Ping from VM - Check MK - azure

I would like to install the Check MK monitoring server on an Ubuntu VM in Azure.
Querying external services works; ping, however, does not.
(Ubuntu 14.04. LTS)
Which port or setting do I need to set in Azure?
PING stackoverflow.com (151.101.193.69) 56(84) bytes of data.
^C
--- stackoverflow.com ping statistics ---
99 packets transmitted, 0 received, 100% packet loss, time 98057ms

According to the present Network Security Group design, you would need to open all the ports to the VM to allow for pings. There's no way to allow for ICMP only currently.

Related

Receiving spoofed packets

I'm trying to send a fake echo response to a virtual machine that is trying to ping an IP address from another virtual machine. When I send ping from the victim VM, the terminal output of the victim VM says that there were no packets received but I can see that the fake response packets are received using wireshark on the victim VM. I tried turning off the firewall but nothing changed. Are there any other security measures that I'm not aware of? (Both VMs are Ubuntu 16.04)

Proxmox vmbr0 bridge is not "switching". Why?

I am trying to figure out why the "default" Proxmox network configuration is not behaving as I expect.
I have:
a Proxmox server (10.0.40.10)
the network bridge (vmbr0) created by Proxmox by default
a VM (10.0.40.20) connected to vmbr0 (let's call it VM1)
a VM (10.0.40.25) connected to vmbr0 (let's call it VM2)
a gateway (10.0.40.254) configured on vmbr0
When I performed an HTTP transfer (GET) on VM2 from VM1, the speed I observed indicated that traffic was exiting the Proxmox host, going to the gateway, and returning back to the Proxmox host.
Both VM1 and VM2 are connected to vmbr0, so my expectation was that vmbr0 would "switch" between the two VMs, based on the MAC/ARP, and that the traffic would remain entirely local (and be one or two orders of magnitude faster).
When I run a ping from VM2 to VM1, I observe this:
[root#vm2 ~]# ping -c 5 10.0.40.20
PING 10.0.40.20 (10.0.40.20) 56(84) bytes of data.
64 bytes from 10.0.40.20: icmp_seq=1 ttl=64 time=0.485 ms
From 10.0.40.254 icmp_seq=1 Redirect Host(New nexthop: 10.0.40.20)
64 bytes from 10.0.40.20: icmp_seq=2 ttl=64 time=0.609 ms
From 10.0.40.254 icmp_seq=2 Redirect Host(New nexthop: 10.0.40.20)
64 bytes from 10.0.40.20: icmp_seq=3 ttl=64 time=0.598 ms
--- 10.0.40.20 ping statistics ---
3 packets transmitted, 3 received, +2 errors, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 0.485/0.564/0.609/0.056 ms
Running a traceroute shows:
[root#vm2 ~]# traceroute -I 10.0.40.20
traceroute to 10.0.40.20 (10.0.40.20), 30 hops max, 60 byte packets
1 gateway (10.0.40.254) 0.328 ms 0.308 ms 0.393 ms
2 10.0.40.20 (10.0.40.20) 0.472 ms 0.481 ms 0.533 ms
The vmbr0 configuration looks like this:
Network definition for VM1:
Network definition for VM2:
This seems like such a fundamental use-case it seems like I must be missing something.
Does anyone know if my expectations are correct, or is this correct behavior for vmbr0? Does something look misconfigured? Do I need something like Proxy ARP or an on-box virtual router to solve such a simple use-case?
Solved: The IP addresses of some of the virtual machines were configured as /32 rather than /24, e.g. 10.0.40.25/32 instead of 10.0.40.25/24, and therefore they did not consider themselves in the same subnet as their peers, and traffic was sent out on the default route.
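
The forwarding decision behind that fix, as an added example that is not part of the original post: a host's connected route comes from its address and prefix length, so a /32 leaves only the default route for its neighbours. The function names are hypothetical, and the model assumes a single interface plus one default route with a reachable gateway.

```python
import ipaddress

def next_hop(iface_cidr, gateway, dest):
    """Longest-prefix match for a host with one interface and a default route.

    Returns (next_hop_ip, kind), where kind is "on-link" or "via gateway".
    Assumption: the gateway is reachable even when the prefix excludes it.
    """
    iface = ipaddress.ip_interface(iface_cidr)
    dst = ipaddress.ip_address(dest)
    routes = [
        (iface.network, None),  # connected route derived from the prefix
        (ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_address(gateway)),
    ]
    matches = [(net, via) for net, via in routes if dst in net]
    _net, via = max(matches, key=lambda r: r[0].prefixlen)
    if via is None:
        # Host resolves the peer's MAC itself; the bridge can switch the frame.
        return str(dst), "on-link"
    return str(via), "via gateway"

def prefix_excludes_gateway(iface_cidrs, gateway):
    """Audit helper: interfaces whose own subnet does not contain the gateway."""
    gw = ipaddress.ip_address(gateway)
    return [c for c in iface_cidrs if gw not in ipaddress.ip_interface(c).network]

if __name__ == "__main__":
    gw = "10.0.40.254"  # addresses taken from the post
    for cidr in ("10.0.40.25/32", "10.0.40.25/24"):
        print(cidr, "->", next_hop(cidr, gw, "10.0.40.20"))
    print("suspect:", prefix_excludes_gateway(["10.0.40.20/24", "10.0.40.25/32"], gw))
```

An interface flagged by the audit helper is the pattern from the post: ICMP redirects from the gateway and a two-hop traceroute between hosts on the same bridge.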

UDP send test fails on amazon ec2 - all outgoing traffic enabled

I'm running an Ubuntu 14.04 instance on Amazon EC2. I can't seem to send any UDP packets from my instance to my local machine.
Running the following commands:
On amazon ec2 instance:
echo "test" | netcat -vu m.y.i.p 5500
Connection to m.y.i.p 5500 port [udp/*] succeeded!
On my local machine:
netcat -luv 5500
Listening on [0.0.0.0] (family 0, port 5500)
So we successfully make a connection, but I never receive the test packet on my local machine.
Is there anything else I might need to configure with my instance for this to work?
A UDP transmission does not have a connection (as does TCP) so the message "Connection to m.y.i.p 5500 port [udp/*] succeeded!" doesn't really tell you much about the true success of the transmission of a packet from A to B. It might have never even left the originating machine (due to some firewall rule).
In my experience the most common UDP problems are firewall blocks at the incoming machine, so you certainly need to check on any firewall rules that might be blocking UDP incoming on port 5500.
If that looks ok, then the easiest way to debug is to use a packet sniffer (tcpdump, wireshark or similar). First confirm that a UDP packet is leaving your source machine, then try to see it incoming on the target machine.
tcpdump host m.y.i.p
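
The point about UDP having no connection, as an added example that is not part of the original answer: the send call reports success whether or not anything is listening, so only a reply from the peer confirms delivery. The helper names and the echo listener are assumptions made for the demonstration, and everything runs over loopback.

```python
import socket
import threading

def free_udp_port():
    """Pick a loopback UDP port and release it, so nothing is listening there."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port

def start_echo_listener():
    """Constructed peer: echoes one datagram back to its sender, then exits."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))
    port = srv.getsockname()[1]

    def serve():
        data, peer = srv.recvfrom(2048)
        srv.sendto(data, peer)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port

def udp_probe(host, port, payload=b"test\n", timeout=1.0):
    """Return (bytes_sent, delivered); delivered is True only on an echoed reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))   # only records the peer address; sends nothing
        sent = s.send(payload)    # succeeds even when no one is listening
        try:
            return sent, s.recv(2048) == payload
        except OSError:
            # Timeout (dropped or filtered) or an ICMP port-unreachable error.
            return sent, False

if __name__ == "__main__":
    print("no listener:  ", udp_probe("127.0.0.1", free_udp_port()))
    print("echo listener:", udp_probe("127.0.0.1", start_echo_listener()))
```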

tcpdump returns 0 packets captured, received and dropped

I am currently trying to debug a networking problem that has been plaguing me for almost three weeks. I'm working with OpenStack and can create virtual machines and networks fine but cannot connect to them at all. When I run this command from the server, I have to Ctrl+C to stop the time-out and it returns:
[root#xxxxxx ~(keystone_admin)]# tcpdump -i any -n -v 'icmp[icmptype] = icmp-echoreply or icmp[icmptype] = icmp-echo'
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 65535 bytes
^C
0 packets captured
0 packets received by filter
0 packets dropped by kernel
I'm not sure if this is exclusively an OpenStack problem or just a networking problem in general, but I know that 'tcpdump' is supposed to return something other than 0 packets captured, received or dumped. I am new to networking and therefore do not have much experience, so please be gentle. Any help is appreciated. Thanks.
tcpdump is the right tool to dump IP packets. But if your OpenStack security group rules block ICMP, 0 ICMP packets are expected.
I just want to understand what you mean by "cannot connect to the virtual machines at all". Does the ping command not work, or another protocol like SSH or HTTP?
Generally the first common problem when connecting to an OpenStack VM is the security group rules. The default one disallows the ICMP protocol. You can run the following commands to see the rules:
nova secgroup-list: it usually returns a default one
nova secgroup-list-rules default: it will show the defined rules, where there must be at least one rule to allow the ICMP protocol.
Here's the official doc to tell how to add rules allowing ICMP and SSH.

winbindd fails to resolve local network names when firestarter firewall is up on ubuntu

I'm using Samba and winbindd on my Linux boxes. Without a firewall up on the Linux box I have no trouble resolving LAN machine names:
user#laptop-linux:~$ ping desktop
PING desktop (192.168.1.100) 56(84) bytes of data.
64 bytes from 192.168.1.100: icmp_seq=1 ttl=128 time=0.878 ms
When I start the firewall I get:
user#laptop-linux:~$ ping desktop
ping: unknown host desktop
I have opened up the Samba ports (137-139, 445) as well as the mDNS port 5353 with no effect. WINS has been enabled in nsswitch.conf and I've also tried removing the mdns4 entries for host lookup. I can see the DNS query going out to regular DNS with my ISP domain suffix attached, which is not what I want. I want to use WINS / NetBIOS to do the work. Do I have to allow some form of broadcast port? Can this be done while maintaining security? I want to have a firewall running on my laptop because I access open hotspots on a regular basis. Thanks
Sorry for necroing this post, but I had considerable trouble figuring this out, and hence am putting it up for anyone else who might run into it.
Basically you have to enable incoming packets (NB response packets) coming from port 137/udp of the responding system. In Ubuntu 11.04, using ufw, this can be easily done as:
ufw allow proto udp from 192.168.1.0/24 port 137 to any
This assumes that your LAN is using the 192.168.1.0/24 IP range.
