Opening ports for a 3rd party application

Hi team
I am pulling my hair out here (not that I have much of that, but still :wink: )
I have a standard NS7RC2 server
1 RED on 192.168.10.100
1 GREEN on 192.168.11.100
Installed Modules:

  • Account provider Samba AD on 192.168.11.111 with bridged interface
  • Printserver
  • Fileserver

Following the manual it must be possible to open ports on either RED or GREEN interface following http://docs.nethserver.org/en/v7rc/third_party.html

I tried both scenarios setting RED and GREEN (Public and Local)
I want to open a set of ports so the command should be:

Firewall
If the software needs some open ports on the firewall, create a new service named fw_.
For example, given the software mysoftware which needs ports 3344 and 5566 on LAN, use the following commands:

config set fw_mysoftware service status enabled TCPPorts 3344,5566 access green
signal-event firewall-adjust
signal-event runlevel-adjust

after this, I should be able to connect through telnet to the ports that are opened, however, I get a connection refused:

telnet 192.168.11.100 8632
Trying 192.168.11.100…
telnet: Unable to connect to remote host: Connection refused

I did a tcp dump on the interface which gave me this:

[root@ns7 savapage]# tcpdump -i br0 port 8632 -vv
tcpdump: listening on br0, link-type EN10MB (Ethernet), capture size 65535 bytes
21:05:57.397268 IP (tos 0x10, ttl 64, id 33277, offset 0, flags [DF], proto TCP (6), length 60)
192.168.11.10.38794 > ns7.test.lan.8632: Flags [S], cksum 0xdfb1 (correct), seq 169479176, win 29200, options [mss 1460,sackOK,TS val 19238389 ecr 0,nop,wscale 7], length 0
21:05:57.397360 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 40)
ns7.test.lan.8632 > 192.168.11.10.38794: Flags [R.], cksum 0x97d9 (incorrect → 0x48ac), seq 0, ack 169479177, win 0, length 0

I could really use some help on this.
I had already some conversation with @filippo_carletti this afternoon, but that did not bring me further. It just looks like the signal event is not getting active. Is there another way of checking (or adding) the ports?

But your telnet is to port 8632.

Am I missing something?

I have been able to open ports successfully using the 3rd-Party Application instructions.

** Update ** Sorry, I just realised what you put was a cut/paste from the manual.

You can check if the port(s) have been added to the firewall here: /etc/shorewall/rules

Cheers.

Hi @EddieA, the example is 1:1 copy from the online user manual.
The exact command I gave was:

config set fw_savapage service status enabled TCPPorts 8631,8632 access green
then I signaled firewall and runlevel

Cheers.

THNX! that was at least something I was looking for.
The ports ARE listed in /etc/shorewall/rules:

Service: fw_savapage Access: red

?COMMENT fw_savapage
ACCEPT net $FW tcp 8631
?COMMENT fw_savapage
ACCEPT net $FW tcp 8632

Question is now why I can’t telnet to those ports??

But from your earlier post:

Which is your Green interface.

Cheers.

Green interface is 11.100
Red interface is 10.100

Situation is like this:
Laptop on 10.x subnet running Vbox
NS7 as VM in Vbox.
Red is bridged interface in VBox
Green is Host only interface and created a bridge with laptop so my laptop can reach both Red and Green interface.

/edit: @EddieA just to be sure I set it to green and red so both 10.100 and 11.100 are in the shorewall rules list
Still get a connection refused when I try to telnet to those ports on either interface.

Service: fw_savapage Access: green,red

?COMMENT fw_savapage
ACCEPT loc $FW tcp 8631
ACCEPT net $FW tcp 8631
?COMMENT fw_savapage
ACCEPT loc $FW tcp 8632
ACCEPT net $FW tcp 8632

Are you sure it’s the firewall that’s blocking you? A quick peek at the log should confirm/deny that.

Other than that, all I can think of are the usual very basic checks. Can you connect to the standard NS services? Can you run the telnet on the NS box itself?

Cheers.

Hi @EddieA. I have absolutely no clue why.
I installed the printserver module and I can telnet to port 631 (default CUPS port), so it is not blocking all ports. Only these custom created ports.

@EddieA can you check for me if you can open a custom port on a fresh installed NS7RC2 server?
Just install in VBox and give it 1 interface that you can reach from your workstation. Then open a custom port (in my case I want to open ports 8631 and 8632. Maybe you can try these).

I just re-installed from the new NS7RC2 ISO. Applied the available updates and without installing any modules, I tried to open these ports. After signaling firewall and runlevel I tried to telnet to those ports but still connection refused.
The ports DO show in /etc/shorewall/rules

I am almost coming to the conclusion that I am hitting a BUG (or the documentation is wrong).
I could use some confirmation here.

Just an extra thing: when I install a new module, for instance the printer module, the ports ARE opened correctly (before installing, port 631 is closed (connection refused) and after installing I can perfectly connect with telnet to port 631).

So, what am I missing when opening a custom port? Please advise.

@robb, the first step is to have a daemon listening on the port.
You can confirm its state with
fuser -vn tcp <port>

See:
# fuser -vn tcp 3128
USER PID ACCESS COMMAND
3128/tcp: squid 25074 F… squid

Cannot reproduce it here

[root@vm4 bats]# config set fw_eight service status enabled TCPPort 8631 access green
[root@vm4 bats]# signal-event firewall-adjust 
[root@vm4 bats]# cat /etc/shorewall/rules | grep -5 8631
ACCEPT	net	$FW	tcp	995
#
#	Service: fw_eight Access: green
#
?COMMENT fw_eight 
ACCEPT	loc	$FW	tcp	8631
#
#	Service: httpd Access: green,red
#
?COMMENT httpd 
ACCEPT	loc	$FW	tcp	80

Then

nc -l $(hostname) 8631

The TCP port 8631 is accessible from LAN.
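As an added example (not code from the thread or from NethServer): a small Python check that covers both steps discussed above. It parses the `?COMMENT fw_…` blocks of a constructed copy of the /etc/shorewall/rules output to confirm the ACCEPT rows exist, then probes a port to tell an accepting daemon apart from the "connection refused" RST seen in the tcpdump and from a silent drop. The rules sample and the loopback listener are constructed; `accepted_ports`, `probe` and `listener_demo` are hypothetical names.

```python
import errno
import re
import socket

# Constructed sample modelled on the /etc/shorewall/rules block quoted in the thread.
SAMPLE_RULES = """\
?COMMENT fw_savapage
ACCEPT\tloc\t$FW\ttcp\t8631
ACCEPT\tnet\t$FW\ttcp\t8631
?COMMENT httpd
ACCEPT\tloc\t$FW\ttcp\t80
"""
RULE_RE = re.compile(r"^ACCEPT\s+(\S+)\s+\$FW\s+tcp\s+(\d+)\s*$")


def accepted_ports(rules_text, service):
    """Return the set of (zone, port) ACCEPT rows that follow '?COMMENT <service>'."""
    found, current = set(), None
    for line in rules_text.splitlines():
        if line.startswith("?COMMENT"):
            parts = line.split(None, 1)
            current = parts[1].strip() if len(parts) > 1 else None
            continue
        m = RULE_RE.match(line)
        if m and current == service:
            found.add((m.group(1), int(m.group(2))))
    return found


def probe(host, port, timeout=2.0):
    """'open': a daemon answered; 'refused': RST, nothing listening (the tcpdump
    case above); 'filtered': no reply at all, which is what a DROP looks like."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except socket.timeout:
            return "filtered"
        except OSError as e:
            return "refused" if e.errno == errno.ECONNREFUSED else "error"


def listener_demo():
    """Probe an ephemeral loopback port with, then without, a listener bound to it."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    with_daemon = probe("127.0.0.1", port)     # a daemon accepts: "open"
    srv.close()
    without_daemon = probe("127.0.0.1", port)  # rule or not, no daemon: "refused"
    return with_daemon, without_daemon
```

Run `accepted_ports(open("/etc/shorewall/rules").read(), "fw_savapage")` on the real file to check the rules, and `probe(host, port)` from a LAN client; an ACCEPT row plus "refused" means the rule is fine and nothing is bound to the port.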


In my case, I installed a copy of Plex, to ensure that this will still be possible when I eventually upgrade. To test that, I had to open port 32400 on my Red interface, which is working fine.

I’m using ESXi and access the NS server via its Red interface from other desktops in the same internal, physical network. I also defined a second interface in NS which is only available to other VMs, which acts as a Green, and I am able to access Plex via that also from a Windows VM.

Cheers.

Looks like I have savapage running. I will double-check the install procedure and then write an install howto. I had a conversation today with the savapage developer and he told me he was willing to go through the install howto before publishing it.
So stay tuned for an absolute killer application for (larger) offices and educational environments.
When the install manual is published, the next step would be creating an rpm of it and introducing it as an extra addon to the NethServer Printer module. I hope to get some help with that (or someone willing to do this, since it is far away from my comfort zone).
