FYI Knockd Issues with OpenVZ and Wable

Joined: Apr 17, 2009 · Messages: 829 · Reaction score: 9
I followed the directions here http://nerdvittles.com/?p=13599 and then, with the issues I was having with the provider, I also followed the code in this post: Wable OpenVZ DEAL!

Everything is fine whether I use knockd or not from the IP address I set up the VM from. So that's not a concern at this point.

I changed the OPTIONS in /etc/sysconfig/knockd to show
Code:
OPTIONS="-i venet0:0"
(suggested in the nerdvittles guide). This finally allowed me to see my attempts to "knock" in /var/log/knockd.log from a different IP. The message it gives when I try to "knock" from my Android phone is
Code:
[2015-06-28 00:12] my.ip.add.ress: opencloseALL: Stage 1

When doing an iptables -nL I see my original IP that set up the server listed, but not the new IP address that just did the "knock" back to the server.

I then attempt (even though I do not see the IP address listed in iptables, thinking maybe I missed it or something) to SSH, access the web page or use a remote SIP client to connect back to my server, and it times out.

From looking at all of the different posts here on the forums and the original guide on nerdvittles, I don't seem to be missing anything, yet somehow I can not get access to anything from any other IP that is not the original IP address that created/set up this VM of Incredible PBX.

If someone has some more experience with knockd than me, I would greatly appreciate your help, as I am at a loss as to what could be causing me to not be able to "knock" properly back to this server.
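An added example, not from this thread or from knockd itself: a small parser for knockd.log lines of the shape quoted above that reports, per source IP, the highest stage reached and whether the sequence completed. That is the check a defender wants when a knock shows "Stage 1" but the source never appears in iptables. The sample log lines are constructed (TEST-NET addresses), and the "OPEN SESAME" completion marker is assumed from knockd's default output.

```python
import ipaddress
import re

# Line shape as quoted in the thread:
# [2015-06-28 00:12] my.ip.add.ress: opencloseALL: Stage 1
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] (?P<ip>\S+): (?P<seq>[^:]+): (?P<event>.+)$")
STAGE_RE = re.compile(r"^Stage (\d+)$")

# Constructed sample: one client stalls at Stage 1, one completes the sequence.
SAMPLE_LOG = """\
[2015-06-28 00:12] 203.0.113.7: opencloseALL: Stage 1
[2015-06-28 00:12] 203.0.113.7: opencloseALL: Stage 1
[2015-06-28 00:15] 198.51.100.23: opencloseALL: Stage 1
[2015-06-28 00:15] 198.51.100.23: opencloseALL: Stage 2
[2015-06-28 00:15] 198.51.100.23: opencloseALL: Stage 3
[2015-06-28 00:15] 198.51.100.23: opencloseALL: OPEN SESAME
"""


def summarize_knocks(lines):
    """Map each source IP to its sequence name, highest stage seen, and completion flag."""
    summary = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ip, seq, event = m.group("ip"), m.group("seq"), m.group("event")
        try:
            ipaddress.ip_address(ip)  # skip lines whose second field is not a source address
        except ValueError:
            continue
        entry = summary.setdefault(ip, {"sequence": seq, "max_stage": 0, "completed": False})
        stage = STAGE_RE.match(event)
        if stage:
            entry["max_stage"] = max(entry["max_stage"], int(stage.group(1)))
        elif event.startswith("OPEN SESAME"):  # assumed knockd completion message
            entry["completed"] = True
    return summary


def stalled_sources(summary):
    """Sources that started knocking but never completed the sequence."""
    return sorted(ip for ip, e in summary.items() if not e["completed"])


if __name__ == "__main__":
    s = summarize_knocks(SAMPLE_LOG.splitlines())
    for ip, e in s.items():
        print(f"{ip}: {e['sequence']} reached stage {e['max_stage']}, completed={e['completed']}")
    print("stalled:", stalled_sources(s))
```

A source listed as stalled with max_stage 1, as in the post above, means knockd saw the first knock but never the rest, so no iptables rule was ever added for it.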
 

Dave Gray (Guru)
Joined: May 22, 2013 · Messages: 150 · Reaction score: 60
Yeah, sorry about that. Just by the device you're trying to use, it appears you're on Wable.

Wable doesn't give you a fully virtualized host - you're actually running in a container. The upshot of that is that you can't get truly privileged access to the kernel, which you need for knockd to work. Knockd is never going to work on a containerized server.

You can access the host from the address you built it from because that address was hardcoded into the firewall when you built it.
 
Joined: Apr 17, 2009 · Messages: 829 · Reaction score: 9
So it's a no-go for Wable for me, it sounds like... I was looking for something I could quickly and easily deploy for myself and then customers. I don't mind the build/deploy time. Having "prebuilt" images on, say, Rent PBX is nice. But I guess the cheapskate in me liked Wable pricing for the little work I needed to do.
 
Joined: Apr 8, 2015 · Messages: 40 · Reaction score: 13
One option for anyone using Wable (or any OpenVZ container) who may only occasionally need to whitelist a new IP is to use their free console through their control panel. Even if your IP address has changed, this should let you connect to your machine and update iptables.

This might not be realistic for a large deployment, but for a home-office user with a rarely changing IP it might be OK.
 