1372291402 Q * sannes Ping timeout: 480 seconds
1372300463 Q * hijacker Read error: Connection timed out
1372300488 J * hijacker ~hijacker@213.91.163.5
1372302348 M * Bertl off to bed now ... have a good one everyone!
1372302361 N * Bertl Bertl_zZ
1372309572 Q * FireEgl Remote host closed the connection
1372310524 J * FireEgl ~FireEgl@173-25-83-57.client.mchsi.com
1372310930 M * glen hmm, seems currently auditd is failing to startup in vserver just because it attempts to set priority and fails
1372310933 M * glen getpriority(PRIO_PROCESS, 0) = 20
1372310936 M * glen setpriority(PRIO_PROCESS, 0, 4294967292) = -1 EACCES (Permission denied)
1372310938 M * glen sendto(3, "<11>Jun 27 08:27:44 auditd: Cannot change priority (Operation not permitted)\0", 77, MSG_NOSIGNAL, NULL, 0) = 77
1372310942 M * glen sendto(3, "<14>Jun 27 08:27:44 auditd: The audit daemon is exiting.\0", 57, MSG_NOSIGNAL, NULL, 0) = 57
1372311038 M * glen damn, next is failing to adjust oom
1372311046 M * glen [pid 15220] open("/proc/self/oom_score_adj", O_WRONLY|O_NOFOLLOW
1372311051 M * glen [pid 15220] <... write resumed> ) = -1 EACCES (Permission denied)
1372311056 M * glen [pid 15220] sendto(6, "<29>Jun 27 08:29:30 auditd[15220]: Unable to adjust out of memory score\0", 72, MSG_NOSIGNAL, N
1372312419 M * glen seems audit is functioning *somewhat*, crontab -l in guest is producing some messages into host's auditd
1372318061 J * yoshx ~yoshx@xbn44-2-82-225-226-138.fbx.proxad.net
1372321413 J * Ghislain ~aqueos@adsl1.aqueos.com
1372321667 Q * Ghislain
1372323839 Q * neofutur_ Read error: Operation timed out
1372323856 Q * yoshx Read error: Operation timed out
1372323857 Q * BlackPanx Read error: Operation timed out
1372324009 J * neofutur neofutur@cahier2.ww7.be
1372324275 J * BlackPanx ~kvirc@31.15.133.178
1372324303 J * yoshx ~yoshx@xbn44-2-82-225-226-138.fbx.proxad.net
1372324408 Q * yoshx
1372326822 Q * alpha_one_x86 Quit: KVIrc KVIrc Aria 4.3.1, revision: 6250, sources date: 20120701, built on: 2013-03-26 15:17:55 UTC http://www.kvirc.net/
