

Is it possible CloudFlare put a ban on VirMach?


Hello all,

First of all, I haven't opened any ticket at VirMach, as I know I will get an answer next week. So I would like first to check with your experience.

From a VirMach VPS I don't get any answer from CloudFlare. It works locally and on other VPS from other providers. iptables is set to accept and no fail2ban or things like that are installed. No CloudFlare IPs in the blacklist of the VPS.

My VirMach VPS is on network 104/8.

For sure it may be a user issue, meaning I would not like to affirm it's a provider issue; my investigations so far make me feel it's something possible and I would like to check with you.

Any feedback or help welcome, thanks a lot ^^.

CC @VirMach

Comments

  • yoursunny Member, IPv6 Advocate
    edited April 2021

    As I understand, you cannot reach any Cloudflare hosted website from the VPS acting as client.
    Please capture traffic traces:

    1. Start this command: sudo tcpdump -w 1.pcap "tcp port 443"
    2. Run this command on another console: curl -vL https://www.lowendtalk.com/cdn-cgi/trace
    3. Run this command too: sudo traceroute -T -p 443 www.lowendtalk.com
    4. Stop the tcpdump, and upload 1.pcap to https://transfer.sh

    If you instead want to host a website on the VPS as a server:

    1. Check the TLS setting on Cloudflare: it should be set to "full", not "flexible" or "strict".
    2. Start this command: sudo tcpdump -w 1.pcap "tcp port 443"
    3. Open a browser and attempt to access the website.
    4. Stop the tcpdump, and upload 1.pcap to https://transfer.sh

    The binary format traffic trace is required.
    Text output of tcpdump is mostly useless.

  • @yoursunny said: As I understand, you cannot reach any Cloudflare hosted website from the VPS acting as client.

    Yeah, mostly this option. I try to reach a Docker image on docker.com; the endpoint I try to reach is behind CloudFlare. So I've pinged / tracerouted cloudflare.com and other websites behind CloudFlare and seen I cannot reach any of them.

    Thanks a lot for your help, here's the pcap:
    https://transfer.sh/12LKuX/1111121.pcap

  • yoursunny Member, IPv6 Advocate

    I see no obvious problem in the traffic trace.
    The destination IP in frame 5 (as shown in Wireshark) belongs to Cloudflare.

    My vps5 is on the same router (64:87:88:b0:9a:c1), and I am able to connect to Cloudflare hosted websites such as this forum, as well as the Docker Hub registry.

  • Thank you @yoursunny, I don't see an obvious problem in the traffic trace either. But in any case I get no route to host. I guess / hope VirMach should be able to update my VPS route; I will open a ticket and cross my fingers they are not busy like last time I've tried.

  • yoursunny Member, IPv6 Advocate

    @o_be_one said:
    But in any case i get no route to host.

    It could be specific to the site you are connecting to, and not Cloudflare in general.
    In that case, you need a traceroute:

    sudo traceroute -T -p 443 www.example.com
    

    Substitute www.example.com with the actual site you are trying to access.
    Post the result in text format.

  • @yoursunny said: It could be specific to the site you are connecting to, and not Cloudflare in general.

    I've tried with several CloudFlare IPs and websites behind CloudFlare, even CloudFlare.com and even the website that hosts public Docker images :(.

    I've opened a ticket with all the information I was able to provide, I hope I'll get an answer quickly ^^.

  • JabJab Member
    edited April 2021

    @o_be_one said: But in any case i get no route to host.

    Are we sure we're talking about the same thing? That pcap you put there is clearly connecting to one of the Cloudflare servers - it won't result in "No route to host".

    Please test the actual broken domain? You sure it's not just some shitty DNS resolve? Are you using IPv4? Did you blindly modify your routes for, idk, OpenVPN and now you pay the price? :D

  • o_be_one Member
    edited April 2021

    @JabJab said: Please test the actual broken domain? You sure it's not just some shitty DNS resolve? Are you using IPv4? Did you blindly modify your routes for idk, OpenVPN and now you pay the price?

    Thanks for your feedback. I use CloudFlare DNS 1.1.1.1 and 1.0.0.1 (and yeah, I can reach both those IPs from the VPS). I use IPv4 (no IPv6 settings). I've also tried to reach the IP directly and got the same error. I haven't modified routes. Actually I only host a Python Discord bot and would now like to add a metrics stack using Prometheus. No VPN at all.

    Yeah, that pcap result doesn't really show relevant information :(.

    ERROR: error pulling image configuration: Get "https://production.cloudflare.docker.com/registry-v2/docker/registry/v2/blobs/sha256/6d/6d6859d1a42a2395a8eacc41c718a039210b377f922d19076ebbdd74aa047e89/data?verify=1619014862-%2BBb6W2DrB4uG9l7NC0kH0ph5QSU%3D": dial tcp 104.18.125.25:443: connect: no route to host

    MTR screenshot: https://prnt.sc/11t045r

    And another pcap file when i try to get the Prometheus Docker image:
    https://transfer.sh/14xgdg/docker.pcap

  • yoursunny Member, IPv6 Advocate

    I'm on the same router as yours, and can reach this site without problems.

    sunny@vps5:~$ traceroute production.cloudflare.docker.com
    traceroute to production.cloudflare.docker.com (104.18.122.25), 30 hops max, 60 byte packets
     1  23-94-28-229-host.colocrossing.com (23.94.28.229)  0.971 ms  0.928 ms  0.892 ms
     2  10.1.20.225 (10.1.20.225)  0.638 ms 10.8.47.21 (10.8.47.21)  0.668 ms  0.702 ms
     3  10.1.20.37 (10.1.20.37)  0.439 ms  0.399 ms  0.452 ms
     4  10.8.32.57 (10.8.32.57)  0.398 ms 10.8.6.33 (10.8.6.33)  0.419 ms 10.8.27.53 (10.8.27.53)  0.490 ms
     5  buf-b1-link.ip.twelve99.net (62.115.59.89)  2.834 ms buf-b1-link.ip.twelve99.net (62.115.145.90)  2.831 ms  2.821 ms
     6  nyk-bb2-link.ip.twelve99.net (62.115.141.181)  10.955 ms nyk-bb3-link.ip.twelve99.net (80.91.246.37)  10.068 ms *
     7  nyk-b2-link.ip.twelve99.net (213.155.130.28)  10.461 ms nyk-b2-link.ip.twelve99.net (62.115.115.145)  12.707 ms nyk-b2-link.ip.twelve99.net (213.155.130.28)  10.599 ms
     8  cloudflare-ic328256-nyk-b2.ip.twelve99-cust.net (62.115.61.47)  17.846 ms  15.295 ms  15.114 ms
     9  104.18.122.25 (104.18.122.25)  15.046 ms  15.064 ms  15.132 ms
    
    sunny@vps5:~$ curl -I https://production.cloudflare.docker.com/registry-v2/docker/registry/v2/
    HTTP/2 403
    date: Wed, 21 Apr 2021 13:56:14 GMT
    content-type: application/json
    content-length: 55
    set-cookie: __cfduid=ddf19da9bbad30cf50163a7f2c5a39ea21619013374; expires=Fri, 21-May-21 13:56:14 GMT; path=/; domain=.production.cloudflare.docker.com; HttpOnly; SameSite=Lax; Secure
    cf-request-id: 099650aaff000055549e33a000000001
    expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
    server: cloudflare
    cf-ray: 64371d57fec95554-EWR
    
    sunny@vps5:~$ traceroute 104.18.125.25
    traceroute to 104.18.125.25 (104.18.125.25), 30 hops max, 60 byte packets
     1  23-94-28-229-host.colocrossing.com (23.94.28.229)  1.670 ms  1.594 ms  1.623 ms
     2  10.8.47.21 (10.8.47.21)  0.648 ms 10.1.20.225 (10.1.20.225)  0.692 ms 10.8.47.21 (10.8.47.21)  0.656 ms
     3  10.1.20.37 (10.1.20.37)  1.125 ms 10.8.7.53 (10.8.7.53)  0.434 ms  0.431 ms
     4  10.8.5.217 (10.8.5.217)  1.107 ms 10.8.2.133 (10.8.2.133)  1.062 ms 10.8.24.73 (10.8.24.73)  0.366 ms
     5  buf-b1-link.ip.twelve99.net (62.115.59.93)  0.437 ms buf-b1-link.ip.twelve99.net (62.115.59.85)  0.663 ms buf-b1-link.ip.twelve99.net (62.115.145.90)  0.625 ms
     6  nyk-bb2-link.ip.twelve99.net (62.115.141.181)  10.845 ms  10.646 ms nyk-bb1-link.ip.twelve99.net (62.115.118.122)  10.294 ms
     7  nyk-b2-link.ip.twelve99.net (62.115.137.99)  10.513 ms  10.781 ms nyk-b2-link.ip.twelve99.net (213.155.130.28)  11.756 ms
     8  cloudflare-ic328256-nyk-b2.ip.twelve99-cust.net (62.115.61.47)  15.550 ms  15.574 ms  15.461 ms
     9  104.18.125.25 (104.18.125.25)  14.952 ms  14.935 ms  14.881 ms
    
  • jackb Member, Host Rep
    edited April 2021

    @o_be_one said:
    Thank you @yoursunny, I don't see an obvious problem in the traffic trace either. But in any case I get no route to host. I guess / hope VirMach should be able to update my VPS route; I will open a ticket and cross my fingers they are not busy like last time I've tried.

    It wouldn't be the first time I've seen incorrectly configured iptables rules cause this problem (possibly even default rules in some images).

    Worth checking imo.

  • JabJab Member
    edited April 2021

    With mtr / traceroute like he posted above I would gamble on iptables / route too.

    Can you show ip r s or check your iptables/NAT rules too?

    To make sure it's working.

    root@kvm-doctor:~# traceroute 104.18.122.25
    traceroute to 104.18.122.25 (104.18.122.25), 30 hops max, 60 byte packets
     1  23-94-10-77-host.colocrossing.com (23.94.10.77)  0.964 ms  1.005 ms  1.001 ms
     2  * * *
     3  10.9.15.17 (10.9.15.17)  0.313 ms  0.314 ms  0.300 ms
     4  las-b24-link.ip.twelve99.net (62.115.146.158)  0.453 ms  0.452 ms te0-3-0-0.rcr21.b002695-3.lax01.atlas.cogentco.com (38.32.69.89)  0.661 ms
     5  * * *
     6  be3359.ccr41.lax05.atlas.cogentco.com (154.54.3.70)  0.857 ms * be3243.ccr41.lax05.atlas.cogentco.com (154.54.27.118)  1.177 ms
     7  cloudflare-ic328257-las-b23.ip.twelve99-cust.net (62.115.61.149)  1.299 ms 38.104.84.254 (38.104.84.254)  10.742 ms cloudflare-ic328257-las-b23.ip.twelve99-cust.net (62.115.61.149)  3.728 ms
     8  104.18.122.25 (104.18.122.25)  0.408 ms  0.451 ms  0.559 ms
    
  • o_be_one Member
    edited April 2021

    @jackb said: It wouldn't be the first time I've seen incorrectly configured iptables rules cause this problem (possibly even default rules in some images).

    Thank you for your feedback. Here are my iptables rules:

    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination
    
    Chain FORWARD (policy DROP)
    target     prot opt source               destination
    DOCKER-USER  all  --  anywhere             anywhere
    DOCKER-ISOLATION-STAGE-1  all  --  anywhere             anywhere
    ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
    DOCKER     all  --  anywhere             anywhere
    ACCEPT     all  --  anywhere             anywhere
    ACCEPT     all  --  anywhere             anywhere
    ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
    DOCKER     all  --  anywhere             anywhere
    ACCEPT     all  --  anywhere             anywhere
    ACCEPT     all  --  anywhere             anywhere
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination
    
    Chain DOCKER (2 references)
    target     prot opt source               destination
    
    Chain DOCKER-ISOLATION-STAGE-1 (1 references)
    target     prot opt source               destination
    DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere
    DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere
    RETURN     all  --  anywhere             anywhere
    
    Chain DOCKER-ISOLATION-STAGE-2 (2 references)
    target     prot opt source               destination
    DROP       all  --  anywhere             anywhere
    DROP       all  --  anywhere             anywhere
    RETURN     all  --  anywhere             anywhere
    
    Chain DOCKER-USER (1 references)
    target     prot opt source               destination
    RETURN     all  --  anywhere             anywhere
    

    @JabJab said: Can you show ip r s or check your iptables/NAT rules too?

    default via 104.168.47.193 dev eth0  metric 1
    104.0.0.0/8 dev eth0 scope link  src 104.168.47.201
    172.17.0.0/16 dev docker0 scope link  src 172.17.0.1
    172.18.0.0/16 dev br-d4ed4df4bddb scope link  src 172.18.0.1
    
  • JabJab Member
    edited April 2021

    @o_be_one said: My VirMach VPS is on network 104/8.

    @o_be_one said: 104.0.0.0/8 dev eth0 scope link src 104.168.47.201

    You sure you got that from DHCP settings?
    This should NOT be the whole 104.0.0.0/8 network, it should only be your VPS network, probably /26 or something.

    Probably click the "Reconfigure network" button in WHMCS/VirMach Panel and expect server reboot :-)

  • @JabJab said: You sure you got that from DHCP settings?

    No, it's static settings:

    auto eth0
    iface eth0 inet static
         address 104.168.47.201
         netmask 255.0.0.0
         gateway 104.168.47.193
    

    I run a custom ISO: Alpine Linux, so reconfigure network doesn't work on VirMach.
    I don't recall where I got this information, but first I've probably checked VirMach and found no information on their knowledge base regarding network settings, so I've found this information on LET.

    Thanks for your feedback, I think you found the issue, will try to use DHCP instead. I remember it was not working at the beginning (but it was working from PXE boot since I've made a DHCP request to get internet to be able to load netboot.xyz, because in the past VirMach's netboot.xyz image was broken; it's fixed since I've reported it to them).

  • o_be_one Member
    edited April 2021

    Alright, now it works! Thanks a lot @JabJab, you found the issue :).
    It would be nice if I had static configuration information on the @VirMach website, it would help a lot as well.

    Whatever, now it works, problem fixed. I'm closing the ticket on their side.

    With DHCP the IP was /27, so if anyone finds this post you are now aware ^^.

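The root cause JabJab spotted (a /8 netmask that makes the kernel treat every 104.x.x.x address, including Cloudflare's, as on-link and ARP for it instead of using the gateway) can be checked without touching the box. The Python below is an added illustration, not code from the thread; it models the kernel's route selection for the VPS address, gateway, and Cloudflare IP quoted above and contrasts the /8 static config with the /27 that DHCP later handed out.

```python
import ipaddress

# Values below are taken from what the thread shows: the VPS address and gateway
# from the OP's "ip r s" output, the /8 netmask from /etc/network/interfaces,
# the /27 DHCP later assigned, and the Cloudflare IP from the Docker pull error.
VPS_ADDR = "104.168.47.201"
GATEWAY = "104.168.47.193"
CLOUDFLARE_DEST = "104.18.125.25"


def connected_route(addr, prefixlen, dev="eth0"):
    """The 'scope link' route the kernel derives from the interface config,
    in the same shape as the 'ip r s' line the OP pasted."""
    net = ipaddress.ip_interface(f"{addr}/{prefixlen}").network
    return f"{net} dev {dev} scope link src {addr}"


def next_hop(addr, prefixlen, gateway, dest):
    """Longest-prefix match between the connected route and the default route.
    Returns ('on-link', dest) when the kernel will ARP for dest directly,
    or ('via', gateway) when it hands the packet to the default gateway."""
    net = ipaddress.ip_interface(f"{addr}/{prefixlen}").network
    if ipaddress.ip_address(dest) in net:
        return ("on-link", dest)
    return ("via", gateway)


def reachable(addr, prefixlen, gateway, dest, arp_neighbours):
    """Model the failure mode: a next hop is usable only if it answers ARP on
    the local segment. An on-link next hop that never answers is exactly what
    Linux reports as 'connect: no route to host' (EHOSTUNREACH)."""
    _, hop = next_hop(addr, prefixlen, gateway, dest)
    return hop in arp_neighbours


def audit(addr, prefixlen, gateway, dests, arp_neighbours):
    """Return the destinations that the given netmask silently breaks."""
    return [d for d in dests
            if not reachable(addr, prefixlen, gateway, d, arp_neighbours)]


if __name__ == "__main__":
    # Only the gateway actually sits on the VPS's L2 segment and answers ARP.
    on_segment = {GATEWAY}
    # 1.1.1.1 is included because the OP could still reach it: it is outside 104/8.
    dests = [CLOUDFLARE_DEST, "104.18.122.25", "1.1.1.1"]
    for plen in (8, 27):
        print(connected_route(VPS_ADDR, plen))
        print("  broken:", audit(VPS_ADDR, plen, GATEWAY, dests, on_segment))
```

With /8 the audit lists both Cloudflare addresses and leaves 1.1.1.1 alone, matching the symptoms in the thread; with /27 the list is empty.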