
I have a server (host) running a Turnkey Trac server (tracsrv) in Virtualbox, and I'm getting some weird results with networking. Anyone know how to explain this, and if it is possible to fix the problem?

Symptoms

user@randomcomputer ~$ ssh root@tracsrv # works as expected
user@randomcomputer ~$ curl -I http://tracsrv/ # works as expected
user@host ~$ svn co svn://tracsrv/helloworld # works as expected
user@randomcomputer ~$ svn co svn://tracsrv/helloworld # FAILS

randomcomputer, host (and therefore also tracsrv) are all running on the same LAN (regular /24 LAN with a single GW, nothing fancy).

Configuration

host is running iptables, where everything is blocked, except for example http:

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]

# Accept any related or established connections
-I INPUT  1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-I OUTPUT 1 -m state --state RELATED,ESTABLISHED -j ACCEPT

# Allow all traffic on the loopback interface
-A INPUT  -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT

[...]

# SSH
-A INPUT  -i eth1 -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT

# HTTP+HTTPS
-A INPUT  -i eth1 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT  -i eth1 -p tcp -m tcp --dport 443 -j ACCEPT

# Inbound SVN
# Added this as I was unsure whether the host affected the VM
-A INPUT  -i eth1 -p tcp -m tcp --dport 3690 -j ACCEPT

COMMIT

But those settings shouldn't interfere with tracsrv's traffic, as its network is in bridged mode:

user@host ~$ VBoxManage showvminfo tracsrv | grep "NIC 1"
NIC 1:           MAC: XXXXXXXXXXXX, Attachment: Bridged Interface 'eth1', Cable connected: on, Trace: off (file: none), Type: Am79C973, Reported speed: 0 Mbps, Boot priority: 0, Promisc Policy: deny

And finally iptables on tracsrv accepts all traffic:

root@tracsrv ~# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

And svnserve is running on tracsrv:

root@tracsrv ~# lsof -i :svn
COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
svnserve 2352 root    3u  IPv4   5550      0t0  TCP *:svn (LISTEN)

EDIT: In response to @Guido:

user@randomcomputer ~$ telnet tracsrv 3690
Trying tracsrv...
telnet: Unable to connect to remote host: Connection timed out
user@randomcomputer ~$ svn co svn://tracsrv/helloworld
svn: E000110: Unable to connect to a repository at URL 'svn://tracsrv/helloworld'
svn: E000110: Can't connect to host 'tracsrv': Connection timed out
kd35a
  • Can you telnet the svn port on tracsrv from randomcomputer? What is the output of svn co? – Guido Vaccarella Jan 04 '14 at 15:01
  • Is `host` your GW for your network? – krisFR Jan 04 '14 at 15:35
  • @GuidoVaccarella, see my edit. – kd35a Jan 04 '14 at 15:35
  • @user2196728: no, it is not. The GW/router is a separate unit on the network. – kd35a Jan 04 '14 at 15:35
  • Can you try to run `tcpdump -ni eth1(or eth0) port 3690` at `tracsrv` side and then run `telnet tracsrv 3690` from `randomcomputer`? Just to check if there are incoming packets at `tracsrv` side... – krisFR Jan 04 '14 at 16:08
  • @user2196728: telnet: Unable to connect to remote host: Connection timed out – kd35a Jan 04 '14 at 23:21
  • This was not my question, I know this. I was asking for the `tcpdump` result! – krisFR Jan 05 '14 at 10:13
  • @user2196728: tcpdump -ni eth0 port 3690 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes [Nothing more happens, just sitting around waiting for nothing] – kd35a Jan 06 '14 at 10:52
  • OK, but while `tcpdump` was running, did you run `telnet tracsrv 3690` from `randomcomputer` just to generate traffic? – krisFR Jan 06 '14 at 12:07
  • Yes, I did, and nothing happened. – kd35a Jan 08 '14 at 14:41

1 Answer


You are using the svn: protocol for remote access. This isn't a good choice except for isolated trusted local networks. Since you feel the need to set up iptables, it sounds as if you don't trust the local network.

Try setting up subversion access over svn+ssh: or https: (http: is also appropriate only for trusted local networks, since credentials and content are sent in plain text).

Ben Voigt
  • I'm fully aware of this, and have taken it into consideration, but security is not prioritized for this VM. And svn: is what's used by Turnkey linux out-of-the-box, which was good enough for this use-case. iptable-usage is mostly a question of "why not". – kd35a Jan 04 '14 at 23:31
  • @kd35a: Well, I've always found `ssh+svn:` protocol to be very easy to make work, and your ssh connections are already working, so that seems like an easy solution. – Ben Voigt Jan 05 '14 at 03:03
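An added example of the svn+ssh: setup the answer recommends (this is not Ben Voigt's code, nor Turnkey's): it generates an `authorized_keys` file in which every key is pinned to a forced `svnserve -t` tunnel command, so an ssh login for Subversion can serve repositories but never get a shell. The repository root `/srv/svn`, the user names and the key material are placeholders I assume here.

```sh
#!/bin/sh
# Added example (not from the original post): restrict svn+ssh logins so each
# key can only run svnserve in tunnel mode over REPO_ROOT, never a shell.

REPO_ROOT="/srv/svn"   # assumption: parent directory of the repositories on tracsrv

# url_transport URL -> "encrypted" or "plaintext" (the answer's point: svn:// and
# http:// carry credentials and content in the clear, svn+ssh:// and https:// do not)
url_transport() {
  case "$1" in
    svn+ssh://*|https://*) echo encrypted ;;
    svn://*|http://*)      echo plaintext ;;
    *)                     echo unknown ;;
  esac
}

# svn_key_line USER "TYPE BASE64 [comment]" -> one forced-command authorized_keys line.
# --tunnel-user records commits under USER even though every key logs in to the same
# unix account; the no-* options strip forwarding and pty so only svnserve is reachable.
svn_key_line() {
  user="$1"; key="$2"
  case "$key" in
    "ssh-ed25519 "*|"ssh-rsa "*|"ecdsa-sha2-nistp256 "*) ;;
    *) echo "unsupported key type for $user" >&2; return 1 ;;
  esac
  printf 'command="svnserve -t -r %s --tunnel-user=%s",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty %s\n' \
    "$REPO_ROOT" "$user" "$key"
}

# build_authorized_keys: reads "user<TAB>key" lines on stdin, writes authorized_keys on stdout
build_authorized_keys() {
  while IFS="$(printf '\t')" read -r user key; do
    [ -n "$user" ] || continue
    svn_key_line "$user" "$key"
  done
}

# Constructed sample input (placeholder keys, not real credentials)
sample_users() {
  printf 'alice\tssh-ed25519 AAAAC3PLACEHOLDER alice@randomcomputer\n'
  printf 'bob\tssh-rsa AAAAB3PLACEHOLDER bob@laptop\n'
}

# Usage on the server: sample_users | build_authorized_keys > ~svn/.ssh/authorized_keys
```

Clients then check out with `svn co svn+ssh://svn@tracsrv/helloworld`, which needs only the ssh port the host firewall already allows.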