How to redirect and load balance locally generated packets through iptables? - redirect

Here is the scenario I am working on.
I have sslh listening on 443, which redirects HTTPS traffic to 445 and TURN traffic to 3478. I also have 6 TURN servers listening on 3478 to 3483. I wish to load balance the incoming TURN traffic across all these ports. I tried load balancing through the PREROUTING chain of the nat table, but it didn't work since sslh is a local process and packets generated from it skip the PREROUTING chain. I can see these packets coming from sslh in the OUTPUT chain of the nat table, but I am unable to redirect them to another port.
Here is the rule I am using:
iptables -t nat -A OUTPUT -p tcp -o lo --dport 3478 -j REDIRECT --to-ports 3479
which is not working. Any help is highly appreciated!

Try using the load balancing in coturn, i.e. the option:
alternate-server
An example is in the coturn source: https://github.com/coturn/coturn/blob/master/examples/scripts/loadbalance/master_relay.sh

I had missed adding the transparency rules for sslh. After adding these rules, I was able to redirect the packets to different ports.
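As an added illustration (not code from the thread or from sslh), the following Python script builds the nat-table rules that spread locally generated connections to one port across several local ports, the part of the setup the question describes. It uses the iptables statistic match in nth mode, which the thread does not mention; the sslh transparent-mode marking rules the accepted fix refers to are assumed to already be in place and are not shown. Port numbers match the question; the function and variable names are the example's own.

```python
# Added example (not from the thread): build the nat-table rules that spread
# locally generated TCP connections for one port across a list of local ports.
# The sslh transparent-mode marking rules the thread mentions are assumed to
# be configured separately; only the load-balancing part is shown here.
import shlex
import subprocess
from typing import List


def lb_redirect_rules(front_port: int, target_ports: List[int],
                      chain: str = "OUTPUT", out_iface: str = "lo") -> List[List[str]]:
    """Return one iptables argv per target port, in the order they must be added.

    The statistic match in nth mode counts only the packets that reach the rule
    it is attached to, so each rule's share has to be expressed against what is
    left over: with six targets the first rule takes every 6th new connection,
    the next every 5th of the remainder, and the final rule takes everything
    still unmatched.  Because this is the nat table, the decision is made once
    per connection (on its first packet) and conntrack applies it to the rest
    of the flow, so it balances connections, not individual packets.
    """
    if not target_ports:
        raise ValueError("need at least one target port")
    base = ["iptables", "-t", "nat", "-A", chain, "-p", "tcp",
            "-o", out_iface, "--dport", str(front_port)]
    rules = []
    remaining = len(target_ports)
    for port in target_ports:
        rule = list(base)
        if remaining > 1:
            rule += ["-m", "statistic", "--mode", "nth",
                     "--every", str(remaining), "--packet", "0"]
        rule += ["-j", "REDIRECT", "--to-ports", str(port)]
        rules.append(rule)
        remaining -= 1
    return rules


def render(rules: List[List[str]]) -> List[str]:
    """Shell-quoted form of each rule, for review before anything is applied."""
    return [shlex.join(r) for r in rules]


def apply_rules(rules: List[List[str]], dry_run: bool = True) -> int:
    """Print the rules; without dry_run also apply them (needs root)."""
    for line in render(rules):
        print(line)
    if dry_run:
        return 0
    for rule in rules:
        subprocess.run(rule, check=True)
    return len(rules)


if __name__ == "__main__":
    # TURN servers on 3478-3483 as in the question; sslh hands TURN to 3478.
    apply_rules(lb_redirect_rules(3478, list(range(3478, 3484))))
```

Run it as-is to review the generated rules; pass dry_run=False only once the transparent-mode rules are in place, since without them the redirected flows behave exactly as the question describes.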

Related

nginx proxy unidirectional udp connection to HTTPS connection

I need to forward a unidirectional stream of UDP packets from one side to an HTTPS connection on the other end.
I can potentially solve it using Python, but this server should be able to forward large amounts of traffic, so I would like to rely on Nginx for this task.
Can Nginx do such a thing?
What I tried
I tried:
stream {
    server {
        listen 9990 udp;
        proxy_pass localhost:9995;
    }
}
which forwards UDP packets correctly.
I tested it by running 2 servers:
nc -u -l 9995 # listen on udp port 9995
nc -u localhost 9990 # send packets to nginx listening on udp port 9990
This test worked when both connections are UDP. My goal is to listen on TCP port 9995 instead of UDP; currently I couldn't do it with nginx.
Why?
additional context, not part of the question
I have a wire that can transfer packets only in one direction, so a TCP connection can't be established. The other end requires an HTTPS connection, so I can get around this with another server in the middle that accepts a UDP socket on one end and an HTTP/TCP socket on the other end, and forwards any UDP packet coming from one end as an HTTP message over TCP to the other end.

Kubernetes blocking random UDP requests

K8s won't allow external servers to push UDP packets from arbitrary ports to pods.
The RTSP protocol uses random UDP ports to push data for every frame.
RTSP-UDP initially connects to TCP port 554 and gets assigned a random UDP port between ~18000-25000 on every request.
Is there any way I can allow this without using hostNetwork? Something like opening a range of ports, or allowing all UDP traffic from outside the cluster?
To recreate:
ffplay <rtsp-url>
And use a network tool like tcpdump or wireshark to probe the UDP packets.
You can expose plain TCP and UDP services using the standard nginx ingress controller - see the documentation.
Port ranges are not supported for services. Here is a related issue on GitHub:
https://github.com/kubernetes/kubernetes/issues/23864

how can i play tcp traffic between 2 hosts from a pcap file without triggering the kernel networking?

I'm trying to implement an "opt ack" attack.
This attack involves sending ACK packets before the packets arrive, thus increasing the TCP window and creating a big load on the network channel.
I'm using scapy to record traffic between a client and a server,
and then I send the client ACK packets one after another.
I have two problems:
I need to stop the kernel from sending packets automatically
(it makes the attacker send reset packets);
also I need to fix the timestamp and checksum.
Can you help me with at least the first problem?
The first problem (RESET packets) can be fixed by installing iptables rules. It worked really well for me in my implementation of packet replay.
iptables -A OUTPUT -p tcp -d "DST IP ADDR" --sport "SRC PORT" --tcp-flags RST RST -j DROP
The kernel has no knowledge of the segments sent by Scapy; it doesn't have a socket bound to the port you are using (see here), so it sends RST segments in answer to the ACK segments.
You can add an iptables rule to drop these on the attacker's machine:
iptables -A OUTPUT -p tcp --tcp-flags RST RST -s source_ip -j DROP
If you change segments, Scapy will recompute checksums before resending them.
Note that invalid checksums when recording traffic could be caused by checksum offload on your machine and can be solved with the ethtool command:
ethtool --offload ethX rx off tx off
For the timestamps, I assume you are talking about TCP Timestamps option. You can forge them before resending the segment with Scapy TCP options:
ACK = IP(...)/TCP(..., options=[("Timestamp", (TS_value, TS_ecr))])

HAProxy Change Farm and Soft Stop Server on current farm

I'm pretty new to load balancing and using HAProxy.
After doing a lot of reading and setting up my own development environment, I am unable to work out the following:
I have a bank of web servers across which traffic is being balanced; how do I soft stop these servers while I fail over to a new bank?
My test config looks like this:
frontend front-end-test
    maxconn 2000
    bind 192.168.0.10:8666
    use_backend back-end-test-a

backend back-end-test-a
    mode http
    balance roundrobin
    option forwardfor
    server machine1 10.1.1.92:44410 weight 1 maxconn 2000 check
    server machine2 10.1.1.92:44420 weight 1 maxconn 2000 check

backend back-end-test-b
    mode http
    balance roundrobin
    server machine3 10.1.1.92:44430 weight 1 maxconn 2000 check
    server machine4 10.1.1.92:44440 weight 1 maxconn 2000 check
To change banks the config would be updated and the hot restart used:
frontend front-end-test
    maxconn 2000
    bind 192.168.0.10:8666
    use_backend back-end-test-a
To
frontend front-end-test
    maxconn 2000
    bind 192.168.0.10:8666
    use_backend back-end-test-b
So to recap, I need to update the config so my backend farm changes but any requests for the original servers still need to be served by them.
Is this possible?
Adam
Normally, if I want to change backends, I would switch it right away (as in change to use_backend back-end-test-b) and do a graceful reload by delaying SYN packets (new incoming connections) before restarting the haproxy service. Ex:
iptables -I INPUT -p tcp --dport 8666 --syn -j DROP
sleep 1
service haproxy restart
iptables -D INPUT -p tcp --dport 8666 --syn -j DROP
The delay should allow running requests to finish before that service restarts and applies the new config.
This may not work for long running transactions though.

Maintaining the source ip during data redirection

I'm new to this site.
This is my problem: I have 3 different sources (IP: 192.168.1.1, 192.168.1.2 and 192.168.1.3) that send data (via UDP) to a single receiver (IP 192.168.1.4) on the listening port 8900 (same port for every source). I can redirect the traffic to 3 different listening ports on the receiver (one for every source, i.e. 192.168.1.1 --> port 8910, 192.168.1.2 --> 8920 and 192.168.1.3 --> 8930); 3 processes are listening on those ports.
If I lose a packet during the transmission, the process that should have received this packet tries to send a retransmission request to the sender, which is wrongly localhost instead of the original sender.
Is there a way to maintain the original IP during the redirection?
Sorry for my bad English and thanks for your help.
getsockopt(...,SO_ORIGINAL_DST) is what you are looking for.
(assuming that you did iptables -j REDIRECT or similar)
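As an added example (not code from the answer above), here is how that getsockopt call is made from Python and how the returned struct sockaddr_in is decoded. The constant SO_ORIGINAL_DST (80) comes from the Linux header linux/netfilter_ipv4.h, which Python's socket module does not export; the function names, the listening port 8910 and the test address 192.168.1.4:8900 are taken from the question or chosen for the example. One caveat for the asker's setup: the kernel answers SO_ORIGINAL_DST from the conntrack entry of a connected TCP (or SCTP) socket, so for UDP sockets the pre-REDIRECT destination has to be read per datagram from IP_RECVORIGDSTADDR ancillary data instead.

```python
# Added example (not from the thread): read the pre-REDIRECT destination of
# an accepted TCP connection with SO_ORIGINAL_DST and decode the sockaddr_in.
import socket
import struct

# Value from <linux/netfilter_ipv4.h>; Python's socket module does not export it.
SO_ORIGINAL_DST = 80
SOCKADDR_IN_LEN = 16


def build_sockaddr_in(ip: str, port: int) -> bytes:
    """Pack a struct sockaddr_in the way the kernel returns it (used for tests)."""
    # sin_family is in host byte order, sin_port and sin_addr in network order,
    # followed by 8 bytes of zero padding.
    return (struct.pack("=H", socket.AF_INET) + struct.pack("!H", port)
            + socket.inet_aton(ip) + bytes(8))


def parse_sockaddr_in(raw: bytes):
    """Return (ip, port) from a struct sockaddr_in; reject anything not AF_INET."""
    if len(raw) < 8:
        raise ValueError("sockaddr_in too short: %d bytes" % len(raw))
    family = struct.unpack_from("=H", raw, 0)[0]
    if family != socket.AF_INET:
        raise ValueError("not an AF_INET address (family %d)" % family)
    port = struct.unpack_from("!H", raw, 2)[0]
    ip = socket.inet_ntoa(raw[4:8])
    return ip, port


def original_destination(conn: socket.socket):
    """(ip, port) the client actually connected to, before iptables REDIRECT."""
    raw = conn.getsockopt(socket.SOL_IP, SO_ORIGINAL_DST, SOCKADDR_IN_LEN)
    return parse_sockaddr_in(raw)


def serve(listen_port: int) -> None:
    """Accept redirected TCP connections and log peer and original destination."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("0.0.0.0", listen_port))
        srv.listen()
        while True:
            conn, peer = srv.accept()
            with conn:
                try:
                    dst = original_destination(conn)
                except OSError:
                    # No conntrack entry: this flow was not redirected.
                    dst = ("?", 0)
                print("peer %s:%d originally sent to %s:%d" % (peer + dst))


if __name__ == "__main__":
    serve(8910)  # one of the per-source listening ports from the question
```

Note that the peer address returned by accept() is the real sender even after REDIRECT, since REDIRECT rewrites only the destination; SO_ORIGINAL_DST is what recovers the address the sender originally used, which is what a reply or retransmission request should be addressed from.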