peerchemist / Peerbox

DEPRECATED
GNU General Public License v3.0

IP-tables auto-configuration #3

Closed mquandalle closed 9 years ago

mquandalle commented 9 years ago

The iptables auto-configuration does not seem to work for me:

➜  ~  ssh sunny@192.168.2.123
ssh: connect to host 192.168.2.123 port 22: Connection refused

My local IP address is 192.168.2.*, and the peerbox is configured with a static IP address: 192.168.2.123. I'm using the latest peerbox version (v0.24).

mquandalle commented 9 years ago

I think I simply need to add a line here in the iptables script.

peerchemist commented 9 years ago

The file you have linked is deprecated; it was just a script I used to test iptables in the process of configuring it. Now this is the main file: https://github.com/peerchemist/Peerbox/blob/master/PKGBLD/pcf-firewall-setup/iptables.rules.template

I would need more info to debug this. For a start, can you remove

sudo rm /etc/pcf/firewall/.lock

and reboot? Then I would need output of:

sudo systemctl status -l pcf-firewall-setup

If you are not able to provide this (you lack monitor+keyboard) I will think of some other way to debug. Just say so.

mquandalle commented 9 years ago

Thank you for your quick answer,

I've followed your procedure, here is the result:

$ sudo systemctl status -l pcf-firewall-setup
* pcf-firewall-setup.service - Configure Iptables firewall
   Loaded: loaded (/usr/lib/systemd/system/pcf-firewall-setup (code=exited, status=0/SUCCESS)
   Active: active (exited) since Tue 2014-11-25 16:22:10 GMT; 4min 15s ago
  Process: 276 ExecStart=/usr/lib/pcf/modules/ocf-firewall-setup (code=exited, status=0/SUCCESS)
 Main PID: 276 (code=exited, status=0/SUCCESS)
   CGroup: /system.slice/pcf-firewall.setup.service

Nov 25 16:22:09 peerbox systemd[1]: Starting Configure Iptables firewall...
Nov 25 16:22:09 peerbox pcf-firewall-setup[297]: Got subnet address: 192.168.2.0
Nov 25 16:22:09 peerbox pcf-firewall-setup[299]: Allowing connections from: 192.168.2.0/24
Nov 25 16:22:09 peerbox systemd[1]: Started Configure Iptables firewall.

(BTW the connection is still refused)

peerchemist commented 9 years ago

So, everything is fine there. As you can see it properly detects the right subnet and allows connections from it. A possible bug is that I have shipped the release with the firewall locked (/etc/pcf/firewall/.lock) by mistake. I will look at that and issue a fixed version ASAP.

Could it be your ssh client? Can you purge ~/.ssh/known_hosts? Since every new Peerbox install will have different public keys, and the old one is still written in that file. Open that file, remove the old Peerbox entry and try again.

BTW one more user reported this same issue, but his fault was trying on the wrong port. I see you did not make the same error, but please check your client configuration anyway.

mquandalle commented 9 years ago

Renaming known_hosts does not solve the problem (anyway the error message says "port 22: Connection refused"). I think that my ssh client is not the problem.

The rules in /etc/iptables/iptables.rules have been set with the correct sub-network, but when I do a sudo iptables -L -n the rules are configured with the wrong 192.168.0.0/24 sub-network.

mquandalle commented 9 years ago

And the configuration is correctly loaded with a

$ sudo systemctl restart iptables
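The situation in the last two comments (the rules file carries the right subnet, the live ruleset a stale one, and a reboot or `systemctl restart iptables` is what reconciles them) can be checked mechanically instead of by staring at `iptables -L -n`. The script below is an added example, not code from the Peerbox project or the pcf-firewall-setup module: the subnet arithmetic, the rules-template layout, the `diagnose` exit codes and the sample `iptables -S INPUT` output are all constructed here for illustration. On a real box you would feed it `cat /etc/iptables/iptables.rules`, `iptables -S INPUT` and the path /etc/pcf/firewall/.lock mentioned above.

```shell
#!/bin/sh
# Added example (not Peerbox project code): derive the LAN subnet, render an
# iptables-restore ruleset from it, and compare the SSH-allow rule in the rules
# file against what `iptables -S INPUT` reports, so a stale live ruleset or a
# leftover lock file shows up as a concrete finding instead of "connection refused".

# subnet_for IP PREFIXLEN -> prints NETWORK/PREFIXLEN (192.168.2.123 24 -> 192.168.2.0/24)
subnet_for() {
    ip=$1; prefix=$2
    old_ifs=$IFS; IFS=.
    set -- $ip                        # split the dotted quad into $1..$4
    IFS=$old_ifs
    n=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    mask=$(( (1 << 32) - (1 << (32 - prefix)) ))   # needs 64-bit shell arithmetic
    net=$(( n & mask ))
    printf '%d.%d.%d.%d/%d\n' \
        $(( (net >> 24) & 255 )) $(( (net >> 16) & 255 )) \
        $(( (net >> 8) & 255 ))  $(( net & 255 )) "$prefix"
}

# render_rules SUBNET -> iptables-restore text: INPUT defaults to DROP, SSH is
# accepted only from SUBNET. The layout is an assumption, not the project's
# PKGBLD/pcf-firewall-setup/iptables.rules.template.
render_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -s $1 --dport 22 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# ssh_allowed_from RULES_TEXT -> prints the -s source of the port-22 accept rule.
# Works on both the rules file and `iptables -S INPUT` output (option order
# differs between the two); prints nothing if there is no such rule.
ssh_allowed_from() {
    printf '%s\n' "$1" | grep -E -- '--dport 22( |$)' \
        | sed -n 's|.*-s \([0-9./]*\).*|\1|p' | head -n 1
}

# rules_match FILE_TEXT LIVE_TEXT -> 0 if both allow SSH from the same subnet
rules_match() {
    file_net=$(ssh_allowed_from "$1")
    live_net=$(ssh_allowed_from "$2")
    if [ -n "$file_net" ] && [ "$file_net" = "$live_net" ]; then
        return 0
    fi
    printf 'mismatch: rules file allows SSH from %s, live ruleset from %s\n' \
        "${file_net:-<none>}" "${live_net:-<none>}" >&2
    return 1
}

# diagnose LOCKFILE FILE_TEXT LIVE_TEXT -> 2 if the setup service is locked,
# 1 if the live ruleset disagrees with the rules file, 0 if everything lines up.
diagnose() {
    if [ -e "$1" ]; then
        printf 'firewall setup is locked by %s; remove it and reboot\n' "$1" >&2
        return 2
    fi
    rules_match "$2" "$3"
}

# Constructed sample of `iptables -S INPUT` on a box that loaded a stale
# ruleset (the 192.168.0.0/24 the reporter saw); not a real capture.
LIVE_SAMPLE='-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.0.0/24 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT'

# Stand-alone demo against the constructed sample. On a real box (as root):
#   diagnose /etc/pcf/firewall/.lock "$(cat /etc/iptables/iptables.rules)" "$(iptables -S INPUT)"
want=$(subnet_for 192.168.2.123 24)
diagnose /nonexistent/.lock "$(render_rules "$want")" "$LIVE_SAMPLE" \
    && echo "firewall ok" || echo "diagnose exit status $?"
```

A mismatch here (exit status 1) is exactly the state the reporter describes: the file on disk is right, but the kernel still holds whatever ruleset was loaded before the setup service wrote the file, so `systemctl restart iptables` (which re-runs iptables-restore) or a reboot is what brings them in line. Exit status 2 points at the shipped lock file instead.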

peerchemist commented 9 years ago

Can you try a purge: sudo rm /etc/iptables/* && sudo rm -rf /etc/pcf/ and then update pcf-firewall-setup. There is a new version of the package in the repo, no major changes. Not that this is needed, just to make sure we have the same setup.

sudo pacman -Sy pcf-modules-firewall-setup

and reboot.

As for why iptables loads the wrong config, I do not understand. Let's try this and try to debug; I'm trying to locate the problem here.

mquandalle commented 9 years ago

(I'm a long-time linux user, but this is my first time with arch)

I have the following error while upgrading the pcf-modules-firewall-setup package:

[sunny@peerbox ~]$ sudo pacman -Sy pcf-modules-firewall-setup
:: Synchronizing package databases...
 core is up to date
 extra is up to date
 alarm is up to date
 peerbox                                                                                    6.6 KiB  3.22M/s 00:00 [####################################################################] 100%
resolving dependencies...
looking for inter-conflicts...

Packages (1): pcf-modules-firewall-setup-0.11-4

Total Download Size:    0.00 MiB
Total Installed Size:   0.04 MiB
Net Upgrade Size:       0.00 MiB

:: Proceed with installation? [Y/n] Y
:: Retrieving packages ...
 pcf-modules-firewall-setup-0.11-4-any                                                      2.2 KiB  1100K/s 00:00 [####################################################################] 100%
(1/1) checking keys in keyring                                                                                     [####################################################################] 100%
(1/1) checking package integrity                                                                                   [####################################################################] 100%
:: File /var/cache/pacman/pkg/pcf-modules-firewall-setup-0.11-4-any.pkg.tar.xz is corrupted (invalid or corrupted package (checksum)).
Do you want to delete it? [Y/n] Y
error: failed to commit transaction (invalid or corrupted package (checksum))
Errors occurred, no packages were upgraded.

BTW, if you want to chat (or even have a ssh access to my raspi) I added you on Tox.

mquandalle commented 9 years ago

It seems that the issue was the mistaken publication in the 0.24 release of both /etc/pcf/firewall/.lock and /etc/iptables/iptables.rules. This will be fixed in a later release.