Tshark - Two types of OpenFlow FLOW_MOD packets - tcpdump

I am running an SDN controller on port #6633 and then capturing the packets going to it using tshark, which gives me the following output:
*18 0.029550379 127.0.0.1 → 127.0.0.1 OpenFlow 138 Type: OFPT_FLOW_MOD*
19 0.031562043 127.0.0.1 → 127.0.0.1 TCP 88 8984→56292 [PSH, ACK] Seq=1 Ack=86 Win=86 Len=22 TSval=7474079 TSecr=7474075
20 0.031591119 127.0.0.1 → 127.0.0.1 TCP 66 56292→8984 [ACK] Seq=86 Ack=23 Win=86 Len=0 TSval=7474079 TSecr=7474079
21 0.031786109 127.0.0.1 → 127.0.0.1 TCP 163 56292→8984 [PSH, ACK] Seq=86 Ack=23 Win=86 Len=97 TSval=7474079 TSecr=7474079
*22 0.031958834 127.0.0.1 → 127.0.0.1 OpenFlow 146 Type: OFPT_FLOW_MOD*
23 0.032035439 127.0.0.1 → 127.0.0.1 TCP 66 47418→6633 [ACK] Seq=341 Ack=169 Win=44032 Len=0 TSval=7474079 TSecr=7474079
24 0.032732179 127.0.0.1 → 127.0.0.1 TCP 88 8984→56292 [PSH, ACK] Seq=23 Ack=183 Win=86 Len=22 TSval=7474080 TSecr=7474079
25 0.038687398 36:68:ff:8e:d1:9c → Broadcast OpenFlow 126 Type: OFPT_PACKET_IN
As per my application, there should be only one flow rule installed in the switch. When I used dpctl dump-flows in mininet, it also returned only one flow rule. Now I have doubts because there are two flow mod packets.
Packets #18 and #22 are both OFPT_FLOW_MOD packets, but if you look, both packets have a different number after the OpenFlow keyword (see the third column). Could anyone explain it to me?

There's a number after every protocol, not just OpenFlow packets. Take a look at the others, for example packet #19 "TCP 88".
In all likelihood, you have a Wireshark Length column following the Protocol column, and this value is just the number of bytes in the packet. Check your Wireshark columns; tshark just uses the same ones by default.
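As an added illustration (not part of the question or the answer above), the Python below builds OpenFlow 1.0 OFPT_FLOW_MOD messages and computes the frame length tshark would report for each. It assumes the capture is OpenFlow 1.0 (the default on port 6633) over loopback, with the same 66 bytes of Ethernet, IPv4 and TCP-with-timestamps headers that the pure ACK frames in the listing show. Under that assumption, 138 − 66 = 72 is exactly a FLOW_MOD with an empty action list, and 146 − 66 = 80 is one carrying a single 8-byte output action, so the two messages differ in content as well as in size; `tshark -V` on those two frames shows the decoded action lists. The constants follow the OpenFlow 1.0 header layout; the message content itself is constructed for the example.

```python
import struct

# OpenFlow 1.0 constants (the controller listens on 6633, the OF 1.0 default port)
OFP_VERSION_10 = 0x01
OFPT_FLOW_MOD = 14
OFPAT_OUTPUT = 0
OFPFW_ALL = (1 << 22) - 1        # wildcard every match field
OFPFC_ADD = 0
OFPP_NONE = 0xFFFF
OFP_NO_BUFFER = 0xFFFFFFFF

# Assumption: loopback capture with Ethernet (14) + IPv4 (20) + TCP with
# timestamp options (32) in front of every message; the 66-byte pure ACKs in
# the capture are exactly that overhead with an empty payload.
TRANSPORT_OVERHEAD = 14 + 20 + 32


def build_flow_mod(xid, out_ports=()):
    """Build an OF 1.0 OFPT_FLOW_MOD that wildcards everything and outputs to out_ports."""
    # ofp_match is 40 bytes: 4-byte wildcards followed by the (zeroed) match fields
    match = struct.pack("!I", OFPFW_ALL) + bytes(36)
    # cookie, command, idle_timeout, hard_timeout, priority, buffer_id, out_port, flags
    fixed = struct.pack("!QHHHHIHH", 0, OFPFC_ADD, 0, 0, 0x8000, OFP_NO_BUFFER, OFPP_NONE, 0)
    # each ofp_action_output is 8 bytes: type, len, port, max_len
    actions = b"".join(struct.pack("!HHHH", OFPAT_OUTPUT, 8, p, 0xFFFF) for p in out_ports)
    body = match + fixed + actions
    header = struct.pack("!BBHI", OFP_VERSION_10, OFPT_FLOW_MOD, 8 + len(body), xid)
    return header + body


def parse_header(msg):
    """Return (version, type, length, xid) from the 8-byte OpenFlow header."""
    if len(msg) < 8:
        raise ValueError("short OpenFlow header")
    version, msg_type, length, xid = struct.unpack("!BBHI", msg[:8])
    if length != len(msg):
        raise ValueError(f"header says {length} bytes, got {len(msg)}")
    return version, msg_type, length, xid


def count_output_actions(msg):
    """Walk the action list that follows the 72-byte fixed part of an OF 1.0 FLOW_MOD."""
    version, msg_type, length, _ = parse_header(msg)
    if (version, msg_type) != (OFP_VERSION_10, OFPT_FLOW_MOD):
        raise ValueError("not an OF 1.0 FLOW_MOD")
    offset, count = 72, 0
    while offset < length:
        act_type, act_len = struct.unpack("!HH", msg[offset:offset + 4])
        if act_len < 8 or offset + act_len > length:
            raise ValueError("malformed action list")
        if act_type == OFPAT_OUTPUT:
            count += 1
        offset += act_len
    return count


def frame_length(msg):
    """What tshark's Length column shows for a frame carrying exactly this one message."""
    return TRANSPORT_OVERHEAD + len(msg)


if __name__ == "__main__":
    for ports in ((), (1,)):
        m = build_flow_mod(0x2A, ports)
        print(len(ports), "output action(s) -> frame length", frame_length(m))
```

The Length column is therefore a property of the whole frame, and two FLOW_MODs of different length simply carry different payloads; whether both end up as separate entries in the switch depends on their match and command fields, which is what dpctl dump-flows reports.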

Related

QEMU hostfwd works only for some ports

I compiled qemu-system-x86_64 on an aarch64 host, and was able to run an x86_64 guest with a command like
qemu-system-x86_64 -m 4096 -drive file=vmimage.qcow2,if=virtio \
-boot once=c,menu=on -net nic,model=virtio-net-pci \
-net user,hostfwd=tcp::8080-:80,hostfwd=tcp::22222-:22
I could ssh into the guest using
ssh -p22222 user@localhost
Meanwhile, port 80 was not forwarded successfully.
For debugging, I used nc to listen to port 80 inside the guest
nc -l 80
Then in the host, I connected to the forwarded port
nc localhost 8080
However, it was unable to connect to the guest nc.
I tried the monitor interface. When the host nc command is executed, info usernet shows the following:
(qemu) info usernet
Hub 0 (#net162):
Protocol[State] FD Source Address Port Dest. Address Port RecvQ SendQ
TCP[SYN_SENT] 33 127.0.0.1 8080 10.0.2.15 80 0 0
TCP[ESTABLISHED] 21 127.0.0.1 22222 10.0.2.15 22 0 0
TCP[HOST_FORWARD] 12 * 8080 10.0.2.15 80 0 0
TCP[HOST_FORWARD] 11 * 22222 10.0.2.15 22 0 0
...
I believe the SYN_SENT (FD 33) corresponded to the host nc command, and this matched the HOST_FORWARD line (FD 12). However, it never became ESTABLISHED. A few seconds later, nc died with "Connection reset by peer", and the FD 33 line disappeared.
If I nc localhost 22222, I can see the OpenSSH banner.
So it seems only port 22 forwarded. Any idea about the cause or how to debug?
Both host and guest had no firewall/iptables configured, and SELinux is permissive.
Thanks
Edit:
As a temporary workaround, I configured a second nic, and used port 22 of the new interface for forwarding my service. I also switched to the newer -nic option, but hostfwd still worked for port 22 only.
qemu-system-x86_64 -m 4096 -drive file=vmimage.qcow2,if=virtio \
-boot once=c,menu=on \
-nic user,model=virtio-net-pci,hostfwd=tcp::60022-:22 \
-nic user,model=virtio-net-pci,net=10.0.3.0/24,hostfwd=tcp::8080-10.0.3.15:22
To forward successfully, I also needed to:
Configure sshd to listen on port 22 of the first nic only.
Configure my service to listen on port 22 of the second nic.
Configure the second nic to use a different network. Otherwise, both nics were assigned the same IP (10.0.2.15). I may better hardcode the IP for both nics.
The problem was actually the firewall. My VM (based on Oracle Linux 8.5 from the Oracle Linux VM Templates) actually had firewall rules in both iptables and nft. After disabling both iptables and nft, the port forward worked.
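Added example (not part of the question above, and not QEMU's code): a Python reader for the monitor's `info usernet` table that pairs each HOST_FORWARD rule with the guest-side connections opened through it and reports whether the forward is working, stalled, or unused. A forward whose only connections sit in SYN_SENT means the SYN reached the user-mode network stack and was forwarded, but the guest never completed the handshake, which is what the table above looked like while the guest firewall was dropping port 80. The sample table is constructed in the shape of the one in the question.

```python
import re

# Constructed sample in the shape of the `info usernet` table from the question
SAMPLE_USERNET = """\
Hub 0 (#net162):
Protocol[State] FD Source Address Port Dest. Address Port RecvQ SendQ
TCP[SYN_SENT] 33 127.0.0.1 8080 10.0.2.15 80 0 0
TCP[ESTABLISHED] 21 127.0.0.1 22222 10.0.2.15 22 0 0
TCP[HOST_FORWARD] 12 * 8080 10.0.2.15 80 0 0
TCP[HOST_FORWARD] 11 * 22222 10.0.2.15 22 0 0
"""

# One data row: PROTO[STATE] fd src sport dst dport recvq sendq
ROW = re.compile(
    r"^(?P<proto>[A-Z]+)\[(?P<state>[A-Z_]+)\]\s+(?P<fd>\d+)\s+"
    r"(?P<src>\S+)\s+(?P<sport>\d+)\s+(?P<dst>\S+)\s+(?P<dport>\d+)\s+"
    r"(?P<recvq>\d+)\s+(?P<sendq>\d+)$"
)


def parse_usernet(text):
    """Turn the `info usernet` table into a list of dicts, skipping the hub and header lines."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            row = m.groupdict()
            for key in ("fd", "sport", "dport", "recvq", "sendq"):
                row[key] = int(row[key])
            rows.append(row)
    return rows


def forward_status(rows):
    """Map each HOST_FORWARD rule ("tcp:8080->10.0.2.15:80") to 'idle', 'working' or 'stalled'.

    'working': at least one connection through the forward is ESTABLISHED.
    'stalled': connections exist but none got past SYN_SENT, i.e. the forward itself
               works and the guest is not answering (nothing listening, or a guest
               firewall dropping the SYN).
    'idle':    nothing has used the forward yet.
    """
    forwards = [r for r in rows if r["state"] == "HOST_FORWARD"]
    conns = [r for r in rows if r["state"] != "HOST_FORWARD"]
    status = {}
    for f in forwards:
        key = f"{f['proto'].lower()}:{f['sport']}->{f['dst']}:{f['dport']}"
        through = [
            c for c in conns
            if (c["proto"], c["sport"], c["dst"], c["dport"])
            == (f["proto"], f["sport"], f["dst"], f["dport"])
        ]
        if not through:
            status[key] = "idle"
        elif any(c["state"] == "ESTABLISHED" for c in through):
            status[key] = "working"
        else:
            status[key] = "stalled"
    return status


if __name__ == "__main__":
    for rule, verdict in forward_status(parse_usernet(SAMPLE_USERNET)).items():
        print(rule, verdict)
```

A stalled forward points the investigation at the guest (listening socket, iptables and nft rules), not at the hostfwd syntax, which is where the problem in this question turned out to be.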

Redhat codeready container deployment throwing error query DNS from host: Invalid IP for foo.apps-crc.testing

I am trying to install Red Hat OpenShift using CRC, following this doc https://computingforgeeks.com/setup-local-openshift-cluster-with-codeready-containers/. But while starting the container it gives the exception below:
[crc@openshift ~]$ crc start
INFO Checking if oc binary is cached
INFO Checking if podman remote binary is cached
INFO Checking if goodhosts binary is cached
INFO Checking minimum RAM requirements
INFO Checking if running as non-root
INFO Checking if Virtualization is enabled
INFO Checking if KVM is enabled
INFO Checking if libvirt is installed
INFO Checking if user is part of libvirt group
INFO Checking if libvirt daemon is running
INFO Checking if a supported libvirt version is installed
INFO Checking if crc-driver-libvirt is installed
INFO Checking if libvirt 'crc' network is available
INFO Checking if libvirt 'crc' network is active
INFO Checking if NetworkManager is installed
INFO Checking if NetworkManager service is running
INFO Checking if /etc/NetworkManager/conf.d/crc-nm-dnsmasq.conf exists
INFO Checking if /etc/NetworkManager/dnsmasq.d/crc.conf exists
INFO Starting CodeReady Containers VM for OpenShift 4.5.9...
INFO CodeReady Containers VM is running
INFO Starting network time synchronization in CodeReady Containers VM
INFO Verifying validity of the cluster certificates ...
INFO Adding 8.8.8.8 as nameserver to the instance ...
INFO Check internal and public DNS query ...
INFO Check DNS query from host ...
WARN foo.apps-crc.testing resolved to [127.0.0.1] but 192.168.130.11 was expected
ERRO Failed to query DNS from host: Invalid IP for foo.apps-crc.testing
Failed to query DNS from host: Invalid IP for foo.apps-crc.testing
The OS I am using is RHEL 8. I am not getting why it is giving the above error. If I run host -R 3 foo.apps-crc.testing I get the response below:
[crc@openshift ~]$ host -R 3 foo.apps-crc.testing
foo.apps-crc.testing has address 127.0.0.1
/etc/resolv.conf:
# Generated by NetworkManager
search 8.8.4.4
nameserver 127.0.0.1
.
[crc@openshift ~]$ ping foo.apps-crc.testing
PING foo.apps-crc.testing (127.0.0.1) 56(84) bytes of data.
64 bytes from localhost (127.0.0.1): icmp_seq=1 ttl=64 time=0.036 ms
64 bytes from localhost (127.0.0.1): icmp_seq=2 ttl=64 time=0.050 ms
64 bytes from localhost (127.0.0.1): icmp_seq=3 ttl=64 time=0.066 ms
64 bytes from localhost (127.0.0.1): icmp_seq=4 ttl=64 time=0.062 ms
64 bytes from localhost (127.0.0.1): icmp_seq=5 ttl=64 time=0.066 ms
64 bytes from localhost (127.0.0.1): icmp_seq=6 ttl=64 time=0.068 ms
64 bytes from localhost (127.0.0.1): icmp_seq=7 ttl=64 time=0.051 ms
64 bytes from localhost (127.0.0.1): icmp_seq=8 ttl=64 time=0.054 ms
64 bytes from localhost (127.0.0.1): icmp_seq=9 ttl=64 time=0.053 ms

How to setup postfix on gcloud?

I am trying to set up a multiple-domain mail server on a gcloud instance, following this tutorial https://vorkbaard.nl/installing-a-mailserver-on-debian-8-part-3-mta-postfix/ . I modified /etc/postfix/master.cf:
smtp inet n - y - - smtpd
to
597 inet n - y - - smtpd
When I telnet domain 597 I successfully get a connection, but trying to send an email from mailx or from the telnet client I get an error as if postfix still used port 25:
Aug 24 19:26:08 localhost postfix/smtp[1404]: connect to alt2.gmail-smtp-in.l.google.com[2607:f8b0:400c:c0f::1b]:25: Network is unreachable
So where do I need to change the port so that postfix works on a Google Compute instance? Telnet from outside the Google network works ok!
thanks!
[edit]
After more debugging and testing: sending an email to the same address both sends and receives, from Roundcube and from Thunderbird, so I think the problem is the outside traffic on port 25, and I don't know why postfix uses port 25 if the master.cf smtp port is set to 597
mail.log debug sending from roundcube
Aug 25 00:58:59 localhost dovecot: imap(sender@domain.com): Debug: maildir++: root=/var/mail/vmail/inova.cloud/info, index=, indexpvt=, control=, inbox=/var/mail/vmail/inova.cloud/info, alt=
Aug 25 00:58:59 localhost dovecot: imap(sender@domain.com): Logged out in=50 out=511
Aug 25 00:59:22 localhost postfix/qmgr[952]: 494C582008: from=<sender@domain.com>, size=524, nrcpt=1 (queue active)
Aug 25 00:59:22 localhost postfix/qmgr[952]: 4F95180D0A: from=<nano@server.c.majestic-lodge-173213.internal>, size=461, nrcpt=1 (queue active)
Aug 25 00:59:22 localhost postfix/error[1435]: 494C582008: to=<destination@domain>, relay=none, delay=4617, delays=4617/0.06/0/0.01, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect t$
Aug 25 00:59:22 localhost postfix/error[1436]: 4F95180D0A: to=<destination@domain>, relay=none, delay=80226, delays=80226/0.03/0/0.01, dsn=4.4.1, status=deferred (delivery temporarily suspended: connect$
Aug 25 00:59:59 localhost dovecot: imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
Aug 25 00:59:59 localhost dovecot: imap-login: Debug: SSL: elliptic curve secp384r1 will be used for ECDH and ECDHE key exchanges
Aug 25 00:59:59 localhost dovecot: auth: Debug: auth client connected (pid=1442)
Aug 25 00:59:59 localhost dovecot: auth: Debug: client in: AUTH#0111#011PLAIN#011service=imap#011secured#011session=0wbZdolXxJkAAAAAAAAAAAAAAAAAAAAB#011lip=::1#011rip=::1#011lport=143#011rport=39364#011resp=AGl$
Aug 25 00:59:59 localhost dovecot: auth-worker(1430): Debug: sql(sender@domain.com,::1,<0wbZdolXxJkAAAAAAAAAAAAAAAAAAAAB>): query: SELECT email as username, pwd AS password FROM addresses WHERE email = 'info@$
Aug 25 00:59:59 localhost dovecot: auth: Debug: client passdb out: OK#0111#011user=sender@domain.com
Aug 25 00:59:59 localhost dovecot: auth: Debug: master in: REQUEST#0112225078273#0111442#0111#0117898818d71c58f150c8d4f75bb936fb5#011session_pid=1443#011request_auth_token
Aug 25 00:59:59 localhost dovecot: auth-worker(1430): Debug: sql(sender@domain.com,::1,<0wbZdolXxJkAAAAAAAAAAAAAAAAAAAAB>): SELECT 5000 AS uid, 5000 as gid, email, '/var/mail/vmail/domain/info' AS home FROM$
Aug 25 00:59:59 localhost dovecot: auth: Debug: master userdb out: USER#0112225078273#011sender@domain.com#011uid=5000#011gid=5000#011email=sender@domain.com#011home=/var/mail/vmail/domain/info#011auth_token$
Aug 25 00:59:59 localhost dovecot: imap-login: Login: user=<sender@domain.com>, method=PLAIN, rip=::1, lip=::1, mpid=1443, secured, session=<0wbZdolXxJkAAAAAAAAAAAAAAAAAAAAB>
Aug 25 00:59:59 localhost dovecot: imap(sender@domain.com): Debug: Added userdb setting: plugin/email=sender@domain.com
Aug 25 00:59:59 localhost dovecot: imap(sender@domain.com): Debug: Effective uid=5000, gid=5000, home=/var/mail/vmail/inova.cloud/info
Aug 25 00:59:59 localhost dovecot: imap(sender@domain.com): Debug: Namespace inbox: type=private, prefix=, sep=, inbox=yes, hidden=no, list=yes, subscriptions=yes location=maildir:/var/mail/vmail/domain/info
Aug 25 00:59:59 localhost dovecot: imap(sender@domain.com): Debug: maildir++: root=/var/mail/vmail/domain/info, index=, indexpvt=, control=, inbox=/var/mail/vmail/domain/info, alt=
Aug 25 00:59:59 localhost dovecot: imap(sender@domain.com): Logged out in=50 out=511
Email from outside is not received.
Two important facts:
GCE blocks outbound email on port 25, 465 and 587 (except for port 465 or 587 to Google Apps relay only).
If you are not using a relay, you cannot choose the outbound port. This is because you must connect to whichever port your destination is listening on, which will be a standard (blocked) port.
As a result you must use an email relay, which you are not by the sound of it. At the bottom of the page I linked above are some options for email relays you can use. They all include postfix options.
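An added example (not the answer author's code, nor Postfix's) in Python that makes the answer's point mechanical: the `597 inet ... smtpd` entry in master.cf only changes where smtpd listens, while the outbound port comes from the relayhost setting in main.cf, or is 25 to the recipient's MX when relayhost is empty. parse_relayhost() follows Postfix's relayhost syntax (brackets suppress the MX lookup, an optional :port or :service name overrides 25), and diagnose_log_line() picks the destination port out of a "connect to ..." log line like the one in the question and flags whether it falls in the port set the answer says GCE blocks for outbound connections. The relay hostname used in the usage is a placeholder.

```python
import re

# Outbound ports the answer says GCE blocks from an instance (465/587 are allowed
# only towards the Google Apps relay, so membership here is a warning, not a verdict).
GCE_BLOCKED_OUTBOUND = {25, 465, 587}
SERVICE_PORTS = {"smtp": 25, "submission": 587, "smtps": 465}

# Constructed copy of the log line shape from the question
SAMPLE_LOG = ("Aug 24 19:26:08 localhost postfix/smtp[1404]: connect to "
              "alt2.gmail-smtp-in.l.google.com[2607:f8b0:400c:c0f::1b]:25: Network is unreachable")

RELAYHOST = re.compile(r"(\[(?P<bracketed>[^\]]+)\]|(?P<plain>[^\[\]:]+))(?::(?P<port>\w+))?")
LOG_CONNECT = re.compile(r"connect to (?P<host>\S+?)\[(?P<ip>[^\]]+)\]:(?P<port>\d+): (?P<err>.+)$")


def parse_relayhost(value):
    """Interpret a main.cf relayhost value as (host, port, mx_lookup).

    Empty value: Postfix delivers straight to each recipient domain's MX on port 25,
    so the outbound port is not a local choice at all.
    [host] brackets: connect to that host itself, skipping the MX lookup.
    :port or :service overrides the default of 25.
    """
    value = value.strip()
    if not value:
        return (None, 25, True)
    m = RELAYHOST.fullmatch(value)
    if not m:
        raise ValueError(f"unparseable relayhost: {value!r}")
    host = m.group("bracketed") or m.group("plain")
    port_s = m.group("port")
    if port_s is None:
        port = 25
    elif port_s.isdigit():
        port = int(port_s)
    else:
        port = SERVICE_PORTS[port_s]
    return (host, port, m.group("bracketed") is None)


def diagnose_log_line(line):
    """Extract host/ip/port/error from a postfix/smtp 'connect to' failure, or None."""
    m = LOG_CONNECT.search(line)
    if not m:
        return None
    port = int(m.group("port"))
    return {
        "host": m.group("host"),
        "ip": m.group("ip"),
        "port": port,
        "error": m.group("err"),
        "in_gce_blocked_set": port in GCE_BLOCKED_OUTBOUND,
    }


if __name__ == "__main__":
    print(diagnose_log_line(SAMPLE_LOG))
    # placeholder relay: with this in main.cf, outbound traffic goes to port 587 on the relay
    print(parse_relayhost("[relay.example.com]:587"))
    print(parse_relayhost(""))   # no relay: MX lookup, port 25, exactly what the log shows
```

Reading the question's log line through diagnose_log_line() gives port 25 to a Gmail MX, which is the direct-delivery path; only a non-empty relayhost changes that destination.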

Can't connect to port 25 on Google Compute instance (incoming SMTP)

I am running postfix on a Google Compute instance. It is listening on 0.0.0.0:25, and I have opened port 25 on the firewall, but I cannot connect to it from the outside. I have reviewed this and this, but they do not resolve my issue. I don't see anything in the Google Compute documentation that would explain this.
The port is open on the firewall:
% gcutil --project=XXX getfirewall smtp
+---------------+-------------------------------+
| name | smtp |
| description | Incoming smtp allowed. |
| creation-time | 2014-06-08T13:29:16.052-07:00 |
| network | default |
| source-ips | 0.0.0.0/0 |
| source-tags | |
| target-tags | |
| allowed | tcp: 25 |
+---------------+-------------------------------+
From the outside, I can connect to port 80 (which is also open)...
% telnet 108.XXX.XXX.XXX 80
Trying 108.XXX.XXX.XXX...
Connected to 108.XXX.XXX.XXX.
Escape character is '^]'.
GET /
<!DOCTYPE html>
<html ...>
...
</html>Connection closed by foreign host.
...but not to port 25:
% telnet 108.XXX.XXX.XXX 25
Trying 108.XXX.XXX.XXX...
telnet: connect to address 108.XXX.XXX.XXX: Operation timed out
telnet: Unable to connect to remote host
postfix is listening on all interfaces:
% gcutil --project=XXX ssh --zone=us-central1-a XXX sudo netstat -lpn -A inet
...
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
...
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN 10794/master
...
I can look up the "external" address...
% gcutil --project=XXX ssh --zone=us-central1-a XXX /sbin/ifconfig eth0
...
eth0 Link encap:Ethernet HWaddr 42:01:0a:XX:XX:XX
inet addr:10.XXX.XXX.XXX Bcast:10.XXX.XXX.XXX Mask:255.255.255.255
UP BROADCAST RUNNING MULTICAST MTU:1460 Metric:1
RX packets:46397953 errors:0 dropped:0 overruns:0 frame:2
TX packets:34953374 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:5031906871 (4.6 GiB) TX bytes:49375287245 (45.9 GiB)
...and telnet to port 25 on it from the box:
% gcutil --project=XXX ssh --zone=us-central1-a XXX telnet 10.XXX.XXX.XXX 25
...
Trying 10.XXX.XXX.XXX...
Connected to 10.XXX.XXX.XXX.
Escape character is '^]'.
220 XXX ESMTP Postfix (Debian/GNU)
EHLO localhost
250-XXX
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
QUIT
221 2.0.0 Bye
Connection closed by foreign host.
Any assistance is greatly appreciated.
As @GregHewgill and @complistic pointed out in their respective comments, it is my ISP (or an intermediary) who was not routing traffic for port 25. I have been unable to connect to any port 25 outside of my immediate LAN. It is somewhat embarrassing that I have never noticed this before.
Hopefully anyone with a similar issue can find this question (and answer) before spinning their wheels in ignorance like I did.
Thanks all for your help!
Take a look at this link Blocked traffic where it says that Google blocks or restricts traffic through all of the following ports/protocols between the Internet and virtual machines on specified ports.
Hope this helps.
Mary
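Added example (not from the question or either answer): a Python probe that reports the same distinction the telnet runs above show ("open" on port 80, "timeout" on port 25, and "refused" when a host answers but nothing listens), plus a helper that infers from a set of probe results whether a port-25 block sits on the client's own side (every port-25 target times out while other ports on the same hosts connect) or only in front of one target. The hostnames in the sample results are constructed placeholders; the sample reproduces the pattern the asker saw.

```python
import socket

# Constructed results in the pattern from the question: port 80 on the instance opens,
# port 25 on it times out, and port 25 on an unrelated mail host times out as well.
SAMPLE_RESULTS = {
    ("gce-instance.example", 80): "open",
    ("gce-instance.example", 25): "timeout",
    ("other-mail-host.example", 25): "timeout",
}


def probe_tcp(host, port, timeout=3.0):
    """Classify one TCP connect: 'open', 'refused' (RST), 'timeout' (filtered) or 'unreachable'."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except socket.timeout:
        return "timeout"          # no SYN-ACK and no RST: something is silently dropping packets
    except ConnectionRefusedError:
        return "refused"          # the host is reachable, nothing listens on that port
    except OSError:
        return "unreachable"      # no route, DNS failure, etc.
    finally:
        s.close()


def locate_block(results, port=25):
    """Decide from {(host, port): verdict} where a block on `port` most likely lives.

    If every target on `port` is filtered (timeout/unreachable) but other ports on the
    same hosts open, the drop is on the client's own path (ISP, local firewall).
    If some targets open on `port` and others do not, the block is in front of the
    failing targets (their provider or host firewall).
    """
    on_port = {h: v for (h, p), v in results.items() if p == port}
    other_ports_open = any(p != port and v == "open" for (h, p), v in results.items())
    if not on_port:
        return "no data"
    if all(v == "open" for v in on_port.values()):
        return "no block"
    failing = sorted(h for h, v in on_port.items() if v != "open")
    if len(failing) == len(on_port):
        if other_ports_open:
            return "client-side egress block"
        return "no connectivity at all"
    return "block in front of: " + ", ".join(failing)


def start_local_listener():
    """Open a listening socket on an ephemeral loopback port; returns (socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    print(locate_block(SAMPLE_RESULTS))
    srv, port = start_local_listener()
    print("local listener:", probe_tcp("127.0.0.1", port, 1.0))
    srv.close()
    print("after closing it:", probe_tcp("127.0.0.1", port, 1.0))
```

Running the probe from a second vantage point (a host on another network) before touching the server's configuration is what separates "my uplink drops port 25" from "the instance firewall is wrong"; the answer above is the first case.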

openssl client SMTP with gmail port 587, no response (250 OK) from after <crlf>.<crlf>

I've been trying to use openssl to establish a connection with smtp.gmail.com on port 587 or 465 with:
openssl s_client -host smtp.gmail.com -port 587 -starttls smtp
and the authentication, mail from, rcpt to, and data were all successful. But my problem is, after I write . on a new line, there is no 250 OK response from the server.
Here is the process:
CONNECTED(00000003)
depth=1 /C=US/O=Google Inc/CN=Google Internet Authority
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=smtp.gmail.com
i:/C=US/O=Google Inc/CN=Google Internet Authority
1 s:/C=US/O=Google Inc/CN=Google Internet Authority
i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
(certification)
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=smtp.gmail.com
issuer=/C=US/O=Google Inc/CN=Google Internet Authority
---
No client certificate CA names sent
---
SSL handshake has read 1910 bytes and written 338 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : RC4-MD5
Session-ID: 28E597C0025A93C82AD4A7C517F699B37D106D760597467B522C1041F1BC17C8
Session-ID-ctx:
Master-Key: 1CC83A8A4B7864DF9BBD9E9742B4E5A5937941EB2A28B88A1D4214920B77AC976D3ADC2DA7B60CF8BD6BC2B0712A42A2
Key-Arg : None
Start Time: 1296911515
Timeout : 300 (sec)
Verify return code: 20 (unable to get local issuer certificate)
---
250 ENHANCEDSTATUSCODES
ehlo
250-mx.google.com at your service, [121.94.150.147]
250-SIZE 35651584
250-8BITMIME
250-AUTH LOGIN PLAIN XOAUTH
250 ENHANCEDSTATUSCODES
auth login
334 VXNlcm5hbWU6
<my email>
334 UGFzc3dvcmQ6
<my password>
235 2.7.0 Accepted
mail from:<email>
250 2.1.0 OK t14sm1471936icd.10
rcpt to:<email>
250 2.1.5 OK t14sm1471936icd.10
data
from: someone <email>
354 Go ahead t14sm1471936icd.10
to : someone <email>
subject: test
test
test2
.
451 4.4.2 Timeout - closing connection. t14sm1471936icd.10
read:errno=0
I am using cygwin on win7 32-bit.
I've been searching for all of the possible keywords on google but no solution comes out.
PLEASE HELP!
Maybe add the '-crlf' option to the command line:
openssl s_client -host smtp.gmail.com -port 587 -starttls smtp -crlf
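Added example (not part of the question or the answer, and not OpenSSL's code) in Python showing why `-crlf` matters: SMTP ends the DATA body with the five-byte sequence <CRLF>.<CRLF>, and a cygwin terminal feeds s_client bare LF line endings, so the server keeps waiting for the terminator until its own timer expires (the "451 4.4.2 Timeout" above). encode_data() does what `-crlf` plus a proper client do (LF to CRLF, dot-stuffing, terminator), and decode_data() is the server-side scan, which only accepts the CRLF form.

```python
CRLF = b"\r\n"
END_OF_DATA = b"\r\n.\r\n"          # RFC 5321: a line holding a single "." ends the body

# Constructed copy of what the asker typed after "354 Go ahead", with bare LF endings
TYPED_WITHOUT_CRLF = b"test\ntest2\n.\n"


def to_crlf(data):
    """Normalise line endings to CRLF (what `openssl s_client -crlf` does to terminal input)."""
    return data.replace(CRLF, b"\n").replace(b"\n", CRLF)


def encode_data(body):
    """Client side: CRLF endings, dot-stuff lines that start with '.', append the terminator."""
    lines = to_crlf(body).split(CRLF)
    if lines and lines[-1] == b"":            # body ended with a line break
        lines.pop()
    stuffed = [b"." + ln if ln.startswith(b".") else ln for ln in lines]
    return CRLF.join(stuffed) + (CRLF if stuffed else b"") + b".\r\n"


def find_end_of_data(stream):
    """Offset of the terminating '.' line, or None if <CRLF>.<CRLF> has not arrived yet."""
    # The DATA command's own CRLF precedes the body, so a "." on the very first line counts.
    idx = (CRLF + stream).find(END_OF_DATA)
    return None if idx == -1 else idx         # index in the prefixed buffer == index of "." in stream


def decode_data(stream):
    """Server side: return (unstuffed body, remaining bytes) or None while the body is incomplete."""
    end = find_end_of_data(stream)
    if end is None:
        return None
    body, rest = stream[:end], stream[end + 3:]
    lines = [ln[1:] if ln.startswith(b"..") else ln for ln in body.split(CRLF)]
    return CRLF.join(lines), rest


if __name__ == "__main__":
    print("bare LF, terminator seen:", find_end_of_data(TYPED_WITHOUT_CRLF) is not None)
    print("after -crlf, terminator seen:", find_end_of_data(to_crlf(TYPED_WITHOUT_CRLF)) is not None)
    print(decode_data(encode_data(b"line\n.hidden\n") + b"QUIT\r\n"))
```

The same LF-versus-CRLF mismatch explains why the earlier commands still worked: most servers tolerate a bare LF as a command terminator, but the end-of-data marker is matched byte for byte.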