Antsle Forum
Antman 3.0.0c on Nano .. having issues (resolved)
Quote from chamorroroots on March 3, 2020, 9:04 pm
@ddmscott
Executed upgrade-antman 3.0.0d, but it still does not resolve the network issue.
root@myantsle:~ # systemctl status firewalld -l
- firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
Active: active (running) since Thu 1970-01-01 00:00:11 UTC; 50 years 2 months ago
Docs: man:firewalld(1)
Main PID: 1085 (firewalld)
Tasks: 2
Memory: 26.3M
CGroup: /system.slice/firewalld.service
└─1085 /usr/bin/python2 -Es /usr/sbin/firewalld --nofork --nopid
Jan 01 00:00:32 myantsle firewalld[1085]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t filter -F DOCKER' failed: iptables: No chain/target/match by that name.
Jan 01 00:00:32 myantsle firewalld[1085]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t filter -X DOCKER' failed: iptables: No chain/target/match by that name.
Jan 01 00:00:32 myantsle firewalld[1085]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t filter -F DOCKER-ISOLATION-STAGE-1' failed: iptables: No chain/target/match by that name.
Jan 01 00:00:32 myantsle firewalld[1085]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t filter -X DOCKER-ISOLATION-STAGE-1' failed: iptables: No chain/target/match by that name.
Jan 01 00:00:32 myantsle firewalld[1085]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t filter -F DOCKER-ISOLATION-STAGE-2' failed: iptables: No chain/target/match by that name.
Jan 01 00:00:32 myantsle firewalld[1085]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t filter -X DOCKER-ISOLATION-STAGE-2' failed: iptables: No chain/target/match by that name.
Jan 01 00:00:32 myantsle firewalld[1085]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t filter -F DOCKER-ISOLATION' failed: iptables: No chain/target/match by that name.
Jan 01 00:00:32 myantsle firewalld[1085]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -t filter -X DOCKER-ISOLATION' failed: iptables: No chain/target/match by that name.
Jan 01 00:00:32 myantsle firewalld[1085]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -D FORWARD -i docker0 -o docker0 -j DROP' failed: iptables: Bad rule (does a matching rule exist in that chain?).
Jan 01 00:00:34 myantsle firewalld[1085]: WARNING: COMMAND_FAILED: '/usr/sbin/iptables -w10 -D FORWARD -i docker0 -o docker0 -j DROP' failed: iptables: Bad rule (does a matching rule exist in that chain?).
Quote from Joe on March 4, 2020, 8:25 am
Hi,
Antsle dev here. We ran into issues integrating firewalld and our other virtualization tools, so starting with 3.0.0d, iptables will be used to create port forwarding rules.
To check if your rules are intact in your command line, run
iptables -t nat -L
If you don't see your port forwarding rule there, try disabling and re-enabling your port forwarding rule on antMan and give it another shot.
-Joe
Quote from soneill on March 5, 2020, 9:39 am
Well, progress 🙂 Looks like antlet creation still doesn't create anything related to port forwarding.
Manual port forward creation does work as this shows. I created a 22011 forward pointing to the same antlet that 22010 should be there for. Accessing port 22011 via SSH does work now remotely.
iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DOCKER all -- anywhere anywhere ADDRTYPE match dst-type LOCAL
DNAT tcp -- anywhere myantsle tcp dpt:22011 to:10.1.1.10:22<snip>
But .. I just discovered that manual port forwarding is not persisted within iptables. If you reboot your Nano, it's gone from iptables. It still exists within Antman as a definition. You have to disable and re-enable it in Antman to get it back in iptables.
So fixing is still in progress apparently.
Quote from soneill on March 5, 2020, 10:00 am
Actually a question related to my post above. Is the intent that antlet creation port forwards will also show in the Port Forward antman web page alongside manually created port forwards?
I would think so but just asking.
Oh, and if that is the intent, it would be nice if the port forward screen indicated whether a port forward is a result of manual creation or antlet creation. Just a feature suggestion.
Quote from jared_85k on March 5, 2020, 8:58 pm
This is affecting Edgelinux 2.0.
As a workaround until support can resolve the issue, I use the libvirt hooks method with a few modifications so that I just update a file with the config I want and let libvirt update iptables when I start and stop antlets.
