Zentyal Forum, Linux Small Business Server
Zentyal Server => Installation and Upgrades => Topic started by: jussi_j on March 31, 2011, 09:34:43 am
-
This morning when coming to the office all external connections are down and there is no internet access. In the evening everything was fine. Restarted the server and no change.
- all clients have IP addresses, DHCP is working and renewing from a Windows client works
- server is accessible from outside using VPN but clients can't see it
- from the server you can access the network but not from VirtualBox running on the server
The only odd things I found are that backups have failed for a few days because one user has copied a huge amount of data into a directory which is backed up, and the backup machine is running out of space. This shouldn't be the issue because it's been going on for many days.
The other is that in the IDS log there are tons of "COMMUNITY SIP TCP/IP message flooding directed to SIP proxy" messages. What is this?
Any ideas?
-
let's take one problem at a time.
you can not access the Internet from your network.
is your router working? can you reach http://www.bbc.co.uk?
could you provide further info on your 'network' problem first.
-
Router is working because I can go to www.bbc.co.uk from the server. The problem is that clients can't see the server.
I have two network cards in the server; one is connected to the modem and has a public IP address. The other is connected to the internal network switch and all internet traffic is going via the Zentyal server.
The strange thing is that this has happened without anyone at the office. There are automatic security updates scheduled to run at 2am; maybe some update last night did this.
Is there some configuration file I could provide?
-
do you use proxy/content filter?
could you try running on a client
tracepath bbc.co.uk
and post it here
-
There was one problem found. During the Linux installation I selected encrypted home directories and my home directory was unmounted automatically. There was just a README file saying that this directory is automatically unmounted to prevent damage. I re-mounted it, removed the encryption and restored all files. Still the situation is odd.
I can access the whole network when using VPN. Internet works from the server but not from clients. We have one Linux client and I can access it using ssh from the server.
It says:
jussi@verstas:~$ tracepath bbc.co.uk
gethostbyname2: Unknown host
jussi@verstas:~$ cat /etc/resolv.conf
nameserver 192.168.13.1
jussi@verstas:~$
The nameserver setting seems to be ok but DNS at the server doesn't work or something.
Copy from the dashboard:
Network Running
Firewall Running
Antivirus Running
Apache Running
Certification Authority Available
DHCP Running
DNS Running
Backup Running
Events Running
FTP Running
IDS Running
Logs Running
Monitor Running
NTP Running
VPN Running
Printer Sharing Running
RADIUS Running
Zentyal Cloud Client Not subscribed
File Sharing Running
User Corner Running
Users and Groups Running
Web Server Running
-
Forgot to say that we're not using a proxy or content filter.
-
assuming that your zentyal is 192.168.13.1
can you run on the client
nmap 192.168.13.1
you may need to install nmap
could you also check that your firewall is allowing DNS connections from internal networks?
since it was working before, i can not quite understand what would have changed - have you tried rebooting this zentyal?
-
can you have a look under
services
if dns is defined as an internal service (tick box)?
-
DNS is an internal service (ticked in the services list), is that OK?
I've rebooted the system many times.
nmap doesn't say anything because it can't see the server.
The firewall is in its original state:
Filtering rules from internal networks to Zentyal - many rules allowing all including dns, the only deny rule is for LDAP
Filtering rules for internal networks - only one rule, allow all
Filtering rules for traffic coming out from Zentyal - only one rule, allow all
This is really strange; from the server everything seems to work, I can ssh to clients. From a client, I can't ping zentyal, but the client gets an IP from the server and the server MAC is in the ARP table.
-
Nmap from the host itself says:
jussi@lkserver:~$ nmap 192.168.13.1
Starting Nmap 5.00 ( http://nmap.org ) at 2011-04-01 13:52 EEST
Interesting ports on 192.168.13.1:
Not shown: 986 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
53/tcp open domain
80/tcp open http
111/tcp open rpcbind
139/tcp open netbios-ssn
389/tcp open ldap
443/tcp open https
445/tcp open microsoft-ds
631/tcp open ipp
636/tcp open ldapssl
714/tcp open unknown
2049/tcp open nfs
8888/tcp open sun-answerbook
Nmap done: 1 IP address (1 host up) scanned in 0.10 seconds
-
hi,
not sure about this:
"nmap doesn't say anything because it can't see the server."
you seem to have answered your query here - if you can not 'see' the server you can not go through it and access the internet.
can you run this on the client
tracepath 192.168.13.1
-
Maybe my original question wasn't clear enough, but I know well that the client can't see the server and the question is "what can be wrong?"
tracepath says:
jussi@verstas:~$ tracepath 192.168.13.1
1: verstas.local (192.168.13.150) 0.118ms pmtu 1500
1: no reply
2: no reply
.......
31: no reply
Too many hops: pmtu 1500
Resume: pmtu 1500
jussi@verstas:~$
Is there some way to reset all network settings and start over without touching users and shares?
-
Temporarily turn off firewall. See if it improves the situation. If not, the next step is to look at what dhcp is putting out to the clients (dns wins routes etc). I feel your pain, you don't want to dissect this problem so much as you need things back up "now" so everyone quits crowding around your desk.
-
Some improvement: switching off the firewall helps, at least I can ping from a client to the server.
Then I ran iptables -L and got something to see that the zentyal firewall and iptables are not in sync (I guess? I'm really not an iptables expert).
In the attachment there is the output from iptables -L; what blocks traffic and how to remove it? How to get iptables back in sync with zentyal?
There are strange rules like these, where all network devices with a fixed address are listed:
Chain inospoof (1 references)
target prot opt source destination
idrop all -- 192.168.13.135 anywhere MAC ! 00:14:38:8C:FE:DA
idrop all -- 192.168.13.130 anywhere MAC ! 00:14:38:5E:C5:36
idrop all -- 192.168.13.132 anywhere MAC ! 00:12:79:DF:67:41
idrop all -- 192.168.13.131 anywhere MAC ! 00:1B:78:28:1A:DA
idrop all -- 192.168.13.133 anywhere MAC ! 00:23:7D:89:FB:53
idrop all -- 192.168.13.101 anywhere MAC ! B8:AC:6F:AC:07:AC
idrop all -- 192.168.13.142 anywhere MAC ! 00:0B:6A:BC:A3:47
idrop all -- 192.168.13.134 anywhere MAC ! 00:80:91:4D:A4:DA
idrop all -- 192.168.13.141 anywhere MAC ! 00:11:D8:A1:23:59
idrop all -- 192.168.13.140 anywhere MAC ! E0:CB:4E:49:33:49
idrop all -- 192.168.13.102 anywhere MAC ! 08:00:27:E8:FF:F6
idrop all -- 192.168.13.150 anywhere MAC ! 00:11:09:C8:FC:EE
idrop all -- 192.168.13.160 anywhere MAC ! 00:24:A5:AD:4D:77
idrop all -- 192.168.13.135 anywhere MAC ! 00:14:38:8C:FE:DA
idrop all -- 192.168.13.130 anywhere MAC ! 00:14:38:5E:C5:36
idrop all -- 192.168.13.132 anywhere MAC ! 00:12:79:DF:67:41
idrop all -- 192.168.13.131 anywhere MAC ! 00:1B:78:28:1A:DA
idrop all -- 192.168.13.133 anywhere MAC ! 00:23:7D:89:FB:53
idrop all -- 192.168.13.101 anywhere MAC ! B8:AC:6F:AC:07:AC
idrop all -- 192.168.13.142 anywhere MAC ! 00:0B:6A:BC:A3:47
idrop all -- 192.168.13.134 anywhere MAC ! 00:80:91:4D:A4:DA
idrop all -- 192.168.13.141 anywhere MAC ! 00:11:D8:A1:23:59
idrop all -- 192.168.13.140 anywhere MAC ! E0:CB:4E:49:33:49
idrop all -- 192.168.13.102 anywhere MAC ! 08:00:27:E8:FF:F6
idrop all -- 192.168.13.150 anywhere MAC ! 00:11:09:C8:FC:EE
idrop all -- 192.168.13.160 anywhere MAC ! 00:24:A5:AD:4D:77
idrop all -- 192.168.13.0/24 anywhere
idrop all -- 192.168.13.0/24 anywhere
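Added example, not code from the thread or from Zentyal: a small Python parser that reads `iptables -L` output in the shape posted above and reports rules that occur more than once in a chain, which is what the duplicated inospoof entries look like when the running ruleset has been loaded on top of itself instead of rebuilt from the GUI configuration. The sample text is constructed to mirror the posted chain (two of the MAC-bound rules plus the subnet rule), not the actual attachment; pipe real output in on stdin to run it against a live box.

```python
import re
import sys
from collections import Counter

# Constructed sample shaped like the `iptables -L` excerpt posted in the thread:
# the inospoof chain with its rules listed twice over (the duplication is the point).
SAMPLE = """\
Chain inospoof (1 references)
target     prot opt source               destination
idrop      all  --  192.168.13.135       anywhere            MAC ! 00:14:38:8C:FE:DA
idrop      all  --  192.168.13.130       anywhere            MAC ! 00:14:38:5E:C5:36
idrop      all  --  192.168.13.135       anywhere            MAC ! 00:14:38:8C:FE:DA
idrop      all  --  192.168.13.130       anywhere            MAC ! 00:14:38:5E:C5:36
idrop      all  --  192.168.13.0/24      anywhere
idrop      all  --  192.168.13.0/24      anywhere
"""

CHAIN_RE = re.compile(r"^Chain (\S+)")


def parse_chains(text):
    """Return {chain_name: [normalised rule line, ...]} from `iptables -L` output."""
    chains = {}
    current = None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = []
            continue
        # skip the column header and blank lines between chains
        if current is None or line.startswith("target") or not line.strip():
            continue
        chains[current].append(" ".join(line.split()))
    return chains


def duplicated_rules(chains):
    """Return {chain: {rule: count}} for every rule that appears more than once in a chain.
    A GUI-managed firewall writes each rule exactly once, so repeats mean the live
    ruleset and the configuration have drifted apart (flush and reload to resync)."""
    out = {}
    for chain, rules in chains.items():
        dups = {r: n for r, n in Counter(rules).items() if n > 1}
        if dups:
            out[chain] = dups
    return out


if __name__ == "__main__":
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for chain, dups in duplicated_rules(parse_chains(text)).items():
        print(f"chain {chain}: {len(dups)} rule(s) duplicated")
        for rule, n in dups.items():
            print(f"  x{n}: {rule}")
```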
-
i am no iptables expert either
but you could flush (delete) your iptables and reboot zentyal
which should reset them as per the rules that you defined through the webgui
-
Don't take what I am saying to be condescending, I don't mean it that way. Here is a list of what we know from your statements so far:
1) You have physical and logical connectivity to your server from the workstations.
2) You have physical and logical connectivity from your server to the internet.
3) You are able to resolve URLs to IP addresses at the server.
Now what is left from the workstations:
Do you have DNS available at the workstation --- test: ping www.yahoo.com from the workstation and watch for it to actually get an IP address to ping
What is the workstation gateway set to? Is it your server?
On the server:
What does the routing table look like? Is the traffic from your network going to get out through your server?
I am a bit bothered by what is in the iptables when it should be off. I only have a few entries in the inospoof chain. Like you I am not an expert on iptables.
-
This is now solved. Flushing iptables did the trick.
Now the question is how it is possible for iptables to get out of sync with zentyal without doing any changes in the zentyal firewall or in iptables.
How to change the subject to [SOLVED]?