server config displays wrong info

Discussion in 'Installation/Configuration' started by chief, Aug 16, 2016.

  1. chief

    chief Member

    Hi,
    My customers have reported that 1 server cannot email another server - both are ISPConfig 3.05.4p8 and Debian jessie.
    I ran ifconfig and have the correct IP info and gateway displayed here; I can ping the other server, but email won't connect to it from both ends.
    I tailed the mail.log and see that the email is "network unreachable". I then log in to ISPConfig admin and go to system-server config and see this:
    IP 127.0.0.1 - netmask 255.255.255.0 - gateway 0.0.0.0 nameserver 8.8.8.8.8.8.4.4.
    on 1 server and the other is:
    using a local IP address, which is also wrong. This info was updated months ago, but updated in /etc/network/interfaces and not in admin.
    Is it OK for me to update this info to the correct info, save and reboot?
     
  2. chief

    chief Member

    I have updated to the correct IP, Netmask, gateway and DNS.
    Still getting network unreachable.
     
  3. Jesse Norell

    Jesse Norell Active Member

    The interface/ip info on that page is not used at all unless you enable the 'Network configuration' checkbox at the top, and as the message says, 'The network configuration option is only available for Debian and Ubuntu Servers. Do not enable this option if your network interface is not eth0.' If you edited /etc/network/interfaces directly, you don't need to do anything with the Server Config settings for that.

    Try logging in to each server and run 'ifconfig' and 'route -n' .. assuming those servers are both on the same local network, check especially that your netmasks are correct.
     
  4. Jesse Norell

    Jesse Norell Active Member

    You might have port 25 closed in your firewall; can anything else on the internet connect to that mail server?
     
  5. chief

    chief Member

    Thanks for the reply.
    OK, thanks for the clarification on the first point.
    I have had both interfaces open in front of me and both display the same subnet, gateway and nameservers.
    Both have different IPs; they are Internet-facing with live IPs.
    There is no firewall other than what ISPConfig ships with. External hosts have no problem sending email and I have no problems with receiving.
    But both machines cannot connect with ssh, telnet etc., giving 'network unreachable'. But I can ping. Very odd.
     
  6. Jesse Norell

    Jesse Norell Active Member

    what do your iptables rules look like on both servers?
     
  7. chief

    chief Member

    1 server is:
    -P INPUT ACCEPT
    -P FORWARD ACCEPT
    -P OUTPUT ACCEPT
    -N fail2ban-dovecot-pop3imap
    -N fail2ban-postfix-sasl
    -N fail2ban-pureftpd
    -N fail2ban-ssh
    -A INPUT -p tcp -m multiport --dports 25 -j fail2ban-postfix-sasl
    -A INPUT -p tcp -m multiport --dports 110,995,143,993 -j fail2ban-dovecot-pop3imap
    -A INPUT -p tcp -m multiport --dports 21 -j fail2ban-pureftpd
    -A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
    -A fail2ban-dovecot-pop3imap -j RETURN
    -A fail2ban-postfix-sasl -j RETURN
    -A fail2ban-pureftpd -j RETURN
    -A fail2ban-ssh -s 116.31.116.49/32 -j REJECT --reject-with icmp-port-unreachable
    -A fail2ban-ssh -j RETURN
    2 server is:
    -P INPUT ACCEPT
    -P FORWARD ACCEPT
    -P OUTPUT ACCEPT
    -N fail2ban-dovecot-pop3imap
    -N fail2ban-postfix-sasl
    -N fail2ban-pureftpd
    -N fail2ban-ssh
    -A INPUT -p tcp -m multiport --dports 25 -j fail2ban-postfix-sasl
    -A INPUT -p tcp -m multiport --dports 110,995,143,993 -j fail2ban-dovecot-pop3imap
    -A INPUT -p tcp -m multiport --dports 21 -j fail2ban-pureftpd
    -A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
    -A fail2ban-dovecot-pop3imap -j RETURN
    -A fail2ban-postfix-sasl -j RETURN
    -A fail2ban-pureftpd -j RETURN
    -A fail2ban-ssh -s 116.31.116.49/32 -j REJECT --reject-with icmp-port-unreachable
    -A fail2ban-ssh -j RETURN
     
  8. Jesse Norell

    Jesse Norell Active Member

    quick interpretation: you have no firewall rules, only hooks for fail2ban (which currently has a single host 116.31.116.49 blocked for ssh service).

    Can you paste the output of 'ifconfig -a' and 'route -n'? And are these physical or virtual servers?
     
  9. chief

    chief Member

    server 2
    ifconfig -a:
    eth0 Link encap:Ethernet HWaddr 00:1d:09:64:04:d5
    inet addr:79.77.184.118 Bcast:79.77.184.119 Mask:255.255.255.252
    inet6 addr: fe80::21d:9ff:fe64:4d5/64 Scope:Link
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:73793 errors:0 dropped:1 overruns:0 frame:0
    TX packets:78273 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:1000
    RX bytes:14153987 (13.4 MiB) TX bytes:49880843 (47.5 MiB)

    lo Link encap:Local Loopback
    inet addr:127.0.0.1 Mask:255.0.0.0
    inet6 addr: ::1/128 Scope:Host
    UP LOOPBACK RUNNING MTU:65536 Metric:1
    RX packets:63483 errors:0 dropped:0 overruns:0 frame:0
    TX packets:63483 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:0
    RX bytes:13393006 (12.7 MiB) TX bytes:13393006 (12.7 MiB)

    route -n
    Kernel IP routing table
    Destination Gateway Genmask Flags Metric Ref Use Iface
    0.0.0.0 79.77.184.117 0.0.0.0 UG 0 0 0 eth0
    79.77.184.116 0.0.0.0 255.255.255.252 U 0 0 0 eth0


    server 1:
    eth0 Link encap:Ethernet HWaddr c8:60:00:de:f6:cb
    inet addr:79.77.184.116 Bcast:79.77.184.119 Mask:255.255.255.252
    inet6 addr: fe80::ca60:ff:fede:f6cb/64 Scope:Link
    UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
    RX packets:97968 errors:0 dropped:1 overruns:0 frame:0
    TX packets:110367 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:1000
    RX bytes:41705895 (39.7 MiB) TX bytes:124142966 (118.3 MiB)
    Interrupt:20 Memory:f7f00000-f7f20000

    lo Link encap:Local Loopback
    inet addr:127.0.0.1 Mask:255.0.0.0
    inet6 addr: ::1/128 Scope:Host
    UP LOOPBACK RUNNING MTU:65536 Metric:1
    RX packets:18061 errors:0 dropped:0 overruns:0 frame:0
    TX packets:18061 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:0
    RX bytes:102244866 (97.5 MiB) TX bytes:102244866 (97.5 MiB)

    Kernel IP routing table
    Destination Gateway Genmask Flags Metric Ref Use Iface
    0.0.0.0 79.77.184.117 0.0.0.0 UG 0 0 0 eth0
    79.77.184.116 0.0.0.0 255.255.255.252 U 0 0 0 eth0


    I see the routes are wrong; I assume this is the fault.
     
  10. chief

    chief Member

    physical servers
     
  11. Jesse Norell

    Jesse Norell Active Member

    Your netmask is probably wrong; you can't use .116 on a /30 subnet (normally .. you can do funny stuff to eke some life out of those, but I wouldn't mess with it if you can avoid it). I.e. 79.77.184.116/30 affords the use of 2 IP addresses, .117 and .118, which normally will be your server's address and its gateway. Or if the subnet is correct, you should likely have a different IP address and gateway on the .116 machine. Verify with your colocation provider/ISP/whomever assigned the addrs.
     
  12. chief

    chief Member

    my isp state that i have 116-119. my modem is 117
     
  13. chief

    chief Member

    I have run my netmask through a calculator and it says 116-119, so it looks OK.
    But I am grateful for anything I am overlooking or missing.
     
  14. Jesse Norell

    Jesse Norell Active Member

    As above, .116/30 gives you 2 usable ip addresses. The .116 address is the network address, and .119 is the broadcast address, don't use those for hosts. If your modem is .117, you only have a single .118 you can use.

    If the netmask is different (eg. 255.255.255.248) you could use the .116 address. Eg. you can see this at http://www.aboutmyip.com/AboutMyXApp/SubnetCalculator.jsp?ipAddress=79.77.184.116&cidr=30 .. change the cidr to /29 and .116 will be found between the first and last host addrs.

    If the ISP is sure you should have 4 addrs, maybe your modem shouldn't be in a routing mode, but bridging to them? (and again, the netmask would then be different) If not, and they're routing you a /30 and expecting you to use all four ip addresses "if you want to," you're going to have to use the aforementioned 'funny stuff' :) and I don't have a lot of hands-on experience with that. You'd probably have to start by seeing what your modem can do, and ask the ISP if they know of any solution that your particular modem could work with (pppoe to your servers? yuck...). And maybe complain that doing normal ip subnetting is much easier.
     
  15. chief

    chief Member

    When I spoke with them after ordering the IPs they stated that all of them are usable.
    I will contact them in the morning to confirm with them; originally they didn't sound too sure, as I did ask if I could use all or just 2, and they said I have 5 usable.
    Then if that is the case, they gave me the wrong subnet to use. I will post the response tomorrow.
     
  16. Jesse Norell

    Jesse Norell Active Member

    If they gave you a /29 you have 6 usable ip addrs, but say one is for your modem, then you have 5 for server use. That would make sense. If that's the case, you can use .113-.118, with .117 being your modem (gateway for all your hosts). If you're adventurous and don't want to wait, set your netmask to 255.255.255.248 on everything (servers and modem) and see if everything works. :)
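
Added example, not part of the original thread: the /30 versus /29 arithmetic from the replies above, checked with Python's standard `ipaddress` module against the addresses in the posted ifconfig output. The function names and the `CONFIGURED` table are this example's own.

```python
import ipaddress

# Addresses taken from the ifconfig/route output posted in the thread.
CONFIGURED = {
    "server 1": "79.77.184.116",
    "server 2": "79.77.184.118",
    "gateway (modem)": "79.77.184.117",
}


def role_in_subnet(addr, netmask):
    """Return (network, role); role is 'host', 'network' or 'broadcast'."""
    iface = ipaddress.ip_interface(f"{addr}/{netmask}")
    net = iface.network
    # /31 and /32 reserve no network or broadcast address (RFC 3021).
    if net.prefixlen >= 31:
        return net, "host"
    if iface.ip == net.network_address:
        return net, "network"
    if iface.ip == net.broadcast_address:
        return net, "broadcast"
    return net, "host"


def audit(configured, netmask):
    """Map each label to its subnet and role under the given netmask."""
    report = {}
    for label, addr in configured.items():
        net, role = role_in_subnet(addr, netmask)
        report[label] = {"subnet": str(net), "role": role}
    return report


def usable_hosts(addr, netmask):
    """List the assignable host addresses of the subnet containing addr."""
    net = ipaddress.ip_network(f"{addr}/{netmask}", strict=False)
    return [str(h) for h in net.hosts()]


if __name__ == "__main__":
    for mask in ("255.255.255.252", "255.255.255.248"):
        print(mask, "usable:", usable_hosts("79.77.184.116", mask))
        for label, info in audit(CONFIGURED, mask).items():
            print(f"  {label:16} {info['role']:9} in {info['subnet']}")
```

With the configured 255.255.255.252 mask, server 1's .116 comes out as the network address; with 255.255.255.248 all three addresses fall inside the .113-.118 host range.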
     
  17. chief

    chief Member

    They definitely stated 116-119, so I gotta check with them in the morning. The servers are working and have been fine for over a year; it's just the mail from server 1 to 2 and vice versa.
     
