Netplan ipv6 "No route to host" - linux

I've clearly misconfigured my ipv6 listener addresses. Question 1: I need someone to spot the error. And a bonus Question 2: is there any risk to removing the "/sbin/ip address add" command below?
This is on a ubuntu 18.04 virtual machine.
Here's a curl command, showing that ipv6 routing is not set up correctly:
curl -vvv -L "http://[2600:1303:d000:1::17c3:4571]"
* Trying 2600:1303:d000:1::17c3:4571...
* TCP_NODELAY set
* Immediate connect fail for 2600:1303:d000:1::17c3:4571: No route to host
* Closing connection 0
curl: (7) Couldn't connect to server
Previously, when the program started, it issued a native "/sbin/ip address add". That turned out to be problematic because when the network interface was reset, the route would be lost.
So, I added /etc/netplan because configuring the ipv6 routing survives a network restart. However, I didn't remove the "ip addr add" on startup. Currently, two commands are used to setup routing: netplan and "/sbin/ip address add". Here's the order of commands executed:
1. Manual one-time command of "/etc/netplan apply" which didn't return any errors.
2. "ip addr add" every time the server starts. So, at least once since the manual netplan command.
Here are the IPv6 addresses it's listening on:
netstat -anp | grep redir | grep LISTEN
tcp6 0 0 2600:1303:d000:1::17:80 :::* LISTEN 3187/my-service
tcp6 0 0 2600:1303:d000:1::17:80 :::* LISTEN 3187/my-service
tcp6 0 0 2600:1303:d000:1::17:80 :::* LISTEN 3187/my-service
tcp6 0 0 2600:1303:d000:1::17:80 :::* LISTEN 3187/my-service
tcp6 0 0 2600:1303:d000:1::17:80 :::* LISTEN 3187/my-service
Here's what I want it to be listening on:
[2600:1303:c000:1::15d4:456f]:80
[2600:1303:d000:1::17c3:4570]:80
[2600:1303:d000:1::17c3:4571]:80
[2600:1303:d000:1::17c3:4572]:80
Here's the "ip address add" command. Notice that I'm using "/24" and I wonder if that's the problem. Or perhaps using both "ip addr add" and netplan isn't working as intended. This is a legacy application and because my networking skills in this area aren't strong, I wasn't sure if it would be safe to remove the "ip addr add". I didn't think it would hurt to keep the "ip addr add" command, but perhaps I was wrong.
out, e = exec.Command("/sbin/ip", "-6", "addr", "add", ip + "/24", "dev", "eth0").CombinedOutput()
Here's my netplan config file. Note that this is only part of the file; for security reasons I'm not including the mac address, name servers or gateway. However, they are correct because my ipv4 addresses work. Also, I haven't posted the real ipv6 addresses for security reasons as well.
root@ubuntu:~# cat /etc/netplan/50-cloud-init.yaml
# This file is generated from information provided by
# the datasource. Changes to it will not persist across an instance.
# To disable cloud-init's network configuration capabilities, write a file
# /etc/cloud/cloud.cfg.d/99-disable-network-config.cfg with the following:
# network: {config: disabled}
network:
    version: 2
    ethernets:
        eth0:
            addresses: [ '2600:1303:d000:1::17c3:456e/24', '2600:1303:d000:1::17c3:4570/24', '2600:1303:d000:1::17c3:4572/24', '2600:1303:d000:1::17c3:4571/24', '2600:1303:d000:1::17c3:456f/24' ]
Thanks in Advance ;)

There were a couple of problems:
There was no gateway6.
The bit mask should have been "/64" instead of "/24"
Netplan wouldn't delete the old routes. I had to do the following steps:
1. ip -6 addr del 2600:1303:d000:1::17c3:456f/24 dev eth0
2. netplan apply
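The three problems in the answer (a /24 prefix on a global IPv6 address, no gateway6, and stale routes) can all be caught before `netplan apply`. As an added example, not from the question or from netplan itself, a small audit over a constructed netplan fragment that reuses the question's addresses (which the poster says are not the real ones) and a constructed gateway6 placeholder; the fragment is scanned with a regex, not a full YAML parser:

```python
import ipaddress
import re

# Constructed fragments shaped like the question's file; gateway6 is a placeholder.
NETPLAN_BEFORE = """
network:
    version: 2
    ethernets:
        eth0:
            addresses: [ '2600:1303:d000:1::17c3:456e/24', '2600:1303:d000:1::17c3:4570/24' ]
"""
NETPLAN_AFTER = """
network:
    version: 2
    ethernets:
        eth0:
            addresses: [ '2600:1303:d000:1::17c3:456e/64', '2600:1303:d000:1::17c3:4570/64' ]
            gateway6: 2600:1303:d000:1::1
"""


def parse_fragment(text):
    """Pull the quoted address list and the gateway6 value out of a netplan fragment."""
    addrs = re.findall(r"'([0-9a-fA-F:]+/\d+)'", text)
    gw = re.search(r"gateway6:\s*([0-9a-fA-F:]+)", text)
    return addrs, (gw.group(1) if gw else None)


def audit_ipv6(addresses, gateway6):
    """Return (code, detail) findings for the mistakes the answer lists."""
    findings, nets = [], []
    for a in addresses:
        iface = ipaddress.IPv6Interface(a)
        nets.append(iface.network)
        # /24 on a global unicast address claims a huge on-link prefix; /64 is the norm
        if iface.network.prefixlen < 48:
            findings.append(("short-prefix", a))
    if gateway6 is None:
        # without a default router every off-link destination is "No route to host"
        findings.append(("missing-gateway6", None))
    elif not any(ipaddress.IPv6Address(gateway6) in n for n in nets):
        findings.append(("gateway-not-on-link", gateway6))
    return findings
```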

Related

Why my website hosted on aws refuses to connect?

I have a node app which runs on localhost perfectly. I hosted it on an AWS EC2 instance on port 80 and it worked fine too; after 7 days of inactivity, when I searched the public IP address of my EC2 instance (in any browser), it says <public_ipv4> refused to connect.
Here are a few things I did for troubleshooting, which I read on AWS forums, but I'm not getting any luck:
deleted the node_modules/ directory and reinstalled using the npm install command
Have correctly allowed HTTP traffic on port 80 in the inbound rules of the security group for that instance (I have only one instance running)
Ran netstat -nplt | grep 80, which gave me this output:
tcp6 0 0 :::80 :::* LISTEN
I have added a script in package.json file, through which app.js file will run
In my app.js file I am listening on port 80:
app.listen(80, async function(){
    console.log("server has started");
})
What else am I missing?
Screenshot of inbound rules:
It seems you have allowed only the IPv6 address in the inbound traffic of the Security Group,
and not added an allow permission for the IPv4 address.
Add the rule below:
HTTP tcp 0.0.0.0/0 80
If you have added both rules (IPv4 and IPv6) then
sudo netstat -tnlp | grep :80
should show both lines below:
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN
tcp6 0 0 :::80 :::* LISTEN
but in your case it is showing only tcp6.
See if the steps below help.
Did you stop your EC2 instance and start it again? If you did, it would have changed your public IP; if that is the case, use the new public IP.
Check the security groups attached to the EC2 instance to see if they allow inbound traffic on port 80.
If the first step does not work, connect to your EC2 instance and run a curl command to see if your app is running.
In my app.js file I have used port 80:
app.listen(80, async function(){
    console.log("server has started");
})
but when I changed the port number to 3000 in app.listen, it worked; I don't know how this happened though.
There was no issue with security groups.

Port is closed on Azure Linux VM even though allowed by network security group (NSG)

Here's my scenario:
I have an IP camera behind the company firewall that I want to stream publicly, and for that I've created two Azure VMs (Ubuntu 19.04); let's call them vm1 and vm2.
In case it's important, my VM SKU is Standard B1s (1 vcpus, 1 GiB memory)
I SSH to my camera and from there, I do a remote port forwarding for RTSP like this:
ssh -R 554:localhost:554 root@<vm1-ip>
And, I guess I need to enable root SSH because it's a "well-known" port.
I log in to vm1, and I see it's listening on the port: sudo netstat -tlnp gives me this:
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:554 0.0.0.0:* LISTEN 108748/sshd: root@p
tcp6 0 0 ::1:554 :::* LISTEN 108748/sshd: root@p
But, when I use nmap from vm2, the port is shown as closed:
nmap <vm1-ip> -p 554
PORT STATE SERVICE
554/tcp closed rtsp
When I use vlc to connect to the stream, it doesn't work either: the URL I use in vlc is: rtsp://<vm1-ip>/...
I thought this might be an issue with the NSG (network security group) associated with vm1, so I tried allowing all inbound traffic:
and, needless to say, that doesn't solve the issue.
Any thoughts on this?
Thank you

Failure on local socket bind when wifi drops

We are getting this strange issue on a raspberry pi.
We run a service on a socket that should work for both local and remote clients via wifi.
The trouble is that stopping the remote network also stops connections from local clients.
Our python server sets up a socket like this:
import socket

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
s.setsockopt(socket.SOL_SOCKET, socket.SO_DONTROUTE, 1)
s.settimeout(2)
s.bind(("", 8888))
s.listen(5)  # listen() must precede accept(); omitted from the snippet as posted
while True:
    try:
        conn, addr = s.accept()
    except socket.timeout:
        print("Socket timeout on s.accept(), continuing")
        continue
    # do stuff
We have a local node client running a loop like this every second or so (and actually sending data):
// every second
socket.connect("localhost", "8888" );
socket.on('connect', function() { /* do stuff */ });
socket.on('error', function(ex) { });
Everything runs fine until we cut wifi.
The server side times out on s.accept and we see the error message in our logs.
I think that the socket is bound to listen on 0.0.0.0 but somehow does not fail over to 127.0.0.1 or some sort of strange routing situation occurs.
netstat -an | grep 8888 gives
tcp 0 0 0.0.0.0:8888 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:8888 127.0.0.1:52794 TIME_WAIT
tcp 0 0 127.0.0.1:8888 127.0.0.1:52724 TIME_WAIT
tcp 0 0 127.0.0.1:8888 127.0.0.1:52740 TIME_WAIT
tcp 0 0 127.0.0.1:8888 127.0.0.1:52778 TIME_WAIT
netstat -rn gives
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default 192.168.1.1 0.0.0.0 UG 304 0 0 wlan0
192.168.1.0 0.0.0.0 255.255.255.0 U 304 0 0 wlan0
I'm guessing that we just need a localhost route?
The local connections establish again when the wifi comes back up. So I don't think there is some permanent dropping of the bind in the python socket.
The hosts line in /etc/nsswitch.conf gives
hosts: files mdns4_minimal [NOTFOUND=return] dns
We monitored ping to localhost during the test and it continues to function fine.
We also monitored netstat to see that the port stays LISTENING on 0.0.0.0. Perhaps this is the issue?
Easiest Solution
It looks like you should avoid any naming by using "127.0.0.1" as described in our comment discussion.
In more detail:
According to the source and the docs (after nodejs first tests for an IP), it checks whether you've provided a lookup function as an option to connect; if not, it does its own "dns.lookup" call as the default. Despite the name, this function is actually trying to use system naming but might be subtly different; for example, it may try to prefer IPv6.
To debug further you could try to make a more direct test case with dns.lookup and compare things like the output of getent ahosts|ahostsv4|ahostsv6 localhost across your different systems and when the wifi is down, as well as comparing other configuration like gai.conf, to try to determine whether system naming is a bit different on this system or is being given slightly different requests.

How do I change a listening rule with netcat?

I have a server that has a rule like so when I check netstat -tulpn:
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN -
This has been all well and good as the mysql database we've used has only needed local access, but now I want to remote connect to it too. I need my netstat -tulpn to read like so:
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN -
How do I update this? I've been looking through nc but everything seems to only talk about setting up listening for the first time. Whenever I try to assign a new rule I get a message like this:
(base) ct@do-not-touch:/$ sudo nc -l 0.0.0.0 3306
nc: Address already in use
How do I update the 127.0.0.1:3306 rule to be for 0.0.0.0:3306? Am I somehow totally off base here?
You can't* have two processes listening on the same IP and port. Since 0.0.0.0 means listen on all IPs, you can't bind to it if there's anything bound to any IP on that port. Stop the existing process listening on 127.0.0.1:3306, and then you'll be able to start one listening on 0.0.0.0:3306.
*: Technically, a flag called SO_REUSEPORT does exist, and forking after binding lets you do it as well, but neither is useful in your situation.
Ok, so if you run into this in the future, you have to kill the process that is using whatever port, but first you must find that process.
sudo lsof -t -i:3306
Then kill whatever id.
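The RTSP forward in the Azure post and the MySQL socket in this post are both bound to loopback only (127.0.0.1 / ::1), so remote clients see the port as closed however the cloud firewall is set; for ssh -R that is OpenSSH's default unless sshd_config sets GatewayPorts, and for MySQL it is the server's bind-address. Added example, not from either post: a classifier over constructed `netstat -tlnp` lines that reports which ports are reachable beyond loopback.

```python
# Constructed netstat -tlnp lines modelled on the two posts (not real output).
NETSTAT_SAMPLE = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:554           0.0.0.0:*               LISTEN      108748/sshd: root@p
tcp6       0      0 ::1:554                 :::*                    LISTEN      108748/sshd: root@p
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -
tcp6       0      0 :::80                   :::*                    LISTEN      -
"""


def split_local(addr):
    """'127.0.0.1:554' -> ('127.0.0.1', 554); ':::80' -> ('::', 80)."""
    host, port = addr.rsplit(":", 1)
    return host, int(port)


def scope(host):
    """Classify a bound address by who can reach it."""
    if host in ("0.0.0.0", "::"):
        return "any"          # wildcard: every interface
    if host == "::1" or host.startswith("127."):
        return "loopback"     # only processes on the same host
    return "specific"         # one interface address


def parse_listeners(text):
    """Map port -> set of scopes for every LISTEN line in netstat output."""
    listeners = {}
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 6 or cols[5] != "LISTEN":
            continue
        host, port = split_local(cols[3])
        listeners.setdefault(port, set()).add(scope(host))
    return listeners


def reachable_from_remote(listeners, port):
    """True only if some socket on the port is bound beyond loopback."""
    return bool(listeners.get(port, set()) & {"any", "specific"})
```

Ports that come back as loopback-only will never show open in a remote nmap, so fix the bind address (or GatewayPorts) before touching NSG or security-group rules.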

Problems changing linux SSH port on Microsoft Azure

I am trying to change the SSH port from 22 on an Ubuntu box hosted on Azure. According to this answer, How to change SSH ports in Microsoft Azure properly?, you can just change the 'public' port while keeping the 'private' ssh port at 22.
However, the answer is a bit outdated as there is no mention of public/private ports on Azure as far as I can tell. In the Network Security Group settings there are only 'Source port range' and 'Destination port range'.
Using the default settings
Source port range: *
Destination port range: 22
I can login via shell OK, i.e.
ssh -i my_key me@azure_ip
When I changed the Source port range to a specific port I want to use as the 'public' ssh port
Source port range: new_ip
Destination port range: 22
then try
ssh -i my_key me@azure_ip -p new_ip
then the connection just times out and I can't connect.
Then I tried changing the Port in the sshd_config on the server, leaving the Source port range as * and changed the Destination port range to the new ip but got a 'public key' error
Any ideas? (I am happy to either change the public port and or the private port)
For now, in the ARM module, we can't use an NSG to NAT one port to another port.
As a workaround, we can change the sshd_config port settings; here are the steps:
1. SSH to this VM and change the sshd_config settings like this, changing port 22 to port 33320:
root@jasonvm:~# vi /etc/ssh/sshd_config
# Package generated configuration file
# See the sshd_config(5) manpage for details
# What ports, IPs and protocols we listen for
Port 33320
2. Restart the ssh service:
root@jasonvm:~# service ssh restart
root@jasonvm:~# netstat -ant
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:33320 0.0.0.0:* LISTEN
tcp 0 0 10.0.0.4:33188 52.240.48.24:443 TIME_WAIT
tcp 0 0 10.0.0.4:44470 168.63.129.16:80 TIME_WAIT
tcp 0 0 10.0.0.4:33320 114.224.98.58:58180 ESTABLISHED
tcp 0 0 10.0.0.4:33186 52.240.48.24:443 TIME_WAIT
tcp 0 0 10.0.0.4:22 114.224.98.58:58088 ESTABLISHED
tcp 0 0 10.0.0.4:33182 52.240.48.24:443 TIME_WAIT
tcp 0 0 10.0.0.4:44464 168.63.129.16:80 TIME_WAIT
tcp 0 0 10.0.0.4:33180 52.240.48.24:443 TIME_WAIT
tcp6 0 0 :::33320 :::* LISTEN
3. Add an inbound rule to the NSG:
After that has completed, we can use the new port and public IP address to ssh to this VM:
ssh user@xxx.xxx.xxx.xxx -p 33320
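The order of the steps above matters: once sshd only listens on 33320 and the NSG rule is missing or wrong, the current session is the only way in. As an added example, not from the answer or from OpenSSH, a helper that rewrites the Port directive in a constructed sshd_config excerpt and, by default, keeps 22 as a second active Port until the new port is verified (sshd accepts multiple Port directives); the old port is removed afterwards with keep_old=False.

```python
import re

# Constructed sshd_config excerpt modelled on the answer (not the real file).
SSHD_CONFIG = """\
# Package generated configuration file
# See the sshd_config(5) manpage for details
# What ports, IPs and protocols we listen for
Port 22
Protocol 2
"""

# Matches an active or commented-out Port directive.
PORT_RE = re.compile(r"^\s*#?\s*Port\s+(\d+)\s*$", re.IGNORECASE)


def listening_ports(config):
    """Active Port directives; sshd falls back to 22 when none are set."""
    ports = [int(m.group(1)) for line in config.splitlines()
             for m in [PORT_RE.match(line)]
             if m and not line.lstrip().startswith("#")]
    return ports or [22]


def add_port(config, new_port, keep_old=True):
    """Return config text that listens on new_port.

    keep_old=True leaves the previous port active as well, so a typo in the
    new port or a missing NSG rule cannot lock the operator out.
    """
    if not 1 <= new_port <= 65535:
        raise ValueError("port out of range")
    out, inserted = [], False
    for line in config.splitlines():
        m = PORT_RE.match(line)
        if not m:
            out.append(line)
        elif not inserted:
            if keep_old:
                # re-emit as an active directive even if the original was commented out
                out.append("Port %s" % m.group(1))
            out.append("Port %d" % new_port)
            inserted = True
        elif keep_old:
            out.append(line)
        # else: drop further Port lines so only new_port stays active
    if not inserted:
        out.append("Port %d" % new_port)
    return "\n".join(out) + "\n"
```

Run `sshd -t` on the rewritten file before restarting the service, and only remove the old port after a login on the new one succeeds.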
