Hello everybody.

Recently I moved the external interface to zone "external" on my home server/router, and something strange is happening. From my router (chamber, CentOS7) everything is fine:

[root@chamber ~]# firewall-cmd --list-all
home (default, active)
  interfaces: enp3s0 tun0 virbr0
  sources:
  services: dhcp dhcpv6-client dns http https imaps ipp-client mdns nfs samba samba-client vnc-server
  ports: 143/tcp 26666/tcp
  masquerade: no
  forward-ports:
  icmp-blocks:
  rich rules:

[root@chamber ~]# firewall-cmd --list-all --zone=external
external (active)
  interfaces: enp1s0
  sources:
  services:
  ports: 26666/tcp
  masquerade: yes
  forward-ports:
  icmp-blocks:
  rich rules:

[root@chamber ~]# nmap 10.0.49.14

Starting Nmap 6.40 ( http://nmap.org ) at 2016-04-21 11:57 CEST
Nmap scan report for 10.0.49.14
Host is up (0.00045s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
443/tcp open  https
MAC Address: 52:54:00:D6:6D:4A (QEMU Virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 0.18 seconds

But from a host in another location (connected through VPN):

moonwolf ? ~ ? nmap 10.0.49.14

Starting Nmap 7.12 ( https://nmap.org ) at 2016-04-21 11:59 CEST
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 0.06 seconds

moonwolf ? ~ ? nmap 10.0.49.14 -Pn -p22

Starting Nmap 7.12 ( https://nmap.org ) at 2016-04-21 11:59 CEST
Nmap scan report for svn.karakkhaz.dwarfs (10.0.49.14)
Host is up (0.015s latency).
PORT   STATE    SERVICE
22/tcp filtered ssh

Nmap done: 1 IP address (1 host up) scanned in 0.05 seconds

moonwolf ? ~ ? ping 10.0.49.14
PING 10.0.49.14 (10.0.49.14) 56(84) bytes of data.
64 bytes from 10.0.49.14: icmp_seq=1 ttl=62 time=9.45 ms
64 bytes from 10.0.49.14: icmp_seq=2 ttl=62 time=26.0 ms
^C
--- 10.0.49.14 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 9.459/17.754/26.050/8.296 ms

What could cause this behavior? Before the interface move everything was working as expected.

-- 
Over And Out
MoonWolf
On 04/21/2016 03:11 AM, Marcin Trendota wrote:
> But from host in another location (connected through VPN):

What host serves the VPN? If it's another host, how is that host connected to the router? If it's "chamber," what type of VPN is it?
On Thursday 21 of April 2016 9:08:09 AM Gordon Messmer wrote:
> On 04/21/2016 03:11 AM, Marcin Trendota wrote:
> > But from host in another location (connected through VPN):
> What host serves the VPN? If it's another host, how is that host
> connected to the router? If it's "chamber," what type of VPN is it?

It's OpenVPN on chamber. I've just noticed that it's similar from home to the other location. To clear things up: 10.0.49.0/26 is my home network, 10.0.32.0/22 is one of the VLANs at work ("the other location").

From chamber:

[root@chamber ~]# nmap 10.0.32.7

Starting Nmap 6.40 ( http://nmap.org ) at 2016-04-21 22:12 CEST
Nmap scan report for 10.0.32.7
Host is up (0.053s latency).
Not shown: 988 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
25/tcp   open  smtp
80/tcp   open  http
110/tcp  open  pop3
111/tcp  open  rpcbind
143/tcp  open  imap
389/tcp  open  ldap
443/tcp  open  https
993/tcp  open  imaps
995/tcp  open  pop3s
2049/tcp open  nfs
5666/tcp open  nrpe

Nmap done: 1 IP address (1 host up) scanned in 1.97 seconds

From another host in the home network:

[moonwolf@kazad ~]$ nmap 10.0.32.7

Starting Nmap 7.12 ( https://nmap.org ) at 2016-04-21 22:12 CEST
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 0.03 seconds

When I move enp1s0 (external interface) to the "home" zone, everything works fine.

My observations:

* When enp1s0 and tun0 (VPN interface) are both in the "external" zone I'm able to scan ports of work's network from home. But not the opposite:

[root@palpatine ~]# nmap 10.0.49.16

Starting Nmap 5.51 ( http://nmap.org ) at 2016-04-21 22:26 CEST
Nmap scan report for 10.0.49.16
Host is up (0.039s latency).
All 1000 scanned ports on 10.0.49.16 are filtered

Nmap done: 1 IP address (1 host up) scanned in 9.60 seconds

* When enp1s0 is in the "external" zone (as the only interface), and tun0 is in the "home" zone, I can't scan ports at home nor at work.

* When all interfaces are in the "home" zone I can scan ports everywhere.

It's a bit chaotic, I know. Sorry about that.

-- 
Over And Out
MoonWolf
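The diagnostic value of the scans quoted in this thread lies in nmap's port states, which the posts do not spell out. As an added example (not code from the list or from any of the posters), the Python script below reads nmap's text report format and states what each verdict says about the path: "closed" means the target answered the SYN with a TCP RST, so routing, return path and host all work and nothing is listening; "filtered" means nmap got no usable reply (the probe or its answer was dropped, or an ICMP unreachable came back), which is what a firewall on the path produces; "Host seems down" means the discovery probes went unanswered. The sample reports are constructed to mirror the four scans quoted above. Read together they show the pattern of the thread: scans that originate on chamber see open/closed, scans that have to be forwarded through chamber see filtered, which puts the drop on the router's forwarding path rather than on the target host.

```python
import re

# Sample nmap reports, constructed from the scans quoted in the thread
# (trimmed to the lines the parser needs).
REPORTS = {
    "chamber -> 10.0.49.14": """\
Starting Nmap 6.40 ( http://nmap.org ) at 2016-04-21 11:57 CEST
Nmap scan report for 10.0.49.14
Host is up (0.00045s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
443/tcp open  https
Nmap done: 1 IP address (1 host up) scanned in 0.18 seconds
""",
    "moonwolf -> 10.0.49.14 (-Pn -p22)": """\
Starting Nmap 7.12 ( https://nmap.org ) at 2016-04-21 11:59 CEST
Nmap scan report for svn.karakkhaz.dwarfs (10.0.49.14)
Host is up (0.015s latency).
PORT   STATE    SERVICE
22/tcp filtered ssh
Nmap done: 1 IP address (1 host up) scanned in 0.05 seconds
""",
    "palpatine -> 10.0.49.16": """\
Starting Nmap 5.51 ( http://nmap.org ) at 2016-04-21 22:26 CEST
Nmap scan report for 10.0.49.16
Host is up (0.039s latency).
All 1000 scanned ports on 10.0.49.16 are filtered
Nmap done: 1 IP address (1 host up) scanned in 9.60 seconds
""",
    "kazad -> 10.0.32.7": """\
Starting Nmap 7.12 ( https://nmap.org ) at 2016-04-21 22:12 CEST
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 0.03 seconds
""",
}

# One line per port: "22/tcp  open  ssh"
PORT_RE = re.compile(
    r"^(\d+)/(tcp|udp)\s+(open\|filtered|closed\|filtered|open|closed|filtered)\b")
# The bulk of the ports is summarised in one of these two lines.
NOT_SHOWN_RE = re.compile(r"^Not shown: (\d+) (closed|filtered) ports")
ALL_RE = re.compile(r"^All (\d+) scanned ports on \S+ are (closed|filtered)")
DOWN_RE = re.compile(r"^Note: Host seems down")


def parse_report(text):
    """Extract per-port states, the bulk summary and the host-down note."""
    parsed = {"ports": {}, "bulk": None, "host_down": False}
    for raw in text.splitlines():
        line = raw.strip()
        m = PORT_RE.match(line)
        if m:
            parsed["ports"]["%s/%s" % (m.group(1), m.group(2))] = m.group(3)
            continue
        m = NOT_SHOWN_RE.match(line) or ALL_RE.match(line)
        if m:
            parsed["bulk"] = (int(m.group(1)), m.group(2))
            continue
        if DOWN_RE.match(line):
            parsed["host_down"] = True
    return parsed


def classify(parsed):
    """Translate nmap's states into a statement about the network path."""
    if parsed["host_down"]:
        return "discovery probes unanswered; rescan with -Pn before concluding"
    states = set(parsed["ports"].values())
    if parsed["bulk"]:
        states.add(parsed["bulk"][1])
    # An RST (closed) or SYN/ACK (open) proves the host saw the probe
    # and its reply came back, so the path is not dropping traffic.
    if "open" in states or "closed" in states:
        return "host replies; path not blocked"
    # Only filtered verdicts: probes or replies dropped somewhere on the path.
    if states and states <= {"filtered", "open|filtered", "closed|filtered"}:
        return "probes dropped on the path (firewall between scanner and host)"
    return "no port data in report"


def classify_all(reports):
    """Run the classifier over every report and return {label: verdict}."""
    return {label: classify(parse_report(text)) for label, text in reports.items()}


if __name__ == "__main__":
    for label, verdict in classify_all(REPORTS).items():
        print("%-36s %s" % (label, verdict))
```

Run against the real thing with `nmap ... -oN report.txt` and feed the file to `parse_report`; the point of the classifier is that a "filtered" verdict on a host that answers ping (as 10.0.49.14 did from moonwolf) is a statement about the forwarding path, not about the host, so that is where to look first.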