Can not connect to CIFS, ports not allowed in iptables
-
Hi,
I'm trying to connect to a CIFS drive (Hetzner StorageBox) but didn't succeed. After some debugging it seems that the CIFS ports (139,445) are not allowed in the Cloudron iptables config.
I already ran
sudo systemctl restart cloudron-firewall
and rebooted the machine.
I followed this Hetzner guide to mount from CLI: https://docs.hetzner.com/storage/storage-box/access/access-samba-cifs

$ sudo mount.cifs -o user=uxxxxx,pass=xxxxx,iocharset=utf8 //uxxxxxx.your-storagebox.de/backup /mnt/cifs-test
mount error(115): Operation now in progress
Refer to the mount.cifs(8) manual page (e.g. man mount.cifs) and kernel log messages (dmesg)

$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
CLOUDRON_RATELIMIT all -- anywhere anywhere
CLOUDRON all -- anywhere anywhere

Chain FORWARD (policy DROP)
target prot opt source destination
CLOUDRON_RATELIMIT all -- anywhere anywhere
DOCKER-USER all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-1 all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Chain CLOUDRON (1 references)
target prot opt source destination
DROP all -- anywhere anywhere match-set cloudron_blocklist src
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp multiport dports ssh,http,202,https
ACCEPT tcp -- anywhere anywhere multiport dports 3478,5349
ACCEPT udp -- anywhere anywhere multiport dports 3478,5349
ACCEPT udp -- anywhere anywhere multiport dports 50000:51000
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT icmp -- anywhere anywhere icmp echo-reply
ACCEPT udp -- anywhere anywhere udp spt:domain
ACCEPT tcp -- 172.18.0.0/16 p2-main-htz multiport dports 3002,3003
ACCEPT udp -- 172.18.0.0/16 anywhere udp dpt:domain
ACCEPT all -- anywhere anywhere
LOG all -- anywhere anywhere limit: avg 2/min burst 5 LOG level debug prefix "Packet dropped: "
DROP all -- anywhere anywhere

Chain CLOUDRON_RATELIMIT (2 references)
target prot opt source destination
CLOUDRON_RATELIMIT_LOG tcp -- anywhere anywhere tcp dpt:http flags:FIN,SYN,RST,ACK/SYN #conn src/32 > 5000
CLOUDRON_RATELIMIT_LOG tcp -- anywhere anywhere tcp dpt:https flags:FIN,SYN,RST,ACK/SYN #conn src/32 > 5000
  tcp -- anywhere anywhere tcp dpt:ssh state NEW recent: SET name: public-22 side: source mask: 255.255.255.255
CLOUDRON_RATELIMIT_LOG tcp -- anywhere anywhere tcp dpt:ssh state NEW recent: UPDATE seconds: 10 hit_count: 5 name: public-22 side: source mask: 255.255.255.255
  tcp -- anywhere anywhere tcp dpt:202 state NEW recent: SET name: public-202 side: source mask: 255.255.255.255
CLOUDRON_RATELIMIT_LOG tcp -- anywhere anywhere tcp dpt:202 state NEW recent: UPDATE seconds: 10 hit_count: 5 name: public-202 side: source mask: 255.255.255.255
  tcp -- anywhere anywhere tcp dpt:222 state NEW recent: SET name: public-222 side: source mask: 255.255.255.255
CLOUDRON_RATELIMIT_LOG tcp -- anywhere anywhere tcp dpt:222 state NEW recent: UPDATE seconds: 10 hit_count: 5 name: public-222 side: source mask: 255.255.255.255
CLOUDRON_RATELIMIT_LOG tcp -- anywhere anywhere tcp dpt:ldaps flags:FIN,SYN,RST,ACK/SYN #conn src/32 > 5000
CLOUDRON_RATELIMIT_LOG tcp -- anywhere anywhere tcp dpt:3004 flags:FIN,SYN,RST,ACK/SYN #conn src/32 > 5000
CLOUDRON_RATELIMIT_LOG tcp -- !172.18.0.0/16 172.18.0.0/16 tcp dpt:2525 flags:FIN,SYN,RST,ACK/SYN #conn src/32 > 50
CLOUDRON_RATELIMIT_LOG tcp -- !172.18.0.0/16 172.18.0.0/16 tcp dpt:sieve flags:FIN,SYN,RST,ACK/SYN #conn src/32 > 50
CLOUDRON_RATELIMIT_LOG tcp -- !172.18.0.0/16 172.18.0.0/16 tcp dpt:9993 flags:FIN,SYN,RST,ACK/SYN #conn src/32 > 50
CLOUDRON_RATELIMIT_LOG tcp -- 172.18.0.0/16 172.18.0.0/16 tcp dpt:2525 flags:FIN,SYN,RST,ACK/SYN #conn src/32 > 500
CLOUDRON_RATELIMIT_LOG tcp -- 172.18.0.0/16 172.18.0.0/16 tcp dpt:3002 flags:FIN,SYN,RST,ACK/SYN #conn src/32 > 500
CLOUDRON_RATELIMIT_LOG tcp -- 172.18.0.0/16 172.18.0.0/16 tcp dpt:sieve flags:FIN,SYN,RST,ACK/SYN #conn src/32 > 500
CLOUDRON_RATELIMIT_LOG tcp -- 172.18.0.0/16 172.18.0.0/16 tcp dpt:9993 flags:FIN,SYN,RST,ACK/SYN #conn src/32 > 500
CLOUDRON_RATELIMIT_LOG tcp -- 172.18.0.0/16 172.18.0.0/16 tcp dpt:9995 flags:FIN,SYN,RST,ACK/SYN #conn src/32 > 500
CLOUDRON_RATELIMIT_LOG tcp -- 172.18.0.0/16 172.18.0.0/16 tcp dpt:mysql flags:FIN,SYN,RST,ACK/SYN #conn src/32 > 5000
CLOUDRON_RATELIMIT_LOG tcp -- 172.18.0.0/16 172.18.0.0/16 tcp dpt:postgresql flags:FIN,SYN,RST,ACK/SYN #conn src/32 > 5000
CLOUDRON_RATELIMIT_LOG tcp -- 172.18.0.0/16 172.18.0.0/16 tcp dpt:redis flags:FIN,SYN,RST,ACK/SYN #conn src/32 > 5000
CLOUDRON_RATELIMIT_LOG tcp -- 172.18.0.0/16 172.18.0.0/16 tcp dpt:27017 flags:FIN,SYN,RST,ACK/SYN #conn src/32 > 5000

Chain CLOUDRON_RATELIMIT_LOG (19 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 2/min burst 5 LOG level debug prefix "IPTables RateLimit: "
DROP all -- anywhere anywhere

Chain DOCKER (3 references)
target prot opt source destination
ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:postgresql
ACCEPT tcp -- anywhere 172.18.0.3 tcp dpt:2003
ACCEPT udp -- anywhere 172.18.19.208 udp dpt:8443
ACCEPT tcp -- anywhere 172.18.0.5 tcp dpt:ssh

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target prot opt source destination
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
RETURN all -- anywhere anywhere

Chain DOCKER-ISOLATION-STAGE-2 (3 references)
target prot opt source destination
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
RETURN all -- anywhere anywhere

Chain DOCKER-USER (1 references)
target prot opt source destination
DROP all -- anywhere anywhere match-set cloudron_blocklist src
RETURN all -- anywhere anywhere

Any ideas what to do here? thx!
@perelin said in Can not connect to CIFS, ports not allowed in iptables:
CIFS ports (139,445)
These are outbound ports and not blocked by firewall.
Are you able to ping your storage box? I can ping mine. If you are on Hetzner, this could also be an IPv6 routing issue (you have to open a support ticket with them to resolve this. I had to do this for my dedi).
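
The reply's reasoning, as an added example that is not part of the original thread or of Cloudron's code: `mount.cifs` opens a connection from the host to port 445, so what matters is the OUTPUT chain and whether replies are accepted on the way back in, not whether 445 appears in the inbound allow-list. The sample listing is constructed in the shape of the one posted above, and `probe_smb` assumes OpenBSD netcat flags.

```shell
#!/bin/sh
# Constructed sample: abbreviated `iptables -L` output shaped like the listing in the post.
SAMPLE='Chain INPUT (policy ACCEPT)
target     prot opt source     destination
CLOUDRON   all  --  anywhere   anywhere
Chain OUTPUT (policy ACCEPT)
target     prot opt source     destination
Chain CLOUDRON (1 references)
target     prot opt source     destination
ACCEPT     all  --  anywhere   anywhere   state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere   anywhere   tcp multiport dports ssh,http,202,https
DROP       all  --  anywhere   anywhere'

# stdin: `iptables -L` text. Prints "open" when OUTPUT has policy ACCEPT and
# no DROP/REJECT rule (locally initiated connections leave unfiltered).
output_verdict() {
    awk '
        /^Chain /           { in_out = ($2 == "OUTPUT") }
        in_out && /^Chain / { policy = $4; sub(/\)/, "", policy) }
        in_out && ($1 == "DROP" || $1 == "REJECT") { blocked = 1 }
        END { print ((policy == "ACCEPT" && !blocked) ? "open" : "filtered") }
    '
}

# stdin: `iptables -L` text; $1: chain name. Prints "yes" when that chain
# accepts RELATED,ESTABLISHED packets, i.e. replies to outbound connections.
chain_accepts_replies() {
    awk -v c="$1" '
        /^Chain / { in_c = ($2 == c) }
        in_c && $1 == "ACCEPT" && /RELATED,ESTABLISHED/ { ok = 1 }
        END { print (ok ? "yes" : "no") }
    '
}

# Live check per address family; not run here. Assumes OpenBSD netcat flags.
probe_smb() {  # $1: storage box hostname
    for fam in 4 6; do
        if nc "-$fam" -z -w 5 "$1" 445 2>/dev/null; then echo "IPv$fam ok"
        else echo "IPv$fam failed"; fi
    done
}

printf '%s\n' "$SAMPLE" | output_verdict
printf '%s\n' "$SAMPLE" | chain_accepts_replies CLOUDRON
```

On a live host, pipe `sudo iptables -L` into the two parsing functions; if both report a clean result and `probe_smb` fails for only one address family, the cause is routing rather than the firewall.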
-
J joseph marked this topic as a question on
-
J joseph has marked this topic as solved on