Hello Fabrice
of course. Anything that helps.
The output of the iptables -L -n -v command you'll find below:
Chain INPUT (policy ACCEPT 1891K packets, 332M bytes)
pkts bytes target prot opt in out source
destination
Chain FORWARD (policy ACCEPT 13 packets, 1053 bytes)
pkts bytes target prot opt in out source
destination
Chain OUTPUT (policy ACCEPT 1887K packets, 340M bytes)
pkts bytes target prot opt in out source
destination
Below the contents of the iptables.conf file. Also attached to this email
# Copyright (C) Inverse inc.
# iptables template
# This file is manipulated on PacketFence's startup before being given
to iptables
*filter
### INPUT ###
:INPUT DROP [0:0]
# accept loopback stuff
-A INPUT --in-interface lo --jump ACCEPT
# accept anything related
-A INPUT --match state --state ESTABLISHED,RELATED --jump ACCEPT
# Accept Ping (easier troubleshooting)
-A INPUT --protocol icmp --icmp-type echo-request --jump ACCEPT
:input-management-if - [0:0]
# SSH
-A input-management-if --match state --state NEW --match tcp
--protocol tcp --dport 22 --jump ACCEPT
# HTTP and HTTPS for the portal
-A input-management-if --protocol tcp --match tcp --dport 80 --jump ACCEPT
-A input-management-if --protocol tcp --match tcp --dport 443 --jump
ACCEPT
# Web Admin
-A input-management-if --protocol tcp --match tcp --dport
%%web_admin_port%% --jump ACCEPT
# Webservices
-A input-management-if --protocol tcp --match tcp --dport
%%webservices_port%% --jump ACCEPT
# AAA
-A input-management-if --protocol tcp --match tcp --dport %%aaa_port%%
--jump ACCEPT
# Unified API
-A input-management-if --protocol tcp --match tcp --dport
%%unifiedapi_port%% --jump ACCEPT
# httpd.portal modstatus
-A input-management-if --protocol tcp --match tcp --dport
%%httpd_portal_modstatus%% --jump ACCEPT
# httpd.collector
-A input-management-if --protocol tcp --match tcp --dport
%%httpd_collector_port%% --jump ACCEPT
# haproxy stats (uncomment if activating the haproxy dashboard) - 1025
for haproxy-portal, 1026 for haproxy-db
#-A input-management-if --protocol tcp --match tcp --dport 1025 --jump
ACCEPT
#-A input-management-if --protocol tcp --match tcp --dport 1026 --jump
ACCEPT
# Netdata
-A input-management-if --protocol tcp --match tcp --dport 19999 --jump
ACCEPT
# RADIUS
-A input-management-if --protocol tcp --match tcp --dport 1812 --jump
ACCEPT
-A input-management-if --protocol udp --match udp --dport 1812 --jump
ACCEPT
-A input-management-if --protocol tcp --match tcp --dport 1813 --jump
ACCEPT
-A input-management-if --protocol udp --match udp --dport 1813 --jump
ACCEPT
-A input-management-if --protocol tcp --match tcp --dport 1815 --jump
ACCEPT
-A input-management-if --protocol udp --match udp --dport 1815 --jump
ACCEPT
-A input-management-if --protocol tcp --match tcp --dport 2083 --jump
ACCEPT
# RADIUS (eduroam virtual-server)
%%eduroam_radius_virtualserver%%
# SNMP Traps
-A input-management-if --protocol udp --match udp --dport 162 --jump
ACCEPT
# DHCP (for IP Helpers to mgmt to track users' IP in production VLANs)
-A input-management-if --protocol udp --match udp --dport 67 --jump
ACCEPT
-A input-management-if --protocol tcp --match tcp --dport 67 --jump
ACCEPT
# OpenVAS Administration Interface
-A input-management-if --protocol tcp --match tcp --dport 9392 --jump
ACCEPT
# Nessus Administration Interface
-A input-management-if --protocol tcp --match tcp --dport 8834 --jump
ACCEPT
# PacketFence-PKI
# -A input-management-if --protocol tcp --match tcp --dport 9393
--jump ACCEPT
# -A input-management-if --protocol tcp --match tcp --dport 9292
--jump ACCEPT
# Fingerbank collector (replication, Netflow, API, sFlow)
-A input-management-if --protocol udp --match udp --dport 1192 --jump
