Access Server Manager

NethServer Version: 7

Hi,
I installed nethserver 7 in the cloud, I can only reach it from the public ip.
I can connect to ssh but I can not connect to the web interface.

How can I fix it?

thanks

Giuseppe Roia

Did you use

https://YourIp:980

thanks for the quick answer
Unfortunately it does not work.
I read that by default only from the local network you can access, but I can not do it.

Thanks for your help

I thought that the install default was to allow access on both the red and green interfaces.

Regardless, if you can connect via ssh, you could try to tunnel the request.

Cheers.

Please share with us some details :wink:

Like:

  • what was the error on the browser?
  • did you see and error on firewall.log, messages or httpd-admin access.log?
  • do you have a proxy between your machine and the remote one which blocks port 980?
  • does the httpd-admin service is running on the remote host?

I have the same issue. Installed a clean CentOS image on my virtual environment. Then updated the install with yum update. When finished i could ping 8.8.8.8. After that i entered nethserver-install, a lot of packages were installed and it finishes with:

Complete!

Configuring system, please wait…

You can access the Web interface at:

https://nethsrv.:980
Login: root
Password: <your_root_password>

Installation log can be found here: /var/log/nethserver-install.log

I ping 8.8.8.8, i get :

ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
From 192.168.178.178 icmp_seq=1 Destination Host Unreachable
ping: sendmsg: Operation not permitted

I am unable to create reverse tunnels When i access the machine via https://192.168.178.178:980 I get "The connection has timed out

The server at 192.168.178.178 is taking too long to respond."

Currently i am unable to install any package with yum so i have issues locating firewall.log. Other logs say nothing special. I am not on the same LAN segment as the Nethserver as it is running in the cloud. Anyone any ideas how I can configure my server? Is there any cmdline configuration possible as it seems the firewall is much to restrictive imho?!

Edit: i did the folowing to reach the configuration page of Nethserver:

[root@nethsrv ~]# systemctl disable shorewall
Removed symlink /etc/systemd/system/basic.target.wants/shorewall.service.
[root@nethsrv ~]# config setprop shorewall status disabled
[root@nethsrv ~]# signal-event firewall-adjust

Rebooted my nethServer installation and voila config manager page i was able to access via both https://hostname.my.domain:980 and ip:980

Hi @WillyWanker,

Please keep security in mind and enable the firewall again if running in the cloud.

Thank you for the reminder, thing is, if I enable the firewall again using the following commands:

[root@nethsrv ~]# systemctl enable shorewall
Removed symlink /etc/systemd/system/basic.target.wants/shorewall.service.
[root@nethsrv ~]# config setprop shorewall status enabled
[root@nethsrv ~]# signal-event firewall-adjust

I am unable again to access the management web interface. How can i add rules to shorewall firewall without it being enabled? In /etc/shorewall/rules configfile i look using the cmdline there is ===== DO NOT MODIFY THIS FILE ======== thingy. If i do change this with an accept rule for my specific ip range, this change gets removed by the next reboot, hence the warning.

How can i add rules to shorewall without being able to access the configuration page being blocked by the firewall?

Please show us more details from your logs: messages and firewall.log.
And system configuration such as network configuration (ip ad, ip ro and db networks show).
Also the output of grep 980 /etc/shorewall/rules
And cat /etc/shorewall/interfaces

2 Likes
[root@nethsrv log]# cat /etc/shorewall/interfaces 
# ================= DO NOT MODIFY THIS FILE =================
# 
# Manual changes will be lost when this file is regenerated.
#
# Please read the developer's guide, which is available
# at NethServer official site: https://www.nethserver.org
#
# 
#
# Shorewall version 4 - Interfaces File
#
# For information about entries in this file, type "man shorewall-interfaces"
#
# The manpage is also online at
# http://www.shorewall.net/manpages/shorewall-interfaces.html
#
###############################################################################
?FORMAT 2
###############################################################################
#ZONE		INTERFACE		OPTIONS
#

#
# 20nics
#

#
# 40ppp -- optional PPP interfaces: define zone composition in hosts file
#
-      ppp+    optional

[root@nethsrv log]# grep 980 /etc/shorewall/rules
ACCEPT	loc	$FW	tcp	980
ACCEPT	net	$FW	tcp	980

[root@nethsrv log]# ip ad
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
92: eth0@if93: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether c2:d2:58:4b:a3:97 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 10.213.0.197/28 brd 10.213.0.207 scope global eth0
       valid_lft forever preferred_lft forever
    inet6 2001:980:ee14:b::d/64 scope global 
       valid_lft forever preferred_lft forever
    inet6 2001:980:ee14:b:c0d2:58ff:fe4b:a397/64 scope global mngtmpaddr dynamic 
       valid_lft 2589009sec preferred_lft 601809sec
    inet6 fe80::c0d2:58ff:fe4b:a397/64 scope link 
       valid_lft forever preferred_lft forever

