Can't SSH or access Gui, but can MC ping


cglmicro
Posts: 291
Joined: Thu Mar 07, 2013 2:12 am
How did you hear about Mailcleaner: google

Can't SSH or access Gui, but can MC ping

Postby cglmicro » Tue Feb 27, 2018 2:18 am

Hi guys.

I'm old to MC, but this is a new install in ProxMox 5.1.
My MailCleaner can ping the web and update itself. But I can't SSH into it, nor access the /admin/ GUI. Any idea?
I'm not supposed to have a firewall before my VM, or so my hosting provider told me:
nmap -Pn -p 22,443 54.39.68.251
Starting Nmap 7.01 ( https://nmap.org ) at 2018-02-25 19:57 EST
Nmap scan report for mc61.legardeur.net (54.39.68.251)
Host is up (0.0025s latency).
PORT    STATE    SERVICE
22/tcp  filtered ssh
443/tcp open     https

And he thinks it's in my VM that there is a firewall.

I'm willing to pay for help getting this working, PM me for login and password of my OVH account, Proxmox account and MailCleaner account.

Thanks.
FlorianB
Posts: 296
Joined: Wed Apr 01, 2015 2:27 pm
How did you hear about Mailcleaner: job

Re: Can't SSH or access Gui, but can MC ping

Postby FlorianB » Tue Feb 27, 2018 1:34 pm

Hello cgl,
With a new dedicated server using Proxmox, you might think you have everything necessary to deploy VMs and launch servers.
Sadly, Proxmox comes with and supports (as far as I know) only bridging initially.
So you'll have network, potentially allowing you to access the net, but no way to access your VM from an external network.
Luckily, there is always a way, and you can add a NAT interface on your Proxmox machine by modifying the Proxmox network configuration files.
It will allow your multiple VMs to get a bridge for a specific local network if you select Bridge as the interface, or NAT if you choose the NAT interface, allowing external access. Of course, it will be necessary to add two things:
- NAT interface
- "Transform" Proxmox into a "gateway" to route traffic from external to internal.

The following example /etc/network/interfaces file should probably work as you wish:

Code:

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

iface enp0s20 inet manual

auto vmbr0
iface vmbr0 inet static
    address 163.172.X.X
    netmask 255.255.255.0
    gateway 163.172.X.1
    bridge_ports enp0s20
    bridge_stp off
    bridge_fd 0

auto vmbr1
iface vmbr1 inet static
      address 10.1.1.1
      netmask 255.255.255.0
      bridge_ports none
      bridge_stp off
      bridge_fd 0

      post-up echo 1 > /proc/sys/net/ipv4/ip_forward
      post-up iptables -t nat -A POSTROUTING -s '10.1.1.0/24' -o vmbr0 -j MASQUERADE
      post-down iptables -t nat -D POSTROUTING -s '10.1.1.0/24' -o vmbr0 -j MASQUERADE
      post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 15001 -j DNAT --to 10.1.1.3:80
      post-down iptables -t nat -D PREROUTING -i vmbr0 -p tcp --dport 15001 -j DNAT --to 10.1.1.3:80



X values should be changed to reflect your Proxmox IP and corresponding gateway.
10.1.1.0/24 would be your VMs' network here; feel free to change it, but stay consistent with local IPs and correct masks.
Port 15001 is a direct door to the server at address 10.1.1.3, probably hosting a web server on port 80.
Repeat the last sentence with a custom external port and an internal port of 22 for SSH access, or for any services you would like to publish.

Another solution is probably to buy multiple public IPs and assign each one to your respective VMs.

Regards,
Florian
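
An added example, not part of Florian's post or of Proxmox or MailCleaner: a small Python audit of the post-up/post-down DNAT lines in an interfaces file, checking that every published port has a matching post-down line and that a forward to an admin port (22) carries a source restriction (`-s`). The sample text is constructed from the rules in the post; the external port 15022, the `-s` check and all function names are assumptions.

```python
import shlex

# Constructed sample: the vmbr1 rules from the post, plus a hypothetical SSH
# forward (external port 15022 is an assumption) that has no post-down line.
SAMPLE = """\
iface vmbr1 inet static
      address 10.1.1.1
      post-up echo 1 > /proc/sys/net/ipv4/ip_forward
      post-up iptables -t nat -A POSTROUTING -s '10.1.1.0/24' -o vmbr0 -j MASQUERADE
      post-down iptables -t nat -D POSTROUTING -s '10.1.1.0/24' -o vmbr0 -j MASQUERADE
      post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 15001 -j DNAT --to 10.1.1.3:80
      post-down iptables -t nat -D PREROUTING -i vmbr0 -p tcp --dport 15001 -j DNAT --to 10.1.1.3:80
      post-up iptables -t nat -A PREROUTING -i vmbr0 -p tcp --dport 15022 -j DNAT --to 10.1.1.3:22
"""

def opt(words, *names):
    """Value following the first of `names` present in an iptables command."""
    for name in names:
        if name in words[:-1]:
            return words[words.index(name) + 1]
    return None

def parse_forwards(text):
    """Map (proto, external port, target) -> hooks seen and source filter."""
    forwards = {}
    for line in text.splitlines():
        words = shlex.split(line, comments=True)
        if len(words) < 2 or words[1] != "iptables" or "DNAT" not in words:
            continue
        key = (opt(words, "-p"), opt(words, "--dport"),
               opt(words, "--to", "--to-destination"))
        if None in key:
            continue
        rule = forwards.setdefault(key, {"up": False, "down": False, "src": None})
        if words[0] == "post-up" and "-A" in words:
            rule["up"], rule["src"] = True, opt(words, "-s")
        elif words[0] == "post-down" and "-D" in words:
            rule["down"] = True
    return forwards

def audit(text, admin_ports=("22",)):
    """Return (external port, target, issue) tuples for risky forwards."""
    findings = []
    for (proto, dport, target), rule in sorted(parse_forwards(text).items()):
        if rule["up"] and not rule["down"]:  # rule survives ifdown, duplicates on ifup
            findings.append((dport, target, "no-post-down"))
        if rule["up"] and target.rpartition(":")[2] in admin_ports and not rule["src"]:
            findings.append((dport, target, "admin-port-any-source"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding)
```
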
FlorianB
Posts: 296
Joined: Wed Apr 01, 2015 2:27 pm
How did you hear about Mailcleaner: job

Re: Can't SSH or access Gui, but can MC ping

Postby FlorianB » Tue Feb 27, 2018 1:40 pm

I have to specify that the NAT in the WebGui is useless as far as I can tell; it is probably an option to NAT directly using the qemu function, as that is possible, but for me it was useless. So when creating your VM or changing to NAT, select bridge and select the "NAT" interface you just added, so virbr1 for me.
Regards
uncltom
Posts: 525
Joined: Tue Aug 26, 2008 3:01 am
How did you hear about Mailcleaner: I dont remember probably google?
Location: Spokane, WA

Re: Can't SSH or access Gui, but can MC ping

Postby uncltom » Tue Feb 27, 2018 7:47 pm

I may be adding the obvious but keep in mind that port 22 is limited to the local subnet by default. If you can get to the GUI then you can go to status and turn the firewall service off. I had to edit dump_firewall.pl to allow SSH from any host (0.0.0.0/0) when I created the Google AMI. Filtering then happens in the Google firewall interface.

Like I said this might be obvious so ignore me if so.

Thomas
FlorianB
Posts: 296
Joined: Wed Apr 01, 2015 2:27 pm
How did you hear about Mailcleaner: job

Re: Can't SSH or access Gui, but can MC ping

Postby FlorianB » Thu Mar 01, 2018 1:11 pm

Hello cgl, uncle,
No, this is perfectly right. If we talk of MC using a VM under Proxmox, you should do an insert into the table external_access in the master db instance:
https://support.mailcleaner.net/boards/ ... r-firewall
Regards,
Florian
cglmicro
Posts: 291
Joined: Thu Mar 07, 2013 2:12 am
How did you hear about Mailcleaner: google

Re: Can't SSH or access Gui, but can MC ping

Postby cglmicro » Fri Mar 02, 2018 1:22 am

Ouf ! I'm not that good with Linux.
Maybe I can tell you more about my setup and the IP address I have.

First of all, on the OVH panel, here is what I see.
2018-03-01_1903_ovh_no1.png

2018-03-01_1905_ovh_no2.png


Now in my ProxMox GUI:
2018-03-01_1908_proxmox_no1.png


to be continued (limit of 3 attachments)...
cglmicro
Posts: 291
Joined: Thu Mar 07, 2013 2:12 am
How did you hear about Mailcleaner: google

Re: Can't SSH or access Gui, but can MC ping

Postby cglmicro » Fri Mar 02, 2018 1:29 am

and here is the other ProxMox capture:
2018-03-01_1909_proxmox_no2.png


Here is now my PROXMOX server interfaces file:

Code:

root@ns535320:~# cat /etc/network/interfaces
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# for Routing
auto vmbr1
iface vmbr1 inet manual
        bridge_ports dummy0
        bridge_stp off
        bridge_fd 0

# vmbr0: Bridging. Make sure to use only MAC adresses that were assigned to you.
auto vmbr0
iface vmbr0 inet static
        address 158.69.246.61
        netmask 255.255.255.0
        network 158.69.246.0
        broadcast 158.69.246.255
        gateway 158.69.246.254
        bridge_ports eth0
        bridge_stp off
        bridge_fd 0

iface vmbr0 inet6 static
        address 2607:5300:0120:063d::
        netmask 64
        post-up /sbin/ip -f inet6 route add 2607:5300:0120:06ff:ff:ff:ff:ff dev vmbr0
        post-up /sbin/ip -f inet6 route add default via 2607:5300:0120:06ff:ff:ff:ff:ff
        pre-down /sbin/ip -f inet6 route del default via 2607:5300:0120:06ff:ff:ff:ff:ff
        pre-down /sbin/ip -f inet6 route del 2607:5300:0120:06ff:ff:ff:ff:ff dev vmbr0


And here is my MailCleaner interfaces file (sorry, can't copy and paste):
2018-03-01_1916_mailcleaner_interfaces.png


Florian: the interfaces file you asked me to modify, was it on the Proxmox server or in MailCleaner?
The 158.69.246.61 IP is my Proxmox server.
The 54.39.68.251 IP should be my MailCleaner and needs to be accessible from outside on all required ports (22, 25, 80, 443, 4242)?
I'll send you a PM with some other details.
