Koozali.org: home of the SME Server
Contribs.org Forums => Koozali SME Server 10.x => Topic started by: rmoria on August 16, 2021, 11:05:47 AM
-
Hi,
I am rebuilding to SME 10. I am at the point I want to bring back the websites it was hosting.
I can not access them from the internet, but I can access them from the private side.
How can I check if the traffic is blocked by the server or if my ISP blocked port 80?
-
Please go back a few steps and tell us exactly what steps you have taken so far.
Did the sites work publicly on v9?
What mode is the server?
Do you have routers or other firewalls installed?
-
Yes, they worked on SME9
Server and gateway
No extra routers or firewall installed. Connected to ISP by modem in bridge mode.
I have a basic index.htm in the ibay(s) now, that I can see from the private network
-
Have you restored from a backup or done a clean start?
-
config show SystemMode
-
I did a fresh start.
systemmode:
SystemMode=servergateway
-
It has probably something to do with the database not working for root (and others, like horde). I can also not redirect ports.
I am running a backup and tomorrow I will see if a fresh install (again) works better. :-(
-
First, you should not use root and its password for web applications. You should create a dedicated db and user per app. If not confident with the command line, use the phpmyadmin contrib and connect as admin. There are multiple reasons, but a few of them are:
- if leaked you also give up your master ldap password for SME
- if leaked for one app you compromise your whole mysql db
Second, if you can see content from inside and not from outside it is very unlikely it is a mysql issue.
Third, "can not access" is like saying the car does not work and not giving the engineer more information. Nobody will be able to help you.
How do you try your external access? What is displayed? An error? What do you expect to see? Better give us a URL so we can test for you.
Last, this is not Windows; deleting and installing again is not the first solution. Investigating, understanding and fixing is the way.
So start by telling us more; this will avoid a long unhelpful thread.
edit
Also /var/log/httpd/access_log and error_log could be helpful to diagnose the issue when trying to access.
-
IP address: 213.93.205.219
DNS: tolot.net (primary) / babshop.nl (points to ibay) / groenzwartereigers.nl (points to ibay)
With "db accounts show" I can see that all 3 ibays are set to global access and no password
-
First, I am assuming that the IP is really the current one that has been assigned by your ISP lately and obtained by reading the config of your SME (ifconfig). If you do not have a static IP this could have changed before I checked for it. (If I am assuming wrong, correct me and there will be extra debugging steps.)
I am also assuming you are restoring on the same hardware you were using for the SME9. Different hardware could be related to other potential issues. (If I am assuming wrong, correct me and there will be extra debugging steps.)
Your domains seem to be pointing to the right IP though, so no DNS issue.
I am able to ping but that is all I can get from your IP. Nmap was unable to find one single open port.
Also I must say that from Canada I get 2 hops with 87% loss. Tested from France and there was no routing issue.
So either you have a provider filtering your port (but from what you were saying this was working before with SME9), or you have some issue with your local firewall/modem/router, or this is a conflict with an SME config.
1- This could be from your ISP router/modem? I guess you did not change anything on this device?
2- I am assuming that your modem/router is set as modem gateway and is not NATing anything (acting as router), because this could be a first issue; if not, please correct me and there will again be extra debugging to do.
This could help partly answer the question:
config show ExternalInterface
3- if this is a SME configuration, we have to check :
-3a custom templates (this is the major source of issues when restoring from backup)
/sbin/e-smith/audittools/templates
-3b firewall and http services setting
config show masq
config show httpd-e-smith
- services running
systemctl status -l masq httpd-e-smith
4- any contrib installed like fail2ban, xt_geoip that could block your access? try following command to check
/sbin/e-smith/audittools/newrpms |grep ^smeserver
5- also could be hardware / software issue with network: please check
lspci |grep -i Eth
-
2:
config show ExternalInterface
ExternalInterface=interface
Configuration=DHCPEthernetAddress
Driver=r8169
Gateway=
IPAddress=
Name=enp3s0
Netmask=255.255.255.0
3a: I did not do a restore to there, just data in Ibays
3b:config show masq
masq=service
DenylogTarget=drop
Logging=most
Stealth=no
Trace=disabled
pptp=yes
status=enabled
config show httpd-e-smith
httpd-e-smith=service
SSLv2=disabled
SSLv3=disabled
TCPPort=80
access=public
status=enabled
systemctl status -l masq httpd-e-smith
● masq.service - masq, the Koozali SME Server firewall script
Loaded: loaded (/usr/lib/systemd/system/masq.service; enabled; vendor preset: enabled)
Active: active (exited) since zo 2021-08-29 12:58:56 CEST; 22min ago
Main PID: 1297 (code=exited, status=0/SUCCESS)
Memory: 0B
CGroup: /system.slice/masq.service
aug 29 12:58:55 nathan.tolot.net systemd[1]: Starting masq, the Koozali SME Server firewall script...
aug 29 12:58:56 nathan.tolot.net masq[1297]: Enabling IP masquerading: done
aug 29 12:58:56 nathan.tolot.net systemd[1]: Started masq, the Koozali SME Server firewall script.
● httpd-e-smith.service - httpd-e-smith The Koozali SME Server Apache HTTP Service
Loaded: loaded (/usr/lib/systemd/system/httpd-e-smith.service; enabled; vendor preset: enabled)
Active: active (running) since zo 2021-08-29 12:59:00 CEST; 22min ago
Docs: man:httpd(8)
man:apachectl(8)
Main PID: 1846 (httpd)
Status: "Total requests: 0; Current requests/sec: 0; Current traffic: 0 B/sec"
Memory: 8.6M
CGroup: /system.slice/httpd-e-smith.service
├─1846 /usr/sbin/httpd -f /etc/httpd/conf/httpd.conf -DFOREGROUND
├─1861 /usr/sbin/httpd -f /etc/httpd/conf/httpd.conf -DFOREGROUND
├─1862 /usr/sbin/httpd -f /etc/httpd/conf/httpd.conf -DFOREGROUND
├─1863 /usr/sbin/httpd -f /etc/httpd/conf/httpd.conf -DFOREGROUND
├─1864 /usr/sbin/httpd -f /etc/httpd/conf/httpd.conf -DFOREGROUND
├─1865 /usr/sbin/httpd -f /etc/httpd/conf/httpd.conf -DFOREGROUND
├─1866 /usr/sbin/httpd -f /etc/httpd/conf/httpd.conf -DFOREGROUND
├─1867 /usr/sbin/httpd -f /etc/httpd/conf/httpd.conf -DFOREGROUND
├─1868 /usr/sbin/httpd -f /etc/httpd/conf/httpd.conf -DFOREGROUND
├─1869 /usr/sbin/httpd -f /etc/httpd/conf/httpd.conf -DFOREGROUND
└─1870 /usr/sbin/httpd -f /etc/httpd/conf/httpd.conf -DFOREGROUND
aug 29 12:58:56 nathan.tolot.net systemd[1]: Starting httpd-e-smith The Koozali SME Server Apache HTTP Service...
aug 29 12:59:00 nathan.tolot.net systemd[1]: Started httpd-e-smith The Koozali SME Server Apache HTTP Service.
4: /sbin/e-smith/audittools/newrpms |grep ^smeserver
smeserver-awstats.noarch 1.4-3.el7.sme @smecontribs
smeserver-dhcp-dns.noarch 1.2.0-5.el7.sme @smecontribs
smeserver-dhcpmanager.noarch 2.0.4-12.el7.sme @smecontribs
smeserver-letsencrypt.noarch 0.5-17 @smecontribs
smeserver-mod_dav.noarch 1.1-7.el7.sme @smecontribs
smeserver-phpmyadmin.noarch 4.0.10.2-11.el7.sme @smecontribs
smeserver-webhosting.noarch 0.0.9-12.el7.sme @smecontribs
5: lspci |grep -i Eth
00:19.0 Ethernet controller: Intel Corporation 82566DM-2 Gigabit Network Connection (rev 02)
03:00.0 Ethernet controller: Realtek Semiconductor Co., Ltd. RTL8169 PCI Gigabit Ethernet Controller (rev 10)
Other stuff I tried: Reset the modem and placed it in bridge mode again (I keep trying to find someone at the ISP helpdesk that is smart enough to check if there is any firewall in the modem after I switch to bridge mode and cannot look myself). Switched local and public ethernet cards and cables (got me a new public IP address (178.85.119.237); didn't work, so I switched back)
-
From what I see your SME is not getting any IP.
I would check what the setting was on your previous SME.
A tip: when using the command ifconfig you should see the external IP assigned on your external interface.
Another tip: usually when you reset your modem you also need to reboot the server. Some of them need to have the server already connected when rebooting and won't work if you change the device behind them after that.
-
It does get an IP, I am using the connection now.
ifconfig
enp0s25: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 213.93.205.219 netmask 255.255.255.0 broadcast 255.255.255.255
ether 00:1e:4f:d0:d9:e1 txqueuelen 1000 (Ethernet)
RX packets 1057158 bytes 1187269683 (1.1 GiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 505290 bytes 92757066 (88.4 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
device interrupt 21 memory 0xfe9e0000-fea00000
enp3s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.0.0.1 netmask 255.255.0.0 broadcast 10.0.255.255
ether 3c:49:37:17:cd:8a txqueuelen 1000 (Ethernet)
RX packets 527039 bytes 93153031 (88.8 MiB)
RX errors 0 dropped 2 overruns 0 frame 0
TX packets 1042724 bytes 1180877850 (1.0 GiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
loop txqueuelen 1000 (Local Loopback)
RX packets 12201 bytes 1614893 (1.5 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 12201 bytes 1614893 (1.5 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
-
ExternalInterface=interface
Name=enp3s0
enp3s0:
inet 10.0.0.1
enp0s25:
inet 213.93.205.219
Think you have your interfaces mixed up.
-
Oh sorry, when I wrote that I had them switched to see if that would help. I now remade that.
(after changing in admin menu, internet (gateway) did not work. I had to do a signal-event postupgrade; signal-event reboot after)
Now:
config show ExternalInterface
ExternalInterface=interface
Configuration=DHCPEthernetAddress
Driver=r8169
Gateway=
IPAddress=
Name=enp3s0
Netmask=255.255.255.0
ifconfig
enp0s25: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.0.0.1 netmask 255.255.0.0 broadcast 10.0.255.255
ether 00:1e:4f:d0:d9:e1 txqueuelen 1000 (Ethernet)
RX packets 7549 bytes 2010434 (1.9 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 7855 bytes 4981371 (4.7 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
device interrupt 21 memory 0xfe9e0000-fea00000
enp3s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 178.85.119.237 netmask 255.255.255.0 broadcast 255.255.255.255
ether 3c:49:37:17:cd:8a txqueuelen 1000 (Ethernet)
RX packets 8509 bytes 5163556 (4.9 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 7201 bytes 1871775 (1.7 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
loop txqueuelen 1000 (Local Loopback)
RX packets 687 bytes 68256 (66.6 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 687 bytes 68256 (66.6 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
Tomorrow I will try to contact the ISP and hope to get someone that actually helps me check my modem.
-
Oh sorry, when I wrote that I had them switched to see if that would help. I now remade that.
Please be REALLY careful doing this sort of thing - it can totally confuse a situation and just wastes so much time, and then you end up getting ignored.
ping tolot.net
PING tolot.net (178.85.119.237): 56 data bytes
64 bytes from 178.85.119.237: icmp_seq=0 ttl=52 time=65.574 ms
ping babshop.nl
PING babshop.nl (178.85.119.237): 56 data bytes
64 bytes from 178.85.119.237: icmp_seq=0 ttl=52 time=75.899 ms
ping groenzwartereigers.nl
PING groenzwartereigers.nl (213.93.205.219): 56 data bytes
Request timeout for icmp_seq 0
So 178.85.119.237 responds but the other doesn't.
So is your IP static or dynamic (from the looks of your login it is dynamic.....)? So I guess you are using this dynamic IP to login here.
You say you tried bridged mode. What instructions does your ISP give you to set it up? At least we can then work out what to do. What sort of router or modem is it? You said you had it in bridge mode on v9 so where are the settings for that?
A look at this might help once you have figured out what modem mode you should be in.
https://wiki.koozali.org/SME_Server:Documentation:Administration_Manual:Chapter5#Server_and_Gateway_Mode_-_Dedicated
If you have a dynamic IP you will also need another contrib to fix the DNS as well.
Lots of questions with no real answers.
Please, go back, start again, and just do it one step at a time. You are just thrashing around trying different things and not being methodical here.
I strongly suggest having a read through this - ignore the Rocket specific bits, but read the generic stuff on reporting bugs effectively.
https://gist.github.com/reetp/a66149d5f060f260643a353ca7067a98#how-to-ask-for-help
Specifically use these to try and organise yourself to help us.
https://www.chiark.greenend.org.uk/~sgtatham/bugs.html
http://www.catb.org/esr/faqs/smart-questions.html
-
You got back again this new IP 178.85.119.237
and looking at ReetP's test just above this post, you only got part of your domains updated to the new IP.
Take time to answer and follow ReetP's suggestions.
Also I would add, you can check SME logs when trying to connect:
tail -f /var/log/iptables/denylog.log
You certainly have a phone with LTE; this is your best friend to test your connection from the "outside world".
-
I am seeing almost everything being denied:
Aug 31 16:15:50 nathan denylog: IN=enp3s0 OUT= MAC=3c:49:37:17:cd:8a:54:67:51:55:f3:37:08:00 SRC=109.38.153.152 DST=178.85.119.237 LEN=60 TOS=00 PREC=0x00 TTL=54 ID=31029 DF PROTO=TCP SPT=19666 DPT=80 SEQ=4235366483 ACK=0 WINDOW=65535 SYN URGP=0 MARK=0
Aug 31 16:17:19 nathan denylog: IN=enp3s0 OUT= MAC=3c:49:37:17:cd:8a:54:67:51:55:f3:37:08:00 SRC=109.38.153.152 DST=178.85.119.237 LEN=88 TOS=00 PREC=0x00 TTL=249 ID=17589 DF PROTO=TCP SPT=18060 DPT=8181 SEQ=3235150611 ACK=0 WINDOW=0 ACK RST URGP=0 MARK=0
(port 8181 is a connection to another machine)
-
I know you said you did not restore custom-templates but please give us the output of
/sbin/e-smith/audittools/templates
Also denylog.log, as its name states, will output denied connections ;)
It is not normal that your server will deny port 80 unless a custom template or a contrib has asked so or you changed httpd-e-smith access to private.
Also while ifconfig is showing your external IP, it is not shown in the config db and it should be seen in two places:
config get ExternalIP
config getprop ExternalInterface IPAddress
-
sbin/e-smith/audittools/templates gives no response (fresh install)
config get ExternalIP
config getprop ExternalInterface IPAddress
Also gives no output
-
This is turning into an XY problem.
https://xyproblem.info/
sbin/e-smith/audittools/templates gives no response (fresh install)
You are missing a '/'
/sbin/e-smith/audittools/templates
Then:
Also gives no output
So what have you done differently?
Please, go back, read again the pages on how to report issues correctly, and then document each step and paste it somewhere like pastebin so we can see what you are doing. Remember - we are effectively blind here. We are not mind readers either.
At the minute you are still racing round in a desperate attempt to make something work and getting nowhere, and wasting lots of everyone's time.
You have done a clean install. And? Then what? Exactly what did you do during set up? What options? Every little step.
If you can't be methodical and accurate and provide clear information we can't help you.
-
John we are getting there.
please can you post the output of
config show wan
/sbin/e-smith/audittools/events
also
grep ip-change /var/log/message*
-
config show wan
wan=service
status=enabled
/sbin/e-smith/audittools/events
First the next command gave no output. I did signal-event IP-Change and this came:
grep ip-change /var/log/message*
/var/log/messages:Sep 2 20:01:53 nathan esmith::event[4821]: Processing event: ip-change
/var/log/messages:Sep 2 20:01:53 nathan esmith::event[4821]: Running event handler: /etc/e-smith/events/ip-change/S03set-external-ip
/var/log/messages:Sep 2 20:01:53 nathan esmith::event[4821]: S03set-external-ip=action|Event|ip-change|Action|S03set-external-ip|Start|1630605713 751506|End|1630605713 835274|Elapsed|0.083768|Status|65280
/var/log/messages:Sep 2 20:01:55 nathan esmith::event[4821]: generic_template_expand=action|Event|ip-change|Action|generic_template_expand|Start|1630605713 835553|End|1630605715 870966|Elapsed|2.035413
/var/log/messages:Sep 2 22:02:13 nathan esmith::event[4821]: adjust-services=action|Event|ip-change|Action|adjust-services|Start|1630605715 871293|End|1630612933 614584|Elapsed|7217.743291
/var/log/messages.20210902194842:Sep 2 20:01:53 nathan esmith::event[4821]: Processing event: ip-change
/var/log/messages.20210902194842:Sep 2 20:01:53 nathan esmith::event[4821]: Running event handler: /etc/e-smith/events/ip-change/S03set-external-ip
/var/log/messages.20210902194842:Sep 2 20:01:53 nathan esmith::event[4821]: S03set-external-ip=action|Event|ip-change|Action|S03set-external-ip|Start|1630605713 751506|End|1630605713 835274|Elapsed|0.083768|Status|65280
/var/log/messages.20210902194842:Sep 2 20:01:55 nathan esmith::event[4821]: generic_template_expand=action|Event|ip-change|Action|generic_template_expand|Start|1630605713 835553|End|1630605715 870966|Elapsed|2.035413
/var/log/messages.20210902194842:Sep 2 22:02:13 nathan esmith::event[4821]: adjust-services=action|Event|ip-change|Action|adjust-services|Start|1630605715 871293|End|1630612933 614584|Elapsed|7217.743291
To rule out a hardware failure, I am going to switch a network card tomorrow.
I also tried stuff on the modem, like removing the bridge mode and forwarding all ports. Just to be sure it is not blocked there. It didn't help; denylog still filling up.
Switched around the network cables again. External IP 213.93.205.219 (and changed DNS redirect to current IP)
-
The issue seems to be that the IP is not propagated to the config database.
The result is that the firewall filtering on the WAN IP is not aware of what the WAN IP is and will simply refuse any HTTP connections.
try
signal-event ip-change yourcurrentip
then we will need to investigate what is causing that.
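
The check this diagnosis implies, as an added example that is not part of the thread or of SME Server's own tooling: compare the address actually on the external interface with the ExternalIP held in the config db, next to the denied SYNs to port 80 in the denylog. The function names and the sample data (documentation addresses, in the formats quoted above) are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Sample data below is constructed
# (documentation addresses) in the formats quoted in the posts above.
SAMPLE_IFCONFIG='enp0s25: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.0.0.1  netmask 255.255.0.0  broadcast 10.0.255.255
enp3s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.0.2.10  netmask 255.255.255.0  broadcast 255.255.255.255'
SAMPLE_DENYLOG='Aug 31 16:15:50 host denylog: IN=enp3s0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=19666 DPT=80 SEQ=1 ACK=0 WINDOW=65535 SYN URGP=0 MARK=0
Aug 31 16:17:19 host denylog: IN=enp3s0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=88 PROTO=TCP SPT=18060 DPT=8181 SEQ=2 ACK=0 WINDOW=0 ACK RST URGP=0 MARK=0
Aug 31 16:18:02 host denylog: IN=enp3s0 OUT= SRC=198.51.100.9 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=40112 DPT=80 SEQ=3 ACK=0 WINDOW=65535 SYN URGP=0 MARK=0'

# IPv4 address of interface $1, parsed from ifconfig output on stdin.
iface_ipv4() {
    awk -v ifc="$1:" '
        $2 ~ /^flags=/ { cur = $1; next }
        cur == ifc && $1 == "inet" { print $2; exit }'
}

# Number of denied new TCP connections (SYN set, ACK not set) arriving on
# interface $1 for destination port $2, from denylog text on stdin.
count_denied_syn() {
    awk -v ifc="IN=$1" -v dpt="DPT=$2" '
        { i = p = t = s = a = 0
          for (n = 1; n <= NF; n++) {
              if ($n == ifc) i = 1
              if ($n == dpt) p = 1
              if ($n == "PROTO=TCP") t = 1
              if ($n == "SYN") s = 1
              if ($n == "ACK") a = 1
          }
          if (i && p && t && s && !a) c++ }
        END { print c + 0 }'
}

# Verdict from: $1 address on the external interface, $2 ExternalIP from the
# config db, $3 count of denied SYNs to a service that is set to public.
diagnose() {
    if [ -z "$1" ]; then echo "no-address-on-interface"
    elif [ -z "$2" ]; then echo "db-external-ip-empty"
    elif [ "$1" != "$2" ]; then echo "db-external-ip-stale"
    elif [ "$3" -gt 0 ]; then echo "denied-for-other-reason"
    else echo "consistent"
    fi
}

# Demo on the constructed samples. On a live server the inputs would be
# `ifconfig`, /var/log/iptables/denylog.log and `config get ExternalIP`.
live_ip=$(printf '%s\n' "$SAMPLE_IFCONFIG" | iface_ipv4 enp3s0)
denied=$(printf '%s\n' "$SAMPLE_DENYLOG" | count_denied_syn enp3s0 80)
db_ip=""   # models the empty `config get ExternalIP` reported in the thread
echo "interface=$live_ip db=${db_ip:-<empty>} denied_syn_80=$denied -> $(diagnose "$live_ip" "$db_ip" "$denied")"
```

An `ACK RST` entry such as the port 8181 line is a reply to an existing flow, so only bare SYNs are counted as refused new connections.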
-
signal-event ip-change yourcurrentip
That has worked. I am getting in. Sites are reachable, port forwarding is working.
Now that I have a monitor hooked up to the server again, I see errors coming from the enp0s25 network card (Hardware unit hang). This is the card for the local network. But maybe it is not detected correctly and it puts the server in this weird state. That would explain why the problem happened after the fresh install. The external IP db entry was good in SME9 when I changed to this card (a few months ago) and it stayed that way.
-
5: lspci |grep -i Eth
03:00.0 Ethernet controller: Realtek Semiconductor Co., Ltd. RTL8169 PCI Gigabit Ethernet Controller (rev 10)
Try this:
wget http://elrepo.reloumirrors.net/elrepo/el7/x86_64/RPMS/kmod-r8168-8.049.02-1.el7_9.elrepo.x86_64.rpm
yum localinstall kmod-r8168-8.049.02-1.el7_9.elrepo.x86_64.rpm
and reboot