Tom Eastep wrote:
> On 11/10/2013 4:56 AM, Johannes Graumann wrote:
>> Hello,
>>
>> I am running a server with one external NIC and a bridge that serves a
>> bunch of lxc containers.
>>
>> That bridge/NIC masquerades as the external NIC via a masq file entry.
>>
>> One of the lxc containers runs nginx and ports 80 and 443 from the
>> external NIC are DNATed to that container.
>>
>> If I now try to use e.g. the https URL of the EPEL repository from within
>> one of the lxc containers, I get
>>> Error: Cannot retrieve metalink for repository: epel. Please verify its
>>> path and try again
>>
>> Changing the corresponding URL to "http" rather than "https" makes a yum
>> call go through just fine.
>>
>> Is the firewalling setup to blame for this and if yes how to fix it?
>>
>
> Not enough information to say.
> Which URL are you using?
https://mirrors.fedoraproject.org/metalink?repo=epel-6&arch=x86_64
> What does the DNS name resolve to?
# dig https://mirrors.fedoraproject.org
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.6 <<>> https://mirrors.fedoraproject.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 55617
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;https://mirrors.fedoraproject.org. IN A
;; AUTHORITY SECTION:
fedoraproject.org. 300 IN SOA ns04.fedoraproject.org. hostmaster.fedoraproject.org. 953465112 3600 600 2419200 86400
;; Query time: 29 msec
;; SERVER: 10.10.10.1#53(10.10.10.1)
;; WHEN: Mon Nov 11 03:31:59 2013
;; MSG SIZE rcvd: 103
> Are you getting any 'Shorewall' messages when you try to connect?
No.
> It would be best if you forwarded the output of 'shorewall dump'
Attached.
> along with the information requested at
> http://www.shorewall.net/support.htm#Guidelines.
# /sbin/shorewall version
4.5.5.3
# ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 6c:62:6d:67:5f:a4 brd ff:ff:ff:ff:ff:ff
    inet 85.214.203.244/32 brd 85.214.203.244 scope global eth0
    inet6 fe80::6e62:6dff:fe67:5fa4/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
    link/ether 6c:62:6d:67:5f:a5 brd ff:ff:ff:ff:ff:ff
4: tun0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast master br0.tun0 state DOWN qlen 500
    link/ether 46:a7:f3:d4:c3:5a brd ff:ff:ff:ff:ff:ff
5: br0.tun0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
    link/ether 46:a7:f3:d4:c3:5a brd ff:ff:ff:ff:ff:ff
    inet 10.10.10.1/24 brd 10.10.10.255 scope global br0.tun0
    inet6 fe80::44a7:f3ff:fed4:c35a/64 scope link
       valid_lft forever preferred_lft forever
7: vethxSF5jF: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br0.tun0 state UP qlen 1000
    link/ether fe:ae:36:36:94:7a brd ff:ff:ff:ff:ff:ff
    inet6 fe80::fcae:36ff:fe36:947a/64 scope link
       valid_lft forever preferred_lft forever
10: vethcA52tp: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br0.tun0 state UP qlen 1000
    link/ether fe:4d:cd:60:19:48 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::fc4d:cdff:fe60:1948/64 scope link
       valid_lft forever preferred_lft forever
49: vethWEP842: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br0.tun0 state UP qlen 1000
    link/ether fe:a8:11:c2:2b:d2 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::fca8:11ff:fec2:2bd2/64 scope link
       valid_lft forever preferred_lft forever
# ip route show
default via 85.214.192.1 dev eth0
10.10.10.0/24 dev br0.tun0 proto kernel scope link src 10.10.10.1
85.214.192.1 dev eth0 scope link
Thank you for your time.
Sincerely, Joh