Thank you.
I find that those who attack the character and intentions of others - despite clear evidence to the contrary (the site was working and was successfully accessed by several on this Forum) - are likely projecting something of their own troubles.
It's really easy to just ignore my requests for help and to leave it to those who are willing to answer some very simple questions - from knowledge, rather than conjecture.
I've asked, several times, about my concerns that my nftables install may be corrupted ...
So far, no one has offered a solution (I've looked, a lot, for myself) on how to restore what I believe to be missing pieces of it (the lib modules, to be precise), nor has anyone offered an alternative explanation as to why nftables is not working.
I've been using Linux for a long time and have observed the toxic-assumptions problem before - it's always unhealthy to the community.
Answers to my questions should involve simple step-by-step advice ... false assumptions are, well, we all know about assumptions ... sigh.
Marjorie wrote: As he has a fixed IP from his ISP (though I recall he does describe it as immutable not fixed) that isn't necessarily an issue
I wasn't referring to dynamic IPs, but rather the security implications.
Given the level of experience/understanding displayed and the cherry-picking of responses, I don't want to contribute towards an eventual "My home network is compromised, how do I fix it?" situation.
My advice: stop trying to do this, host the site with an established provider.
Security is manageable - it's a step by step process.
I have web sites hosted on Bluehost, and have for a long time.
This is about the Linux spirit of independence and learning.
Again, this was working, but due to missing the hardware RAID toggle 'on', the system was unstable and had to be reconstructed.
If nftables would only play nicely it would seem we'd be rocking!
I powered-off the server overnight and just powered back up.
root@devuan1:/# service nftables status
nftables: unrecognized service
root@devuan1:/# service nftables restart
nftables: unrecognized service
root@devuan1:/# service nftables force-reload
nftables: unrecognized service
root@devuan1:/# nft list ruleset
root@devuan1:/#
I suspected a potential conflict but that doesn't appear to be the case ...
root@devuan1:/# whereis ufw
ufw: /etc/ufw
root@devuan1:/# whereis iptables
iptables: /usr/sbin/iptables /usr/share/iptables /usr/share/man/man8/iptables.8.gz
root@devuan1:/# service ufw status
ufw: unrecognized service
root@devuan1:/# service iptables status
iptables: unrecognized service
root@devuan1:/#
Just tried nft flush ruleset;nft -f /etc/nftables.conf - no change.
FYI ...
root@devuan1:/# nft -v
nftables v0.9.8 (E.D.S.)
root@devuan1:/#
This remains a concern ...
root@devuan1:/# whereis libmnl
libmnl:
root@devuan1:/# whereis libnftnl
libnftnl:
root@devuan1:/#
May I suggest that you don't want to compile any netfilter components?
Can you point me to a reliable instructional as to how to have git remove the 'objects' it loaded, please?
The less clutter the better.
Thanks
Love the gone "pear shaped" humor. You remind me of an old friend.
I swapped your nftables.conf code for mine - do I need to reboot for it to take effect?
EDIT 1:
Rebooted - no joy.
EDIT 2:
# nft -cf /etc/nftables.conf reports no errors.
Is nftables actually running?
# nft list ruleset
I would just ignore that "guide". It looks like one of those shitty sites that farm forum & wiki content for ad revenue.
root@devuan1:~/libnftnl# nft list ruleset
table ip nat {
chain postrouting {
type nat hook postrouting priority srcnat; policy accept;
ip saddr 192.168.1.0/24 oif "eth0" snat to 1.2.3.4
}
}
root@devuan1:~/libnftnl#
What is this telling me about what's happening - and what's not happening that should be?
Try running a port scan (eg nmap) from another system on the same network. That should tell you what ports are open.
If you don't have a port scanner, sudo traceroute -T -p 80 realupnow.com would test access to port 80. Then you could repeat for other ports, eg 443 (https) and 22 (sshd). That should tell you what ports are blocked.
Edit: we cross posted.
You may need to allow *inbound* access to port 80 (and port 443 if you want to use https). Knowing what point of view inbound and outbound refer to can be confusing.
chain inbound {
    type filter hook input priority filter; policy drop;
    ct state established,related accept
    ct state invalid drop
    # Allow traffic from established and related packets, drop invalid
    ct state vmap { established : accept, related : accept, invalid : drop }
    iif "lo" counter packets accept
    ip protocol icmp accept
    ip6 nexthdr ipv6-icmp accept
    ip protocol igmp accept
    # iif "lo" counter packets 0 bytes 0 accept
    # ip protocol icmp limit rate 4/second accept
    # ip6 nexthdr ipv6-icmp limit rate 4/second accept
    # ip protocol igmp limit rate 4/second accept
    tcp dport { 22, 80, 443 accept
    log
}
traceroute terminates at 66.172.90.106 (the static ip) for 22, 80, and 443.
22 shows one line, 80 and 443 two.
I can ssh in - so 22 is open.
This is in nftables.conf ... which I thought would open 80 outbound?
chain OUTBOUND {
    type filter hook output priority filter; policy drop;
    # Allow traffic from established and related packets, drop invalid
    ct state vmap { established : accept, related : accept, invalid : drop }
    # Allow loopback
    oif "lo" accept
    # Accepted ports out (DNS / DHCP / TIME / WEB for package updates / SMTP)
    ct state new tcp dport {22, 80, 443} accept
    log prefix "DROP_output: " limit rate 3/second
}
}
I'm not seeing nf_tables modules: nf_tables_inet, nf_tables_ip, nf_tables_ip6 when I run "lsmod | grep nf_tables" as shown here https://linux-audit.com/nftables-beginners-guide-to-traffic-filtering/
I can view realupnow.com/index.html from the server but not from another computer on the same network.
I can ssh in from another computer on the same network.
I'm not getting errors (nothing in the logs and nothing when I run "nginx -t") the system just isn't connecting from the outside (other than ssh).
For whatever reason several modules necessary to nftables are missing (nf_tables_inet, nf_tables_ipv6, nf_tables_ipv4, nf_netlink, nf_chain).
After thrashing about the Internet it seems that this may be the way to restore them ...
$ git clone https://git.netfilter.org/libnftnl
$ cd libnftnl
$ sh autogen.sh
$ ./configure
$ make
$ sudo make install
The 'objects' downloaded, all 9198 of them.
I changed to libnftnl, then ran $ sh autogen.sh, but that returned an error: "autogen.sh: 3: autoreconf: not found".
So, I'm not certain as to how best to proceed ...
NOTE 1: I tried to reload libmnl and libnftnl via Synaptic but it showed them as present and I didn't see a way to re-install them.
NOTE 2: I first ran $ git clone https://git.netfilter.org/libmnl and the 'objects' downloaded - because this site said libmnl was necessary https://wiki.nftables.org/wiki-nftables … om_sources
Having a quick look from outside:
$ host www.realupnow.com
www.realupnow.com has address 66.172.90.106
But I can't tell what 66.172.90.106 is. Could that be your router's external IP address? Or the server's external IP address?
That's my WAN IP/static IP address.
EDIT 1:
So, Traceroute gets to the WAN IP, and using SSH I can log into the server 192.168.50.3.
What, specifically (I'm hoping someone has a checklist for troubleshooting), would prevent connecting via html?
EDIT 2:
I can see /var/www/html/index.html via a browser on the server http://www.realupnow.com but not my laptop, on the same network.
EDIT 3:
Looking at the Answer halfway down this page https://unix.stackexchange.com/question … -nat-table might installing and using conntrack to reset things be advised (since I'm using nftables and I've copied over some things from my prior working setup)?
I can SSH in.
Might I have a nftables problem?
I think this is supposed to show nf_tables_inet, nf_tables_ipv6, nf_tables_ipv4, nf_netlink, nf_chain ...
root@devuan1:~# lsmod | grep nf_tables
nf_tables 253952 0
libcrc32c 16384 1 nf_tables
nfnetlink 20480 1 nf_tables
root@devuan1:~#
OK. I have internal working - when I run realupnow.com I get https://realupnow.com and the default nginx welcome page displays.
If I try to force realupnow.com/index.html or info.php I get 404 Not Found
If I try from a different computer, on the same network, I get ...
Unable to connect
An error occurred during a connection to www.realupnow.com
I'll have a look at the router - I haven't changed anything on it since this was working a few weeks ago ...
In the process of some new troubleshooting I revisited this part of your previous reply.
Devuan, or something, doesn't seem to like surf ...
More recently browser developers have introduced new and interesting ways of resolving domain names, so it's possible that this won't work for you. In that case, you should install surf and trial this via the command line start:
$ surf http://realupnow.com/info.php
Unless of course, you rather enjoy some browser wrestling
Note that it's http without a trailing s.
root@devuan1:~# surf http://realupnow.com/info.php
** (surf:5562): WARNING **: 22:11:30.126: Could not open /sys/class/dmi/id/chassis_type: Failed to open file “/sys/class/dmi/id/chassis_type”: Permission denied
** (surf:5562): WARNING **: 22:11:30.126: Could not open /sys/firmware/acpi/pm_profile: Failed to open file “/sys/firmware/acpi/pm_profile”: Permission denied
** (surf:5562): WARNING **: 22:11:30.149: webkit_web_context_set_additional_plugins_directory is deprecated and does nothing. Netscape plugins are no longer supported.
** (surf:5562): WARNING **: 22:11:30.149: webkit_web_context_set_additional_plugins_directory is deprecated and does nothing. Netscape plugins are no longer supported.
(WebKitWebProcess:5576): Gtk-WARNING **: 22:11:30.291: Theme parsing error: gtk-widgets.css:1345:25: The style property GtkRange:slider-width is deprecated and shouldn't be used anymore. It will be removed in a future version
(WebKitWebProcess:5576): Gtk-WARNING **: 22:11:30.291: Theme parsing error: gtk-widgets.css:1346:25: The style property GtkRange:stepper-size is deprecated and shouldn't be used anymore. It will be removed in a future version
(WebKitWebProcess:5576): Gtk-WARNING **: 22:11:30.291: Theme parsing error: gtk-widgets.css:1347:34: The style property GtkScrollbar:min-slider-length is deprecated and shouldn't be used anymore. It will be removed in a future version
(WebKitWebProcess:5576): Gtk-WARNING **: 22:11:30.291: Theme parsing error: gtk-widgets.css:1348:28: The style property GtkRange:stepper-spacing is deprecated and shouldn't be used anymore. It will be removed in a future version
(WebKitWebProcess:5576): Gtk-WARNING **: 22:11:30.291: Theme parsing error: gtk-widgets.css:1349:34: The style property GtkRange:trough-under-steppers is deprecated and shouldn't be used anymore. It will be removed in a future version
** (WebKitWebProcess:5576): WARNING **: 22:11:30.538: Could not open /sys/class/dmi/id/chassis_type: Failed to open file “/sys/class/dmi/id/chassis_type”: Permission denied
** (WebKitWebProcess:5576): WARNING **: 22:11:30.538: Could not open /sys/firmware/acpi/pm_profile: Failed to open file “/sys/firmware/acpi/pm_profile”: Permission denied
Could not read style file: /root/.surf/styles/default.css
root@devuan1:~#
Does the absence of a url in this output mean something isn't working?
Any suggestions as to where to look?
[Context: Devuan nginx php-fpm nftables]
root@devuan1:/etc# netstat -l
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:http 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:ssh 0.0.0.0:* LISTEN
tcp 0 0 localhost:ipp 0.0.0.0:* LISTEN
tcp 0 0 localhost:smtp 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:https 0.0.0.0:* LISTEN
tcp 0 0 localhost:4101 0.0.0.0:* LISTEN
tcp6 0 0 [::]:ssh [::]:* LISTEN
tcp6 0 0 localhost:ipp [::]:* LISTEN
tcp6 0 0 localhost:smtp [::]:* LISTEN
tcp6 0 0 localhost:4101 [::]:* LISTEN
tcp6 0 0 [::]:sane-port [::]:* LISTEN
udp 0 0 0.0.0.0:631 0.0.0.0:*
udp 0 0 0.0.0.0:mdns 0.0.0.0:*
udp 0 0 0.0.0.0:42163 0.0.0.0:*
udp6 0 0 [::]:mdns [::]:*
udp6 0 0 [::]:52198 [::]:*
raw6 0 0 [::]:ipv6-icmp [::]:* 7
Anything in either of these flag a problem?
root@devuan1:/etc/nginx# sudo netstat -plutn | grep nginx
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 4991/nginx: master
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 4991/nginx: master
root@devuan1:/etc/nginx#
nftables.conf
# !/usr/sbin/nft -f
flush ruleset
# table inet filter {
#     chain input {
#         type filter hook input priority 0;
#     }
#     chain forward {
#         type filter hook forward priority 0;
#     }
#     chain output {
#         type filter hook output priority 0;
#     }
# }
table inet firewall {
    chain_inbound ipv4 {
        icmp type echo-request limit rate 5/second accept
    }
    chain inbound {
        type filter hook input priority filter; policy drop;
        ct state established,related accept
        ct state invalid drop
        iif "lo" counter packets accept
        ip protocol icmp accept
        ip6 nexthdr ipv6-icmp accept
        ip protocol igmp accept
        # iif "lo" counter packets 0 bytes 0 accept
        # ip protocol icmp limit rate 4/second accept
        # ip6 nexthdr ipv6-icmp limit rate 4/second accept
        # ip protocol igmp limit rate 4/second accept
        tcp dport { 22, 80, 443 accept
        log
    }
    chain FORWARD {
        type filter hook forward priority filter; policy drop;
    }
    chain OUTBOUND {
        type filter hook output priority filter; policy drop;
        # Allow traffic from established and related packets, drop invalid
        ct state vmap { established : accept, related : accept, invalid : drop }
        # Allow loopback
        oif "lo" accept
        # Accepted ports out (DNS / DHCP / TIME / WEB for package updates / SMTP)
        ct state new tcp dport {22, 80, 443} accept
        log prefix "DROP_output: " limit rate 3/second
    }
}
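A loadable version of the ruleset above, as an added example that is not the poster's file or anything else from the thread. The posted file cannot parse: `chain_inbound ipv4 {` is not a chain declaration, the set in `tcp dport { 22, 80, 443 accept` is never closed, and `counter packets accept` needs either plain `counter` or both `packets N bytes N`. Because `nft -f` submits the whole file as one transaction, a parse error means nothing is applied, not even the `flush ruleset`, which is consistent with `nft list ruleset` showing only the older nat table. Two further things a practitioner would change: in `log prefix "..." limit rate 3/second` the log statement runs before the limit, so every dropped packet is logged (put `limit rate` first), and an output chain with `policy drop` whose only accept is new TCP connections to 22, 80 and 443 blocks DNS and NTP from the server itself, whatever the comment above it intends. Kernel modules are not the issue: on recent kernels the separate nf_tables_ipv4/ipv6/inet modules shown in older guides were merged into nf_tables (around Linux 4.17), so an lsmod listing nf_tables, nfnetlink and libcrc32c is a complete install; and `whereis` does not search Debian's multiarch library directory, so `ldconfig -p | grep -E 'libmnl|libnftnl'` is the right presence check, with no need to build libnftnl from git. The port list, the Debian path /etc/nftables.conf and the comments are assumptions of this example.

```shell
#!/bin/sh
# Added example for this thread, not the poster's /etc/nftables.conf.
# Writes a ruleset for a host that accepts SSH/HTTP/HTTPS and itself needs
# DNS, NTP, HTTP(S) and SMTP out, pre-checks it, and loads it atomically.
# The port list and the path /etc/nftables.conf are assumptions.
set -eu

write_ruleset() {
    # $1 = file to write. nft -f submits the whole file as one transaction:
    # a parse error anywhere means nothing is applied, not even the flush.
    cat > "$1" <<'EOF'
#!/usr/sbin/nft -f
flush ruleset

table inet firewall {
    chain inbound {
        type filter hook input priority filter; policy drop;

        ct state vmap { established : accept, related : accept, invalid : drop }
        iif "lo" accept

        # ICMP is needed for path MTU discovery; only echo requests are limited.
        icmp type echo-request limit rate 5/second accept
        meta l4proto { icmp, ipv6-icmp } accept

        # Services this host offers (add "ip saddr <lan>/24" in front of 22
        # if SSH is not needed from the Internet).
        tcp dport { 22, 80, 443 } accept

        # limit first, then log: the other way round logs every packet.
        limit rate 3/second log prefix "DROP_input: "
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
    }

    chain outbound {
        type filter hook output priority filter; policy drop;

        ct state vmap { established : accept, related : accept, invalid : drop }
        oif "lo" accept
        meta l4proto { icmp, ipv6-icmp } accept

        # Connections the server opens itself: DNS, DHCP, NTP, package
        # updates over HTTP(S), SSH, mail submission. Allowing only
        # tcp 22/80/443 here breaks name resolution and time sync.
        udp dport { 53, 67, 123 } accept
        tcp dport { 22, 25, 53, 80, 443, 587 } accept

        limit rate 3/second log prefix "DROP_output: "
    }
}
EOF
}

braces_balanced() {
    # Cheap guard against the paste error in the thread (an unclosed set):
    # count { and } on non-comment lines. Returns 0 when they match.
    open=$(grep -v '^[[:space:]]*#' "$1" | tr -cd '{' | wc -c | tr -d ' ')
    close=$(grep -v '^[[:space:]]*#' "$1" | tr -cd '}' | wc -c | tr -d ' ')
    [ "$open" -eq "$close" ]
}

check_ruleset() {
    # Dry run: nft parses and evaluates the file without changing the kernel.
    # On a machine without nft, say so and move on.
    if command -v nft >/dev/null 2>&1; then
        nft -c -f "$1"
    else
        echo "nft not found; skipping dry run" >&2
    fi
}

apply_ruleset() {
    # The kernel swaps the old ruleset for the new one only if the whole
    # file is accepted, so a typo cannot leave the host half-configured.
    nft -f "$1" && nft list ruleset
}

case "${1:-}" in
    apply)
        f=${2:-/etc/nftables.conf}
        write_ruleset "$f"
        braces_balanced "$f" || { echo "unbalanced braces in $f" >&2; exit 1; }
        check_ruleset "$f"
        apply_ruleset "$f"
        ;;
esac
```

`sh firewall.sh apply` as root writes, checks and loads the file; on Devuan the sysvinit nftables script reads the same path at boot, so the ruleset survives the next power cycle.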
Checked log and found my error. Thanks
I'm not getting nginx errors and I can ping 127.0.0.1 and 192.168.50.3 from the server.
I can ping 192.168.50.3 from another computer on the same network.
I cannot ping 192.168.50.4 (for which I have a prior note that it may be the nginx internal ip)
I also can't access realupnow.com
Looking at the following is there anything obvious which I have incorrectly configured, please?
This is nginx.conf
user www-data;
error_log logs/error.log notice;
worker_processes auto;
pid /run/nginx.pid;
load_module modules/ndk_http_module.so;
load_module modules/ngx_http_lua_module.so;
# include conf.d/http;
# include conf.d/stream;
# include conf.d/exchange-enhanced;

events {
    worker_connections 768;
    # multi_accept on;
}

http {
    ##
    # Basic Settings
    ##
    sendfile on;
    tcp_nopush on;
    types_hash_max_size 2048;
    # server_tokens off;
    # server_names_hash_bucket_size 64;
    # server_name_in_redirect off;
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    ##
    # SSL Settings
    ##
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
    ssl_prefer_server_ciphers on;

    ##
    # Logging Settings
    ##
    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    ##
    # Gzip Settings
    ##
    gzip on;
    # gzip_vary on;
    # gzip_proxied any;
    # gzip_comp_level 6;
    # gzip_buffers 16 8k;
    # gzip_http_version 1.1;
    # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

    ##
    # Virtual Host Configs
    ##
    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;
}

#mail {
#   # See sample authentication script at:
#   # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#
#   # auth_http localhost/auth.php;
#   # pop3_capabilities "TOP" "USER";
#   # imap_capabilities "IMAP4rev1" "UIDPLUS";
#
#   server {
#       listen localhost:110;
#       protocol pop3;
#       proxy on;
#   }
#
#   server {
#       listen localhost:143;
#       protocol imap;
#       proxy on;
#   }
#}
EDIT: realupnow.com in sites-available updated with corrections ...
This is realupnow.com in /etc/nginx/sites-available and symlinked to sites-enabled
##
# Virtual Host configuration for realupnow.com
#
# Be sure to symlink this to ~/sites-enabled/ to enable it.
# sudo ln -s /etc/nginx/sites-available/realupnow.com /etc/nginx/sites-enabled/realupnow.com
#
server {
    listen 80;
    # root /var/www/realupnow.com;
    root /var/www/html;
    index index.php index.html index.htm index.nginx-debian.html;
    server_name realupnow.com www.realupnow.com;
    # root /var/www/html/domain.com/public_html;
    listen 443 ssl;

    location / {
        try_files $uri $uri/ =404;
    }

    # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
    }

    # RSA certificate
    ssl_certificate /etc/letsencrypt/live/realupnow.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/realupnow.com/privkey.pem;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;

    # Redirect non-https traffic to https
    if ($scheme != "https") {
        return 301 https://$host$request_uri;
    }
}
This is etc/hosts
127.0.0.1 localhost
127.0.1.1 devuan1.realupnow.com devuan1
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
/var/www/html contains two files index.nginx-debian.html and info.php
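An added example, not the poster's site file or nginx.conf: the same virtual host split into a plain-HTTP server that only redirects and an HTTPS server that serves the site, plus a small audit of two settings in the nginx.conf above that a reviewer would flag. The posted vhost listens on 80 and 443 in one block and relies on `if ($scheme != "https") { return 301 ... }`; a `return` inside `if` at server level is one of the forms nginx documents as safe, but the two-block form is the conventional one and it guarantees that the port 80 listener never reaches the PHP handler or the document root at all. In nginx.conf, `ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3` still enables TLS 1.0 and 1.1, and `server_tokens off` is commented out, so the version string goes out in every response and error page. The site name, web root, certificate paths and php7.4-fpm socket are the thread's; the conf excerpts used for the demonstration are constructed.

```shell
#!/bin/sh
# Added example for this thread, not the poster's site file or nginx.conf.
# write_vhost() produces a two-block virtual host (80 redirects, 443 serves);
# audit_nginx_conf() flags the two weak settings visible in the posted
# nginx.conf. Site name, web root, certificate paths and the php-fpm socket
# follow the thread; the conf excerpts used for the demo are constructed.
set -eu

write_vhost() {
    # $1 = output file, $2 = site name, $3 = document root.
    cat > "$1" <<EOF
server {
    listen 80;
    listen [::]:80;
    server_name $2 www.$2;
    # Plain HTTP only ever answers with a redirect: no content, no PHP.
    return 301 https://\$host\$request_uri;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name $2 www.$2;

    root $3;
    index index.php index.html index.htm;

    ssl_certificate /etc/letsencrypt/live/$2/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/$2/privkey.pem;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;

    location / {
        try_files \$uri \$uri/ =404;
    }

    # PHP goes to php-fpm over its socket (Debian's php7.4-fpm default).
    location ~ \.php\$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
    }

    # Never serve dotfiles (.git, .env, .htaccess) that end up in the root.
    location ~ /\. {
        deny all;
    }
}
EOF
}

audit_nginx_conf() {
    # $1 = contents of nginx.conf (or any included file). Prints findings and
    # returns 1 if there are any. Comments are stripped first so that the
    # posted "# server_tokens off;" does not count as set.
    conf=$(printf '%s\n' "$1" | sed 's/#.*$//')
    rc=0
    if printf '%s\n' "$conf" \
        | grep -Eq 'ssl_protocols[^;]*[[:space:]](SSLv3|TLSv1|TLSv1\.1)([[:space:]]|;)'; then
        echo "finding: ssl_protocols enables SSLv3/TLS 1.0/TLS 1.1; use TLSv1.2 TLSv1.3"
        rc=1
    fi
    if ! printf '%s\n' "$conf" | grep -Eq 'server_tokens[[:space:]]+off[[:space:]]*;'; then
        echo "finding: server_tokens off is not set; nginx version is sent in headers"
        rc=1
    fi
    return $rc
}

# Constructed excerpts in the shape of the posted nginx.conf, for the demo.
WEAK_CONF='ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
ssl_prefer_server_ciphers on;
# server_tokens off;'
HARDENED_CONF='ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
server_tokens off;'

case "${1:-}" in
    vhost) write_vhost "$2" "$3" "$4" ;;          # vhost OUTFILE NAME ROOT
    audit) audit_nginx_conf "$(cat "$2")" ;;      # audit /etc/nginx/nginx.conf
esac
```

`sh nginx-site.sh vhost /etc/nginx/sites-available/realupnow.com realupnow.com /var/www/html`, then symlink into sites-enabled and run `nginx -t` before reloading; `sh nginx-site.sh audit /etc/nginx/nginx.conf` exits non-zero while either finding is present.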
Alternatively use either
sudo service nginx restart
or
su - service nginx restart
depending on whether you have a root password or not.
OK, cool, I'm in root but
sudo service nginx restart
ran fine.
Thanks
dcolburn wrote: nginx restart
That's not what I posted
EDIT: the first salsa link shows the ExecReload line from the systemd unit file for nginx; that command is what is run when systemctl restart nginx is called.
Better to use the init script instead though, hence my suggestion in the code block.
That's me missing a detail, again ...
I was sitting at /etc/nginx/ and missed the /init.d/ .. sigh.
All good, thanks!
Onward ...
nginx restart errors
invalid option: "restart"
I'm not sure what to make of the salsa.debian.org pages ... do I need to edit something so that nginx -s reload is the same as nginx restart?
A quick question, please?
Does nginx -s reload (as root) accomplish the same thing as sudo systemctl restart nginx.service, please?
Thanks
OK, problem solved ... the modules line has been deleted and realupnow.com renamed to realupnow.com.conf and the symlink fixed (sites-available to sites-enabled).
Making progress ... will mark this one as solved (cut & paste error or something) ... will open a new thread ...
I've tried reading the nginx instructions but find gaps and a lot of emphasis on their commercial version.
Rather than post every little question here I'm trying to Search for similar problems and then try to learn from them.
I've observed, in this Forum, that people offering help often point to non-official nginx sources where they've found explanations and examples.
(At this point it would be worth it to pay someone to set this up for me, nginx, local dns, ssl, and etc & successfully serving web pages - where I was before but for the unstable RAID1 setup. Locals either don't know this stuff or can't take on any new projects.)
Meanwhile, I'll just have to keep thrashing about until I get it working, again ...