[root@nethsrv log]# ip ro
default via 10.213.0.193 dev eth0
10.213.0.192/28 dev eth0 proto kernel scope link src 10.213.0.197
169.254.0.0/16 dev eth0 scope link metric 1092


[root@nethsrv log]# db networks show
10.213.0.192=network
Description=internetapp vlan12
Mask=255.255.255.240
172.18.8.0=network
Description=lantrusted vlan20
Mask=255.255.255.240

[root@nethsrv ~]# shorewall check
Checking using Shorewall 5.0.14.1...
Processing /etc/shorewall/params ...
Processing /etc/shorewall/shorewall.conf...
Checking /etc/shorewall/zones...
Checking /etc/shorewall/interfaces...
Determining Hosts in Zones...
   WARNING: *** loc is an EMPTY ZONE ***
   WARNING: *** net is an EMPTY ZONE ***
Locating Action Files...
Checking /etc/shorewall/policy...
Running /etc/shorewall/initdone...
Checking TCP Flags filtering...
Checking Kernel Route Filtering...
Checking Martian Logging...
Checking MAC Filtration -- Phase 1...
Checking /etc/shorewall/rules...
Checking /etc/shorewall/conntrack...
Checking MAC Filtration -- Phase 2...
Applying Policies...
Checking /usr/share/shorewall/action.Reject for chain Reject...
Checking /usr/share/shorewall/action.Broadcast for chain Broadcast...
Checking /usr/share/shorewall/action.Drop for chain Drop...
Checking /etc/shorewall/tcpri...
   WARNING: There are entries in /etc/shorewall/tcpri but /etc/shorewall/tcinterfaces was empty /etc/shorewall/tcpri (line 20)
Checking /etc/shorewall/stoppedrules...
Shorewall configuration verified

I got no firewall.log under /var/log/


Messages file: http://pasted.co/a6e99d93 password: nethserver

You have no network adapters defined, mine looks like:

# 20nics
#
loc     br0     dhcp,nosmurfs,routeback,bridge
net     ens33   dhcp,nosmurfs,optional

This is ok, Nethgui is allowed from local(green/LAN) and net(red/WAN).

10.213.0.193 is your default gateway, so 10.213.0.192 should be your red/WAN interface.

Here you got a warning, that the zones are empty. So your interfaces are not mapped to roles. Without zones/roles the firewall doesn’t know what’s LAN and what’s WAN.
http://docs.nethserver.org/en/v7/base_system.html#network
http://docs.nethserver.org/projects/nethserver-devel/en/v7/nethserver-firewall-base.html#roles-and-zones

So just “edit” your interfaces at the “Network” page and set roles.

Then it should work with enabled firewall.

Thnx for your detailed response. Based on your feedback stating that the interfaces needed to be specified, which in my case were missing. In the main status dashboard - Interfaces overview there was only the local loopback interface and no ETH0 or ENS33 interfaces displayed. That led me to the Nethserver developer wiki / forum where a solution was presented by configuring the interface using cmdline:

db networks set eth0 ethernet role green hwaddr xx:yy:zz:aa:bb:cc ipaddr 10.213.0.197 netmask 255.255.255.240 network 10.213.0.192 onboot yes bootproto static

After this i enabled the firewall rebooted nethserver and with shorewall running i was able to access the management interface. Also, in the main status dashboard - Interfaces overview there was now a green ETH0 interface displayed.

Thank you for your help. Is this not a possible bug because I am not he only one with this issue.

1 Like

It may be a bug in the initialization procedure that morphs the CentOS system to NethServer. Where did you start? Was it a “provisioned” system? Or did you install from centos media?

Ok I used the following steps to initiate a new NethServer installation:

  1. I Created a new LXC container from "centos-7-default version 20170504 " LXC template using PROXMOX Virtual Environment 5.0-32.
  2. Logged into the cmdline of the nethserver and ran “yum update”.
  3. ran netserver install

I think if there is an error during nethserver installation or morphing procedure this should be presented in the previously attached “messages” file, no?

I saw some errors in the messages log file.
Here’s one:
Sep 27 13:53:04 nethsrv esmith::event[1974]: Event: nethserver-base-update FAILED

I think that the procedure is:

  1. install centos (even from proxmox)
  2. nethserver-install
  3. yum update

Maybe the problem is related to LXC.
We need the configuration of the system before running nethserver-install.

1 Like

Ok let me initiate a new installation and get back to you with the results.

Edit, unfortunately no difference. I agree to think this behaviour is something related with Proxmox and/or LXC in particular. I’ll leave it as it is for the moment and continue configuring my current installation. Thanks for the help and effort guys!