ACCEPT
-A input-management-if --protocol udp --match udp --dport 2055 --jump
ACCEPT
-A input-management-if --protocol tcp --match tcp --dport 4723 --jump
ACCEPT
-A input-management-if --protocol udp --match udp --dport 6343 --jump
ACCEPT
# VRRP
-A input-management-if -d 224.0.0.0/8 <http://224.0.0.0/8> -j ACCEPT
-A input-management-if -p vrrp -j ACCEPT
# Mysql
-A input-management-if --protocol tcp --match tcp --dport 3306 --jump
ACCEPT
# Syslog
-A input-management-if --protocol udp --match udp --dport 514 --jump
ACCEPT
:input-portal-if - [0:0]
-A input-portal-if --protocol tcp --match tcp --dport 80 --jump ACCEPT
-A input-portal-if --protocol tcp --match tcp --dport 443 --jump ACCEPT
:input-radius-if - [0:0]
-A input-radius-if --protocol tcp --match tcp --dport 1812 --jump ACCEPT
-A input-radius-if --protocol udp --match udp --dport 1812 --jump ACCEPT
-A input-radius-if --protocol tcp --match tcp --dport 1813 --jump ACCEPT
-A input-radius-if --protocol udp --match udp --dport 1813 --jump ACCEPT
-A input-radius-if --protocol tcp --match tcp --dport 1815 --jump ACCEPT
-A input-radius-if --protocol udp --match udp --dport 1815 --jump ACCEPT
-A input-radius-if --protocol tcp --match tcp --dport 2083 --jump ACCEPT
%%eduroam_radius_listening%%
:input-dns-if - [0:0]
-A input-dns-if --protocol tcp --match tcp --dport 53 --jump ACCEPT
-A input-dns-if --protocol udp --match udp --dport 53 --jump ACCEPT
:input-dhcp-if - [0:0]
-A input-dhcp-if --protocol udp --match udp --dport 67 --jump ACCEPT
-A input-dhcp-if --protocol tcp --match tcp --dport 67 --jump ACCEPT
:input-internal-vlan-if - [0:0]
# DNS
-A input-internal-vlan-if --protocol tcp --match tcp --dport 53
--jump ACCEPT
-A input-internal-vlan-if --protocol udp --match udp --dport 53
--jump ACCEPT
# HTTP (captive-portal)
-A input-internal-vlan-if --protocol tcp --match tcp --dport 80
--jump ACCEPT
-A input-internal-vlan-if --protocol tcp --match tcp --dport 443
--jump ACCEPT
-A input-internal-vlan-if --protocol tcp --match tcp --dport 647
--jump ACCEPT
# HTTP (parking portal)
-A input-internal-vlan-if --protocol tcp --match tcp --dport 5252
--jump ACCEPT
%%input_inter_vlan_if%%
:input-internal-isol_vlan-if - [0:0]
# DNS
-A input-internal-isol_vlan-if --protocol tcp --match tcp --dport 53
--jump ACCEPT
-A input-internal-isol_vlan-if --protocol udp --match udp --dport 53
--jump ACCEPT
# DHCP
-A input-internal-isol_vlan-if --protocol udp --match udp --dport 67
--jump ACCEPT
-A input-internal-isol_vlan-if --protocol tcp --match tcp --dport 67
--jump ACCEPT
# HTTP (captive-portal)
-A input-internal-isol_vlan-if --protocol tcp --match tcp --dport 80
--jump ACCEPT
-A input-internal-isol_vlan-if --protocol tcp --match tcp --dport 443
--jump ACCEPT
-A input-internal-isol_vlan-if --protocol tcp --match tcp --dport 647
--jump ACCEPT
# HTTP (parking portal)
-A input-internal-isol_vlan-if --protocol tcp --match tcp --dport 5252
--jump ACCEPT
%%input_inter_isol_vlan_if%%
:input-internal-inline-if - [0:0]
# DNS
-A input-internal-inline-if --protocol tcp --match tcp --dport 53
--jump ACCEPT
-A input-internal-inline-if --protocol udp --match udp --dport 53
--jump ACCEPT
# HTTP (captive-portal)
# prevent registered users from reaching it
# TODO: Must work in dispatcher and Catalyst to redirect registered
client out of the portal
#-A input-internal-inline-if --protocol tcp --match tcp --dport 80
--match mark --mark 0x1 --jump DROP
#-A input-internal-inline-if --protocol tcp --match tcp --dport 443
--match mark --mark 0x1 --jump DROP
# allow everyone else behind inline interface (not registered,
isolated, etc.)
