Redirecting filtered requests to second web server - redirect

What I want to do is set up two web servers. One will simply deliver normal content to people that request it, and one will put minimal strain on the system and strictly deliver an access-denied type of message for hackers.
I looked at http://www.cyberciti.biz/faq/linux-port-redirection-with-iptables/ for ideas on how to create this redirection based on a bad IP address, and it's suggesting:
iptables -t nat -A PREROUTING --src <source address> -p tcp --dport <new server port number> -j REDIRECT --to-port <new server port number>
I then tested that theory by trying the following on a computer without internet but with an Apache server running on port 80 and nothing on port 81:
iptables -t nat -A PREROUTING --src 127.0.0.1 -p tcp --dport 80 -j REDIRECT --to-port 81
I then typed 127.0.0.1 into my web browser and received the same Apache response as usual. Instead, I expected a browser message that it could not connect to the remote server.
How do I adjust the iptables command to make computers from the IPs listed in --src redirect from 127.0.0.1 port 80 to 127.0.0.1 port 81?
I understand I can use Apache or PHP and even Apache modules and all that for the redirection, but I'm trying to use the least system-intensive approach. I want hackers to have the least amount of system resources available to them so that real visitors can enjoy a quality website. However, I want them to be able to see a message, because if a real person gets blocked by accident then at least they can understand what's going on from an error message instead of a connection drop.

Packets on the loopback interface (127.0.0.0/8) don't pass through the NAT tables. Try using an external computer for the test.
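A concrete version of the two-server layout the question asks for, added here as an example; it is not code from the question, the answer, or the linked page. It assumes Apache on port 80, the minimal "access denied" server on port 81 of the same host, the ipset tool installed, and a blocklist file at /etc/blocked-web.txt (one address or CIDR per line); the file path and set name are assumptions. It also covers the test the asker ran: a connection the host makes to itself never traverses PREROUTING, it is handled in the nat OUTPUT chain, so a second rule is needed for tests from 127.0.0.1.

```shell
#!/bin/sh
# Added example (not from the original thread). Sends HTTP requests from
# listed source addresses to a second, minimal "denied" server on port 81.
# Assumptions: Apache on :80, denial server on :81, ipset available,
# blocklist file at /etc/blocked-web.txt (one IPv4 address or CIDR per line).
set -eu

IPT=${IPT:-iptables}      # point at an echo-style stub for a dry run
IPSET=${IPSET:-ipset}
SET=badweb                # assumed set name
BLOCKLIST=${BLOCKLIST:-/etc/blocked-web.txt}
FROM_PORT=80
TO_PORT=81

# Create the set once; hash:net accepts single addresses as well as CIDRs.
create_set() {
    "$IPSET" create "$SET" hash:net -exist
}

# Load addresses from the blocklist, skipping blank and comment lines.
load_blocklist() {
    while IFS= read -r entry; do
        case "$entry" in ''|'#'*) continue ;; esac
        "$IPSET" add "$SET" "$entry" -exist
    done < "$BLOCKLIST"
}

# Remote clients: rewrite the destination port before routing.
add_remote_redirect() {
    "$IPT" -t nat -A PREROUTING -p tcp --dport "$FROM_PORT" \
        -m set --match-set "$SET" src -j REDIRECT --to-ports "$TO_PORT"
}

# Local tests (curl http://127.0.0.1/ on the box itself): locally generated
# packets never see PREROUTING, they go through the nat OUTPUT chain instead.
add_local_redirect() {
    "$IPT" -t nat -A OUTPUT -o lo -p tcp --dport "$FROM_PORT" \
        -m set --match-set "$SET" src -j REDIRECT --to-ports "$TO_PORT"
}

install_redirect() {
    create_set
    load_blocklist
    add_remote_redirect
    add_local_redirect
}

# Only install when invoked as "./blocked-web.sh install" (as root).
if [ "${1:-}" = "install" ]; then
    install_redirect
fi
```

Adding or removing an address afterwards is an `ipset add badweb ADDR` or `ipset del badweb ADDR`; the iptables rules never change, which keeps the per-packet cost constant no matter how long the list grows. For the asker's own experiment, 127.0.0.1 has to be in the set and the OUTPUT rule is the one that fires.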

Related

Fix IP with port to IP without port

I have a website, example.com. The website is hosted on OVH. I would like to point a subdomain, shop.example.com, to another website hosted on another server
(95.110.189.135:8069); the problem is that I can't CNAME to an IP with a port.
I used Ubuntu for my Odoo server.
I've got Odoo on my VPS server with a database. Now it's working on an IP with a port (example: 55.55.55.55:8069). So now,
how can I change it to an IP without a port?
If I want a domain name, how can I do this?
I found the solution; it's easy to redirect to port 80.
To do that, add a line to the file
/etc/rc.local
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8069
Then the file will become like this:
#!/bin/sh -e
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8069
exit 0
Save and then restart the server.
You cannot use plain DNS to transfer traffic to another port. This is not possible with either a canonical name (CNAME) record or an address (A) record. These DNS records are only used for address resolution.
To solve your configuration issue you can use a reverse proxy, e.g. Nginx. You can find example configurations on the Odoo.com site at https://www.odoo.com/documentation/11.0/setup/deploy.html#https. This describes how to use HTTPS on port 443 to proxy Odoo as an upstream service on port 8069. For public services you should use encrypted HTTPS, not HTTP. Point your shop.example.com in DNS to your "other" server's IP address, and on that server have Odoo and Nginx running. Your Odoo can run on port 8069 and your Nginx would run on HTTPS 443 and proxy connections to the Odoo upstream service on localhost 8069.
Hope this helps you forward. Please check your configuration with someone who has experience with this kind of setup before you go to production. This will make sure your configuration is secure.

How to change the Rundeck web interface port from 4440 to 80

I'm trying to use Rundeck on Ubuntu 14.04.
How do I change the web interface port from 4440 (default) to 80?
The port number seems to be referred to in various config locations (including /etc/rundeck/profile and /etc/rundeck/framework.properties) but changing these had no effect for me and I can't find a specific section in the documentation on changing the web port.
Use a proxy pass with either Apache or Nginx. It's a solution.
You need to modify these files from 4440 to 80:
framework.properties
profile
rundeck-config.properties
But you will get the following Java exception when trying to run on 80:
java.net.SocketException: Permission denied
Hence an Apache or Nginx proxy pass is the working solution.
Or you can use two iptables rules:
iptables -t nat -I PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 4440
iptables -I INPUT -p tcp --dport 4440 -j ACCEPT
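The rc.local answer above (Odoo on 8069) and this Rundeck answer (4440) both publish a non-root service on port 80 with a nat REDIRECT rule. The script below is an added example, not code from either answer or from the Odoo or Rundeck projects: it makes the same rules safe to run more than once (each rule is appended only when `iptables -C` reports it missing, so a boot script does not pile up duplicates), adds the matching nat OUTPUT rule so a test from the server itself also works, and opens the service port in the filter table, which sees the rewritten destination port rather than 80. The service and public ports are the script's two arguments; nothing else is assumed.

```shell
#!/bin/sh
# Added example (not from the thread). Publishes a service that listens on a
# high port (Odoo 8069, Rundeck 4440) on port 80 without running it as root.
# Every rule is added only if it is not already present, so the script can be
# called from rc.local or a deploy job repeatedly without duplicating rules.
# Usage (as root): ./publish-port.sh SERVICE_PORT PUBLIC_PORT
set -eu

IPT=${IPT:-iptables}      # point at a stub function for a dry run

# ensure_rule TABLE CHAIN RULE...  -> append RULE unless it already exists
ensure_rule() {
    table=$1; chain=$2; shift 2
    if ! "$IPT" -t "$table" -C "$chain" "$@" 2>/dev/null; then
        "$IPT" -t "$table" -A "$chain" "$@"
    fi
}

# publish_port SERVICE_PORT PUBLIC_PORT
publish_port() {
    svc=$1; pub=$2
    # Remote clients: nat PREROUTING rewrites :pub -> :svc before routing.
    ensure_rule nat PREROUTING -p tcp --dport "$pub" -j REDIRECT --to-ports "$svc"
    # Same-host clients (curl http://localhost/) bypass PREROUTING and are
    # rewritten in nat OUTPUT instead.
    ensure_rule nat OUTPUT -o lo -p tcp --dport "$pub" -j REDIRECT --to-ports "$svc"
    # The filter table runs after NAT, so INPUT sees the service port;
    # an INPUT rule that only opens :pub would still drop the redirected traffic.
    ensure_rule filter INPUT -p tcp --dport "$svc" -m conntrack --ctstate NEW -j ACCEPT
}

if [ $# -eq 2 ]; then
    publish_port "$1" "$2"
fi
```

`iptables -C` returns 0 when an identical rule exists and 1 otherwise, which is the whole idempotency trick; `-I` or `-A` on its own appends a fresh copy every time the script runs. The service still listens on its high port and can be reached on it directly, so bind it to 127.0.0.1 or filter it separately if only the public port should be visible.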

What ports do I need to leave open for kinit to work?

I'm trying to set up a client machine so that only kinit traffic works. So far, my rules look like:
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i eth0 -s 192.168.1.130 -p tcp -m tcp --sport kerberos -j ACCEPT
-A INPUT -i eth0 -s 192.168.1.130 -p udp -m udp --sport kerberos -j ACCEPT
-A OUTPUT -o eth0 -d 192.168.1.130 -p tcp -m tcp --dport kerberos -j ACCEPT
-A OUTPUT -o eth0 -d 192.168.1.130 -p udp -m udp --dport kerberos -j ACCEPT
With this as-is, when I run "kinit remuser", I keep getting the error
kinit: Cannot contact any KDC for realm 'EXAMPLE.COM' while getting initial credentials
If I run
iptables -P INPUT ACCEPT
then "kinit remuser" works as expected. And after that first success, if I run
iptables -P INPUT DROP
it still keeps working.
I've tried using Wireshark to see what I'm initially disallowing. It seems ARP-related, but I can't consistently see that... and I thought iptables wasn't supposed to mess with ARP. I'm not seeing anything missing with "arp -n" or "ip -s neigh".
I've got the client and server configured correctly enough to work, but I'm still too new to this stuff to know what other ports I need to allow to get this working. If anyone can give me some tips I'd appreciate it.
UPDATE
Although my adapter claimed to be in promiscuous mode, it wasn't. I ended up running Wireshark on the server, and saw no other port numbers needed. To verify that, I updated the rules to include
-A INPUT -s 192.168.1.130 -j ACCEPT
and, as the successful kinit Wireshark capture suggested, it didn't help. It's only when I open up all INPUTs that it works.
Thanks.
Hector
Kerberos is generally UDP by default. I'm not that familiar with iptables, but while the port number on the server is defined, the port number on the client is entirely random. So any IP-based filter has to allow incoming UDP packets with arbitrary client port numbers.
Similarly on the outgoing side, you need to be able to send packets with arbitrary UDP ports on the client side. For kinit you only need the Kerberos port, but for changing passwords, etc., you will also need the kadmin ports.
Having said all that, and making my best guess at what the iptables rules mean, I think that's what you've implemented. However, you also need access to DNS SRV records or a working krb5.conf.
http://wiki.unixh4cks.com/index.php/Using_DNS_SRV_records_to_find_Kerberos_realm_servers
It may be that kinit starts working when you allow incoming DNS record lookups. This would also explain why it continues to work after the first connection, as it's likely the DNS record is cached on the system. Is the server listed in your krb5.conf in your /etc/hosts file? If not, that would explain the behaviour.
Thinking about this a bit more, what exactly do you expect to do with this ticket after you get it? The whole point of kerberos is to implement security on an open network by securing the endpoints, not by implementing firewalls.
I got it. And perhaps this only applies to me or anyone else using a HW VPN. An ICMP type 3 packet needed to be received from the gateway for the krb5 transaction to continue. My co-workers, who are testing something similar on a work network, aren't seeing this issue, so we'll need to figure out what's special in my case and whether it applies to other things.
The hardest part of all this was finding a wired adapter that truly supports promiscuous mode.
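A kinit-only client ruleset in the same iptables-restore format as the question, added here as an example and not taken from any post in the thread. It keeps the KDC address from the question (192.168.1.130); the resolver address (192.168.1.1) and the interface name are assumptions. Instead of matching the server's source port, it admits replies with connection tracking, which covers the client's random port on both protocols and also admits ICMP errors about a tracked flow, such as the type 3 message the asker found was required. DNS is opened because the realm's KDC is found either from krb5.conf by name or from _kerberos SRV records, as the first answer points out.

```shell
#!/bin/sh
# Added example (not from the thread): a kinit-only client firewall in
# iptables-restore format. Assumptions: KDC at 192.168.1.130 (from the
# question), resolver at 192.168.1.1 (hypothetical), interface eth0.
# Usage:  kinit_ruleset | iptables-restore
set -eu

KDC=${KDC:-192.168.1.130}
DNS=${DNS:-192.168.1.1}
IF=${IF:-eth0}

kinit_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Loopback, so a local caching resolver or other local IPC keeps working.
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# Replies to flows this host started, plus ICMP errors about those flows
# (e.g. type 3 destination-unreachable, which the asker saw was needed).
# This replaces "--sport kerberos" and copes with the random client port.
-A INPUT -i $IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o $IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# DNS: resolve the KDC name from krb5.conf or the _kerberos SRV records.
-A OUTPUT -o $IF -d $DNS -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -o $IF -d $DNS -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
# Kerberos AS/TGS exchanges (kinit): UDP first, TCP fallback for large replies.
-A OUTPUT -o $IF -d $KDC -p udp --dport 88 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -o $IF -d $KDC -p tcp --dport 88 -m conntrack --ctstate NEW -j ACCEPT
# kpasswd (464) only if password changes must work; kadmin (749) is not needed for kinit.
-A OUTPUT -o $IF -d $KDC -p udp --dport 464 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -o $IF -d $KDC -p tcp --dport 464 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Number of rules in the generated set; a quick sanity check before loading.
rule_count() {
    kinit_ruleset | grep -c '^-A'
}
```

Because every reply is admitted as ESTABLISHED,RELATED against a flow the client opened, the INPUT policy can stay at DROP with no inbound port opened at all; that is the check the asker could not get past with a plain `-A INPUT -s 192.168.1.130 -j ACCEPT`, since ICMP errors may come from the gateway rather than the KDC. If the OUTPUT rules are changed to `-i eth0` as in the original question, iptables-restore rejects the file, because `-i` is not valid in the OUTPUT chain.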

Not able to access Centos Apache page from another Computer

Today I started Apache on CentOS, and I'm able to open the test page on the same machine as localhost. But I'm unable to open it from another computer. The CentOS server is on a VLAN (using a switch) behind a router. I'm able to ping the server from the other side using my laptop, but I'm not able to open the test page in my browser. I have another server in the same VLAN which I'm able to access from my laptop.
Also, here are some entries from iptables -L:
Chain INPUT
ACCEPT     tcp  --  anywhere   anywhere   tcp dpt:http
ACCEPT     udp  --  anywhere   anywhere   udp dpt:http
REJECT     all  --  anywhere   anywhere   reject-with icmp-host-prohibited
Chain FORWARD
REJECT     all  --  anywhere   anywhere   reject-with icmp-host-prohibited
I'm not sure what else I need to check.
Security theory says to first drop the firewall and test (iptables -F). If you can access it then, it is really an iptables issue; if you are still unable to reach your service, try looking at whether you have a specific bind: netstat -an | grep "LISTEN ". If you see something like:
"tcp 0 0 127.0.0.1:80 0.0.0.0:* LISTEN "
that means your server is only listening on the localhost IP; you should check for specific httpd binds in /etc/httpd/conf/httpd.conf.
If you require some more help, keep posting =)
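The check in the answer above, automated as an added example (not code from the thread): it reads `ss -ltn` output and classifies each listener on a port as bound to all addresses, to loopback only, or to one specific address, so "firewall problem" and "Apache only listening on 127.0.0.1" can be told apart without a second machine. The `ss` output used in the offline test is constructed; the live path simply runs `ss -ltn` on the host.

```shell
#!/bin/sh
# Added example (not from the thread): classify where a TCP listener is bound,
# from `ss -ltn` output, to separate "bound to loopback only" from a firewall
# problem. The sample lines used by the offline test are constructed.
set -eu

# bind_scope LOCAL_ADDR:PORT -> all | loopback | specific
bind_scope() {
    addr=${1%:*}            # strip the :port suffix (also handles [::]:80)
    case "$addr" in
        0.0.0.0|\*|'[::]'|::) echo all ;;
        127.*|'[::1]'|::1)   echo loopback ;;
        *)                   echo specific ;;
    esac
}

# listeners_on PORT [SS_OUTPUT]: print "scope local-address" for each LISTEN
# socket on PORT. Uses the text in $2 when given, otherwise runs ss -ltn.
listeners_on() {
    port=$1
    if [ $# -ge 2 ]; then printf '%s\n' "$2"; else ss -ltn; fi |
    awk -v p=":${port}\$" '$1 == "LISTEN" && $4 ~ p { print $4 }' |
    while IFS= read -r local; do
        printf '%s %s\n' "$(bind_scope "$local")" "$local"
    done
}

# diagnose PORT [SS_OUTPUT]: exit 0 if something listens on all addresses
# (look at the firewall next), 1 if only on loopback or one address (fix
# the Listen directive in httpd.conf), 2 if nothing listens (service is down).
diagnose() {
    scopes=$(listeners_on "$1" ${2+"$2"})
    case "$scopes" in
        *all*)                 return 0 ;;
        *loopback*|*specific*) return 1 ;;
        *)                     return 2 ;;
    esac
}
```

On the host in the question, `diagnose 80` returning 0 means the socket is fine and the REJECT rule or the router is the next suspect; returning 1 points straight at the `Listen 127.0.0.1:80` line. The `ss` output format is the modern replacement for the `netstat -an` grep the answer uses; the same classification works on netstat lines if the local-address column is passed to `bind_scope`.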

How to configure buildbot slave to run from behind a firewall?

Is it possible to run a buildbot-slave from inside a corporate firewall where you are allowed to create only outgoing connections on the standard HTTP(S) ports?
How can I achieve that?
In this case you should run your master to use exactly these ports, i.e. running the web interface on the HTTP (80) port while using the HTTPS (443) port for slaves' connections. However, this would require the master to run with root privileges, which is bad. In this case you could redirect traffic from these ports to the ones actually used by the master with iptables. With the default master ports for the web interface (8010) and slave connections (9989) you'll get something like:
# iptables -t nat -A PREROUTING -p tcp --dport 443 -j DNAT --to-destination 127.0.0.1:9989
The same goes for the web interface, in case you're not using any HTTP proxy server (like nginx, haproxy, lighttpd, etc.).
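The DNAT rule in the answer rewrites packets that arrived on the external interface to a 127.0.0.1 destination. On Linux since 3.6 such packets are dropped as martians unless `route_localnet` is enabled on the ingress interface, so the rule silently does nothing on a default kernel. The script below is an added example, not code from the answer or from the buildbot project: it shows the DNAT variant with the sysctl it needs beside the REDIRECT variant, which keeps the interface's own address as the destination and needs no sysctl but requires the master to listen on all addresses. The interface name eth0 is an assumption; the ports are the answer's defaults.

```shell
#!/bin/sh
# Added example (not from the thread). Exposes buildbot's slave port (9989)
# on 443 and its web port (8010) on 80 without running the master as root.
# Assumptions: ingress interface eth0; for the DNAT variant the master is
# bound to 127.0.0.1, for the REDIRECT variant it is bound to 0.0.0.0.
set -eu

IPT=${IPT:-iptables}      # point at echo for a dry run
SYSCTL=${SYSCTL:-sysctl}
IF=${IF:-eth0}

# Variant 1: master bound to 127.0.0.1 only. A packet arriving on eth0 whose
# destination becomes 127.0.0.1 is dropped as a martian unless route_localnet
# is set on that interface; without it the DNAT rule matches but nothing arrives.
dnat_to_loopback() {        # dnat_to_loopback PUBLIC_PORT LOCAL_PORT
    "$SYSCTL" -w "net.ipv4.conf.$IF.route_localnet=1"
    "$IPT" -t nat -A PREROUTING -i "$IF" -p tcp --dport "$1" \
        -j DNAT --to-destination "127.0.0.1:$2"
    # filter INPUT sees the rewritten destination, not the public port
    "$IPT" -A INPUT -i "$IF" -d 127.0.0.1 -p tcp --dport "$2" -j ACCEPT
}

# Variant 2: master bound to 0.0.0.0. REDIRECT keeps the interface's own
# address as the destination and only rewrites the port, so no sysctl.
redirect_port() {           # redirect_port PUBLIC_PORT LOCAL_PORT
    "$IPT" -t nat -A PREROUTING -i "$IF" -p tcp --dport "$1" \
        -j REDIRECT --to-ports "$2"
    "$IPT" -A INPUT -i "$IF" -p tcp --dport "$2" -j ACCEPT
}

expose_buildbot() {         # expose_buildbot dnat|redirect
    case "$1" in
        dnat)     dnat_to_loopback 443 9989; dnat_to_loopback 80 8010 ;;
        redirect) redirect_port 443 9989;    redirect_port 80 8010 ;;
        *) echo "usage: expose_buildbot dnat|redirect" >&2; return 2 ;;
    esac
}

if [ $# -eq 1 ]; then
    expose_buildbot "$1"
fi
```

Whichever variant is used, the slave protocol on 443 is still buildbot's own cleartext protocol, not TLS; the corporate proxy only sees port 443, so this gets through a port filter but not through a proxy that inspects for a TLS handshake.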