We are currently running a Kubernetes cluster on GCP. The cluster has several pods, in the default network 10.154.0.0/16. We have now created a new VM in the same network and assigned a static internal IP 10.154.0.4.
We are now trying to connect from a Pod to the freshly created VM, but we are only able to ping it. We installed a basic webserver on it that only the internal network is supposed to access, but it doesn't work.
Isn't it possible to access all ports on the internal network without creating any additional firewall rules?
Logs:
Ping VM from Pod (works)
root#censored-6d9f888f75-pncs4:/var/www# ping 10.154.0.4
PING 10.154.0.4 (10.154.0.4): 56 data bytes
64 bytes from 10.154.0.4: icmp_seq=0 ttl=63 time=1.636 ms
Accessing the webserver of the VM (not working)
root#censored-6d9f888f75-pncs4:/var/www# curl 10.154.0.4
^C
Not sure if this is what's happening to you, but if you ssh into a node and run sudo iptables-save, there is this interesting rule...
-A POSTROUTING ! -d 10.0.0.0/8 -m comment --comment "kubenet: SNAT for outbound traffic from cluster" -m addrtype ! --dst-type LOCAL -j MASQUERADE
...that says that for destination IP addresses within 10.0.0.0/8 range, do not masquerade. If your pods are running in 172., or 192., that's the IP address they are making the requests with, which can be dropped, if the firewall rules and routes have not been properly configured.
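The check described in this answer, as an added example (not part of the original post): it reads the exclusion out of the quoted rule and reports which source address the VM sees and whether a firewall source range admits it. The pod IP 172.16.3.7, the node IP 10.154.0.2 and the allowed range are constructed assumptions; the addrtype match in the rule is ignored.

```python
import ipaddress
import shlex

# The rule quoted in the answer, wrapped the way iptables-save prints a nat table.
IPTABLES_SAVE = '''*nat
-A POSTROUTING ! -d 10.0.0.0/8 -m comment --comment "kubenet: SNAT for outbound traffic from cluster" -m addrtype ! --dst-type LOCAL -j MASQUERADE
COMMIT
'''


def masquerade_exclusions(dump):
    """Networks that a `! -d <cidr>` match exempts from POSTROUTING MASQUERADE."""
    nets = []
    for line in dump.splitlines():
        tok = shlex.split(line)
        if tok[:2] != ["-A", "POSTROUTING"] or "-j" not in tok:
            continue
        if tok[tok.index("-j") + 1] != "MASQUERADE":
            continue
        for i in range(len(tok) - 2):
            if tok[i] == "!" and tok[i + 1] == "-d":
                nets.append(ipaddress.ip_network(tok[i + 2]))
    return nets


def source_seen_by_vm(pod_ip, node_ip, dst_ip, exclusions):
    """Pod IP if the destination is exempt from SNAT, otherwise the node IP."""
    dst = ipaddress.ip_address(dst_ip)
    return pod_ip if any(dst in net for net in exclusions) else node_ip


def firewall_admits(src_ip, allowed_ranges):
    """True if src_ip falls inside any allowed source range."""
    src = ipaddress.ip_address(src_ip)
    return any(src in ipaddress.ip_network(r) for r in allowed_ranges)


if __name__ == "__main__":
    excl = masquerade_exclusions(IPTABLES_SAVE)
    # Constructed values: pod 172.16.3.7 on node 10.154.0.2 calling the VM.
    seen = source_seen_by_vm("172.16.3.7", "10.154.0.2", "10.154.0.4", excl)
    # Assumed firewall source range: the subnet named in the question.
    print("VM sees source", seen)
    print("admitted:", firewall_admits(seen, ["10.154.0.0/16"]))
```

Run against real `iptables-save` output from a node, with the cluster's actual pod range and firewall source ranges substituted for the constructed values.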
Related
I run a working Wireguard server with 2 Wireguard Gateways for Site-to-Site VPN and a couple of Mobile Devices with a Full Tunnel that are used occasionally. One of my Site Gateways is a RaspberryPi4 that I want to provide a WIFI-Access-Point that directly tunnels to the Wireguard Server. This RaspberryPi has working access to all connected subnets via the main Server, so Wireguard is set up properly.
I want to use my Raspi4 to roam the world and provide me a WIFI-Access-Point while any device that connects to it is directly routed into Wireguard and emerges to the web only from there. I used the standard gateway setup provided and my WIFI device can access the web but doesn't tunnel through Wireguard (yet).
I can't really find where I can configure where the access point is bound to: dnsmasq, apdconf or a simple iptables rule?
Example IPs
Server: 10.0.7.1, local network 192.168.0.1/24
Raspi4: 10.0.7.5, local network 192.168.6.5/24, WIFI 192.168.7.5/24
So far I haven't succeeded, ideas?
Got it to work, took a few steps.
First I changed the Wireguard-tunnel on the RP4 to be a full tunnel, it was previously a split-tunnel, only routing the IPs of the other local LANs into the wg0 interface.
Working Full Tunnel:
AllowedIPs = 0.0.0.0/0
Not working Split-Tunnel:
AllowedIPs = 10.0.7.0/24, 192.168.0.0/24
Trying with a Split-Tunnel was stupid to begin with. Only the local IPs mapped in wireguard were fed into the tunnel, public IPs emerged directly on the RP4 network. The tunnel was working as configured but simply not as I wanted it to.
Second, iptables was the solution, everything else was already set up properly. I had to add:
iptables -A FORWARD -i wlan0 -o wg0 -j ACCEPT
iptables -A FORWARD -i wg0 -o wlan0 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -t nat -A POSTROUTING -o wg0 -j MASQUERADE
Without those rules, I would only be able to connect to the WIFI but had no internet connection.
The rest of the setup is pretty much the same as in this tutorial.
I have a website.example.com. The website is hosted on OVH. I would like to point a subdomain shop.example.com to another website hosted on another server (95.110.189.135:8069). The problem is that I can't CNAME to an IP with a port.
I used Ubuntu for my odoo server
I've got odoo on my vps server with database. Now it's working on an IP with a port (example: 55.55.55.55:8069). So now:
How can I change it to an IP without a port?
If I want a domain name, how can I do this?
I found the solution: it's easy to redirect to port 80.
To do that, add a line of code in the file
/etc/rc.local
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8069
Then the file will look like this:
#!/bin/sh -e
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8069
exit 0
Save and then restart the server.
You cannot use plain DNS to transfer traffic to another port. This is not possible with either canonical name (CNAME record) or address (A record). These DNS services are only used for address resolution.
To solve your configuration issue you can use a reverse proxy, e.g. Nginx. You can find example configurations on the Odoo.com site at https://www.odoo.com/documentation/11.0/setup/deploy.html#https. This describes how to use https on port 443 to proxy Odoo as an upstream service on port 8069. For public services you should use encrypted https, not http. Point your shop.example.com in DNS to your "another" server IP address and on that server have Odoo and Nginx running. Your Odoo can run on port 8069 and your Nginx would run on https 443 and proxy connections to the Odoo upstream service on localhost 8069.
Hope this helps you forward. Please check your configuration with someone who has experience with this kind of setup before you go to production. This will make sure your configuration is secure.
What I want to do is set up two web servers. One will simply deliver normal content to people that request it and one will put minimal strain on the system and strictly deliver an access denied type of message for hackers.
I looked at http://www.cyberciti.biz/faq/linux-port-redirection-with-iptables/ for ideas on how to create this redirection based on a bad IP address and it's suggesting:
iptables -t nat -A PREROUTING --src <source address> -p tcp --dport <new server port number> -j REDIRECT --to-port <new server port number>
I then tested that theory by trying the following on a computer without internet but with apache server running on port 80 and nothing on port 81:
iptables -t nat -A PREROUTING --src 127.0.0.1 -p tcp --dport 80 -j REDIRECT --to-port 81
I then typed in 127.0.0.1 in my web browser and received the same apache response as usual. Instead, I expected a browser message that it could not connect to the remote server.
How do I adjust the iptables command to make computers from listed IP in --src redirect from 127.0.0.1 port 80 to 127.0.0.1 port 81?
I understand I can use apache or php and even apache modules and all that for the redirection but I'm trying to use the least system-intensive approach and I want hackers to have the least amount of system resources available to them so that real visitors can enjoy a quality website. However, I want them to be able to see a message because if a real person gets blocked by accident then at least they can understand what's going on from an error message instead of a connection drop.
Packets on the loopback interface (127.0.0.0/8) don't pass through the NAT tables. Try using an external computer for the test.
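A simplified model of the behaviour in this exchange, as an added example (not part of the original posts): a connection opened on the machine itself has its REDIRECT/DNAT rules looked up in the nat OUTPUT chain, never in PREROUTING, so the rule from the question is not consulted by the local browser test. The function names and the remote test address are assumptions made for illustration.

```python
import ipaddress
import shlex

# The rule exactly as typed in the question.
RULE = ("iptables -t nat -A PREROUTING --src 127.0.0.1 "
        "-p tcp --dport 80 -j REDIRECT --to-port 81")


def parse_redirect(cmd):
    """Extract chain, source match, dport and target port from a REDIRECT rule."""
    tok = shlex.split(cmd)
    opt = {tok[i]: tok[i + 1] for i in range(len(tok) - 1)
           if tok[i].startswith("-")}
    return {
        "chain": opt["-A"],
        "src": ipaddress.ip_network(opt.get("--src", opt.get("-s", "0.0.0.0/0"))),
        "dport": int(opt["--dport"]),
        "to_port": int(opt.get("--to-port") or opt["--to-ports"]),
    }


def dnat_chain(locally_generated):
    """nat chain whose REDIRECT/DNAT rules see a new connection's first packet."""
    return "OUTPUT" if locally_generated else "PREROUTING"


def delivered_port(rule, src_ip, dport, locally_generated):
    """Destination port after this single rule has (or has not) been consulted."""
    if rule["chain"] != dnat_chain(locally_generated):
        return dport  # the rule sits in a chain this connection never consults
    if ipaddress.ip_address(src_ip) in rule["src"] and dport == rule["dport"]:
        return rule["to_port"]
    return dport


if __name__ == "__main__":
    rule = parse_redirect(RULE)
    # Browser on the same machine: still lands on port 80, as the asker saw.
    print(delivered_port(rule, "127.0.0.1", 80, locally_generated=True))
    # Same match for a remote client (198.51.100.7 is a constructed address).
    remote = parse_redirect(RULE.replace("127.0.0.1", "198.51.100.7"))
    print(delivered_port(remote, "198.51.100.7", 80, locally_generated=False))
```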
Is it possible to run a buildbot-slave from inside a corporate firewall where you are allowed to create only outgoing connection on standard HTTP(s) ports?
How can I achieve that?
In this case you should run your master to use exactly these ports, i.e. running the web interface on the HTTP (80) port while using the HTTPS (443) port for slaves' connections. However, this would require the master to run with root privileges, which is bad. In this case you could redirect traffic from these ports to the actual ones used by the master with iptables. With the default master ports for the web interface (8010) and slave connections (9989) you'll get something like:
# iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-ports 9989
The same goes for the web interface in case you're not using any proxy HTTP server (like nginx, haproxy, lighttpd, etc).
I have hosted an application in a machine running Red Hat Enterprise Linux 5. I started the jBoss AS using the command.
./run.sh -b 0.0.0.0
and
./run.sh -Djboss.bind.address=<<server_address>>
and
./run.sh --host=<<ipaddress>>
but using any of these commands I cannot access the application remotely. Using the above commands I cannot even access the application on the host machine itself, using localhost as well as the IP address. I am not able to figure out the problem here. I can ping the Linux machine from the other Windows machines.
First, check that iptables rules are not blocking.
Also, are you running as a user? If so, you will not have permission to bind to a port number less than 1024.
Try telnetting to the port from the server itself to check the service is responding, e.g.
telnet localhost 8080
presuming that you are running on 8080 in the example above.
You can drop your iptables temporarily for testing, if it is safe to do so, by:
/etc/init.d/iptables stop
and restart them when you've finished with
/etc/init.d/iptables start
You can make a permanent change to your iptables config by adding the following line to /etc/sysconfig/iptables
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 8080 -j ACCEPT