-A input-internal-inline-if --protocol tcp --match tcp --dport 80
--jump ACCEPT
-A input-internal-inline-if --protocol tcp --match tcp --dport 443
--jump ACCEPT
-A input-internal-inline-if --protocol tcp --match tcp --dport 647
--jump ACCEPT
%%input_inter_inline_rules%%
:input-highavailability-if - [0:0]
#SSH
-A input-highavailability-if --match state --state NEW --match tcp
--protocol tcp --dport 22 --jump ACCEPT
#Galera autofix
-A input-highavailability-if --protocol udp --match udp --dport 4253
--jump ACCEPT
#Galera cluster
-A input-highavailability-if --protocol tcp --match tcp --dport 4444
--jump ACCEPT
-A input-highavailability-if --protocol tcp --match tcp --dport 4567
--jump ACCEPT
-A input-highavailability-if --protocol tcp --match tcp --dport 4568
--jump ACCEPT
#PacketFence MariaDB Quorum server
-A input-highavailability-if --protocol tcp --match tcp --dport 7890
--jump ACCEPT
-A input-highavailability-if --protocol tcp --match tcp --dport 7891
--jump ACCEPT
# Corosync
-A input-highavailability-if --protocol udp --match udp --dport 5405
--jump ACCEPT
-A input-highavailability-if --protocol udp --match udp --dport 5407
--jump ACCEPT
#DRBD
-A input-highavailability-if --protocol tcp --match tcp --dport 7788
--jump ACCEPT
# Heartbeat
-A input-highavailability-if --protocol udp --match udp --dport 694
--jump ACCEPT
#PCS
-A input-highavailability-if --protocol tcp --match tcp --dport 2224
--jump ACCEPT
-A input-highavailability-if --protocol tcp --match tcp --dport 3121
--jump ACCEPT
-A input-highavailability-if --protocol tcp --match tcp --dport 21064
--jump ACCEPT
# These will redirect to the proper chains based on conf/pf.conf's
configuration
%%filter_if_src_to_chain%%
### FORWARD ###
:FORWARD DROP [0:0]
-I FORWARD -j NETFLOW
:forward-internal-vlan-if - [0:0]
%%filter_forward_vlan%%
:forward-internal-isolvlan-if - [0:0]
%%filter_forward_isol_vlan%%
:forward-internal-inline-if - [0:0]
%%filter_forward_inline%%
%%filter_forward%%
%%filter_forward_domain%%
:OUTPUT ACCEPT [0:0]
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
:prerouting-int-inline-if - [0:0]
%%mangle_prerouting_inline%%
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:postrouting-int-inline-if - [0:0]
%%mangle_postrouting_inline%%
# These will redirect to the proper chains based on conf/pf.conf's
configuration
%%mangle_if_src_to_chain%%
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:prerouting-int-inline-if - [0:0]
:postrouting-inline-routed - [0:0]
:postrouting-int-inline-if - [0:0]
:prerouting-int-vlan-if - [0:0]
%%nat_prerouting_inline%%
%%nat_prerouting_vlan%%
:OUTPUT ACCEPT [0:0]
# These will redirect to the proper chains based on conf/pf.conf's
configuration
%%nat_if_src_to_chain%%
:POSTROUTING ACCEPT [0:0]
%%nat_postrouting_inline%%
#
# Chain to enable routing instead of NAT
#
%%routed_postrouting_inline%%
#
# NAT out (PAT actually)
#
# If you want to do your own thing regarding NAT like for example:
# - allowing through instead of doing NAT (make sure you have the
proper return route)
