ?
1202158921 M * daniel_hozac determine if it's at all vserver-related... do the same in the guests.
1202158956 M * Darkglow ok, what do I do once this is done ?
1202159015 M * daniel_hozac wait...
1202159101 M * Darkglow ?
1202159161 M * daniel_hozac see if the same thing happens again, once you restore the proper attributes.
1202159166 M * Darkglow ok
1202165010 M * onox daniel_hozac: I can't connect from my host to host:389
1202165037 M * Bertl and why's that?
1202165037 M * onox iptables says:
1202165040 M * onox DNAT tcp -- 0.0.0.0/0 10.0.0.153 tcp dpt:389 to:10.0.12.3:389
1202165059 M * onox FORWARD rule is: ACCEPT tcp -- 0.0.0.0/0 10.0.12.3 tcp dpt:389
1202165079 M * Bertl is anything forwarded?
1202165099 M * onox yes, there are dozens of other services that do work
1202165122 M * Bertl so the destination is _outside_ the host, yes?
1202165150 M * onox destination?
1202165160 M * onox my vserver is 10.0.12.3
1202165164 M * Bertl well, forwarding happens when the host is not the destination
1202165199 M * onox do you think I need an INPUT rule?
1202165214 M * Bertl if the destination is the host (also true for guests), yes
1202165253 M * onox but isn't the PREROUTING rule what I need?
1202165256 M * Bertl try and watch the counters if you're unsure (or add a log rule)
1202165280 M * Bertl as the name says, PREROUTING is before the packet is routed
1202165356 M * onox but when I connect to 10.0.0.153:389, I expect that iptables sends me to 10.0.12.3:389
1202165382 M * onox and then the forward rule allows me to actually connect to the vserver?
1202165393 M * Bertl is the DNAT entry on POSTROUTING?
1202165416 M * onox no, PREROUTING
1202165419 M * Bertl no forwarding is involved when you are on the host (guest)
1202165436 M * onox but I can't connect from a different machine either
1202165447 M * onox only POSTROUTING rule is MASQUERADE all -- 0.0.0.0/0 0.0.0.0/0
1202165463 M * Bertl what's that supposed to do?
1202165487 M * onox don't know, added it when I just started with vservers :)
1202165489 M * Bertl (except for confusing the network stack :)
1202165500 M * onox Bertl: can I remove that rule?
1202165526 M * onox I thought I needed such a MASQUERADE rule for NAT
1202165577 M * Bertl you want a DNAT rule for forwarded ports (public -> private) and an SNAT rule for reaching the internet (private -> public)
1202165589 M * onox SNAT?
1202165606 M * onox my firewall script doesn't contain a SNAT rule
1202165607 M * Bertl source network address translation
1202165617 M * onox I still can download stuff from within a vserver
1202165658 M * onox another question: do I actually need a FORWARD rule when I already have a PREROUTING rule?
1202165678 M * Bertl not for Linux-VServer :)
1202165690 M * Bertl as the forward chain is not consulted anyways
1202165695 M * onox :O
1202165706 M * onox hmm, so I just need a PREROUTING rule?
1202165722 M * Bertl prerouting for the DNAT, postrouting for the SNAT (usually)
1202165892 M * onox I really don't have a SNAT rule
1202165911 M * Bertl well, if everything works without ... np
1202165911 M * onox although default policy of OUTPUT is ACCEPT
1202165979 M * onox I still don't understand why ldap isn't reachable via 10.0.0.153
1202166007 M * Bertl try with telnet, or netcat, add a log rule for each chain
1202166017 M * Bertl tcpdump the communication on lo
1202166035 M * Bertl show me the resulting data and I tell you what's wrong :)
1202166064 M * onox ok, i'll try :)
1202166134 M * onox when doing: openssl s_client -connect 10.0.0.153:3389 -showcerts -state
1202166156 M * onox tcpdump says: na@126-214-dsl.kielnet.net] has joined #vserver
1202166156 M * onox 00:01 < onox> when
1202166159 M * Bertl 3389? vs 389?
1202166202 M * onox 00:07:28.786177 IP 10.0.0.153.34408 > 10.0.0.153.ms-wbt-server: S 1508963728:1508963728(0) win 32792
1202166232 M * onox Bertl: when connecting to 10.0.0.153:3389 traffic should be sent to 10.0.12.3:389
1202166249 M * onox 3389 => port 389 of vserver 3
1202166264 M * Bertl 23:43 < onox> DNAT tcp -- 0.0.0.0/0 10.0.0.153 tcp dpt:389 to:10.0.12.3:389
1202166276 M * Bertl there is no 3389
1202166389 M * onox DNAT tcp -- 0.0.0.0/0 10.0.0.153 tcp dpt:3389 to:10.0.12.3:389
1202166435 M * onox openssl s_client -connect 10.0.0.153:3389 -showcerts -state shows:
1202166448 M * onox 00:10:49.552944 IP (tos 0x0, ttl 64, id 60653, offset 0, flags [DF], proto TCP (6), length 52) 10.0.0.153.58871 > 10.0.0.153.ms-wbt-server: S, cksum 0x30b4 (correct), 1719276816:1719276816(0) win 32792
1202166461 M * onox by tcpdump -i lo 'port 3389' -A -vv
1202166486 M * Bertl use tcpdump -vvnei lo
1202166523 M * onox that gives: 00:14:08.335234 00:00:00:00:00:00 > 00:00:00:00:00:00, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 64, id 49834, offset 0, flags [DF], proto TCP (6), length 52) 10.0.0.153.39123 > 10.0.0.153.3389: S, cksum 0x00e2 (correct), 1937212681:1937212681(0) win 32792
