Failed to connect to: No route to host correctly Server A to B

Support for security such as Firewalls and securing linux
flameblue59
Posts: 4
Joined: 2020/03/05 18:38:57

Failed to connect to: No route to host correctly Server A to B

Post by flameblue59 » 2020/03/05 18:44:22

Hi, I have two servers which connect together through an API. However, I have no idea why they block each other. I have done almost everything but did not get any solution. Steps I have done:

Add the following rules to iptables:
iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 443 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 21 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 22 -j ACCEPT

Then, I tried to disable iptables
service iptables stop

I added the IP address to hosts.allow.

None of those steps is working. I tried to check; there is no firewall installed. The weird thing is, it works once I reboot the server. It is really strange since the problem should be from those servers. I am so frustrated since I have to reboot the server twice a day in order to make it work.

Whoever
Posts: 1130
Joined: 2013/09/06 03:12:10

Re: Failed to connect to: No route to host correctly Server A to B

Post by Whoever » 2020/03/07 01:19:13

You are appending these rules to the existing rule sets. If a prior rule already causes the packets to be dropped, these rules will not make any difference.

Post the results of:

Code:

iptables -L -n -v
when the servers cannot connect.

You might have a routing problem. Try installing tcptraceroute and tcpdump; use these to see what is happening to your packets.

Are you sure the IP addresses are not changing or that you don't have other machines with duplicate IP addresses (or MAC addresses)? Normally the scripts that bring up the interfaces will check for this, but those checks can be disabled.
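
The rule-order point in the reply above, as an added example that is not part of the original thread: it walks an `iptables -S INPUT` listing and reports the first rule a new inbound TCP connection to a given port would hit. The sample rule set (a catch-all REJECT followed by rules added with `-A`), the `sample_rules` and `first_match` names, and the simplified matcher are assumptions made for illustration.

```shell
#!/bin/sh
# Constructed sample of `iptables -S INPUT` output: a rule set that ends in a
# catch-all REJECT, followed by two ACCEPT rules that were appended with -A.
sample_rules() {
cat <<'EOF'
-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
EOF
}

# first_match PORT: read `iptables -S INPUT` text on stdin and print
# "<rule number> <target>" for the first rule that a NEW inbound TCP
# connection to PORT would hit.
# Simplified matcher (assumption): it understands only -p, --dport, -i and
# --state, and treats the packet as arriving on a non-loopback interface.
first_match() {
    awk -v port="$1" '
    $1 != "-A" { next }                      # skip the -P policy line
    {
        n++; ok = 1; target = ""
        for (i = 3; i <= NF; i++) {
            if ($i == "-p"      && $(i+1) != "tcp") ok = 0
            if ($i == "--dport" && $(i+1) != port)  ok = 0
            if ($i == "-i"      && $(i+1) == "lo")  ok = 0
            if ($i == "--state" && $(i+1) !~ /(^|,)NEW(,|$)/) ok = 0
            if ($i == "-j") target = $(i+1)
        }
        # iptables stops at the first matching rule with a terminating target
        if (ok && target != "") { print n, target; exit }
    }'
}

sample_rules | first_match 80    # the appended ACCEPT at rule 6 is never reached
sample_rules | first_match 22    # accepted by a rule that sits before the REJECT
```

On a live host the same function can be fed `iptables -S INPUT` directly. A rule added with `iptables -I INPUT 5 ...` instead of `-A` would land ahead of the REJECT in this sample.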

flameblue59
Posts: 4
Joined: 2020/03/05 18:38:57

Re: Failed to connect to: No route to host correctly Server A to B

Post by flameblue59 » 2020/03/08 04:09:05

Hi, I have disabled iptables anyway. The problem comes from "blackhole"; I have no idea what it is. It seems to be from the route process. When I tried running

sh /script/remove-blackhole-block

Code:

- Removing 103.18.179.196 from IP blackhole blocked
- Removing 92.118.38.40 from IP blackhole blocked
- Removing 119.249.54.217 from IP blackhole blocked
- Removing 92.118.38.38 from IP blackhole blocked
- Removing 92.118.38.39 from IP blackhole blocked
- Removing 185.254.188.215 from IP blackhole blocked
- Removing 46.38.144.57 from IP blackhole blocked
- Removing 144.217.197.11 from IP blackhole blocked
- Removing 46.38.144.49 from IP blackhole blocked
it removes all the blocked IPs from blackhole filtering. It works within seconds, but I have to run this twice a day since the IP easily gets blocked. Do you have any idea how to whitelist it? Thank you.

aks
Posts: 3022
Joined: 2014/09/20 11:22:14

Re: Failed to connect to: No route to host correctly Server A to B

Post by aks » 2020/03/08 13:13:01

Background: https://en.wikipedia.org/wiki/Black_hole_(networking)

There are various sysctl settings for this, see https://www.kernel.org/doc/Documentatio ... sysctl.txt

It could be something stupid like I can get there, but can't get back (for example).

TrevorH
Forum Moderator
Posts: 29475
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Failed to connect to: No route to host correctly Server A to B

Post by TrevorH » 2020/03/08 13:21:18

That script appears to be part of something called pihole so if you run that then you probably want to ask in a pihole venue as they're more likely to be able to help.
CentOS 6 will die in November 2020 - migrate sooner rather than later!
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 is dead, do not use it.
Full time Geek, part time moderator. Use the FAQ Luke

flameblue59
Posts: 4
Joined: 2020/03/05 18:38:57

Re: Failed to connect to: No route to host correctly Server A to B

Post by flameblue59 » 2020/03/09 02:31:02

aks wrote:
2020/03/08 13:13:01
Background: https://en.wikipedia.org/wiki/Black_hole_(networking)

There are various sysctl settings for this, see https://www.kernel.org/doc/Documentatio ... sysctl.txt

It could be something stupid like I can get there, but can't get back (for example).
I have various files there but there is ip-sysctl.txt

Code:

cipso_cache_bucket_size            inet_peer_gc_mintime     ipfrag_max_dist                   tcp_challenge_ack_limit  tcp_low_latency       tcp_retries1               tcp_tw_recycle
cipso_cache_enable                 inet_peer_maxttl         ipfrag_secret_interval            tcp_congestion_control   tcp_max_orphans       tcp_retries2               tcp_tw_reuse
cipso_rbm_optfmt                   inet_peer_minttl         ipfrag_time                       tcp_dma_copybreak        tcp_max_ssthresh      tcp_rfc1337                tcp_window_scaling
cipso_rbm_strictvalid              inet_peer_threshold      neigh                             tcp_dsack                tcp_max_syn_backlog   tcp_rmem                   tcp_wmem
conf                               ip_default_ttl           ping_group_range                  tcp_ecn                  tcp_max_tw_buckets    tcp_sack                   tcp_workaround_signed_windows
icmp_echo_ignore_all               ip_dynaddr               route                             tcp_fack                 tcp_mem               tcp_slow_start_after_idle  udp_mem
icmp_echo_ignore_broadcasts        ip_forward               rt_cache_rebuild_count            tcp_fin_timeout          tcp_min_snd_mss       tcp_stdurg                 udp_rmem_min
icmp_errors_use_inbound_ifaddr     ip_forward_use_pmtu      tcp_abc                           tcp_frto                 tcp_min_tso_segs      tcp_syn_retries            udp_wmem_min
icmp_ignore_bogus_error_responses  ip_local_port_range      tcp_abort_on_overflow             tcp_frto_response        tcp_moderate_rcvbuf   tcp_synack_retries         xfrm4_gc_thresh
icmp_ratelimit                     ip_local_reserved_ports  tcp_adv_win_scale                 tcp_invalid_ratelimit    tcp_mtu_probing       tcp_syncookies
icmp_ratemask                      ip_no_pmtu_disc          tcp_allowed_congestion_control    tcp_keepalive_intvl      tcp_no_metrics_save   tcp_thin_dupack
igmp_max_memberships               ip_nonlocal_bind         tcp_app_win                       tcp_keepalive_probes     tcp_orphan_retries    tcp_thin_linear_timeouts
igmp_max_msf                       ipfrag_high_thresh       tcp_available_congestion_control  tcp_keepalive_time       tcp_reordering        tcp_timestamps
inet_peer_gc_maxtime               ipfrag_low_thresh        tcp_base_mss                      tcp_limit_output_bytes   tcp_retrans_collapse  tcp_tso_win_divisor
Do you have any idea what files I have to access? I cannot find "tcp_fastopen_blackhole_timeout_sec" as given in the documentation.
Last edited by flameblue59 on 2020/03/09 02:37:07, edited 1 time in total.

flameblue59
Posts: 4
Joined: 2020/03/05 18:38:57

Re: Failed to connect to: No route to host correctly Server A to B

Post by flameblue59 » 2020/03/09 02:32:54

TrevorH wrote:
2020/03/08 13:21:18
That script appears to be part of something called pihole so if you run that then you probably want to ask in a pihole venue as they're more likely to be able to help.
Where can I ask it? I am stuck since there is no solution about this.

TrevorH
Forum Moderator
Posts: 29475
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Failed to connect to: No route to host correctly Server A to B

Post by TrevorH » 2020/03/09 12:18:44

Well since you have that script on your machine and it is not something that we provide, it would appear that your machine has this "pihole" software installed on it. That is not something we provide and it's a project in its own right so I would suggest using google to find their website and see what support resources they have and ask there. This pihole thing is designed to stop advertising websites and also to guard against attacks so it's presumably classing some relatively normal activity on your machine as an attack and adding that route to stop them from getting to your machine. Quite how it does that is not really something we can cover on this forum unless someone comes along who runs it and knows more about it. For better support, you'd be better off asking the pihole people directly as it's presumably something they'd already know the answer to.

aks
Posts: 3022
Joined: 2014/09/20 11:22:14

Re: Failed to connect to: No route to host correctly Server A to B

Post by aks » 2020/03/09 17:00:00

Read the links!

It's a command called sysctl