# - traffic out on some interface other than management
# - overloading on multiple IP addresses
# Comment the next two lines and do it here on the POSTROUTING chain.
# Make sure to adjust the FORWARD rules also to allow traffic back-in.
%%nat_postrouting_vlan%%
#
# Routing for the hidden domain network
#
%%domain_postrouting%%
COMMIT
Op wo 7 okt. 2020 om 15:17 schreef Fabrice Durand via
PacketFence-users <packetfence-users@lists.sourceforge.net
<mailto:packetfence-users@lists.sourceforge.net>>:
Hello Geert,
can you provide the file /usr/local/pf/var/conf/iptables.conf and
the output of iptables -L -n -v
Regards
Fabrice
Le 20-10-07 à 08 h 11, Geert Heremans via PacketFence-users a écrit :
Thank you Maile and others
Really appreciate it.
Putting the management network on the same as the DC din't work.
Would it help if I joined the server using the net ads command
end bypass the Join Domain function in PF?
Best regards
Geert
Op wo 7 okt. 2020 om 10:32 schreef Maile Halatuituia
<maile.halatuit...@tcc.to <mailto:maile.halatuit...@tcc.to>>:
Hi Geert
I did have the same issue as yours but mine got fixed when I
put my management interface on the same network where my
Doman Controller is.
To be more clearer, my Domain IP is 10.0.1.x/24 and my PF
Management Interface is 10.0.1.y/24. After I made that
changed , everything works just fine. Hope it will help you.
Maile.
*From:*Geert Heremans via PacketFence-users
<packetfence-users@lists.sourceforge.net
<mailto:packetfence-users@lists.sourceforge.net>>
*Sent:* Wednesday, 7 October 2020 9:59 AM
*To:* packetfence-users@lists.sourceforge.net
<mailto:packetfence-users@lists.sourceforge.net>
*Cc:* Geert Heremans <heremans.ge...@gmail.com
<mailto:heremans.ge...@gmail.com>>
*Subject:* [PacketFence-users] Cannot join domain using GUI -
net ads join works
Hello everyone
I'm trying to get my PF10 server to join my domain. The PF
hostname is hades and my domain is sintcordula.be
<http://sintcordula.be>.
Trying to join from the gui false because no DC is found.
However when I try to join the server using the shell it
works. The computer account is created in the domain.
Failed to join domain: failed to find DC for domain
SINTCORDULA - {Operation Failed} The requested operation was
unsuccessful.
net ads join -s /etc/samba/scis2.conf -U XXXX
Using short domain name -- SINTCORDULA
Joined 'HADES' to dns domain 'SINTCORDULA.BE
<http://SINTCORDULA.BE>'
No DNS domain configured for hades. Unable to perform DNS Update.
DNS update failed: NT_STATUS_INVALID_PARAMETER
Can anyone point me into the right direction for debugging?
Best Regards
Geert
Confidentiality Notice:
This email (including any attachment) is intended for
internal use only. Any unauthorized use, dissemination or
copying of the content is prohibited. If you are not the
intended recipient and have received this e-mail in error,
please notify the sender by email and delete this email and
any attachment.
Confidentiality Notice:
This email (including any attachment) is intended for
internal use only. Any unauthorized use, dissemination or
copying of the content is prohibited. If you are not the
intended recipient and have received this e-mail in error,
please notify the sender by email and delete this email and
any attachment.
_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
<mailto:PacketFence-users@lists.sourceforge.net>
https://lists.sourceforge.net/lists/listinfo/packetfence-users
--
Fabrice Durand
fdur...@inverse.ca <mailto:fdur...@inverse.ca> :: +1.514.447.4918 (x135)
::www.inverse.ca <http://www.inverse.ca>
Inverse inc. :: Leaders behind SOGo (http://www.sogo.nu) and PacketFence
(http://packetfence.org)
_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
<mailto:PacketFence-users@lists.sourceforge.net>
https://lists.sourceforge.net/lists/listinfo/packetfence-users
