Issues connecting two VPS's - Iptables/CSF? [Solved]

zemigpt Member
edited October 2014 in Help

Hi!
I've been banging my head with this problem for a while, so I decided to ask for help.

I have two VPS's from two different providers.
One is the main one, the other is for backup.
Both are running CentOS 6.5 minimal with Centmin Mod installed for management.

I configured mysql replication and lsyncd for real-time file backup, added both ips to the csf.allow files and everything was working fine until a couple of days ago.
Without any warning that I can spot in the logs, the two VPS's can't see each other.
I noticed that csf updated from version 7.15 to 7.54, but that shouldn't have caused this.

Ping:
Desktop --> Main = Ping OK - 0% packet loss;
Desktop --> Backup = Ping OK - 0% packet loss;
Main --> Backup = Ping NOT OK - 100% packet loss;
Backup --> Main = Ping NOT OK - 100% packet loss;

SSH / SCP:
Desktop --> Main = OK;
Desktop --> Backup = OK;
Main --> Backup = connection timeout;
Backup --> Main = connection timeout;

I've tried to disable csf ("csf -x") and "service iptables stop" followed by "iptables -F" to rule out funky firewall rules, but still couldn't make them connect.

I reinstalled the OS on the backup, and right now it doesn't even have centmin mod installed but I still can't ping or SSH to the main VPS.
I can't even wget the index.php from the main server, so it seems to me that it is in fact something in the firewall of the main VPS that is refusing connections from the backup's ip address.
But considering that I've disabled csf and iptables, how can that be?!?
What am I missing?...

Help anyone?

Comments

  • Mun Member
    edited October 2014

    How are you transferring the backups, rsync?

    Also, what does an mtr look like between the two servers?

  • It's not about OS / iptables. You should consider raising a ticket at the main provider / sub provider and ask them if they have any conflicts with each other; if so, you can't force them to remove cross-IP blocking. Else you could ask them to check it for you, since unmanaged VPS have network and hardware under cover of the support.

  • Profforg Member
    edited October 2014

    Show an output of "traceroute" from Main --> Backup and from Backup --> Main.

    e.g. traceroute 1.1.1.1

    Show the output of "route -n" on Main and Backup.

    Show the output of "ip route" on Main and Backup.

  • Add both VPSes to /etc/csf/csf.allow

    Then restart csf on both with csf -r

    And try again

  • @ATHK said:
    Add both VPSes to /etc/csf/csf.allow

    From the initial post (my emphasis in bold):

    @zemigpt said: I configured mysql replication and lsyncd for real-time file backup, added both ips to the csf.allow files

  • @k0nsl said:

    zemigpt said: I configured mysql replication and lsyncd for real-time file backup, added both ips to the csf.allow files

    Hah sorry, guess I should have read that a bit better ;)

    Try flushing the rules with csf -f

  • mikho Member, Host Rep

    Traceroute would probably tell us where the problem is.

  • Thank you all for the replies!

    The backup transfer is made with lsyncd that uses rsync.

    mtr Main --> Backup
        My traceroute [v0.75]
        main (0.0.0.0) Sun Oct 12 10:15:05 2014
        Keys: Help Display mode Restart statistics Order of fields quit
        Packets Pings
        Host Loss% Snt Last Avg Best Wrst StDev
        1. nl-vz9.iniz.com 0.0% 22 0.0 0.0 0.0 0.1 0.0
        2. 109.201.146.212 0.0% 22 11.8 3.7 0.3 11.8 3.8
        3. 85.159.239.6 0.0% 22 0.9 0.6 0.4 1.2 0.2
           85.159.239.34
        4. 85.159.239.29 0.0% 22 11.8 1.7 0.6 11.8 3.1
           ae0-908.ams12.ip4.gtt.net
        5. xe-10-0-0.atl11.ip4.gtt.net 0.0% 22 1.1 62.5 0.6 136.7 62.3
           ae0-908.ams12.ip4.gtt.net
        6. db-transit-gw.ip4.gtt.net 0.0% 22 122.6 123.3 121.7 134.9 3.6
           xe-10-0-0.atl11.ip4.gtt.net
        7. db-transit-gw.ip4.gtt.net 0.0% 22 122.8 122.1 120.8 130.9 2.1
           250.166.48.199.static.reverse.as62639.com
        8. 107.150.0.21 0.0% 22 120.6 122.8 120.6 131.5 3.5
           250.166.48.199.static.reverse.as62639.com
        9. 107.150.0.21 47.6% 21 121.8 121.4 120.6 123.5 1.1
        10. ???

    mtr Backup --> Main (shows an error message)
        My traceroute [v0.75]
        backup (0.0.0.0) Sun Oct 12 05:23:39 2014
        Resolver: Received error response 2. (server failure)er of fields quit
        Packets Pings
        Host Loss% Snt Last Avg Best Wrst StDev
        1. 107.150.0.21 0.0% 37 0.1 0.1 0.0 0.1 0.0
        2. 78.152.57.69 0.0% 37 0.5 3.8 0.3 14.1 4.6
        3. eth3-3.r1.atl1.us.as5580.net 0.0% 37 16.8 10.5 6.4 21.1 4.5
        4. eth2-1.core1.ash2.us.as5580.net 0.0% 37 18.9 19.2 18.8 21.8 0.8
        5. ae0-0.edge1.ash2.us.as5580.net 0.0% 37 19.1 19.8 18.9 34.6 3.5
        6. xe-5-2-1.er2.iad10.us.above.net 0.0% 37 19.0 21.2 18.9 63.0 8.2
        7. ae9.cr2.dca2.us.above.net 0.0% 37 20.1 21.4 20.0 39.3 4.2
        8. xe-0-3-1.cr1.ams10.us.above.net 0.0% 37 129.2 129.2 126.6 147.0 4.8
        9. ae8.mpr1.ams10.nl.above.net 0.0% 37 126.8 128.0 126.7 154.2 4.7
        10. 94.31.31.10 0.0% 37 120.6 120.8 120.5 124.5 0.7
        11. 85.159.239.5 0.0% 37 120.7 124.6 120.7 133.1 4.3
        12. rtr1.dbn.nl.iniz.com 0.0% 37 120.8 120.9 120.7 122.2 0.4
        13. nl-vz9.iniz.com 0.0% 37 120.7 119.4 117.7 121.2 1.5
        14. ???

    traceroute Main --> Backup:
        # traceroute backup-ip
        traceroute to backup-ip (backup-ip), 30 hops max, 60 byte packets
        1 nl-vz9.iniz.com (185.53.128.12) 0.053 ms 0.013 ms 0.011 ms
        2 109.201.146.212 (109.201.146.212) 7.308 ms 0.232 ms 0.227 ms
        3 85.159.239.34 (85.159.239.34) 0.572 ms 0.640 ms 85.159.239.6 (85.159.239.6) 0.401 ms
        4 ae0-908.ams12.ip4.gtt.net (77.67.90.85) 0.527 ms 85.159.239.29 (85.159.239.29) 0.542 ms 0.626 ms
        5 ae0-908.ams12.ip4.gtt.net (77.67.90.85) 0.497 ms xe-10-0-0.atl11.ip4.gtt.net (141.136.106.113) 121.708 ms ae0-908.ams12.ip4.gtt.net (77.67.90.85) 0.530 ms
        6 xe-10-0-0.atl11.ip4.gtt.net (141.136.106.113) 121.662 ms db-transit-gw.ip4.gtt.net (77.67.79.246) 127.720 ms 127.751 ms
        7 250.166.48.199.static.reverse.as62639.com (199.48.166.250) 128.447 ms db-transit-gw.ip4.gtt.net (77.67.79.246) 127.679 ms 127.665 ms
        8 250.166.48.199.static.reverse.as62639.com (199.48.166.250) 128.398 ms 107.150.0.21 (107.150.0.21) 120.585 ms 250.166.48.199.static.reverse.as62639.com (199.48.166.250) 120.699 ms
        9 * * 107.150.0.21 (107.150.0.21) 120.544 ms
        10 * * *
        11 * * *
        12 * * *
        13 * * *
        14 * * *
        15 * * *
        16 * * *
        17 * * *
        18 * * *
        19 * * *
        20 * * *
        21 * * *
        22 * * *
        23 * * *
        24 * * *
        25 * * *
        26 * * *
        27 * * *
        28 * * *
        29 * * *
        30 * * *

    traceroute Backup --> Main:
        # traceroute main-ip
        traceroute to main-ip (main-ip), 30 hops max, 60 byte packets
        1 107.150.0.21 (107.150.0.21) 0.057 ms 0.019 ms 0.018 ms
        2 78.152.57.69 (78.152.57.69) 6.785 ms 6.766 ms 6.760 ms
        3 eth3-3.r1.atl1.us.as5580.net (78.152.35.221) 9.181 ms 9.173 ms 9.165 ms
        4 eth2-1.core1.ash2.us.as5580.net (78.152.35.128) 18.798 ms 18.794 ms 18.786 ms
        5 ae0-0.edge1.ash2.us.as5580.net (78.152.34.61) 18.886 ms 18.881 ms 18.886 ms
        6 xe-5-2-1.er2.iad10.us.above.net (128.177.113.45) 18.876 ms 18.988 ms 18.926 ms
        7 ae9.cr2.dca2.us.above.net (64.125.21.57) 19.960 ms 32.347 ms 32.041 ms
        8 xe-0-3-1.cr1.ams10.us.above.net (64.125.27.34) 126.726 ms 126.685 ms 126.561 ms
        9 ae8.mpr1.ams10.nl.above.net (64.125.26.158) 139.604 ms 139.585 ms 139.568 ms
        10 94.31.31.10 (94.31.31.10) 120.362 ms 120.511 ms 120.342 ms
        11 85.159.239.37 (85.159.239.37) 129.241 ms 129.239 ms 120.672 ms
        12 rtr1.dbn.nl.iniz.com (109.201.146.209) 120.709 ms 120.785 ms 120.652 ms
        13 nl-vz9.iniz.com (185.53.128.12) 120.654 ms 120.643 ms 120.661 ms
        14 * * *
        15 * * *
        16 * * *
        17 * * *
        18 * * *
        19 * * *
        20 * * *
        21 * * *
        22 * * *
        23 * * *
        24 * * *
        25 * * *
        26 * * *
        27 * * *
        28 * * *
        29 * * *
        30 * * *

    route -n:
        [root@main ~]# route -n
        Kernel IP routing table
        Destination Gateway Genmask Flags Metric Ref Use Iface
        169.254.0.0 0.0.0.0 255.255.0.0 U 1002 0 0 venet0
        0.0.0.0 0.0.0.0 0.0.0.0 U 0 0 0 venet0

        [root@backup ~]# route -n
        Kernel IP routing table
        Destination Gateway Genmask Flags Metric Ref Use Iface
        169.254.0.0 0.0.0.0 255.255.0.0 U 1002 0 0 venet0
        0.0.0.0 0.0.0.0 0.0.0.0 U 0 0 0 venet0

    ip route:
        [root@main ~]# ip route
        169.254.0.0/16 dev venet0 scope link metric 1002
        default dev venet0 scope link

        [root@backup ~]# ip route
        169.254.0.0/16 dev venet0 scope link metric 1002
        default dev venet0 scope link
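
Added example, not part of the thread: a small parser that reads the two traceroutes posted above and checks whether each direction's last responding hop is the other side's first hop, which shows the probes cross transit and go silent only behind the far provider's gateway. The sample text is an excerpt of the posted output (a few hops each); the function names are made up for this illustration, and it assumes hop 1 of a trace is the sender's provider-side gateway.

```python
import re

HOP = re.compile(r"^\s*(\d+)\s+(.*)$")           # "<ttl> <rest of line>"
ADDR = re.compile(r"\((\d{1,3}(?:\.\d{1,3}){3})\)")  # "(a.b.c.d)" after each hostname

# Excerpts of the traceroute output posted in the thread (trimmed to a few hops).
MAIN_TO_BACKUP = """\
 1 nl-vz9.iniz.com (185.53.128.12) 0.053 ms 0.013 ms 0.011 ms
 8 250.166.48.199.static.reverse.as62639.com (199.48.166.250) 128.398 ms 107.150.0.21 (107.150.0.21) 120.585 ms
 9 * * 107.150.0.21 (107.150.0.21) 120.544 ms
10 * * *
11 * * *
"""
BACKUP_TO_MAIN = """\
 1 107.150.0.21 (107.150.0.21) 0.057 ms 0.019 ms 0.018 ms
12 rtr1.dbn.nl.iniz.com (109.201.146.209) 120.709 ms 120.785 ms 120.652 ms
13 nl-vz9.iniz.com (185.53.128.12) 120.654 ms 120.643 ms 120.661 ms
14 * * *
15 * * *
"""

def parse_hops(text):
    """Return [(ttl, {responding IPs})]; a '* * *' hop yields an empty set."""
    hops = []
    for line in text.splitlines():
        m = HOP.match(line)
        if m:
            hops.append((int(m.group(1)), set(ADDR.findall(m.group(2)))))
    return hops

def last_responder(hops):
    """Highest TTL that produced any reply, with the addresses seen there."""
    answered = [(ttl, ips) for ttl, ips in hops if ips]
    return answered[-1] if answered else (0, set())

def reaches_far_gateway(forward, reverse):
    """True if forward's last responder is reverse's hop 1 (the far gateway)."""
    _, last_ips = last_responder(forward)
    first_ips = reverse[0][1] if reverse else set()
    return bool(last_ips & first_ips)

if __name__ == "__main__":
    fwd, rev = parse_hops(MAIN_TO_BACKUP), parse_hops(BACKUP_TO_MAIN)
    print("Main -> Backup last reply:", last_responder(fwd))
    print("Backup -> Main last reply:", last_responder(rev))
    print("Reaches far gateway (both ways):",
          reaches_far_gateway(fwd, rev), reaches_far_gateway(rev, fwd))
```

When both checks come back true, as they do for this thread's output, the silence starts at or behind the destination's own gateway rather than at a transit hop.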

  • zemigpt Member
    edited October 2014

    Well, I tried to SSH to Backup VPS from another box that a friend of mine has and it also didn't work.

    Friend --> Main = OK
    Main --> Friend = OK
    Friend --> Backup = timeout
    Main --> Backup = timeout

    Tested with a free ssh server (sdf.org).
    Main --> sdf.org = OK
    Backup --> sdf.org = OK

    The backup is on Crissic.
    Both Main and my friend's VPS are on INIZ.
    It appears some sort of ip blocking.

    Support ticket it is...

  • It was something related to SSH rate limit on INIZ.
    It's solved.

    Excellent support and response time by both Crissic and INIZ!

  • SSH rate limit? O.o

  • O.o.........

  • Bad wording on my part?
    "we have enabled rate limiting on SSH port 22 to prevent brute force for clients".

    But it makes sense to me.
