EC2 VPC Instance - Ports are filtered











I've configured my server with a default security group, which has the following Inbound rules:



| Type | Protocol | Port Range | Source |
|---|---|---|---|
| All TCP | TCP | 0-65535 | 0.0.0.0/0 |
| All UDP | UDP | 0-65535 | 0.0.0.0/0 |


With these rules, netstat shows the following output:



```
netstat -atn
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:5432            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:1113            0.0.0.0:*               LISTEN
tcp        0      0 10.0.1.31:2113          0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:2113          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:11300           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:11211           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:6379            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
tcp6       0      0 :::5432                 :::*                    LISTEN
tcp6       0      0 :::3306                 :::*                    LISTEN
tcp6       0      0 :::6379                 :::*                    LISTEN
```


So, in theory, I should be able to connect to port 1113 with TCP from any IP Address. But this is not working, the IP address is showing as filtered, as you can see in the following output:



The only ports that seem to be OK (open and not filtered) are 22 & 80. Here's the output I get when testing them with nmap:



```
PORT     STATE    SERVICE
22/tcp   open     ssh
80/tcp   open     http
1113/tcp filtered ltp-deepspace
2113/tcp filtered unknown
3306/tcp filtered mysql
6379/tcp filtered unknown
```


I even tried adding a custom inbound rule just for my IP and Port 1113, but the result is the same.



I suspect that some firewall is blocking traffic on those PORTS in my instance, but I'm not sure how to check that.



One thing to notice is that this instance is in an Amazon VPC. However, the network ACL for this instance has the following inbound rule, that should allow incoming communications from all ports:



| Rule # | Type | Protocol | Port Range | Source | Allow / Deny |
|---|---|---|---|---|---|
| 100 | ALL Traffic | ALL | ALL | 0.0.0.0/0 | ALLOW |


Any ideas on what could be the issue here?



Thanks a lot for your help!







networking tcp amazon-ec2 ports amazon-vpc
















asked Sep 16 '15 at 13:07









pmartelletti













  • Is this connecting through an internet gateway or a NAT instance?
    – Vern Burton
    Sep 16 '15 at 13:49










  • @VernBurton it's an internet gateway, I believe. Not sure how to check that.
    – pmartelletti
    Sep 16 '15 at 14:08










  • What does the output of lsof -i:3306 look like?
    – Vern Burton
    Sep 17 '15 at 16:38










  • The output is empty (for 3306 and 1113, just in case you meant that port). The only port that has some output is port 80.
    – pmartelletti
    Sep 22 '15 at 18:39










  • Based on that, while you have opened the ports at the firewall, it would appear that no service on the server is actually running to accept the connection. lsof -i shows us programs and services that are using those ports, and it not showing anything means that nothing is answering the call for 1113. What service are you expecting to connect? Can you use netcat to listen on that port and then test?
    – Vern Burton
    Sep 25 '15 at 18:50






























2 Answers
For those who are seeking an answer: it is because there is an additional firewall in your Linux system. For example, you probably need to do this if you are using Ubuntu: `sudo ufw disable`.

See this link for more information.

















answered Nov 8 at 8:09

Hao Xi
























[I know this is an old post, but I was bitten by the very same thing just today and came across this very question.]

When you fire up a new EC2 instance from a new AMI there seem to be conditions where the local firewall is set to filter everything except SSH. Now that might be the default on the newer AMIs, or something at work such as fail2ban or such like. The symptoms are as you describe - you have a public-facing IP address (either directly attached or via Elastic IP), you have permissive Security Groups, and all is otherwise well. An nmap from another working server (NB be careful, AWS don't like people running nmap from EC2 instances even onto your own servers) will show port 22 open but everything else filtered.

TLDR; The quick fix is probably easy in order to flush the rules:

```
iptables -F
```

Ideally, run this first to list what the offending rule is:

```
iptables -L
```

But you should have a good look at why it was being set up that way. It's possible something like firewalld is running which is going to monkey with the rules and you have the choice of configuring or disabling it. These will tell you if it's running:

```
firewall-cmd --state
firewall-cmd --get-services
```

There are other firewall services, of course.

Once you think you have it right make sure you reboot the server to ensure everything comes up right rather than reverting to a catatonic state (services speaking).















edited Nov 21 at 6:03

answered Nov 21 at 5:35

Miles Gillham
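Added example (not part of either answer): instead of flushing every rule, this Python sketch first checks that the port has a non-loopback listener, then walks `iptables -S INPUT` output in first-match order to name the rule that decides a new TCP connection to that port. The rule set is a constructed sample, the netstat lines are copied from the question, and all function names are hypothetical; rules using negation, source matches or jumps to other chains (as ufw and firewalld create) are reported as REVIEW rather than guessed.

```python
import shlex

# Constructed sample of `iptables -S INPUT`: only SSH and HTTP are admitted.
SAMPLE_RULES = """\
-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
"""

# Listener lines copied from the netstat output in the question.
SAMPLE_NETSTAT = """\
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:1113 0.0.0.0:* LISTEN
tcp 0 0 10.0.1.31:2113 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:2113 0.0.0.0:* LISTEN
tcp6 0 0 :::3306 :::* LISTEN
"""

TERMINAL = {"ACCEPT", "DROP", "REJECT"}


def listening_addrs(netstat_text, port):
    """Local addresses that have a TCP listener on `port`."""
    addrs = set()
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) >= 6 and f[0].startswith("tcp") and f[5] == "LISTEN":
            addr, _, p = f[3].rpartition(":")
            if p == str(port):
                addrs.add(addr)
    return addrs


def port_in(spec, port):
    """Match iptables port specs: '22', '8000:8100', '80,443', '1024:'."""
    for part in spec.split(","):
        lo, sep, hi = part.partition(":")
        low = int(lo or 0)
        high = int(hi) if hi else (65535 if sep else low)
        if low <= port <= high:
            return True
    return False


def rule_matches(tokens, port):
    """Does the rule apply to a NEW tcp packet for `port` arriving off-host?
    Interfaces other than lo are assumed to be the external one."""
    for opt, val in zip(tokens, tokens[1:] + [""]):
        if opt == "-p" and val not in ("tcp", "all"):
            return False
        if opt == "-i" and val == "lo":
            return False
        if opt in ("--state", "--ctstate") and "NEW" not in val.split(","):
            return False
        if opt in ("--dport", "--dports") and not port_in(val, port):
            return False
    return True


def input_verdict(rules_text, port):
    """First-match walk of INPUT; returns (verdict, deciding rule)."""
    policy = "ACCEPT"
    for line in rules_text.splitlines():
        tokens = shlex.split(line)
        if tokens[:2] == ["-P", "INPUT"]:
            policy = tokens[2]
        if tokens[:2] != ["-A", "INPUT"] or "-j" not in tokens:
            continue
        if "!" in tokens:  # negated match: do not guess
            return "REVIEW", line
        if rule_matches(tokens, port):
            target = tokens[tokens.index("-j") + 1]
            if target in TERMINAL and "-s" not in tokens:
                return target, line
            if target != "LOG":  # user chain or source-restricted rule
                return "REVIEW", line
    return policy, "-P INPUT " + policy


def diagnose(port, netstat_text=SAMPLE_NETSTAT, rules_text=SAMPLE_RULES):
    addrs = listening_addrs(netstat_text, port)
    if not addrs:
        return "no listener on this port"
    if all(a.startswith("127.") or a == "::1" for a in addrs):
        return "listener is bound to loopback only"
    verdict, rule = input_verdict(rules_text, port)
    return f"host firewall {verdict}: {rule}"
```

On a real host, pass the output of `netstat -atn` and `iptables -S INPUT` (run as root) in place of the samples; a REJECT or DROP verdict identifies the single rule to amend with a narrow allow for the needed port.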






























                       