1372329474 J * SteeleNivenson ~SteeleNiv@pool-96-224-241-140.nycmny.fios.verizon.net
1372331407 Q * ircuser-1 Ping timeout: 480 seconds
1372332597 N * Bertl_zZ Bertl
1372332606 M * Bertl morning folks!
1372333766 Q * Aiken Remote host closed the connection
1372334320 Q * SteeleNivenson Read error: Operation timed out
1372334899 J * ircuser-1 ~ircuser-1@35.222-62-69.ftth.swbr.surewest.net
1372336618 J * alpha_one_x86 ~kvirc@190.186.23.16
1372337920 J * swenTjuln ~Marko@195.95.173.243
1372338159 N * l0kit Guest1289
1372338168 J * l0kit ~1oxT@0001b54e.user.oftc.net
1372338557 Q * Guest1289 Ping timeout: 480 seconds
1372338657 J * benl ~benl@dockoffice.sonassihosting.com
1372338671 M * benl Hey Bertl - can I PM you?
1372338678 J * SteeleNivenson ~SteeleNiv@pool-96-224-241-140.nycmny.fios.verizon.net
1372338702 M * Bertl sure
1372341482 Q * wmp Ping timeout: 480 seconds
1372341771 J * wmp ~wmp@2001:41d0:1:8616::1
1372342587 Q * guerby Ping timeout: 480 seconds
1372342597 J * guerby ~guerby@ip165-ipv6.tetaneutral.net
1372344404 Q * nkukard Ping timeout: 480 seconds
1372345478 J * nkukard ~nkukard@41-133-165-4.dsl.mweb.co.za
1372345712 Q * guerby Ping timeout: 480 seconds
1372345725 J * guerby ~guerby@ip165-ipv6.tetaneutral.net
1372346426 M * benl Hi guys, I'm looking to prevent connection tracking from inter-guest comms
1372346452 M * benl adding an iptable rule on `lo` doesn't appear to work, do the guests communicate over ethX?
1372346468 M * benl `cat /proc/net/ip_conntrack` doesn't define the interface
1372346638 M * Bertl no, all guest-guest traffic (on the same host) and host-guest traffic (guest on the same host) will happen via lo (unless you use network namespaces)
1372346648 P * alpha_one_x86 No matter how dark the night, somehow the Sun rises once again
1372346667 M * benl hmmm
1372346672 M * benl then this makes no sense at all
1372346947 M * Bertl what connections are not affected by your rules?
1372347768 J * michal_ ~michal@168.63.70.79
1372347822 Q * guerby charon.oftc.net coulomb.oftc.net
1372347822 Q * Romster charon.oftc.net coulomb.oftc.net
1372347822 Q * michal charon.oftc.net coulomb.oftc.net
1372347822 Q * opuk charon.oftc.net coulomb.oftc.net
1372347822 Q * vasko charon.oftc.net coulomb.oftc.net
1372347822 Q * DoberMann charon.oftc.net coulomb.oftc.net
1372347822 Q * click charon.oftc.net coulomb.oftc.net
1372347822 Q * theocrite charon.oftc.net coulomb.oftc.net
1372347822 Q * karasz charon.oftc.net coulomb.oftc.net
1372347822 Q * disposable charon.oftc.net coulomb.oftc.net
1372347822 Q * ser charon.oftc.net coulomb.oftc.net
1372347822 Q * fosco charon.oftc.net coulomb.oftc.net
1372347822 Q * transaci1 charon.oftc.net coulomb.oftc.net
1372347822 N * michal_ michal
1372347838 M * benl quite a number
1372347855 M * benl all the guests have RFC1819 addresses
1372347863 M * benl and talk to each other on the same subnet within that
1372347892 M * benl and checking `cat /proc/net/ip_conntrack | grep -E "src=172[0-9.]+\sdst=172"` - you can see connections being tracked within that subnet
