
[LDM #NTH-493887]: ldmping one way only



Donna,

The results of your using telnet(1) from inside the campus security perimeter
(via a VPN) and from outside it appear to be definitive: The security perimeter
doesn't allow TCP connections to be initiated from within the perimeter to port
388 outside the perimeter.

> My thoughts are that ldm-relay0 has been doing all of the work and this
> connection problem has been with us on ldm-relay1. I have my tech checking
> on the firewall rules. I can tell you that the iptables (on all our LDM
> machines) already have this in the iptables:
> 
> -A INPUT -p tcp -m multiport --ports 388 -m comment --comment "100 open
> port 388 for ldm" -j ACCEPT
> 
> One *important* note: ldm-relay1 is outside of the A&M firewall and ldm3 is
> inside the A&M firewall. *Taimur*, can you tell me if port 388 is open
> through the A&M firewall? This was set up a long time ago but there has
> been a change in leadership in A&M's IT so who knows if this got changed
> without our notice.
> 
> Our sys admin has not installed telnet (on purpose, I believe). I can use
> ping and ldmping.
> 
> After getting up a VPN connection to campus, I can get this from my Mac
> laptop:
> 
> donna-cotes-macbook-pro:~ donnacote$ telnet ldm-relay1.tamu.edu 388
> Trying 165.91.55.27...
> telnet: connect to address 165.91.55.27: Operation timed out
> telnet: Unable to connect to remote host
> donna-cotes-macbook-pro:~ donnacote$ telnet ldm3.tamu.edu 388
> Trying 128.194.76.166...
> Connected to ldm3.tamu.edu.
> Escape character is '^]'.
> ^]
> telnet> ^Cdonna-cotes-macbook-pro:~ donnacote$
> 
> Now, I also notice this. When I turn off my VPN connection to campus, I get
> this:
> 
> donna-cotes-macbook-pro:~ donnacote$ telnet ldm-relay1.tamu.edu 388
> Trying 165.91.55.27...
> Connected to ldm-relay1.tamu.edu.
> Escape character is '^]'.
> ???Connection closed by foreign host.
> donna-cotes-macbook-pro:~ donnacote$ telnet ldm3.tamu.edu 388
> Trying 128.194.76.166...
> telnet: connect to address 128.194.76.166: Operation timed out
> telnet: Unable to connect to remote host
> donna-cotes-macbook-pro:~ donnacote$
> 
> FYI:
> 
> > [root@ldm-relay1 ~]# iptables --list
> > Chain INPUT (policy ACCEPT)
> > target     prot opt source               destination
> > ACCEPT     icmp --  anywhere             anywhere            /* 000 accept
> > all icmp */
> > ACCEPT     all  --  anywhere             anywhere            /* 001 accept
> > all to lo interface */
> > ACCEPT     all  --  anywhere             anywhere            /* 002 accept
> > related established rules */ state RELATED,ESTABLISHED
> > ACCEPT     tcp  --  anywhere             anywhere            multiport
> > dports ssh /* 003 accept new ssh */ state NEW
> > ACCEPT     tcp  --  anywhere             anywhere            multiport
> > dports ndmp /* 100 allow webmin access */
> > ACCEPT     tcp  --  anywhere             anywhere            multiport
> > ports zabbix-agent /* 100 allow zabbix-agent */
> > ACCEPT     tcp  --  anywhere             anywhere            multiport
> > ports unidata-ldm /* 100 open port 388 for ldm */
> > ACCEPT     tcp  --  anywhere             anywhere            multiport
> > dports sunrpc /* 101 portmapper tcp */
> > ACCEPT     udp  --  anywhere             anywhere            multiport
> > dports sunrpc /* 102 portmapper udp */
> > ACCEPT     tcp  --  anywhere             anywhere            multiport
> > dports 32803 /* 103 lockd tcp */
> > ACCEPT     udp  --  anywhere             anywhere            multiport
> > dports filenet-rpc /* 104 lockd udp */
> > DROP       all  --  anywhere             anywhere            /* 999 deny
> > all */
> >
> > Chain FORWARD (policy ACCEPT)
> > target     prot opt source               destination
> > DROP       all  --  anywhere             anywhere            /* 999 deny
> > all FORWARD */
> >
> > Chain OUTPUT (policy ACCEPT)
> > target     prot opt source               destination
> > [root@ldm-relay1 ~]# iptables --list-rules
> > -P INPUT ACCEPT
> > -P FORWARD ACCEPT
> > -P OUTPUT ACCEPT
> > -A INPUT -p icmp -m comment --comment "000 accept all icmp" -j ACCEPT
> > -A INPUT -i lo -m comment --comment "001 accept all to lo interface" -j
> > ACCEPT
> > -A INPUT -m comment --comment "002 accept related established rules" -m
> > state --state RELATED,ESTABLISHED -j ACCEPT
> > -A INPUT -p tcp -m multiport --dports 22 -m comment --comment "003 accept
> > new ssh" -m state --state NEW -j ACCEPT
> > -A INPUT -p tcp -m multiport --dports 10000 -m comment --comment "100
> > allow webmin access" -j ACCEPT
> > -A INPUT -p tcp -m multiport --ports 10050 -m comment --comment "100 allow
> > zabbix-agent" -j ACCEPT
> > -A INPUT -p tcp -m multiport --ports 388 -m comment --comment "100 open
> > port 388 for ldm" -j ACCEPT
> > -A INPUT -p tcp -m multiport --dports 111 -m comment --comment "101
> > portmapper tcp" -j ACCEPT
> > -A INPUT -p udp -m multiport --dports 111 -m comment --comment "102
> > portmapper udp" -j ACCEPT
> > -A INPUT -p tcp -m multiport --dports 32803 -m comment --comment "103
> > lockd tcp" -j ACCEPT
> > -A INPUT -p udp -m multiport --dports 32769 -m comment --comment "104
> > lockd udp" -j ACCEPT
> > -A INPUT -m comment --comment "999 deny all" -j DROP
> > -A FORWARD -m comment --comment "999 deny all FORWARD" -j DROP
> > [root@ldm-relay1 ~]#


Regards,
Steve Emmerson
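Since telnet(1) is deliberately absent from the LDM hosts, the same probe Donna ran from her laptop can be done with a few lines of Python and run on the hosts themselves. This is an added example, not code from the thread or from the LDM distribution; tcp_probe(), start_listener() and probe_report() are names chosen here, and the 5-second default timeout is an assumption (the Mac's telnet waited considerably longer before reporting "Operation timed out"). It separates the three outcomes that matter for this ticket: a completed handshake, an RST (something reachable answered "no"), and silence, which is what a DROP rule or a perimeter filter produces and which the laptop saw for ldm-relay1 from inside the VPN.

```python
"""Probe TCP reachability the way telnet(1) was used in this thread, without
telnet installed, and classify what the kernel reports back.

Added example for this ticket, not Unidata LDM code. Function names and the
default timeout are assumptions made here.
"""
import socket
import sys

# What each result means for a firewall diagnosis:
MEANING = {
    "open":        "handshake completed: a listener answered",
    "refused":     "RST received: host reachable, nothing listening or a REJECT rule",
    "timeout":     "no reply at all: dropped on the path or by a DROP rule (what "
                   "ldm-relay1:388 showed from inside the VPN)",
    "unreachable": "ICMP error, no route, or name lookup failed",
}


def tcp_probe(host, port, timeout=5.0):
    """Attempt one TCP connect and return a MEANING key."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except (socket.timeout, TimeoutError):
        return "timeout"
    except OSError:          # gaierror, EHOSTUNREACH, ENETUNREACH, ...
        return "unreachable"


def start_listener(host="127.0.0.1"):
    """Listening socket on an ephemeral port, for offline checks of the probe.
    The kernel completes handshakes into the backlog, so no accept() is
    needed for tcp_probe() to report 'open'."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, 0))
    s.listen(1)
    return s, s.getsockname()[1]


def probe_report(targets, timeout=5.0):
    """Probe (host, port) pairs in order; return [(host, port, result), ...]."""
    return [(h, p, tcp_probe(h, p, timeout)) for h, p in targets]


if __name__ == "__main__":
    # usage: python probe.py HOST [PORT]   (PORT defaults to 388, the LDM port)
    if len(sys.argv) < 2:
        sys.exit("usage: probe.py HOST [PORT]")
    host = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 388
    result = tcp_probe(host, port)
    print(f"{host}:{port} -> {result}: {MEANING[result]}")
```

Run it from each side of the perimeter against the same host and port; a "timeout" on one side and "open" on the other is exactly the one-way picture in the telnet transcripts above, and a "refused" anywhere means the packet reached a host that answered.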
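The host rules Donna posted are also worth reading with first-match semantics in mind: they confirm that ldm-relay1's own iptables is not what drops inbound port 388, and they show one thing a firewall reviewer would flag. The LDM and zabbix-agent rules use multiport --ports rather than --dports, and --ports matches when either the source or the destination port is in the list, so any inbound TCP segment sent from source port 388 is accepted whatever port it is aimed at, bypassing the trailing "999 deny all". The following is an added example, not Unidata LDM code; it re-joins the posted --list-rules output (the constant name LDM_RELAY1_RULES and the placeholder interface name eth0 are choices made here), walks the INPUT chain the way the kernel does, and shows that a segment to port 388 is accepted, a segment from source port 388 to some other port is also accepted, and the same segment from an ephemeral source port is dropped. Port ranges and negated matches are not parsed because the posted rules use neither.

```python
"""Walk an iptables chain, given in `iptables -S` / --list-rules form, with
first-match semantics and report which rule a TCP/UDP segment would hit.

Added example for this ticket, not Unidata LDM code. LDM_RELAY1_RULES is the
ruleset posted in the thread, re-joined where the mail wrapped it. Port
ranges (a:b) and negated matches (!) are not parsed; the posted rules use
neither. "eth0" below is a placeholder interface name.
"""
import shlex

LDM_RELAY1_RULES = """\
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -p icmp -m comment --comment "000 accept all icmp" -j ACCEPT
-A INPUT -i lo -m comment --comment "001 accept all to lo interface" -j ACCEPT
-A INPUT -m comment --comment "002 accept related established rules" -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m multiport --dports 22 -m comment --comment "003 accept new ssh" -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m multiport --dports 10000 -m comment --comment "100 allow webmin access" -j ACCEPT
-A INPUT -p tcp -m multiport --ports 10050 -m comment --comment "100 allow zabbix-agent" -j ACCEPT
-A INPUT -p tcp -m multiport --ports 388 -m comment --comment "100 open port 388 for ldm" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 111 -m comment --comment "101 portmapper tcp" -j ACCEPT
-A INPUT -p udp -m multiport --dports 111 -m comment --comment "102 portmapper udp" -j ACCEPT
-A INPUT -p tcp -m multiport --dports 32803 -m comment --comment "103 lockd tcp" -j ACCEPT
-A INPUT -p udp -m multiport --dports 32769 -m comment --comment "104 lockd udp" -j ACCEPT
-A INPUT -m comment --comment "999 deny all" -j DROP
-A FORWARD -m comment --comment "999 deny all FORWARD" -j DROP
"""

# multiport option -> which side of the segment it constrains
PORT_OPTS = {"--dports": "dst", "--dport": "dst",
             "--sports": "src", "--sport": "src",
             "--ports": "either"}   # --ports: source OR destination port


def parse_rules(text):
    """Return (chain policies, rule list); each rule records the matches the
    posted ruleset uses: -p, -i, --state, one multiport option, --comment, -j."""
    policies, rules = {}, []
    for line in text.splitlines():
        toks = shlex.split(line)        # keeps the quoted comment as one token
        if not toks:
            continue
        if toks[0] == "-P":
            policies[toks[1]] = toks[2]
            continue
        if toks[0] != "-A":
            continue
        r = {"chain": toks[1], "proto": None, "iface": None, "states": None,
             "port_side": None, "ports": None, "target": None, "comment": None}
        i = 2
        while i + 1 < len(toks):        # every option here takes one argument
            opt, val = toks[i], toks[i + 1]
            if opt == "-p":
                r["proto"] = val
            elif opt == "-i":
                r["iface"] = val
            elif opt == "--state":
                r["states"] = set(val.split(","))
            elif opt in PORT_OPTS:
                r["port_side"] = PORT_OPTS[opt]
                r["ports"] = {int(p) for p in val.split(",")}
            elif opt == "--comment":
                r["comment"] = val
            elif opt == "-j":
                r["target"] = val
            # "-m <extension>" only names the module whose options follow
            i += 2
        rules.append(r)
    return policies, rules


def first_match(policies, rules, chain, proto, dport, sport,
                state="NEW", iface="eth0"):
    """Return (target, comment) of the first rule in `chain` that matches the
    segment, or (chain policy, None) if the chain runs out."""
    for r in rules:
        if r["chain"] != chain:
            continue
        if r["proto"] and r["proto"] != proto:
            continue
        if r["iface"] and r["iface"] != iface:
            continue
        if r["states"] and state not in r["states"]:
            continue
        if r["ports"]:
            hit = {"dst": dport in r["ports"],
                   "src": sport in r["ports"],
                   "either": dport in r["ports"] or sport in r["ports"]}[r["port_side"]]
            if not hit:
                continue
        return r["target"], r["comment"]
    return policies.get(chain, "ACCEPT"), None


def bidirectional_accepts(rules):
    """Comments of ACCEPT rules written with --ports: each also admits any
    inbound segment whose *source* port is in its list, whatever the
    destination port, which defeats the trailing deny-all."""
    return [r["comment"] for r in rules
            if r["target"] == "ACCEPT" and r["port_side"] == "either"]


if __name__ == "__main__":
    pol, rules = parse_rules(LDM_RELAY1_RULES)
    cases = [("LDM client -> tcp/388", dict(proto="tcp", dport=388, sport=51000)),
             ("source port 388 -> tcp/4444", dict(proto="tcp", dport=4444, sport=388)),
             ("ephemeral port -> tcp/4444", dict(proto="tcp", dport=4444, sport=51000))]
    for label, seg in cases:
        print(f"{label:30s} {first_match(pol, rules, 'INPUT', **seg)}")
    print("ACCEPT rules that also match source ports:", bidirectional_accepts(rules))
```

The fix on the host side is to write those two rules with --dports (and, as the ssh rule already does, restrict them to state NEW so that the RELATED,ESTABLISHED rule does the rest); that changes nothing about the inbound-388 result, which is still ACCEPT, and so does not alter the conclusion that the campus perimeter is where the timeout comes from.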

Ticket Details
===================
Ticket ID: NTH-493887
Department: Support LDM
Priority: Normal
Status: Closed
===================
NOTE: All email exchanges with Unidata User Support are recorded in the Unidata 
inquiry tracking system and then made publicly available through the web.  If 
you do not want to have your interactions made available in this way, you must 
let us know in each email you send to us.