1202166562 M * onox how do I interpret this message? :)
1202166592 M * Bertl and the DNAT rule (use iptables -vnL)
1202166627 M * onox 0 0 ACCEPT tcp -- * * 0.0.0.0/0 10.0.12.3 tcp dpt:389
1202166645 M * Bertl that's an accept not DNAT
1202166674 M * onox -t nat gives: 0 0 DNAT tcp -- * * 0.0.0.0/0 10.0.0.153 tcp dpt:3389 to:10.0.12.3:389
1202166709 M * Bertl and this one is in what chain?
1202166743 M * onox PREROUTING chain
1202166774 M * Bertl you see that this rule didn't match yet? (first and second column)
1202166798 M * onox match?
1202166803 M * onox 0 0 DNAT tcp -- * * 0.0.0.0/0 10.0.0.153 tcp dpt:3389 to:10.0.12.3:389
1202166822 M * onox that ACCEPT rule was from the FORWARD chain in the default table
1202166840 M * Bertl first column is packets, second column is bytes
1202166852 M * onox 0 and 0?
1202166860 M * Bertl precisely
1202166897 M * onox all my DNAT rules have 0 0
1202167033 M * Bertl check which CHAIN counter does increase when you try this
1202167034 M * Bertl it might be a blocking rule on input or output
1202167097 M * onox :O
1202167097 M * onox 3080 works
1202167097 M * onox ok, I understand
1202167097 M * onox ah, every rule had 0 0 because I just flushed iptables
1202167113 M * onox ok
1202167114 M * onox I don't understand why my DNAT rule for 3389 -> 389 does have 0 0
1202167114 M * onox even while tcpdump showed some data
1202167131 M * Bertl because it wasn't DNAT-ed
1202167200 M * onox by why not?
1202167204 M * onox s/by/but
1202167260 M * Bertl onox: don't know, add a log rule right before that, see what it logs
1202167348 M * onox Bertl: what does this mean: 00:27:51.228440 00:00:00:00:00:00 > 00:00:00:00:00:00, ethertype IPv4 (0x0800), length 66: (tos 0x0, ttl 64, id 64621, offset 0, flags [DF], proto TCP (6), length 52) 10.0.0.153.56479 > 10.0.0.153.3389: S, cksum 0x9935 (correct), 2799859070:2799859070(0) win 32792
1202167447 M * Bertl it means that a correct tcp packet was seen (on that interface) from 10.0.0.153:56479 to 10.0.0.153:3389
1202167454 M * onox I do have a -j LOG rule, but it's not triggered according to iptables -vnL
1202167467 M * Bertl do you get a log message in dmesg?
1202167497 M * onox no
1202167509 M * Bertl then the packet never traverses that chain/location
1202167510 M * onox dmesg only tells me lo has entered promiscuous mode
1202167538 M * Bertl put the log target into other places too, to see where it passes by
1202167573 M * Bertl most likely the packet is dropped or something
1202167595 M * onox only my INPUT policy is set to DROP
1202167619 M * Bertl well, add a log rule there then :)
1202167751 M * onox log rule is: 0 0 LOG tcp -- * * 0.0.0.0/0 10.0.0.153 tcp dpt:3389 LOG flags 0 level 4
1202167838 M * Bertl I wouldn't bother to specify the IP, the port should suffice (also add port 389)
1202168163 M * onox telnet 10.0.0.153 3389 doesn't do a damn thing
1202168611 M * onox *sigh*
1202168638 M * onox I bet it's just the fault of Linus and his failing slaves
1202168667 M * onox Bertl: how can this MASQUERADE rule confuse the network stack?
1202168815 M * Bertl the masquerading rule has no source and no target address
1202168831 M * Bertl so it's very hard to tell _what_ will be masqueraded
1202168986 M * onox what's masquerading anyway? :/
1202169025 M * Bertl masquerading is the process of replacing addresses with a dynamic port mapping
1202169063 M * Bertl http://en.wikipedia.org/wiki/Network_address_translation
1202169112 M * onox so outgoing packets from 10.0.12.3 look like they came from 10.0.0.153?
1202169149 M * Bertl for example, really depends on the involved interfaces and addresses, as your masquerading rule does not define this clearly
1202169183 M * Bertl if you have, e.g. an SNAT rule, it is clear that you do a 1:1 mapping for the ports, and you switch the address
1202169213 M * Bertl welcome xdr!
1202169217 M * xdr thx
1202169286 M * onox Bertl: do you have an example of a useful SNAT rule at hand?
1202169343 M * Bertl sure, let's assume we have guests at 192.168.0.xx and a public ip for each of them, like 64.0.0.xx
1202169392 M * Bertl then for example, iptables -t nat -A POSTROUTING -s 192.168.0.1/24 -j SNAT --to-source 64.0.0.1/24 would be a proper rule
1202169411 M * xdr anyone here running gentoo, and could tell me why my guest wants to mount misc bin fs ?
1202169415 M * xdr at startup?
1202169429 M * Bertl IIRC, wrong baselayout inside the guest
1202169443 M * onox xdr: do you use baselayout-1.12?
1202169482 M * onox Bertl: so I need iptables -t NAT -A POSTROUTING -s 10.0.12.1/24 -j SNAT --to-source 10.0.0.153?
1202169485 M * xdr onox: on the guest?
1202169488 M * onox xdr: yes
1202169512 M * xdr onox: prolly, haven't synced it yet, so that's a problem I can ignore for now?
1202169534 M * Bertl yes, nothing bad will happen, if it starts :)
1202169535 M * onox don't know, but b-1.12 is fubar imo