1372347950 M * benl i *think* it might be down to the way I've assigned interfaces
1372347980 M * benl Ie. /etc/vservers/__guest__/interfaces/0/dev ip prefix
1372347993 M * benl where dev is eth0
1372348028 M * benl checking inside the guest with `ip addr list` - shows the private IP under eth0
1372348039 M * benl 4: eth0: mtu 1500 qdisc noqueue state UP
1372348039 M * benl inet 172.16.0.71/24 brd 172.16.0.255 scope global secondary eth0
1372348052 J * guerby ~guerby@ip165-ipv6.tetaneutral.net
1372348052 J * Romster ~romster@202.168.100.149.dynamic.rev.eftel.com
1372348052 J * opuk ~kupo@h-1-5.a176.priv.bahnhof.se
1372348052 J * disposable disposable@shell.websupport.sk
1372348052 J * transaci1 ~transacid@transacid.de
1372348052 J * vasko ~vasko@unreal.rainside.sk
1372348052 J * fosco fosco@91.208.40.1
1372348052 J * DoberMann ~james@2a01:e35:8b44:84c0::2
1372348052 J * click click@ice.vcon.no
1372348052 J * ser ~ser@host1.tldp.ibiblio.org
1372348052 J * karasz ~karasz@00015555.user.oftc.net
1372348052 J * theocrite ~Hubert@kim.theocrite.org
1372348071 M * benl would I be right in thinking that the guests would be talking over eth0, rather than lo
1372348247 M * Bertl no, local traffic always uses lo
1372348271 M * benl I'm not sure that's the case
1372348274 M * Bertl it's same if you put the 'local ip' on dummy0
1372348280 M * benl I added
1372348280 M * benl /sbin/iptables -t raw -A PREROUTING -i lo -j NOTRACK
1372348280 M * benl /sbin/iptables -t raw -A OUTPUT -o lo -j NOTRACK
1372348293 M * Bertl if it would use dummy0, nothing would ever be received or sent
1372348301 M * benl and `conntrack -E` still shows traffic on 172.xxx
1372348327 M * benl I then added
1372348327 M * benl /sbin/iptables -t raw -i eth0 -A PREROUTING -s 172.16.0.0/24 -d 172.16.0.0/24 -j NOTRACK
1372348327 M * benl /sbin/iptables -t raw -o eth0 -A OUTPUT -s 172.16.0.0/24 -d 172.16.0.0/24 -j NOTRACK
1372348333 M * benl and no more traffic ...
1372348350 M * Bertl that's why I asked what the traffic is
1372348380 M * benl tcp/udp
1372348383 M * Bertl i.e. what connections do you see when lo is blocked
1372348429 M * benl normal tcp/udp
1372348442 M * Bertl any example?
1372348442 M * benl syn_sent/established etc
1372348455 M * benl I'm sure the guests are talking over eth0
1372348477 M * Bertl if you say so
1372348486 M * benl definitely.
1372348515 M * benl maybe
1372348545 M * benl lol
1372348605 M * benl you might be right
1372348639 M * benl ah, there is both going on
1372348666 M * benl just watching the live output on `conntrack -E` and flushing/setting rules, you can see things still happening
1372348849 M * benl and applying each rule in turn stops traffic each
1372348868 M * benl only with both sets of rules does it stop all connection tracking
1372348877 M * Bertl it's always good to see that things are still happening
1372348889 M * benl handy tool conntrack!
1372348897 M * Bertl the connections going over eth0 are not local
1372348951 M * benl nevertheless, both sets of rules have quashed it!
1372348966 M * benl what about host > guest - is that lo?
1372348972 M * benl (or guest > host)
1372348995 M * Bertl yup
1372349012 M * benl hmm
1372349015 M * benl no idea then
1372349049 M * Bertl all local traffic uses 'lo' ... everything that goes out or in doesn't use lo or dummyX
1372349222 J * bonbons ~bonbons@2001:a18:20b:a301:853f:3ef3:5fde:bb69
1372349238 M * Bertl and I think I have a nap now ... bbl
1372349268 N * Bertl Bertl_zZ
1372349507 J * hijacker_ ~hijacker@cable-84-43-134-121.mnet.bg
1372353048 Q * benl Quit: HydraIRC -> http://www.hydrairc.com <-
1372354502 J * alpha_one_x86 ~kvirc@190.186.23.16
1372354537 Q * alpha_one_x86
1372355048 J * sannes ~ace@2a02:fe0:c120:3670:224:1dff:fe14:d26
1372357685 N * Bertl_zZ Bertl
1372357703 M * Bertl back now ...
1372359049 Q * sannes Quit: Leaving.
1372359050 J * sannes ~ace@2a02:fe0:c120:3670:224:1dff:fe14:d26
1372363865 Q * hijacker_ Quit: Leaving
1372365286 Q * ntrs Quit: leaving
1372365295 J * ntrs ~ntrs@vault08.rosehosting.com
1372365954 Q * sannes Remote host closed the connection
1372366858 J * sannes ~ace@2a02:fe0:c120:3670:224:1dff:fe14:d26
1372366881 Q * sannes
1372366886 J * Aiken ~Aiken@2001:44b8:2168:1000:21f:d0ff:fed6:d63f
1372367203 J * cuba33ci_ ~cuba33ci@114-25-206-208.dynamic.hinet.net
1372367364 Q * bonbons Quit: Leaving
1372367407 Q * Kabaka Remote host closed the connection
1372367476 J * Kabaka ~Kabaka@09GAAECNB.tor-irc.dnsbl.oftc.net
1372367551 Q * PowerKe Quit: leaving
1372367557 Q * cuba33ci Ping timeout: 480 seconds
1372367564 N * cuba33ci_ cuba33ci
1372368713 J * PowerKe ~tom@94-227-30-112.access.telenet.be
1372371319 J * BWare ~itsme@31.25.99.5
1372371569 Q * _BWare_ Ping timeout: 480 seconds