> Why is port 9998 rejected but every other port opened?
Public internet open ports are handled by EC2 SecurityGroups.
> I would recommend a few additional steps.
> 2.) Setup a root password - this is a big one.
I add this:
sudo passwd -l root
> Public internet open ports are handled by EC2 SecurityGroups.
> (ssh to specific address, 9999 to anywhere, and deny all input)
> I don't know how EC2 handles internal traffic, so deny all 9998 from outside (rpc port).
I don't understand what you just said. Are you saying you didn't write these iptables rules?
> -A INPUT -i eth0 -p tcp -m tcp --dport 9999 --tcp-flags FIN,SYN,RST,ACK SYN -m connlimit --connlimit-above 8 --connlimit-mask 24 --connlimit-saddr -j REJECT --reject-with tcp-reset
> -A INPUT -i eth0 -p tcp -m tcp --dport 9999 --tcp-flags FIN,SYN,RST,ACK SYN -m connlimit --connlimit-above 2 --connlimit-mask 32 --connlimit-saddr -j REJECT --reject-with tcp-reset
> -A INPUT -i eth0 -p tcp -m conntrack --ctstate NEW -m tcp --dport 9999 -j ACCEPT
These look okay. They accept on port 9999 but reject more than 2 connections from the same IP and more than 8 connections from the same class C network on port 9999. Your tcp flags are a bit funny. I don't think they'd be needed, but whatever.
> -A INPUT -i eth0 -p tcp -m tcp --dport 9998 -j REJECT --reject-with tcp-reset
What is this line? Why is there a line for port 9998?
> -A INPUT -i eth0 -p tcp -j ACCEPT
Why this line? Why are you accepting all other traffic?
> -A OUTPUT -o eth0 -p tcp -m tcp --sport 9999 -m conntrack --ctstate NEW -j ACCEPT
> -A OUTPUT -o eth0 -p tcp -m tcp --sport 9999 -j ACCEPT
> -A OUTPUT -o eth0 -p tcp -m tcp --dport 9999 -j ACCEPT
> -A OUTPUT -o eth0 -j ACCEPT
Lines 1-3 are redundant when the last line already accepts all outbound traffic.
> -A INPUT -i eth0 -p tcp -m tcp --dport 9999 --tcp-flags FIN,SYN,RST,ACK SYN -m connlimit --connlimit-above 8 --connlimit-mask 24 --connlimit-saddr -j REJECT --reject-with tcp-reset
> -A INPUT -i eth0 -p tcp -m tcp --dport 9999 --tcp-flags FIN,SYN,RST,ACK SYN -m connlimit --connlimit-above 2 --connlimit-mask 32 --connlimit-saddr -j REJECT --reject-with tcp-reset
> -A INPUT -i eth0 -p tcp -m conntrack --ctstate NEW -m tcp --dport 9999 -j ACCEPT
> These look okay. They accept on port 9999 but reject more than 2 connections from the same IP and more than 8 connections from the same class C network on port 9999. Your tcp flags are a bit funny. I don't think they'd be needed, but whatever.
--tcp-flags FIN,SYN,RST,ACK SYN is equal to --syn.
[!] --tcp-flags mask comp
Match when the TCP flags are as specified. The first argument mask is the flags which we should examine, written as a comma-separated list, and the second argument comp is a comma-separated list of flags which must be set. Flags are: SYN ACK FIN RST URG PSH ALL NONE. Hence the command
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST SYN
will only match packets with the SYN flag set, and the ACK, FIN and RST flags unset.
[!] --syn
Only match TCP packets with the SYN bit set and the ACK, RST and FIN bits cleared. Such packets are used to request TCP connection initiation; for example, blocking such packets coming in an interface will prevent incoming TCP connections, but outgoing TCP connections will be unaffected. It is equivalent to --tcp-flags SYN,RST,ACK,FIN SYN. If the "!" flag precedes the "--syn", the sense of the option is inverted.
> -A INPUT -i eth0 -p tcp -m tcp --dport 9998 -j REJECT --reject-with tcp-reset
> What is this line? Why is there a line for port 9998?
Reject any connection to 9998. 9998 is the darkcoind rpcport.
> -A INPUT -i eth0 -p tcp -j ACCEPT
> Why this line? Why are you accepting all other traffic?
To check input traffic.
> Similarly, with the outbound traffic
> -A OUTPUT -o eth0 -p tcp -m tcp --sport 9999 -m conntrack --ctstate NEW -j ACCEPT
> -A OUTPUT -o eth0 -p tcp -m tcp --sport 9999 -j ACCEPT
> -A OUTPUT -o eth0 -p tcp -m tcp --dport 9999 -j ACCEPT
> -A OUTPUT -o eth0 -j ACCEPT
> Lines 1-3 are redundant when the last line already accepts all outbound traffic.
check outbound 9999 syn, established outbound, other traffic.
> I don't understand what you just said. Are you saying you didn't write these iptables rules?
I wrote the iptables rules.
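An added example, not code from this thread or from the darkcoin project: a small Python linter that mechanises the two review points raised above on the posted ruleset. It rewrites `--tcp-flags FIN,SYN,RST,ACK SYN` (in any flag order) as the equivalent `--syn`, reports the chain policies, and flags ACCEPT rules that a later, broader ACCEPT in the same chain already covers. On the posted rules that catches OUTPUT rules 1-3 and, because the check is general, also the INPUT `--dport 9999` ACCEPT that sits directly in front of the accept-all-TCP rule. The sample ruleset is the one from the thread with counters zeroed; the function and variable names are my own.

```python
import shlex
from dataclasses import dataclass

# Constructed sample: the filter table posted in the thread (iptables-save format), counters zeroed.
SAMPLE_RULES = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i eth0 -p tcp -m tcp --dport 9998 -j REJECT --reject-with tcp-reset
-A INPUT -i eth0 -p tcp -m tcp --dport 9999 --tcp-flags FIN,SYN,RST,ACK SYN -m connlimit --connlimit-above 8 --connlimit-mask 24 --connlimit-saddr -j REJECT --reject-with tcp-reset
-A INPUT -i eth0 -p tcp -m tcp --dport 9999 --tcp-flags FIN,SYN,RST,ACK SYN -m connlimit --connlimit-above 2 --connlimit-mask 32 --connlimit-saddr -j REJECT --reject-with tcp-reset
-A INPUT -i eth0 -p tcp -m conntrack --ctstate NEW -m tcp --dport 9999 -j ACCEPT
-A INPUT -i eth0 -p tcp -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --sport 9999 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --sport 9999 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --dport 9999 -j ACCEPT
-A OUTPUT -o eth0 -j ACCEPT
COMMIT
"""

# The mask that, combined with comp "SYN", the iptables man page defines as identical to --syn.
SYN_MASK = frozenset({"FIN", "SYN", "RST", "ACK"})


@dataclass(frozen=True)
class Rule:
    chain: str
    matches: frozenset  # (option, args) pairs that appear before -j
    target: str
    text: str


def _group_options(tokens):
    """Yield (option, args): each '-x'/'--xx' token with the non-option tokens that follow it."""
    i = 0
    while i < len(tokens):
        opt, i = tokens[i], i + 1
        args = []
        while i < len(tokens) and not tokens[i].startswith("-"):
            args.append(tokens[i])
            i += 1
        yield opt, tuple(args)


def normalize_syn(line):
    """Rewrite '--tcp-flags <FIN,SYN,RST,ACK in any order> SYN' as the equivalent '--syn'."""
    tokens = shlex.split(line)
    out, i = [], 0
    while i < len(tokens):
        if tokens[i] == "--tcp-flags" and i + 2 < len(tokens):
            mask = frozenset(tokens[i + 1].split(","))
            comp = frozenset(tokens[i + 2].split(","))
            if mask == SYN_MASK and comp == {"SYN"}:
                out.append("--syn")
                i += 3
                continue
        out.append(tokens[i])
        i += 1
    return " ".join(out)


def default_policies(text):
    """Chain policies taken from the ':CHAIN POLICY [n:n]' header lines."""
    policies = {}
    for line in text.splitlines():
        if line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
    return policies


def parse_rules(text):
    """Parse '-A CHAIN ... -j TARGET' lines; options after -j belong to the target and are ignored."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("-A "):
            continue  # skip *filter, :CHAIN headers, COMMIT
        groups = list(_group_options(shlex.split(line)))
        chain, matches, target = groups[0][1][0], [], None
        for opt, args in groups[1:]:
            if target is not None:
                continue
            if opt == "-j":
                target = args[0]
            else:
                matches.append((opt, args))
        rules.append(Rule(chain, frozenset(matches), target, line))
    return rules


def redundant_accepts(rules):
    """ACCEPT rules already covered by a later ACCEPT in the same chain whose match set is a subset.

    The scan stops at the first intervening non-ACCEPT rule: a REJECT/DROP between the two
    could change the verdict, so the earlier rule would still matter.
    """
    found = []
    for i, a in enumerate(rules):
        if a.target != "ACCEPT":
            continue
        for b in rules[i + 1:]:
            if b.chain != a.chain:
                continue
            if b.target != "ACCEPT":
                break
            if b.matches <= a.matches:
                found.append(a)
                break
    return found


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    for chain, policy in default_policies(SAMPLE_RULES).items():
        print(f"policy {chain}: {policy}")  # ACCEPT policy on INPUT: anything not rejected gets in
    for r in redundant_accepts(rules):
        print("redundant:", r.text)
    for r in rules:
        if normalize_syn(r.text) != r.text:
            print("simplified:", normalize_syn(r.text))
```

Negated matches (`!`) and options that take no argument but precede a bare word are not handled by this tokeniser; it is enough for the posted table. The policy report matters because with `:INPUT ACCEPT` the chain is default-open and only the EC2 security group limits what reaches port 22.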
2014-04-15 00:51:30 ProcessMessage(dsee, 67 bytes) FAILED
2014-04-15 01:49:20 accepted connection 199.188.203.26:54677
2014-04-15 01:49:20 partner 199.188.203.26:54677 using obsolete version 60011; disconnecting
2014-04-15 01:49:20 ProcessMessage(version, 106 bytes) FAILED
2014-04-15 01:49:20 disconnecting node 199.188.203.26:54677
> Ugh, I've been trying to redo my MN by using this tutorial, and I thought my problem was due to the disabling of logging in as root, but actually, it's because of the iptables. I can no longer ssh into my instance when I reboot after step 7. Does it mess with my ssh security group (ssh, port 22, my ip only)?
> Is anyone else having trouble? Because I'm following these instructions to the T. The only warning I got in the above steps was when I did:
> update-rc.d ntp defaults
> and it said system start/stop links already existed.
> Why can't I log back in after reboot? (refused)
'update-rc.d ntp defaults' is related to ntp, not to sshd.
update-rc.d ntp enable
#/sbin/iptables-restore < /etc/sysconfig/iptables
4) check instance setup option
*filter
:INPUT ACCEPT [1038:145425]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [434:87191]
-A INPUT -i eth0 -p tcp -m tcp --dport 9998 -j REJECT --reject-with tcp-reset
-A INPUT -i eth0 -p tcp -m tcp --dport 9999 --tcp-flags FIN,SYN,RST,ACK SYN -m connlimit --connlimit-above 8 --connlimit-mask 24 --connlimit-saddr -j REJECT --reject-with tcp-reset
-A INPUT -i eth0 -p tcp -m tcp --dport 9999 --tcp-flags FIN,SYN,RST,ACK SYN -m connlimit --connlimit-above 2 --connlimit-mask 32 --connlimit-saddr -j REJECT --reject-with tcp-reset
-A INPUT -i eth0 -p tcp -m conntrack --ctstate NEW -m tcp --dport 9999 -j ACCEPT
-A INPUT -i eth0 -p tcp -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --sport 9999 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --sport 9999 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m tcp --dport 9999 -j ACCEPT
-A OUTPUT -o eth0 -j ACCEPT
COMMIT
> Ugh, would you believe I put the wrong ip address in the config file?
I did.. LOL
> Ugh, would you believe I put the wrong ip address in the config file?
First time, I forgot to even add my IP to the darkcoin.conf. lol
[email protected]:~$ darkcoind
terminate called after throwing an instance of 'std::runtime_error'
what(): locale::facet::_S_create_c_locale name not valid
Aborted (core dumped)
[email protected]:~$
> Stuck on # 11
> can't seem to run darkcoind
> Code:
> [email protected]:~$ darkcoind
> terminate called after throwing an instance of 'std::runtime_error'
> what(): locale::facet::_S_create_c_locale name not valid
> Aborted (core dumped)
check this
:~$ export
declare -x HOME="/home/ubuntu"
declare -x LANG="en_US.UTF-8"
declare -x LESSCLOSE="/usr/bin/lesspipe %s %s"
declare -x LESSOPEN="| /usr/bin/lesspipe %s"
declare -x LOGNAME="ubuntu"
declare -x LS_COLORS="rs=0:di=01;34:ln=01;36:mh=00:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=40;31;01:su=37;41:sg=30;43:ca=30;41:tw=30;42:ow=34;42:st=37;44:ex=01;32:*.tar=01;31:*.tgz=01;31:*.arj=01;31:*.taz=01;31:*.lzh=01;31:*.lzma=01;31:*.tlz=01;31:*.txz=01;31:*.zip=01;31:*.z=01;31:*.Z=01;31:*.dz=01;31:*.gz=01;31:*.lz=01;31:*.xz=01;31:*.bz2=01;31:*.bz=01;31:*.tbz=01;31:*.tbz2=01;31:*.tz=01;31:*.deb=01;31:*.rpm=01;31:*.jar=01;31:*.war=01;31:*.ear=01;31:*.sar=01;31:*.rar=01;31:*.ace=01;31:*.zoo=01;31:*.cpio=01;31:*.7z=01;31:*.rz=01;31:*.jpg=01;35:*.jpeg=01;35:*.gif=01;35:*.bmp=01;35:*.pbm=01;35:*.pgm=01;35:*.ppm=01;35:*.tga=01;35:*.xbm=01;35:*.xpm=01;35:*.tif=01;35:*.tiff=01;35:*.png=01;35:*.svg=01;35:*.svgz=01;35:*.mng=01;35:*.pcx=01;35:*.mov=01;35:*.mpg=01;35:*.mpeg=01;35:*.m2v=01;35:*.mkv=01;35:*.webm=01;35:*.ogm=01;35:*.mp4=01;35:*.m4v=01;35:*.mp4v=01;35:*.vob=01;35:*.qt=01;35:*.nuv=01;35:*.wmv=01;35:*.asf=01;35:*.rm=01;35:*.rmvb=01;35:*.flc=01;35:*.avi=01;35:*.fli=01;35:*.flv=01;35:*.gl=01;35:*.dl=01;35:*.xcf=01;35:*.xwd=01;35:*.yuv=01;35:*.cgm=01;35:*.emf=01;35:*.axv=01;35:*.anx=01;35:*.ogv=01;35:*.ogx=01;35:*.aac=00;36:*.au=00;36:*.flac=00;36:*.mid=00;36:*.midi=00;36:*.mka=00;36:*.mp3=00;36:*.mpc=00;36:*.ogg=00;36:*.ra=00;36:*.wav=00;36:*.axa=00;36:*.oga=00;36:*.spx=00;36:*.xspf=00;36:"
declare -x MAIL="/var/mail/ubuntu"
declare -x OLDPWD
declare -x PATH="/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games"
declare -x PWD="/home/ubuntu"
declare -x SHELL="/bin/bash"
declare -x SHLVL="1"
declare -x TERM="xterm-256color"
declare -x USER="ubuntu"
:~$ locale
LANG=en_US.UTF-8
LANGUAGE=
LC_CTYPE="en_US.UTF-8"
LC_NUMERIC="en_US.UTF-8"
LC_TIME="en_US.UTF-8"
LC_COLLATE="en_US.UTF-8"
LC_MONETARY="en_US.UTF-8"
LC_MESSAGES="en_US.UTF-8"
LC_PAPER="en_US.UTF-8"
LC_NAME="en_US.UTF-8"
LC_ADDRESS="en_US.UTF-8"
LC_TELEPHONE="en_US.UTF-8"
LC_MEASUREMENT="en_US.UTF-8"
LC_IDENTIFICATION="en_US.UTF-8"
LC_ALL=
Oh region... I had googled that, but wasn't sure. Maybe because I chose Ireland as region? Let me see...
> chaeplin, I edited my previous post before you posted. Please look at the image I posted with the debug.log
Hmm, should not do so often (try connecting to one ip address).
12. using home pc, make 1000 DRK encrypted wallet.dat to upload
* use home pc, not ec2
* install new wallet
* check account address 0 / getaccountaddress 0
* https://www.darkcointalk.org/thread...ternode-requirements-masternode-payments.225/
* send 1000 DRK to that address
* encrypt wallet
* backup wallet
* using scp upload encrypted backup wallet.dat to ec2 ubuntu home directory
[email protected]:/usr/local/src/darkcoin$ rm peers.dat
rm: cannot remove 'peers.dat': No such file or directory
[email protected]:/usr/local/src/darkcoin$ ls
COPYING INSTALL README.md bitcoin-qt.pro contrib doc share src
[email protected]:/usr/local/src/darkcoin$
> while I was waiting for help, I ran the command again and it works. Getting accepted messages. Guess I needed to let it connect before launching the next command.
> anyway, tried darkcoind getblockcount and it's up to height.
> But, when running mining ufo, I get this - shouldn't testnet=true?
> I also tried * check account address 0 / getaccountaddress 0
> darkcoind getaccountaddress 0
> and it generated an address starting with "X" not with "m" like I see in the RC2 test net thread.
> dammit, what am I doing wrong?
Darkcoin starts with X. Testnet starts with m.
RC1
:~$ .darkcoin/darkcoind getinfo
{
"version" : 100400,
"protocolversion" : 70014,
"walletversion" : 60000,
"balance" : 1000.00000000,
"blocks" : 59329,
"timeoffset" : 0,
"connections" : 18,
"proxy" : "",
"difficulty" : 1424.99959688,
"testnet" : false,
"keypoololdest" : 1397159252,
"keypoolsize" : 101,
"paytxfee" : 0.00000000,
"mininput" : 0.00001000,
"unlocked_until" : 0,
"errors" : ""
}
RC2(testnet=1)
:~$ .darkcoin/darkcoind-testnet getinfo
{
"version" : 100500,
"protocolversion" : 70014,
"walletversion" : 60000,
"balance" : 12395.30000000,
"blocks" : 1354,
"timeoffset" : 0,
"connections" : 8,
"proxy" : "",
"difficulty" : 0.20442253,
"testnet" : true,
"keypoololdest" : 1398603299,
"keypoolsize" : 97,
"paytxfee" : 0.00000000,
"mininput" : 0.00001000,
"unlocked_until" : 0,
"errors" : ""
}
> God dammit... so I decided to reboot, logged in, went to ./darkcoin and opened darkcoin.conf... empty!!
> Did it 2x now, and it stays empty!! Dog dammit, took the day off for this and just sitting here...
> So basically, since RC2 is out, this tutorial is no longer valid? (except obviously updated to RC2)
Make sure you logged in as the same user you set it up as.