Hello Adrian,

systemctl restart packetfence-iptables

Thanks,

Ludovic Zammit
lzam...@inverse.ca ::  +1.514.447.4918 (x145) ::  www.inverse.ca
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)




> On Feb 1, 2021, at 10:31 AM, Adrian Dessaigne via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:
> 
> Hello !
> 
> I got the exact same issue! Do you have a command to reload the PacketFence iptables configuration?
> 
> Regards,
> 
> Adrian.
> 
> From: "packetfence-users" <packetfence-users@lists.sourceforge.net>
> To: "Geert Heremans" <heremans.ge...@gmail.com>, "packetfence-users" <packetfence-users@lists.sourceforge.net>
> Cc: "Durand fabrice" <fdur...@inverse.ca>
> Sent: Wednesday 7 October 2020 15:30:09
> Subject: Re: [PacketFence-users] Cannot join domain using GUI - net ads join works
> 
> Ok so it looks like your iptables config is not able to load.
> 
> It's probably related to NETFLOW kernel module.
> 
> You have 2 choices, the first one:
> 
> edit /usr/local/pf/conf/iptables.conf and remove the line "-I FORWARD -j NETFLOW"
> 
> or do a yum update; if there is a new kernel, reboot the server, then do yum reinstall dkms-ipt-netflow
> 
> 
> 
> Then once done, check iptables -L -n -v again; if it's more verbose, retry to join the domain, it should work.
> 
> 
> 
> Regards
> 
> Fabrice
> 
> 
> 
> On 2020-10-07 at 09:23, Geert Heremans wrote:
> Hello Fabrice
> 
> of course. Anything that helps.
> 
> The output of the iptables -L -n -v command you'll find below:
> 
> Chain INPUT (policy ACCEPT 1891K packets, 332M bytes)
>  pkts bytes target     prot opt in     out     source               destination
> 
> Chain FORWARD (policy ACCEPT 13 packets, 1053 bytes)
>  pkts bytes target     prot opt in     out     source               destination
> 
> Chain OUTPUT (policy ACCEPT 1887K packets, 340M bytes)
>  pkts bytes target     prot opt in     out     source               destination
> 
> 
> Below the contents of the iptables.conf file. Also attached to this email
> 
> # Copyright (C) Inverse inc.
> # iptables template
> # This file is manipulated on PacketFence's startup before being given to iptables
> *filter
> 
> ### INPUT ###
> :INPUT DROP [0:0]
> # accept loopback stuff
> -A INPUT --in-interface lo --jump ACCEPT
> # accept anything related
> -A INPUT --match state --state ESTABLISHED,RELATED --jump ACCEPT
> # Accept Ping (easier troubleshooting)
> -A INPUT --protocol icmp --icmp-type echo-request --jump ACCEPT
> 
> :input-management-if - [0:0]
> # SSH
> -A input-management-if --match state --state NEW --match tcp --protocol tcp --dport 22 --jump ACCEPT
> # HTTP and HTTPS for the portal
> -A input-management-if --protocol tcp --match tcp --dport 80 --jump ACCEPT
> -A input-management-if --protocol tcp --match tcp --dport 443 --jump ACCEPT
> # Web Admin
> -A input-management-if --protocol tcp --match tcp --dport %%web_admin_port%% --jump ACCEPT
> # Webservices
> -A input-management-if --protocol tcp --match tcp --dport %%webservices_port%% --jump ACCEPT
> # AAA
> -A input-management-if --protocol tcp --match tcp --dport %%aaa_port%% --jump ACCEPT
> # Unified API
> -A input-management-if --protocol tcp --match tcp --dport %%unifiedapi_port%% --jump ACCEPT
> # httpd.portal modstatus
> -A input-management-if --protocol tcp --match tcp --dport %%httpd_portal_modstatus%% --jump ACCEPT
> # httpd.collector
> -A input-management-if --protocol tcp --match tcp --dport %%httpd_collector_port%% --jump ACCEPT
> # haproxy stats (uncomment if activating the haproxy dashboard) - 1025 for haproxy-portal, 1026 for haproxy-db
> #-A input-management-if --protocol tcp --match tcp --dport 1025 --jump ACCEPT
> #-A input-management-if --protocol tcp --match tcp --dport 1026 --jump ACCEPT
> # Netdata
> -A input-management-if --protocol tcp --match tcp --dport 19999 --jump ACCEPT
> 
> # RADIUS
> -A input-management-if --protocol tcp --match tcp --dport 1812 --jump ACCEPT
> -A input-management-if --protocol udp --match udp --dport 1812 --jump ACCEPT
> -A input-management-if --protocol tcp --match tcp --dport 1813 --jump ACCEPT
> -A input-management-if --protocol udp --match udp --dport 1813 --jump ACCEPT
> -A input-management-if --protocol tcp --match tcp --dport 1815 --jump ACCEPT
> -A input-management-if --protocol udp --match udp --dport 1815 --jump ACCEPT
> -A input-management-if --protocol tcp --match tcp --dport 2083 --jump ACCEPT
> # RADIUS (eduroam virtual-server)
> %%eduroam_radius_virtualserver%%
> # SNMP Traps
> -A input-management-if --protocol udp --match udp --dport 162  --jump ACCEPT
> # DHCP (for IP Helpers to mgmt to track users' IP in production VLANs)
> -A input-management-if --protocol udp --match udp --dport 67  --jump ACCEPT
> -A input-management-if --protocol tcp --match tcp --dport 67  --jump ACCEPT
> # OpenVAS Administration Interface
> -A input-management-if --protocol tcp --match tcp --dport 9392 --jump ACCEPT
> # Nessus Administration Interface
> -A input-management-if --protocol tcp --match tcp --dport 8834 --jump ACCEPT
> # PacketFence-PKI
> # -A input-management-if --protocol tcp --match tcp --dport 9393 --jump ACCEPT
> # -A input-management-if --protocol tcp --match tcp --dport 9292 --jump ACCEPT
> 
> # Fingerbank collector (replication, Netflow, API, sFlow)
> -A input-management-if --protocol udp --match udp --dport 1192 --jump ACCEPT
> -A input-management-if --protocol udp --match udp --dport 2055 --jump ACCEPT
> -A input-management-if --protocol tcp --match tcp --dport 4723 --jump ACCEPT
> -A input-management-if --protocol udp --match udp --dport 6343 --jump ACCEPT
> 
> # VRRP
> -A input-management-if -d 224.0.0.0/8 -j ACCEPT
> -A input-management-if -p vrrp -j ACCEPT
> # Mysql
> -A input-management-if --protocol tcp --match tcp --dport 3306 --jump ACCEPT
> 
> # Syslog
> -A input-management-if --protocol udp --match udp --dport 514 --jump ACCEPT
> 
> :input-portal-if - [0:0]
> -A input-portal-if --protocol tcp --match tcp --dport 80  --jump ACCEPT
> -A input-portal-if --protocol tcp --match tcp --dport 443 --jump ACCEPT
> 
> :input-radius-if - [0:0]
> -A input-radius-if --protocol tcp --match tcp --dport 1812 --jump ACCEPT
> -A input-radius-if --protocol udp --match udp --dport 1812 --jump ACCEPT
> -A input-radius-if --protocol tcp --match tcp --dport 1813 --jump ACCEPT
> -A input-radius-if --protocol udp --match udp --dport 1813 --jump ACCEPT
> -A input-radius-if --protocol tcp --match tcp --dport 1815 --jump ACCEPT
> -A input-radius-if --protocol udp --match udp --dport 1815 --jump ACCEPT
> -A input-radius-if --protocol tcp --match tcp --dport 2083 --jump ACCEPT
> %%eduroam_radius_listening%%
> 
> :input-dns-if - [0:0]
> -A input-dns-if --protocol tcp --match tcp --dport 53 --jump ACCEPT
> -A input-dns-if --protocol udp --match udp --dport 53 --jump ACCEPT
> 
> :input-dhcp-if - [0:0]
> -A input-dhcp-if --protocol udp --match udp --dport 67  --jump ACCEPT
> -A input-dhcp-if --protocol tcp --match tcp --dport 67  --jump ACCEPT
> 
> 
> :input-internal-vlan-if - [0:0]
> # DNS
> -A input-internal-vlan-if --protocol tcp --match tcp --dport 53  --jump ACCEPT
> -A input-internal-vlan-if --protocol udp --match udp --dport 53  --jump ACCEPT
> # HTTP (captive-portal)
> -A input-internal-vlan-if --protocol tcp --match tcp --dport 80  --jump ACCEPT
> -A input-internal-vlan-if --protocol tcp --match tcp --dport 443 --jump ACCEPT
> -A input-internal-vlan-if --protocol tcp --match tcp --dport 647 --jump ACCEPT
> # HTTP (parking portal)
> -A input-internal-vlan-if --protocol tcp --match tcp --dport 5252 --jump ACCEPT
> %%input_inter_vlan_if%%
> 
> 
> :input-internal-isol_vlan-if - [0:0]
> # DNS
> -A input-internal-isol_vlan-if --protocol tcp --match tcp --dport 53  --jump ACCEPT
> -A input-internal-isol_vlan-if --protocol udp --match udp --dport 53  --jump ACCEPT
> # DHCP
> -A input-internal-isol_vlan-if --protocol udp --match udp --dport 67  --jump ACCEPT
> -A input-internal-isol_vlan-if --protocol tcp --match tcp --dport 67  --jump ACCEPT
> # HTTP (captive-portal)
> -A input-internal-isol_vlan-if --protocol tcp --match tcp --dport 80  --jump ACCEPT
> -A input-internal-isol_vlan-if --protocol tcp --match tcp --dport 443 --jump ACCEPT
> -A input-internal-isol_vlan-if --protocol tcp --match tcp --dport 647 --jump ACCEPT
> # HTTP (parking portal)
> -A input-internal-isol_vlan-if --protocol tcp --match tcp --dport 5252 --jump ACCEPT
> %%input_inter_isol_vlan_if%%
> 
> :input-internal-inline-if - [0:0]
> # DNS
> -A input-internal-inline-if --protocol tcp --match tcp --dport 53  --jump ACCEPT
> -A input-internal-inline-if --protocol udp --match udp --dport 53  --jump ACCEPT
> # HTTP (captive-portal)
> # prevent registered users from reaching it
> # TODO: Must work in dispatcher and Catalyst to redirect registered client out of the portal
> #-A input-internal-inline-if --protocol tcp --match tcp --dport 80  --match mark --mark 0x1 --jump DROP
> #-A input-internal-inline-if --protocol tcp --match tcp --dport 443 --match mark --mark 0x1 --jump DROP
> # allow everyone else behind inline interface (not registered, isolated, etc.)
> -A input-internal-inline-if --protocol tcp --match tcp --dport 80  --jump ACCEPT
> -A input-internal-inline-if --protocol tcp --match tcp --dport 443 --jump ACCEPT
> -A input-internal-inline-if --protocol tcp --match tcp --dport 647 --jump ACCEPT
> %%input_inter_inline_rules%%
> 
> :input-highavailability-if - [0:0]
> #SSH
> -A input-highavailability-if --match state --state NEW --match tcp --protocol tcp --dport 22 --jump ACCEPT
> #Galera autofix
> -A input-highavailability-if --protocol udp --match udp --dport 4253 --jump ACCEPT
> #Galera cluster
> -A input-highavailability-if --protocol tcp --match tcp --dport 4444 --jump ACCEPT
> -A input-highavailability-if --protocol tcp --match tcp --dport 4567 --jump ACCEPT
> -A input-highavailability-if --protocol tcp --match tcp --dport 4568 --jump ACCEPT
> #PacketFence MariaDB Quorum server
> -A input-highavailability-if --protocol tcp --match tcp --dport 7890 --jump ACCEPT
> -A input-highavailability-if --protocol tcp --match tcp --dport 7891 --jump ACCEPT
> # Corosync
> -A input-highavailability-if --protocol udp --match udp --dport 5405 --jump ACCEPT
> -A input-highavailability-if --protocol udp --match udp --dport 5407 --jump ACCEPT
> #DRBD
> -A input-highavailability-if --protocol tcp --match tcp --dport 7788 --jump ACCEPT
> # Heartbeat
> -A input-highavailability-if --protocol udp --match udp --dport 694 --jump ACCEPT
> #PCS
> -A input-highavailability-if --protocol tcp --match tcp --dport 2224 --jump ACCEPT
> -A input-highavailability-if --protocol tcp --match tcp --dport 3121 --jump ACCEPT
> -A input-highavailability-if --protocol tcp --match tcp --dport 21064 --jump ACCEPT
> 
> # These will redirect to the proper chains based on conf/pf.conf's configuration
> %%filter_if_src_to_chain%%
> 
> ### FORWARD ###
> :FORWARD DROP [0:0]
> -I FORWARD -j NETFLOW
> 
> :forward-internal-vlan-if - [0:0]
> %%filter_forward_vlan%%
> 
> :forward-internal-isolvlan-if - [0:0]
> %%filter_forward_isol_vlan%%
> 
> :forward-internal-inline-if - [0:0]
> %%filter_forward_inline%%
> 
> %%filter_forward%%
> 
> %%filter_forward_domain%%
> 
> :OUTPUT ACCEPT [0:0]
> 
> COMMIT
> 
> *mangle
> :PREROUTING ACCEPT [0:0]
> :prerouting-int-inline-if - [0:0]
> %%mangle_prerouting_inline%%
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> :POSTROUTING ACCEPT [0:0]
> :postrouting-int-inline-if - [0:0]
> %%mangle_postrouting_inline%%
> # These will redirect to the proper chains based on conf/pf.conf's configuration
> %%mangle_if_src_to_chain%%
> COMMIT
> 
> *nat
> :PREROUTING ACCEPT [0:0]
> :prerouting-int-inline-if - [0:0]
> :postrouting-inline-routed - [0:0]
> :postrouting-int-inline-if - [0:0]
> :prerouting-int-vlan-if - [0:0]
> 
> %%nat_prerouting_inline%%
> %%nat_prerouting_vlan%%
> 
> :OUTPUT ACCEPT [0:0]
> # These will redirect to the proper chains based on conf/pf.conf's configuration
> %%nat_if_src_to_chain%%
> 
> 
> :POSTROUTING ACCEPT [0:0]
> 
> %%nat_postrouting_inline%%
> 
> #
> # Chain to enable routing instead of NAT
> #
> %%routed_postrouting_inline%%
> 
> #
> # NAT out (PAT actually)
> #
> # If you want to do your own thing regarding NAT like for example:
> # - allowing through instead of doing NAT (make sure you have the proper return route)
> # - traffic out on some interface other than management
> # - overloading on multiple IP addresses
> # Comment the next two lines and do it here on the POSTROUTING chain.
> # Make sure to adjust the FORWARD rules also to allow traffic back-in.
> %%nat_postrouting_vlan%%
> 
> #
> # Routing for the hidden domain network
> #
> %%domain_postrouting%%
> COMMIT
> 
> On Wed 7 Oct 2020 at 15:17, Fabrice Durand via PacketFence-users <packetfence-users@lists.sourceforge.net> wrote:
> Hello Geert,
> 
> 
> 
> can you provide the file /usr/local/pf/var/conf/iptables.conf and the output 
> of iptables -L -n -v
> 
> 
> 
> Regards
> 
> Fabrice
> 
> 
> 
> On 2020-10-07 at 08:11, Geert Heremans via PacketFence-users wrote:
> Thank you Maile and others
> 
> Really appreciate it.
> 
> Putting the management network on the same as the DC didn't work.
> 
> Would it help if I joined the server using the net ads command and bypass the Join Domain function in PF?
> 
> Best regards
> Geert
> 
> On Wed 7 Oct 2020 at 10:32, Maile Halatuituia <maile.halatuit...@tcc.to> wrote:
> Hi Geert
> 
> I did have the same issue as yours but mine got fixed when I put my management interface on the same network where my Domain Controller is.
> 
> To be clearer, my Domain IP is 10.0.1.x/24 and my PF Management Interface is 10.0.1.y/24. After I made that change, everything works just fine. Hope it will help you.
> 
> Maile.
> 
>  
> From: Geert Heremans via PacketFence-users <packetfence-users@lists.sourceforge.net>
> Sent: Wednesday, 7 October 2020 9:59 AM
> To: packetfence-users@lists.sourceforge.net
> Cc: Geert Heremans <heremans.ge...@gmail.com>
> Subject: [PacketFence-users] Cannot join domain using GUI - net ads join works
> 
>  
> Hello everyone
> 
>  
> I'm trying to get my PF10 server to join my domain. The PF hostname is hades and my domain is sintcordula.be.
> 
>  
> Trying to join from the GUI fails because no DC is found.
> 
>  
> However when I try to join the server using the shell it works. The computer 
> account is created in the domain.
> 
>  
> Failed to join domain: failed to find DC for domain SINTCORDULA - {Operation 
> Failed} The requested operation was unsuccessful. 
> 
>  
> net ads join -s /etc/samba/scis2.conf -U XXXX
> Using short domain name -- SINTCORDULA
> Joined 'HADES' to dns domain 'SINTCORDULA.BE'
> No DNS domain configured for hades. Unable to perform DNS Update.
> DNS update failed: NT_STATUS_INVALID_PARAMETER
> 
>  
> Can anyone point me into the right direction for debugging?
> 
>  
> Best Regards 
> 
> Geert
> 
>  
>  
> Confidentiality Notice:
> 
> This email (including any attachment) is intended for internal use only. Any 
> unauthorized use, dissemination or copying of the content is prohibited. If 
> you are not the intended recipient and have received this e-mail in error, 
> please notify the sender by email and delete this email and any attachment.
> 
> 
> 
> 
> 
> _______________________________________________
> PacketFence-users mailing list
> PacketFence-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
> -- 
> Fabrice Durand
> fdur...@inverse.ca ::  +1.514.447.4918 (x135) ::  www.inverse.ca
> Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence (http://packetfence.org)
> 
> 

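The symptom in this thread is that the kernel still holds its default ruleset (every built-in chain at policy ACCEPT with no rules) while PacketFence's template sets ":INPUT DROP" and ":FORWARD DROP", which means iptables-restore rejected the rendered file; with "-I FORWARD -j NETFLOW" in it, the usual reason is that the ipt_NETFLOW module from dkms-ipt-netflow is not built for the running kernel. The script below is an added example, not PacketFence's code and not something anyone in the thread posted: it encodes Fabrice's checks as shell functions (tell a loaded ruleset apart from an unloaded one by the INPUT policy, detect the NETFLOW dependency in the rendered template, check /proc/modules for ipt_NETFLOW) and produces the template with the NETFLOW rule removed, which is his first workaround. The function names and the sample template and listings are mine; the samples are constructed from what Geert posted, reduced to the lines that matter.

```shell
#!/bin/sh
# Added diagnostic for the "iptables config is not able to load" symptom.
# Not PacketFence code; function names and sample inputs are the author's.
set -u

# Constructed: a minimal rendered /usr/local/pf/var/conf/iptables.conf,
# keeping only the DROP policies and the NETFLOW rule that break loading.
SAMPLE_CONF='*filter
:INPUT DROP [0:0]
-A INPUT --in-interface lo --jump ACCEPT
:FORWARD DROP [0:0]
-I FORWARD -j NETFLOW
:OUTPUT ACCEPT [0:0]
COMMIT'

# Constructed: `iptables -L -n -v` as posted in the thread, i.e. the kernel
# default (all built-in chains at policy ACCEPT, no rules) after a failed restore.
EMPTY_LISTING='Chain INPUT (policy ACCEPT 1891K packets, 332M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy ACCEPT 13 packets, 1053 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 1887K packets, 340M bytes)
 pkts bytes target     prot opt in     out     source               destination'

# Constructed: what the same listing looks like once the template has loaded.
LOADED_LISTING='Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0'

# ruleset_loaded LISTING
# The template always sets ":INPUT DROP", so an INPUT chain still at policy
# ACCEPT means iptables-restore never committed the rendered file.
ruleset_loaded() {
    printf '%s\n' "$1" | grep -q '^Chain INPUT (policy DROP'
}

# needs_netflow CONF
# True if the rendered template jumps to the NETFLOW target, which only exists
# when the ipt_NETFLOW module (dkms-ipt-netflow) is built for and loaded in
# the running kernel.
needs_netflow() {
    printf '%s\n' "$1" | grep -q -- '-j NETFLOW'
}

# netflow_module_loaded
# /proc/modules lists one loaded module per line, module name first.
netflow_module_loaded() {
    [ -r /proc/modules ] && grep -q '^ipt_NETFLOW ' /proc/modules
}

# strip_netflow CONF
# First workaround from the thread: drop the NETFLOW rule from the template.
strip_netflow() {
    printf '%s\n' "$1" | grep -v -- '-j NETFLOW'
}

# diagnose CONF LISTING
# Prints one line naming the state of the ruleset.
diagnose() {
    if ruleset_loaded "$2"; then
        echo "ok: ruleset loaded"
    elif needs_netflow "$1" && ! netflow_module_loaded; then
        echo "not loaded: template uses -j NETFLOW but ipt_NETFLOW is not loaded"
    else
        echo "not loaded: run iptables-restore --test on the rendered file to see the error"
    fi
}

# Stand-alone run on the constructed samples: sh diag.sh run
if [ "${1:-}" = "run" ]; then
    diagnose "$SAMPLE_CONF" "$EMPTY_LISTING"
    diagnose "$SAMPLE_CONF" "$LOADED_LISTING"
    echo "--- template with the NETFLOW rule removed:"
    strip_netflow "$SAMPLE_CONF"
fi
```

On a real PacketFence box, feed diagnose the contents of /usr/local/pf/var/conf/iptables.conf and the live output of iptables -L -n -v instead of the samples. After editing the template (or reinstalling dkms-ipt-netflow after a kernel update, the second option in the thread), iptables-restore --test on the rendered file confirms it parses before systemctl restart packetfence-iptables is run; removing the NETFLOW rule only disables NetFlow export to the Fingerbank collector, the DROP policies and per-interface chains load unchanged.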