Can't access Nethserver web panel port 980 through red card

Support
,
#1

Hi,
I am having issues connecting to Nethserver from the internet. I can connect locally on all services with the green card but keep getting ERR_TUNNEL_CONNECTION_FAILED when trying to access any page from the red card.
System version NethServer release 7.6.1810 (final)
Kernel release 3.10.0-957.1.3.el7.x86_64

I have tried removing the firewall. Disabling and the enabling red card access and still get ERR_TUNNEL_CONNECTION_FAILED when trying to access the server from the internet. This includes nextcloud which was working until the last updates a few days ago.

I think it has something to do with a update, but can’t see anything in the system logs… so probably looking in the wrong place. How can I manually setup red card access to my server from terminal, or better yet which logs should I be looking at?

Thanks

Turbond

#2

What does the services menu in server manager say about access to this service?

#3

You could start with /var/log/messages

#4

It’s enabled and working. I can access it via green interface but not through red. Checked firewall rules and can see red is droppung packets even though set not too. So quedtion is how fo I set firewall rules to factory default and start fresh… including fail2ban.

#5

Sorry I meant security -> network services. That page will show you from which interfaces the service can be reached and you can adjust the access settings to include the red interface.

#6

I am having the same issue from red connection into an updated installation. Tomorrow I will be able to be local and verify if I can access from Green and is there are any kind of updates

#7

Shorewall is working correctly?

#8

Hi All.

If the ip is in the whitelist of fail2ban then I can access the web interface. However if the ip is not whitelisted and not in a jail I can’t access the web interface so must be something to do with Shorewall not passing on packets from the red interface to Nethserver. I can access the nethserver by ssh on the red interface.

I have tried unbanning ip’s but get rule not found so know it’s not a fail2ban issue (have also uninstalled fail2ban and still get same results)

I will delve a bit deeper today. Will shorewall clear cause any issues with nethserver? I am thinking of resetting Shorewall.

#9

If u do

systemctl restart httpd-admin

you get some errors?

#10

No errors on systemctl restart httpd-admin.
Error in firewall.log

Feb 2 11:03:00 server kernel: Shorewall:net2fw:DROP:IN=p2p1 OUT= MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=172.217.25.42 DST=192.168.xx.xx LEN=40 TOS=0x00 PREC=0x00 TTL=115 ID=7053 PROTO=TCP SPT=443 DPT=49195 WINDOW=0 RES=0x00 RST URGP=0

#11

image
image.png1588Ă—95 4.35 KB

Check this on Network Services… httpd-admin is accepted on green and red?
Have you try also to change browser?
Certificate is self-signed or let’s encrypt?

#12

Hi,
Certificate is a COMODO certificate, still valid. and yes have enabled and disabled and re-enabled htp-admin multiple times on the red interface. Also have tried Firefox and chrome. Same issue.

#13

Have u try with an SSH tunnel if it works?

#14

Yes SSH tunnel still works… it’s just the web interface and related web modules like nextcloud. I think it’s a rule in Shorewall blocking apache access but don’t know what one to refer to.

#15

If u do

shorewall stop
shorewall start

what is the output of cli?

#16

[root@server ~]# shorewall start
Compiling using Shorewall 5.1.10.2…
Processing /etc/shorewall/params …
Processing /etc/shorewall/shorewall.conf…
Loading Modules…
Compiling /etc/shorewall/zones…
Compiling /etc/shorewall/interfaces…
Determining Hosts in Zones…
Locating Action Files…
Compiling /etc/shorewall/policy…
Running /etc/shorewall/initdone…
Adding Anti-smurf Rules
Adding rules for DHCP
Compiling TCP Flags filtering…
Compiling Kernel Route Filtering…
Compiling Martian Logging…
Compiling /etc/shorewall/snat…
Compiling MAC Filtration – Phase 1…
Compiling /etc/shorewall/rules…
Compiling /etc/shorewall/conntrack…
Compiling MAC Filtration – Phase 2…
Applying Policies…
Compiling /etc/shorewall/mangle…
Generating Rule Matrix…
Optimizing Ruleset…
Creating iptables-restore input…
Compiling /etc/shorewall/stoppedrules…
Shorewall configuration compiled to /var/lib/shorewall/.start
Starting Shorewall…
Initializing…
Processing /etc/shorewall/init …
Processing /etc/shorewall/tcclear …
Setting up Route Filtering…
Setting up Martian Logging…
Setting up Proxy ARP…
Setting up Traffic Control…
Processing /etc/shorewall/tcstart …
FireQOS 3.1.5
© 2013-2014 Costa Tsaousis, GPL

Clearing all QoS on all interfaces…

          br0: cleared traffic control
         p2p1: cleared traffic control
        vnet1: cleared traffic control
       wlp3s0: cleared traffic control
         p3p1: cleared traffic control
        vnet0: cleared traffic control
         tap0: cleared traffic control
      vb-nsdc: cleared traffic control
  • removed all IFB devices
  • cleared FireQOS status
    FireQOS 3.1.5
    © 2013-2014 Costa Tsaousis, GPL

Traffic is classified:

  - on 0 interfaces
  - to 0 classes
  - by 0 FireQOS matches

0 TC commands executed

All Done! Enjoy…
bye…
Preparing iptables-restore input…
Running /sbin/iptables-restore --wait 60…
IPv4 Forwarding Enabled
Processing /etc/shorewall/start …
Processing /etc/shorewall/started …
done.

#17

I’m still interested to learn what this page says about the access interaces

#18

Sorry for these many questions, but I think that to find a solution we have to know your network…

Can u post rules in Firewall page?

#19

Service configuration

Status: enabled
TCP ports: 980

Allow access from zones

Internet (red)
LAN (green)
#20

No rules are defined. Create the first one now!