Create GRE OpenvSwitch network over SSH tunnel - overlay

I am in need of creating an overlay network to connect the VMs of two KVM hosts with each other.
The tutorial at OpenvSwitch explains it pretty well [1], but I do have one restriction. Host A can only reach host B via SSH on Port 22. All other outgoing connections and ports are blocked.
I have established an SSH tunnel with port forwarding between the two hosts and would need to send the OpenvSwitch traffic over that SSH tunnel. The problem is, the command for creating the SSH tunnel requires me to specify the IP of the tunnel endpoint:
ovs-vsctl add-port br0 gre0 -- set interface gre0 type=gre options:remote_ip=<IP of eth0 on host2>
Since I am using port forwarding I would need to insert "localhost" here and specify the forwarded port. This option, however, does not exist.
How can I create an overlay network between two hosts that are only connected via an SSH tunnel?
I tried to create tap interfaces with socat on both sides from [2] and added these tap interfaces to the OpenvSwitch bridge br0 that I created. Maybe this would eliminate the need for the GRE tunnel, if traffic is routed via the socat tunnels instead?
Thanks,
Nils
[1] https://docs.openvswitch.org/en/latest/howto/tunneling/
[2] https://gist.github.com/cfra/752d6e761225fd5bf783b44abe30f707

How to forward packets between VLANs on Open vSwitch router?

I'm trying to configure an OVS router. I want to achieve that, by adding flows on the OVS router, the devices connected to the switch ports (ports 2-5) can access the internet if the internet cable is inserted into the WAN port (port 1).
My VLAN configuration in file /etc/config/network of the OVS router is:
eth1.1: 0t, 2
eth1.2: 0t, 3
eth1.3: 0t, 4
eth1.4: 0t, 5
eth1.5: 1, 6
The output of ovs-vsctl show is:
root#OpenWrt:~# ovs-vsctl show
84d9ab2f-a3e6-46e3-874f-156ef975d673
Bridge "br0"
Controller "tcp:<an IP address>"
is_connected: true
fail_mode: standalone
Port "eth1.4"
Interface "eth1.4"
Port "eth1.2"
Interface "eth1.2"
Port "eth1.1"
Interface "eth1.1"
Port "br0"
Interface "br0"
type: internal
Port "eth1.3"
Interface "eth1.3"
The truncated output of ifconfig is:
br0: 192.168.3.1
eth0: 192.168.0.105 (There is another home router)
eth1, eth1.1-1.4
As the subnet provides the IP prefix 192.168.3.* and the router itself is assigned an IP of 192.168.0., I wonder if it's helpful to add a flow to forward packets from 192.168.3. to 192.168.0.104.
So is it correct to suppose that, if a machine with IP 192.168.3.10, for example, wants to make a query to Google, the path should be 192.168.3.10->192.168.0.105->192.168.0.1(home router)->outside?
This would build a flow based on Layer 3. But I'm wondering if I can build flows between VLANs? According to my configuration, the WAN port is port 1 and belongs to VLAN 5. Do you think it is viable to add flows bidirectionally from VLAN 1 (machine connected) to VLAN 5 and from VLAN 5 to VLAN 1? If so, are there any examples I can follow, please?
Another detail. The output of ifconfig shows the eth0 interface was assigned IP 192.168.0.105, which means it's connected to my home router (192.168.0.1). So do I need to forward packets between these two IP addresses?
I really appreciate any help.
The following commands add two rules to send packets from VLAN 5 on port 5 to port 1 with VLAN 1, and vice versa:
ovs-ofctl add-flow br0 in_port=5,dl_vlan=5,actions=mod_vlan_vid:1,output:1
ovs-ofctl add-flow br0 in_port=1,dl_vlan=1,actions=mod_vlan_vid:5,output:5
I have solved this problem. Following is the solution.
The main idea is to build a Linux bridge connected to the OVS bridge when I need the VLANs to be able to talk with the outside internet. I can use brctl to operate the Linux bridge. Firstly I tried:
brctl addbr br-lan
brctl addif br-lan br0
Then all the machines could access the internet. But unfortunately, only for a couple of minutes. After that, the router collapsed. I could not access the OVS router anymore unless I reset it. That could be caused by the incorrect bridge configuration. I tried many ways and finally this one works:
brctl addbr br-lan
ifconfig br-lan 192.168.3.1
brctl addif br-lan br0
ifconfig br0 0.0.0.0
I considered that the Linux bridge br-lan should originally be connected with eth0 (wan). And as far as I know, br0 could mean 'local', with IP address 192.168.3.1. All VLANs talk with this IP address. If I move 'local' to the Linux bridge which is connected with the wan port, it should work.
Thanks to everybody who viewed and tried to help me!

Socket communication between two devices under a sub-LAN

For two devices that both have public IP addresses, we can use the socket IP and port to set up socket communication.
If both devices do not have public IPs but connect to a sub-LAN and then access the public network through a router (no port mapping in the router), how can these two devices set up a socket connection?
For example, in the above diagram, how can machine A communicate with machine C?
Assuming that you have not set up a VPN tunnel between the two routers that connects both branches of the 192.168.1.0/24 network then the answer is: you can't.
If you set up a VPN tunnel then each side of the 192.168.1.0/24 network will be able to see the other side. Please note that the routers will need to be able to do ARP spoofing, i.e. the router for A & B will need to be able to spoof the MAC for C, i.e. intercept IP packets for C on their LAN and forward them through the VPN to the other network half where they are delivered to C.
If you set up at least one port forwarding on one router, then you'll have other options, e.g. an SSH tunnel on C that connects to the port forward on either A or B. You can then use the -L option on C to set up port forwarding through the SSH tunnel to the other half of the network.

Localhost server in loopback does not answer incoming SYN

I have a TCP server which runs in localhost (127.0.0.1), I am trying to connect to the server by injecting SYN packets to the loopback interface, but the server doesn't answer them. These packets have the source IP of the Ethernet interface of my internet adapter (and not localhost IP).
I watch the SYN packet that goes to my loopback server in Wireshark, but the server does not answer it with a SYN/ACK. I think it is because the IP source is not 127.0.0.1, which for example is 192.168.1.24.
If I go to the browser and I connect to my localhost server it works fine, but the source IP that I am using is 127.0.0.1 and the destination IP is 127.0.0.1 too; the only difference between the packets is the source IP.
I want to establish a TCP connection with my loopback server (localhost) by using different IP source addresses than 127.0.0.1. Is that possible?
For example, should a loopback TCP SYN packet which comes from 192.168.1.24 to 127.0.0.1 be answered by the loopback server?
Thanks and regards!
You can send packets to localhost via the Npcap Loopback Adapter and get a response from the counterpart (e.g. a process on the same machine). An example is Nmap: Nmap uses the Npcap Loopback Adapter to scan the ports of localhost. The command is: nmap -v -A 127.0.0.1. Nmap is open-sourced here, so you can see its code about the implementation. If you think Nmap is too complicated, you can see the source code of Nping here, a ping tool shipped with Nmap. Nping also uses the Npcap Loopback Adapter when pinging localhost, which works differently from the original ping shipped by Windows.
Using the IP of one of the local adapters or using 127.0.0.1 should be the same. You can run Nmap to test it. Anyway, using 127.0.0.1 is the best and recommended by Npcap when talking to localhost.
So I think the issue still relates to your own implementation.
Does the server bind() using INADDR_LOOPBACK? If so, you could try changing it to INADDR_ANY to see if that helps. See also man 7 ip.
(These links are obviously Linux-specific; if your platform is something else, then refer to the documentation applicable to your system. For example, if you're on Windows, then maybe refer to https://msdn.microsoft.com/en-us/library/windows/desktop/ms737550(v=vs.85).aspx.)
I solved the problem, thank you very much for your answers.
The problem was a bit stupid. I was trying to establish a TCP connection with the loopback server (localhost) with IP source addresses that were not in the range of the loopback (loopback gateway: 127.0.0.1, loopback netmask: 255.255.0.0). It can't accept packets from IP source addresses that are not in the range 127.0.X.X. If I do NAT and translate the packet from, for example, 192.168.1.154 to 127.0.1.154, the packet is received by the server and I can establish the server connection. I do not know how I did not realize it before.
Thank you for the time, regards!
I think too that maybe it is better to bind the server to another virtual network adapter and not to the loopback. I am studying this: https://github.com/Microsoft/Windows-driver-samples/tree/master/network/ndis/netvmini/6x
It would be fine to create a miniport driver and bind the server there; we would have the advantage of having our own gateway and netmask, and the layer would be Ethernet and not BSD loopback. Your opinions will be interesting for me.
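The answers in this thread come down to two socket facts: which local address the server bind()s to (INADDR_LOOPBACK versus INADDR_ANY, as Sander's answer suggests checking), and which source addresses a loopback listener will accept (the asker's finding that a 127.0.X.X source gets through). The Python below is an added example written for this page, not code from any of the posters. It assumes a Linux host, where the whole 127.0.0.0/8 block is loopback, so 127.0.1.154 (the address the asker's NAT rewrote the source to) works as a source or destination with no configuration; the listening port is picked by the kernel. It does not reproduce Npcap packet injection on Windows; it shows what an ordinary BSD-socket client and server observe.

```python
import errno
import socket
import threading

# Constructed addresses for the demonstration. On Linux the entire 127.0.0.0/8
# block is loopback, so 127.0.1.154 (the address the asker's NAT rewrote the
# source to) is usable as a source or destination without any configuration.
LOOPBACK = "127.0.0.1"
LOOPBACK_ALT = "127.0.1.154"
ANY = "0.0.0.0"


def _accept_once(server, result):
    """Accept one connection (or give up after the socket timeout) and
    record the peer address the kernel reports for it."""
    try:
        conn, peer = server.accept()
        conn.close()
        result["peer"] = peer[0]
    except socket.timeout:
        result["peer"] = None


def try_connect(bind_ip, dest_ip, source_ip):
    """Bind a throwaway TCP server to bind_ip, then connect to dest_ip with the
    client's source address forced to source_ip.

    Returns the source address the server saw on accept(), or the errno name
    (for example 'ECONNREFUSED') when the SYN was not answered with SYN/ACK.
    """
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind((bind_ip, 0))          # port 0: let the kernel pick a free port
    server.listen(1)
    server.settimeout(2)
    port = server.getsockname()[1]

    result = {}
    worker = threading.Thread(target=_accept_once, args=(server, result))
    worker.start()

    client = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    client.settimeout(2)
    try:
        client.bind((source_ip, 0))    # this is what sets the SYN's source IP
        client.connect((dest_ip, port))
        failure = None
    except OSError as exc:
        failure = errno.errorcode.get(exc.errno, repr(exc))
    finally:
        client.close()

    worker.join()
    server.close()
    return failure if failure is not None else result["peer"]


def run_scenarios():
    """The three cases that matter for the thread, as (description, outcome) pairs."""
    return [
        ("server on 127.0.0.1, SYN from 127.0.1.154 to 127.0.0.1",
         try_connect(LOOPBACK, LOOPBACK, LOOPBACK_ALT)),
        ("server on 127.0.0.1, SYN from 127.0.0.1 to 127.0.1.154",
         try_connect(LOOPBACK, LOOPBACK_ALT, LOOPBACK)),
        ("server on 0.0.0.0,   SYN from 127.0.0.1 to 127.0.1.154",
         try_connect(ANY, LOOPBACK_ALT, LOOPBACK)),
    ]


if __name__ == "__main__":
    for description, outcome in run_scenarios():
        print(f"{description}: {outcome}")
```

The first case shows a listener on 127.0.0.1 happily accepting a SYN whose source is elsewhere in 127/8; the second shows that the same listener refuses a SYN addressed to 127.0.1.154, because bind() pinned it to one address; the third shows that binding to 0.0.0.0 makes it answer on every local address. When a loopback server "does not answer", running these three cases first separates a bind-address problem from a source-address problem before reaching for packet injection.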

postgresql-crunchy not in rhc port-forward list

I have installed Postgresql 9.3 on OpenShift with the cartridge available at github. The database is started.
I want to connect to it from PgAdmin-III on my local PC. I am supposed to forward ports with:
rhc port-forward <myapp>
Yet, the list of port forwarding does not contain a forwarding for my Postgresql database. Hence, I cannot configure PgAdmin-III with the local port used for forwarding.
C:\>rhc port-forward ligatures
Checking available ports ... done
Forwarding ports ...
Permission denied - bind(2) while forwarding port 8080. Trying local port 8081
Permission denied - bind(2) while forwarding port 8080. Trying local port 8081
Only one usage of each socket address (protocol/network address/port) is
normally permitted. - bind(2) while forwarding port 8081. Trying local port 8082
Permission denied - bind(2) while forwarding port 8080. Trying local port 8081
Only one usage of each socket address (protocol/network address/port) is
normally permitted. - bind(2) while forwarding port 8081. Trying local port 8082
Only one usage of each socket address (protocol/network address/port) is
normally permitted. - bind(2) while forwarding port 8082. Trying local port 8083
To connect to a service running on OpenShift, use the Local address
Service Local OpenShift
------- -------------- ---- -----------------
haproxy 127.0.0.1:8081 => 127.2.56.130:8080
haproxy 127.0.0.1:8082 => 127.2.56.131:8080
node 127.0.0.1:8083 => 127.2.56.129:8080
Press CTRL-C to terminate port forwarding
How do I get a port forwarding for my postgresql-crunchy database?
Update
I have opened an issue at Bugzilla Redhat.
Update II
Issue can be replicated by creating a simple scalable nodejs + crunchydb application at Openshift.
Looking at the manifest.yml file, it does not look like it is publishing its list of ports correctly (https://github.com/CrunchyData/openshift-postgres-cartridge/blob/master/metadata/manifest.yml) under the "Publishes" section, which is missing. Take a look at this manifest for the official postgresql cartridge and compare the Publishes sections (https://github.com/openshift/origin-server/blob/master/cartridges/openshift-origin-cartridge-postgresql/metadata/manifest.yml).
It also seems to be missing the "protocols" section, along with other important information.
It should also probably use more descriptive port names in the "Endpoints" section. I would recommend logging an issue on that github repo with the specifics of the problem you are encountering.
I was able to run the cartridge just now without any problems. I'll take this offline with the user and try to resolve the problem.

How to drop the incoming packet from openVswitch integration bridge for specific IP?

I have installed openvSwitch on my two CentOS servers (KVM). I have created two VMs and bridged them using openvSwitch. I am able to ping between the two VMs. I am using VLANs for differentiating the private network.
Below is the VM IP
VM1 IP : 198.0.0.2 (resides in host1)
VM2 IP : 198.0.0.3 (resides in host2)
VLAN: 1000
I have followed the steps from the below link to configure the openvSwitch and it works fine.
http://openvswitch.org/support/config-cookbooks/vlan-configuration-cookbook/
Now I want to block a few ports. I want to block the incoming traffic to ports 443 and 80 for VM1. One option is to modify the iptables in my VM to drop the traffic to those ports. But I don't want to modify the firewall rules in the VM. I want to drop the packets from the OVS integration bridge itself.
Thanks,
Kalpeer
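Both OVS threads on this page end in ovs-ofctl flow rules: the VLAN answer earlier rewrites tags between two ports, and this last question wants inbound TCP to ports 80 and 443 of VM1 dropped on the bridge rather than in the guest. The Python below is an added example written for this page, not code from the posters or from Open vSwitch. It generates the flow text for both cases, hands it to `ovs-ofctl add-flows br0 -` (dry run by default, so nothing is installed until you ask), and parses a constructed `ovs-ofctl dump-flows` sample so you can confirm the drop rules sit above the priority-0 NORMAL rule. The bridge name br0, VM address 198.0.0.2 and VLAN 1000 come from the threads; the priorities and the sample output are my own.

```python
import subprocess

# Values from the two threads: the VLAN answer uses ports 1/5 with tags 1/5,
# the blocking question names VM1 198.0.0.2 on VLAN 1000 behind bridge br0.
# The priorities below are constructed for this example.
BRIDGE = "br0"


def vlan_rewrite_flows(port_a, vlan_a, port_b, vlan_b, priority=10):
    """The pair of rules from the VLAN answer: retag and forward in both
    directions between two ports, with an explicit priority."""
    return [
        f"priority={priority},in_port={port_a},dl_vlan={vlan_a},"
        f"actions=mod_vlan_vid:{vlan_b},output:{port_b}",
        f"priority={priority},in_port={port_b},dl_vlan={vlan_b},"
        f"actions=mod_vlan_vid:{vlan_a},output:{port_a}",
    ]


def block_inbound_tcp_flows(vm_ip, ports, vlan=None, priority=100):
    """Drop TCP to the listed destination ports of one VM and let everything
    else fall through to NORMAL (MAC-learning) switching.

    dl_vlan matches frames that still carry their 802.1Q tag, i.e. traffic
    arriving from the trunk towards the VM, which is the inbound direction
    the question asks about. Install this on the host where the VM lives.
    """
    vlan_match = f"dl_vlan={vlan}," if vlan is not None else ""
    flows = [
        f"priority={priority},{vlan_match}tcp,nw_dst={vm_ip},tp_dst={port},actions=drop"
        for port in ports
    ]
    # Lowest-priority catch-all: it must stay below the drop rules or they never match.
    flows.append("priority=0,actions=normal")
    return flows


def apply_flows(bridge, flows, dry_run=True):
    """Send the rules to 'ovs-ofctl add-flows <bridge> -', one per line on stdin.
    Returns the command and the text so a dry run can be inspected first."""
    text = "\n".join(flows) + "\n"
    cmd = ["ovs-ofctl", "add-flows", bridge, "-"]
    if not dry_run:
        subprocess.run(cmd, input=text, text=True, check=True)
    return cmd, text


def dropped_tcp_ports(dump_output, vm_ip):
    """Parse 'ovs-ofctl dump-flows' output and return {tp_dst: priority} for
    every rule that drops TCP to vm_ip, to confirm the block is in place."""
    found = {}
    for line in dump_output.splitlines():
        if "actions=drop" not in line or f"nw_dst={vm_ip}" not in line:
            continue
        match_part = line.split(" actions=", 1)[0]
        fields = {}
        for item in match_part.split(","):
            key, _, value = item.strip().partition("=")
            if value:
                fields[key] = value
        if "tp_dst" in fields:
            # OpenFlow's default priority is 32768 when none is printed.
            found[int(fields["tp_dst"])] = int(fields.get("priority", 32768))
    return found


# Constructed sample of what 'ovs-ofctl dump-flows br0' prints after the rules
# are installed (OVS reorders the match fields when it prints them).
SAMPLE_DUMP = """NXST_FLOW reply (xid=0x4):
 cookie=0x0, duration=8.512s, table=0, n_packets=0, n_bytes=0, priority=100,tcp,dl_vlan=1000,nw_dst=198.0.0.2,tp_dst=80 actions=drop
 cookie=0x0, duration=8.512s, table=0, n_packets=3, n_bytes=222, priority=100,tcp,dl_vlan=1000,nw_dst=198.0.0.2,tp_dst=443 actions=drop
 cookie=0x0, duration=8.512s, table=0, n_packets=42, n_bytes=4116, priority=0 actions=NORMAL
"""


if __name__ == "__main__":
    rules = block_inbound_tcp_flows("198.0.0.2", [80, 443], vlan=1000)
    cmd, text = apply_flows(BRIDGE, rules)          # dry run: nothing is installed
    print(" ".join(cmd))
    print(text)
    print(dropped_tcp_ports(SAMPLE_DUMP, "198.0.0.2"))
```

The priority ordering is the part worth checking after every change: a drop rule at priority 100 beats the catch-all at 0, but if someone later adds a broader rule at a higher priority, the block silently stops applying, which is why the dump-flows parser reports the priority alongside each port rather than just presence. Note also that the guest's own iptables stays untouched, as the question wanted; the VM cannot see or alter a rule held in the host's bridge.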