Jail failed to telnet to other jail.

[sixtydoses]

Hi,

I am trying to get some of my jails to connect to my database jail at port 3306. Ping is not a problem, but connecting to the port is.

I did not face this problem when I first setup the jails. Initially, all of my web jails are using a set of private IP addresses - 192.168.10.x and 10.10.10.x. While for my database jail, it uses the 10.10.10.x IP. The host of my web jails is using a 78.x.x.x IP, and the host of my database jail is using a 85.x.x.x IP.

Until one day, all of my web jails failed to ping and telnet to the 3306 port of the db jail. I have no idea how or why it happened, but switching the host of db jail IP from 85.x.x.x to 78.x.x.x got everything back in place.

Today, I need to give an access to a jail that holds a 85.x.x.x and 10.x.x.x IPs to the db jail. Again, ping is fine, but connecting to the port failed. I have tried to disable the firewall on both sides, but to no avail. But, if I were to remove the 85.x.x.x IP off the jail, leaving only the 10.x.x.x IP alone, telnet works. The rest of the jails in the same host that hold only private IPs, have no problems connecting with the db jail.

Any idea what is wrong with my configuration?

Host of web jail (with IP 78.x.x.x):

[8] root@admin [/root] # jls -v
   JID  Hostname                      Path
        Name                          State
        CPUSetID
        IP Address(es)
     2  ticket.abc.com            /usr/jails/ticket.abc.com
        2                             ACTIVE
        3     
        78.x.x.x   
     3  svn.abc.com               /usr/jails/svn.abc.com
        3                             ACTIVE
        4     
        78.x.x.x   
     4  mail.abc.com              /usr/jails/mail.abc.com
        4                             ACTIVE
        5     
        78.x.x.x   
     5  forum.abc.com             /usr/jails/forum.abc.com
        5                             ACTIVE
        6     
        85.x.x.x 
     7  tools.abc.com             /usr/jails/tools.abc.com
        7                             ACTIVE
        2     
        10.10.10.x   
        85.x.x.x

Host of db jail (with 78.x.x.x IP):

[5] root@mdb1 [/root] # jls -v
   JID  Hostname                      Path
        Name                          State
        CPUSetID
        IP Address(es)
     3  jmem.abc.com              /tank/jails/jmem.abc.com
        3                             ACTIVE
        2     
        192.168.30.x 
        10.10.10.x   
     4  jdb1.abc.com              /tank/jails/jdb1.abc.com
        4                             ACTIVE
        3     
        10.10.10.x

Thanks!

 

[SirDice]

Don't use telnet, even locally. Use ssh.

That said, make sure the services running on the host and the jails are bound to the correct addresses. Do not bind any service to * (0.0.0.0).

 

[sixtydoses]

telnet is just for me to test the connection to the port. I use netcat as well, but it doesn't work anyway.

mysql port is bound to the correct address (10.10.10.x). No problem to netcat from the host and certain jails, but from a jail that has a 85.x.x.x IP as well as private, it just failed.

 

[SirDice]

Have a look at your routing tables, on both sides.

 

[sixtydoses]

Okay it's fixed, but if anyone has any comment on this issue, please do so.

I did compare the routing tables, but I had some problem when adding the route because the host of the db jail can't reach the base IP of the 85.x.x.x subnet, while other servers can.

Problem is solved by adding a 85.x.x.x IP to the db jail. The mysql port can be connected from any jails with the 85.x.x.x IP without any issue. I checked the routing table, and compare it against the routing table before I added the 85.x.x.x IP. Then I removed the 85.x.x.x IP from the jail, and added the missing entries of the routing table, but this time I specified the interface that the IP should be reachable from instead of the gateway to get it to work.