Modified libvirt hook at "/etc/libvirt/hooks/lxc":
#!/bin/bash
# update: 10/24/2018
# libvirt invokes this hook as: lxc <antlet name> <operation> <sub-operation> ...
antlet_type=$(basename "$0")
echo "$(date) hook/${antlet_type} antlet ${1} ${2}" >>/var/log/libvirt/hook.log

# One antlet per line in /etc/libvirt/hooks/antlets_lxc:
#   name:guest_ip:guest_ports,...:host_ip:host_ports,...
# Update the following variables to fit your setup
# Use an equal number of host and guest ports
while IFS=: read -r antlet_name antlet_ipaddr antlet_ports_list host_ipaddr host_ports_list; do
    IFS=, read -r -a antlet_ports <<<"$antlet_ports_list"
    IFS=, read -r -a host_ports <<<"$host_ports_list"

    # Update iptables, but only for the antlet this invocation is about
    length=$(( ${#host_ports[@]} - 1 ))
    if [ "${1}" = "${antlet_name}" ]; then
        # Remove the rules on stop; reconnect removes and then re-adds them
        if [ "${2}" = "stopped" ] || [ "${2}" = "reconnect" ]; then
            for i in $(seq 0 "$length"); do
                echo "$(date) hook/${antlet_type} antlet ${antlet_name} Closing port ${host_ports[$i]} -> ${antlet_ports[$i]}" >>/var/log/libvirt/hook.log
                iptables -t nat -D PREROUTING -d "${host_ipaddr}" -p udp --dport "${host_ports[$i]}" -j DNAT --to "${antlet_ipaddr}:${antlet_ports[$i]}"
                iptables -D FORWARD -d "${antlet_ipaddr}/32" -p udp -m state --state NEW,ESTABLISHED,RELATED --dport "${antlet_ports[$i]}" -j ACCEPT
                iptables -t nat -D PREROUTING -d "${host_ipaddr}" -p tcp --dport "${host_ports[$i]}" -j DNAT --to "${antlet_ipaddr}:${antlet_ports[$i]}"
                iptables -D FORWARD -d "${antlet_ipaddr}/32" -p tcp -m state --state NEW,ESTABLISHED,RELATED --dport "${antlet_ports[$i]}" -j ACCEPT
            done
        fi
        # Add the DNAT (port forward) and FORWARD (allow) rules on start
        if [ "${2}" = "start" ] || [ "${2}" = "reconnect" ]; then
            for i in $(seq 0 "$length"); do
                echo "$(date) hook/${antlet_type} antlet ${antlet_name} Mapping port ${host_ports[$i]} -> ${antlet_ports[$i]}" >>/var/log/libvirt/hook.log
                iptables -t nat -A PREROUTING -d "${host_ipaddr}" -p tcp --dport "${host_ports[$i]}" -j DNAT --to "${antlet_ipaddr}:${antlet_ports[$i]}"
                iptables -I FORWARD -d "${antlet_ipaddr}/32" -p tcp -m state --state NEW,ESTABLISHED,RELATED --dport "${antlet_ports[$i]}" -j ACCEPT
                iptables -t nat -A PREROUTING -d "${host_ipaddr}" -p udp --dport "${host_ports[$i]}" -j DNAT --to "${antlet_ipaddr}:${antlet_ports[$i]}"
                iptables -I FORWARD -d "${antlet_ipaddr}/32" -p udp -m state --state NEW,ESTABLISHED,RELATED --dport "${antlet_ports[$i]}" -j ACCEPT
            done
        fi
    fi
done < /etc/libvirt/hooks/antlets_lxc
Then I created the file /etc/libvirt/hooks/antlets_lxc
In this file I place the information for the port forwarding that I want; each line is a config for an antlet.
{antlet-name}:{antlet-ipaddress}:{ports-to-forward-comma-delimited}:{antsle-machine-ip}:{ports-forwarded-comma-delimited}
example - where 192.168.1.1 is the ip of my antsle:
antlet-01:10.1.1.10:22,80:192.168.1.1:22010,80010
antlet-02:10.1.1.11:22:192.168.1.1:22011
This will forward ports 22010 to port 22 and 80010 to port 80 of my antlet-01 and port 22011 to port 22 of my antlet-02.
When you shut off an antlet the forwarded ports will be removed from iptables, when you start an antlet they will be added.
Routes are not persisted through an antsle restart, but when the antlets are started via the web app or at boot, iptables is updated.
Cheers!
Quote from the_threat_of_love on March 29, 2020, 3:24 pm
Creating a static route like this solved my issue.
- Destination Network: 10.1.1.0
- Subnet Mask: 255.255.255.0
- Default Gateway: LAN IP of Antsle machine (192.168.X.X)
Then I could see a trivial web app I had up at 10.1.1.10.